When in doubt, secure the data
Being a security practitioner today is a bit like playing Whack-A-Mole at the carnival. Every time you’ve nailed one problem down, a few other nasty critters pop up faster than you can deal with them.
For instance, according to a recent study by IMS Research, the number of IP-enabled devices will grow from roughly 9.6 billion today to more than 28 billion by 2020. To make matters worse, nascent technologies such as mobile, adopted to enable productivity and commerce, will be the most heavily targeted by attacks. One report by NQ Mobile says that malware specific to mobile platforms grew 163 percent in 2012 alone.
As attacks and hazards increase, the number of trained security practitioners and the budgets behind them remain relatively flat -- or, in the case of many government agencies, actually decrease. Unfortunately, this is happening at a time when the number of tools a network security practitioner has to operate continues to spiral out of control -- firewall, intrusion prevention system, advanced malware detection, sandboxing, vulnerability management, encryption, data leakage prevention.
Sadly, none of these factors addresses the single most important element that users demand and that adversaries seek: an organization’s data and its intrinsic value. Perhaps, rather than rushing around reactively, like firefighters pouring meager buckets of water on each new inferno, we should attack the problem more proactively at the source of the organization’s value and the destination of its customers and its opponents.
The Verizon Business Data Breach Investigations Study of 2012 notes that only one in four breaches targets the database of the victim organization. However, that 25 percent of breaches caused the misuse, loss or exposure of a staggering 92 percent of all compromised records in the survey sample.
So, how do we go about ensuring that these assets are better protected? The first order of business is to understand the responsibilities of the individuals involved:
- Security practitioner -- Many security practitioners are focused on the tools discussed above, and their responsibilities end with the operating system the database runs on. They have no idea what the database is doing; they only know that the OS and server are theoretically secure.
- Database administrator (DBA) -- This may sound like the responsible person, but the DBA's priorities are heavily weighted toward the availability of the database rather than its integrity or confidentiality.
- CIO -- Although ultimately responsible for all of IT, the CIO often looks at the database as just another part of the whole rather than as the high-value asset it is to the organization and to its consumers.
- Data owner -- At the end of the day, the data owner is responsible for an application's data and its use by consumers, and is the proper person to set requirements for the confidentiality and integrity of the data itself.
By establishing the database as the focus for reducing an organization’s overall risk, and by establishing the data owner as the person to take responsibility for data risk, we can now focus on reducing that risk, while maintaining high availability, confidentiality and integrity. There are four repeatable efforts that data owners should engage in to improve results and create a framework to automate auditing and reporting processes.
- Discovery -- Not every database holds intellectual property, electronic protected health information, personally identifying information or other valuable contents. Automated sensitive-data discovery helps the data owner focus on the key assets first.
- Security hardening -- Although a variety of freeware and commercial tools perform general vulnerability assessments, the data owner needs to select one specialized enough to identify, report on and remediate database-specific issues that can compromise confidentiality, integrity and availability.
- Monitoring -- Data consumers can misuse data, whether inadvertently or maliciously. Their activities need to be authorized, reported on, and blocked when they violate the data owner's policies. Designing a database-centric security policy, however, is best done in conjunction with the DBA.
- Protection -- Attacks against the database can have long-lasting, devastating effects on the organization, including but not limited to financial loss, negative mission results, loss of human life, fines and privacy-related costs, and damage to the organization's reputation. One specific example of protection is a solution that provides real-time protection against SQL injection.
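To make the Discovery and Protection efforts above concrete, here is a small added example (written for this column, not McAfee code or any product's logic) using Python's standard sqlite3 module. It builds a constructed in-memory database, runs a simple sensitive-data discovery pass that samples each text column against a couple of PII patterns, and then shows the same customer lookup written two ways: with user input concatenated into the SQL text, and with the input bound as a parameter. The table names, column names, sample rows and regex patterns are all assumptions made up for the demonstration.

```python
import re
import sqlite3

# Constructed sample data (not from the article): a small database standing in
# for a production system whose data owner must set confidentiality requirements.
SAMPLE_SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, ssn TEXT);
CREATE TABLE inventory (sku TEXT PRIMARY KEY, description TEXT, qty INTEGER);
"""
SAMPLE_ROWS = {
    "customers": [
        (1, "Ada Lovelace", "ada@example.org", "123-45-6789"),
        (2, "Grace Hopper", "grace@example.org", "987-65-4321"),
        (3, "Conor O'Brien", "o'brien@example.org", "555-12-3456"),
    ],
    "inventory": [("SKU-001", "Widget", 40), ("SKU-002", "Gadget", 12)],
}

# Shapes of common sensitive values; a real discovery tool carries many more.
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}


def quote_ident(name: str) -> str:
    """Quote a table/column name (identifiers cannot be bound as parameters)."""
    return '"' + name.replace('"', '""') + '"'


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS["customers"])
    conn.executemany("INSERT INTO inventory VALUES (?, ?, ?)", SAMPLE_ROWS["inventory"])
    conn.commit()
    return conn


def discover_sensitive_columns(conn, sample_size=100, threshold=0.8):
    """Discovery step: sample each column and flag it when at least `threshold`
    of the sampled values match one of PATTERNS. Returns {table: {column: kind}}."""
    findings = {}
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f"PRAGMA table_info({quote_ident(table)})")]
        for col in columns:
            sql = (f"SELECT {quote_ident(col)} FROM {quote_ident(table)} "
                   f"WHERE {quote_ident(col)} IS NOT NULL LIMIT ?")
            values = [str(r[0]) for r in conn.execute(sql, (sample_size,))]
            if not values:
                continue
            for kind, pattern in PATTERNS.items():
                hits = sum(1 for v in values if pattern.match(v))
                if hits / len(values) >= threshold:
                    findings.setdefault(table, {})[col] = kind
                    break
    return findings


def lookup_vulnerable(conn, email):
    """The 'before' picture: the caller's input becomes part of the SQL text,
    so quotes in the input change the query's structure."""
    sql = "SELECT id, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened form: the value is bound separately and is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM customers WHERE email = ?", (email,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("sensitive columns:", discover_sensitive_columns(db))
    print("bound lookup:", lookup_parameterized(db, "o'brien@example.org"))
    try:
        lookup_vulnerable(db, "o'brien@example.org")
    except sqlite3.OperationalError as exc:
        print("concatenated lookup failed on a legitimate value:", exc)
```

Two things are worth noticing when running it. The discovery pass flags only `customers.email` and `customers.ssn`, which is exactly the "focus on key assets first" triage the column describes. And the concatenated query does not merely open the door to injection: it also fails on a perfectly legitimate value containing an apostrophe, whereas the parameterized query handles it and returns one row. A tautology probe (`x' OR '1'='1`) returns every customer from the concatenated version and nothing from the bound version, which is the behaviour a real-time SQL injection protection layer exists to enforce when the application code cannot be fixed.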
Spreading responsibility for database confidentiality, integrity and availability across a variety of tools, practitioners and network locations has consistently been a recipe for disaster. It causes front-page events, such as the Sony PlayStation Network breach that exposed 100 million customer records and incurred an estimated $171 million to $1.25 billion in losses. At McAfee, we encourage narrowing the scope from the entire network down to the database servers and their contents. That way data owners can ensure that their policies and objectives are consistently carried out, dramatically reducing the organization's overall risk without compromising data consumer satisfaction.
Scott Montgomery is the vice president of public sector solutions at McAfee, Inc. He can be reached at: