As news of data breaches continues to grab headlines, data security is becoming a greater enterprise concern. However, at the same time, it is becoming clear that many organizations are actually doing things that make their data more vulnerable. Recently, Joe Pasqua, executive vice president of products at MarkLogic, provider of an enterprise NoSQL database, discussed the ways organizations and their employees are putting their data at greater risk—and the ways to address it.
With data becoming more central to their business missions, organizations are trying to wring all the value from it that they can and in doing that they are exposing themselves to more security and governance risks, Pasqua said. “We are in a world where velocity is important. The problem is that people are sacrificing security practices in their desire for speed and agility.”
Here are five common mistakes that Pasqua says companies are making unintentionally that can introduce vulnerability into their data management.
- Failure to manage role- and policy-based access controls through the lifecycle of data integration: When you are configuring a database, you want to make sure that applications are set up following the principle of least privilege, says Pasqua. The idea is that you don’t set up users with broad privileges in the database with access to everything. You set them up so that they have the minimum privilege to get their job done. This is one of those kinds of blocking and tackling things that you need to do to avoid security issues, or minimize their impact if a security issue does occur. In that same vein is the need to have proper auditing practices in place. There should be a process in place where you are collecting audit data on a regular basis and looking at that data, preferably in an automated fashion, so that you can detect anything that has gone wrong, so that if there is a breach you can find it quickly and react quickly. And, more importantly, if you do see anomalies in usage patterns before a breach occurs or before it has an impact, you can take steps to mitigate the problems.
- Burdening application developers with data security: You can’t make every application developer responsible for data security. If your database is wide open and you make it the application’s responsibility to protect the data in the database then you are pretty much guaranteeing that somewhere someone who is developing an application isn’t going to get it quite right. It is important to put the access control into the database, near the data, rather than making it the responsibility of every application developer.
- Taking an all-or-nothing approach to database access: Traditional databases, and MarkLogic, as well, have rich access controls built in, said Pasqua. If your database has a model that enables a user who logs in to have access to everything, then by default, you are putting all the responsibility on the application developer. If it is all or nothing—meaning that if you get in then you can see everything, then the application developer has to do all the work. But if the database has rich, granular access controls, you put that functionality in once, and with the appropriate roles, you use the principle of least privilege and then all applications get to use those permissions immediately.
- Failure to secure data not only in motion but also at rest, with advanced encryption technology: People think about encryption of data on the wire a lot, but it is also important to have encryption on the disk and you need that in order to keep your data safe both from internal and external threat, Pasqua stressed. You want an encryption system that not only protects from the outsider coming in, so that they can’t make use of the data on the disk, but also make sure that a system administrator can’t make use of data on disk. This means that the encryption can’t be at a low level in the operational system. It has got to be incorporated where the data gets used. It has to be encrypted all the way until it gets in the dataset and the database decrypts it, so it is past the system administrator already. That is what we are talking about when we say advanced encryption and advanced key management.
- Misalignment of database technology with business goals: Many people don’t think about this in a security context but if you have a service that your employees or customers are using but it doesn’t provide them the functionality they need to meet their business goals, they can either go back to IT and ask them to fix it, or take the more expedient approach which is to work around it. We see this all the time where an organization will have a nicely governed and controlled way of sharing data within the organization but for whatever reason, it doesn’t enable the customer or the end user to do the type of sharing they need to do, Pasqua said. They will take the data and put it in Dropbox or somewhere else so that it is easy to share with other people. They do this because the system that is already in place isn’t meeting their needs so that is the misalignment. From a database perspective, this happens all the time. When people want to do analytics or do a report and the particular analytics or report is not something provided by the application, they will do an extract of the data, and put it, for example, in an Excel spreadsheet. This leads to security risks. We have seen this where people have put data on their laptop, and the laptop gets hacked or left in a taxi cab, and the data becomes insecure. It is not because the core system is not secure but because it is not meeting the business need and people are working around it.
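
The automated audit review described in the first item above can be sketched as follows. This is an added example, not code from MarkLogic or the interview: the log format, role names, grants and row thresholds are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Least-privilege baseline (assumed): what each role needs to do its job.
ROLE_GRANTS = {
    "billing_app": {("SELECT", "invoices"), ("UPDATE", "invoices")},
    "report_app": {("SELECT", "invoices"), ("SELECT", "orders")},
}
# Assumed ceiling on rows one account should read per review window.
MAX_ROWS_PER_WINDOW = {"billing_app": 500, "report_app": 5000}
# Constructed audit records in a made-up format, covering one review window.
SAMPLE_AUDIT = """\
2024-05-01T09:00:01Z user=svc_billing role=billing_app action=SELECT object=invoices rows=40 status=ok
2024-05-01T09:00:07Z user=svc_billing role=billing_app action=SELECT object=customers rows=0 status=denied
2024-05-01T09:01:12Z user=svc_report role=report_app action=SELECT object=orders rows=1200 status=ok
2024-05-01T09:02:30Z user=svc_report role=report_app action=DELETE object=orders rows=15 status=ok
2024-05-01T09:03:00Z user=svc_billing role=billing_app action=SELECT object=invoices rows=900 status=ok
this line is truncated user=svc_report
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"object=(?P<object>\S+) rows=(?P<rows>\d+) status=(?P<status>ok|denied)$"
)

def review_audit(text):
    """Return a list of (kind, user, detail) findings for one audit window."""
    findings, rows_read = [], defaultdict(int)
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            # Unparseable audit data is itself a finding, not something to skip.
            findings.append(("unparsed", None, f"line {lineno}"))
            continue
        op = (m["action"], m["object"])
        if op not in ROLE_GRANTS.get(m["role"], set()):
            # ok = the role holds more than its baseline; denied = the control held.
            kind = "excess_privilege" if m["status"] == "ok" else "denied_attempt"
            findings.append((kind, m["user"], f"{op[0]} {op[1]}"))
        if m["status"] == "ok" and m["action"] == "SELECT":
            rows_read[(m["user"], m["role"])] += int(m["rows"])
    for (user, role), total in sorted(rows_read.items()):
        if total > MAX_ROWS_PER_WINDOW.get(role, 0):
            findings.append(("volume_anomaly", user, f"{total} rows read"))
    return findings

if __name__ == "__main__":
    for finding in review_audit(SAMPLE_AUDIT):
        print(finding)
```

An `excess_privilege` finding points at a grant to revoke, while `volume_anomaly` is the kind of usage-pattern signal that can be acted on before a breach has an impact.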
Another common mistake, one that sounds like a straightforward blocking-and-tackling issue but is notable because so many organizations make it, is neglecting protection, backup, and replication of the data that is running a business, said Pasqua. "Again, it sounds like an obvious thing but if you look at ransomware, for example, what hackers will do is get into your system and encrypt all of your data, making it unavailable unless you pay them. That is an inconvenience if you have got a consistent backup of your data somewhere. But if you don't, then you are really stuck."
Interview has been edited and condensed.