New Study Finds Risk to Database Security Higher Than Ever

More proactive participation in data security needed from DBAs

The results of the latest IOUG survey on data security are in and the story is not likely to help data professionals or C-level executives sleep better at night. The study, "Databases are More at Risk Than Ever: 2011 IOUG Data Security Survey," conducted in July 2011 by Unisphere Research, a division of Information Today, Inc., and sponsored by Oracle, finds the security threat level to business is escalating and many information security professionals are concerned about the growing numbers of data breaches as well as the methods by which valuable data is being accessed.

The IOUG Data Security Survey has been conducted every year since 2008, and Oracle is making the new full report on the 2011 survey, authored by Unisphere Research analyst Joe McKendrick, available on the Oracle website. A short registration form is required for access.

"Threat levels are definitely higher - much higher, in fact. We have seen cyber crime at unprecedented levels," Roxana Bradescu, director of product management, Database Security, at Oracle, tells 5 Minute Briefing. "Not even counting all the things that are happening on an ongoing basis, every day almost every internet facing application has literally hundreds of SQL injection attacks that are thrown at it." And, in addition to that, there are increased levels of advanced persistent threats, which is different from cyber crime, in that they target organizations specifically either because of activism, a revenge angle, or a goal of capturing intellectual property or trade secrets, Bradescu notes.

The Problem

The problem, she explains, is that many of these attacks seek to take advantage of legitimate access. "As we saw in the IOUG report, most organizations have a very strong perimeter but then they don't have a lot of controls within their perimeter so as long as an attacker - whether it is a cyber criminal  opportunistically looking for customer data or someone on a mission for intellectual property or revenge - can get inside the firewall either by hijacking an application through a SQL injection attack or getting the credentials of an employee within the company who has legitimate access to those databases, essentially they can have uncontrolled access to data."

Particularly surprising, says Bradescu, is the lack of any kind of auditing on sensitive data reads, with only about 30% of organizations even monitoring who is looking at sensitive information "so even if there was a breach, especially something like an intellectual property breach, most organizations would not even know about it." Similarly, she points out, the percentage of respondents monitoring sensitive data changes was not much better.The results of such lack of oversight can be catastrophic, Bradescu says. "You have to ask, what are most organizations doing for database security, and the answer is really not a lot. They are still really relying on the perimeter."

The responsibility for data security is a shared one, with most respondents to the survey citing the security group and the database group as being in charge of data security. But there is a false sense of security that there are defenses in place - a firewall or some general monitoring - and general monitoring is not really going to tell an organization what it needs to know, Bradescu says. "A lot of organizations have enterprise-wide monitoring and that is great - but what is the source of the alerts, what is the source of what is actually detecting that there is a security problem at the database level - that is often not in place."

The Solution

Oracle does this annual survey with the IOUG to raise awareness, says Bradescu, explaining there are solutions that can help. "It is just a matter of getting the word out."

Many organizations are not aware that within the Oracle Database, for example, there are controls that can be put in place to monitor and even prevent unauthorized database administrator activity. "That is not to say that you should not trust your database administrator, but if somebody were able to get malware on that database administrator's computer and log into the database as that person, the amount of damage that could be done would be mitigated. There would be some controls in place."

Even take SQL injection attacks, says Bradescu. Many people think thwarting them is a laborious process, but there are things that can be done. "Oracle introduced the Database Firewall solution earlier this year which will monitor traffic to databases and inspect the SQL and be able to essentially filter out or block unauthorized SQL such as SQL statements containing injections."

Another myth is that auditing has a lot of overhead, but Bradescu says, Oracle has made major strides in auditing over the years. "Native database auditing in Oracle Database 7 had some overhead issues associated with it, but when we are talking about Oracle 11g, the overhead associated with native auditing is very, very low so it is easy to put in place native auditing to keep track of who is looking at sensitive data."

Moreover, Oracle has solutions that can help with collection of native audit data, says Bradescu. "Many of the respondents in the survey are responsible for hundreds of databases across their organizations so going in and checking that native audit trail is a non-starter for them. But there are tools like Oracle Audit Vault that will collect that audit trail and all of the native audit data, analyze it against policies, looking for things like is there somebody looking at sensitive information that should not be doing so, and then essentially generate an alert which can go into your enterprise-wide monitoring system."

In the survey, says Bradescu, "We also asked a question about personally identifiable information and to what extent it was encrypted on databases and that number is still relatively low." Again, she notes, there are tools in Oracle that can make that easier. Oracle Advanced Security allows organizations to encrypt data at the tablespace or column level and while traveling to and from the database with strong authentication to help address privacy and compliance requirements.

Cultural Change is Needed

A culture of more proactive security is necessary to better protect sensitive data, says Bradescu, observing that, typically, when one thinks of security and availability, they go hand in hand. "Most database groups, for example, fully own availability. Database availability is their responsibility but there is less of that around security. Around security, more database groups, even though it is a shared responsibility, wait for the security group to take the first step."

And, while it is clearly a shared responsibility, "I think in some sense, the database group should actually be going to the security group," Bradescu suggests, "and saying, What should we be doing to secure our databases? and, How do we be work together to do that?  I think from an organizational point of view, the database administrators and the folks that are responsible for the database infrastructure in the organization should step up and take the lead on that. They shouldn't have to wait for the security team."

Fill out a short registration form and access the "Databases are More at Risk Than Ever: 2011 IOUG Data Security Survey," here.