Organization Issues Lead Database Security Concerns

Sue Marquette Poremba

Where does the greatest challenge in database security originate? According to a new survey released by Application Security, the real security challenge is found in organizational issues, as opposed to accidents or nefarious acts. The survey, "Data Security At An Inflection Point: 2011 Survey Of Best Practices And Challenges," polled 524 enterprise IT and database managers. Below is one of the key findings:

Organizational issues impede efforts to address database security. In most cases, security is overseen by both database and security teams. Adding to the challenge is the need to store data for long periods of time - a majority of respondents maintain data well beyond the required storage limits. One out of four respondents now maintains data environments within private clouds, but a majority are concerned about security in these environments as well.

Another finding that I thought went hand-in-hand with organizational issues is that database security audits are few and far between. And when they are conducted, one of the problems is access control. That, in my opinion, comes down to organizational structure. At what level is access determined? Is it security who decides or the database management teams or someone else entirely?


Not surprisingly, the overwhelming number of survey participants agreed that the risks to the database have increased and will continue to increase, while a third believe their company has been the victim of a breach. With the news releases of the latest Anonymous or similar hacktivist attack coming at least weekly, there is a heightened awareness that anyone can get hit at any time. And that has those who deal with database management thinking more about security and stepping up their efforts. But there are plenty of hurdles to that security effort. According to a release:

Hacktivism generated additional security measures in 34% of the respondent companies due to increased concern among top management and board members. However, only 14% of companies in the survey reported additional funding for data security technologies and just 11% experienced additional staffing or consulting support. So, while there is increased management concern, it does not appear as if it has translated into additional support and commitment. As a result, DBAs and security pros are faced with the expectations of doing more with less.

Doing more with less. That seems to be a theme for security professionals, doesn't it? In fact, going back to the organizational issues as the primary issue when it comes to security, the survey found that 58 percent of respondents said that budget constraints are the greatest impediment to database security. Lack of understanding of threats came in next at 44 percent.


IT and database managers have recognized that everyone needs to take security more seriously - especially since we've learned that so many outside attacks on a database happen because of missing security steps, like encrypting data. Now the trick is getting others within the organization to understand why improving security is so important.

Feb 20, 2012 6:45 AM Rory Rory says:

Great reflection. Another way IT Departments can work smarter with Database access regardless of database or platform is to use applications or databases that are built on the notion of role-based access. With good controls and staff that will put the proper users in the proper roles (rather than copy the credentials of another user to save time), you will quickly reduce unauthorised access. After I started using a product called GoAnywhere Director for our ETL requirements (they market it as MFT, but it does ETL very well), our database integrity improved since we were doing a better job restricting access to the data and who was allowed to transmit any part of it. We had a few months of angry calls from users who wanted access to everything "like before." But they would admit that their new security role did provide them with access to just the data they needed to do their job.

