An Epidemic of Security Worst Practices
A majority of enterprises are failing to apply IT security best practices, significantly increasing their security and compliance risks.
Where does the greatest challenge in database security originate? According to a new survey released by Application Security, the real security challenge is found in organizational issues, as opposed to accidents or nefarious acts. The survey, Data Security At An Inflection Point: 2011 Survey Of Best Practices And Challenges, polled 524 enterprise IT and database managers. Below is one of the key findings:
Organizational issues impede efforts to address database security. In most cases, security is overseen by both database and security teams. Adding to the challenge is the need to store data for long periods of time - a majority of respondents maintain data well beyond the required storage limits. One out of four respondents now maintains data environments within private clouds, but a majority are concerned about security in these environments as well.
Another finding that I thought went hand-in-hand with organizational issues is that database security audits are few and far between. And when they are conducted, one of the problems is access control. That, in my opinion, comes down to organizational structure. At what level is access determined? Is it security who decides or the database management teams or someone else entirely?
Not surprisingly, an overwhelming number of survey participants agreed that the risks to the database have increased and will continue to increase, while a third believe their company has been the victim of a breach. With the news releases of the latest Anonymous or similar hacktivist attack coming at least weekly, there is a heightened awareness that anyone can get hit at any time. And that has those who deal with database management thinking more about security and stepping up their efforts. But there are plenty of hurdles to that security effort. According to a release:
Hacktivism generated additional security measures in 34% of the respondent companies due to increased concern among top management and board members. However, only 14% of companies in the survey reported additional funding for data security technologies and just 11% experienced additional staffing or consulting support. So, while there is increased management concern, it does not appear as if it has translated into additional support and commitment. As a result, DBAs and security pros are faced with the expectations of doing more with less.
Doing more with less. That seems to be a theme for security professionals, doesn't it? In fact, going back to the organizational issues as the primary issue when it comes to security, the survey found that 58 percent of respondents said that budget constraints are the greatest impediment to database security. Lack of understanding of threats came in next at 44 percent.