Databases hold the crown jewels of any organization -- information about customers, vendors, employees and just about everything else -- and thus are prime targets of hackers and dishonest and/or greedy employees.
Clearly, it's vital to protect databases. This Dark Reading feature describes a growing security segment called database activity monitoring (DAM). DAM, as the name implies, gives security personnel insight into who is accessing information. This improves security and helps the organization meet compliance requirements. The story details what should be in a DAM request for information (RFI). Several of the insights are true of all RFIs, such as issuing requirements that are as specific as possible in order to reduce the number of responses and make the ones that come in more relevant. Good DAM-specific hints also are offered.
One of the reasons database security is in the sorry state it apparently finds itself in is that security forces and database administrators (DBAs) don't necessarily speak the same language or, for that matter, speak often enough. This post at Securosis makes the point that organizations need DBAs who understand security and security folks who know their way around databases.
The blogger attempts to assign various tasks to one group or the other. His take covers six areas. The overall conclusion is that DBAs must design and configure systems and install and manage security. Security folks must take responsibility for external monitoring and scanning of systems once they are deployed. Clearly, those responsible for each task -- and the precise definition of the tasks themselves -- can vary. The bottom line, however, is that security staffs and DBAs are intensely concerned with what the other group does, and should act that way.
Database security is changing because databases are changing. This November 2007 release -- which introduces Secerno SQL v2.1 -- raises an important point of which security planners must be cognizant. Many companies are consolidating their databases. The total number of records will continue, in many cases, to expand. The reality, then, is that the remaining databases will be accessed by more people and contain more records than in the past. These changes, juxtaposed against the benign neglect that many organizations seem to be showing toward database security, should be a yellow flag to security personnel.
Database security is a broad category because it deals with both accidental and malicious breaches. This post at The Seed of Reason deals with database security against a subgroup of problems: premeditated actions by people trying to steal data. The writer lists several ways in which database security can be compromised and ways of avoiding the problem. The post says that people with access to the database can be bribed or blackmailed, and that the databases themselves can be hacked into. Several of the ways of gaining illicit entry that the post mentions overlap. The bottom line is that many people can get into databases with little trouble if they want to or are forced to. No better case for top-notch security need be made.
The tide seems to be turning, however. Companies simply are realizing that database security is intensely important, and that hackers will pay increasing attention to it as perimeter defenses improve. Hopefully, security personnel and DBAs -- working together -- will be as successful as efforts have been to protect the organization from outside invaders.