This commentary at CNET by Sentrigo Executive Vice President Dan Sarel on the importance of database security tracks well with a couple of recent items: my Q&A with another company executive and my related commentary.
We're linking to the new piece because the point bears repeating: Companies must protect their databases. Cyber criminals always have been good technically, able to move seamlessly from one "attack vector" to the next. The transition of hackers from thrill seekers to tools used by profit-oriented criminals puts databases at greater risk simply because that is where an organization's most valuable information is stored.
It's long been apparent that times are changing, so there is no great news in Sarel's commentary. He says databases are poorly protected and a tremendously inviting target to the bad guys, who can use a variety of methods -- tapping both insiders and outsiders -- to filch the data. Perhaps the most interesting point Sarel makes is that a key and relatively simple step is to reduce the amount of valuable data stored in the first place. Common sense also is important: It is a bad idea, for instance, to link employees to their records via Social Security number.
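The two pieces of advice above (store less sensitive data, and don't key employee records on a Social Security number) translate directly into schema design. The following is an added example, not part of Sarel's commentary or any Sentrigo product; the table and role names are constructed for illustration, and the GRANT syntax assumes a PostgreSQL-style database. It contrasts a layout where the SSN is the primary key, so every related table and every backup carries it, with one where an internal surrogate key does the linking and the SSN, if it must be kept at all, sits in one narrow table that only a single role can read.

```sql
-- Constructed example: employee records keyed by SSN (the pattern to avoid).
-- Every table that references an employee repeats the SSN, so the sensitive
-- value is copied into payroll rows, reports, logs and backups.
CREATE TABLE employee_bad (
    ssn        CHAR(11) PRIMARY KEY,      -- e.g. '123-45-6789', duplicated everywhere
    full_name  VARCHAR(100) NOT NULL,
    hired_on   DATE NOT NULL
);

CREATE TABLE payroll_bad (
    ssn        CHAR(11) NOT NULL REFERENCES employee_bad(ssn),
    pay_period DATE NOT NULL,
    gross_pay  NUMERIC(12,2) NOT NULL,
    PRIMARY KEY (ssn, pay_period)
);

-- Preferred layout: an internal surrogate key links records. Applications
-- never need the SSN to find an employee.
CREATE TABLE employee (
    employee_id  INTEGER PRIMARY KEY,
    full_name    VARCHAR(100) NOT NULL,
    hired_on     DATE NOT NULL
);

CREATE TABLE payroll (
    employee_id  INTEGER NOT NULL REFERENCES employee(employee_id),
    pay_period   DATE NOT NULL,
    gross_pay    NUMERIC(12,2) NOT NULL,
    PRIMARY KEY (employee_id, pay_period)
);

-- Data minimization: create this table only if a real obligation (tax
-- reporting, for instance) requires the SSN. If nothing requires it, do not
-- store it at all.
CREATE TABLE employee_tax_identity (
    employee_id  INTEGER PRIMARY KEY REFERENCES employee(employee_id),
    ssn          CHAR(11) NOT NULL UNIQUE
);

-- Confine the sensitive table to one role (hr_tax_role is a placeholder name).
REVOKE ALL ON employee_tax_identity FROM PUBLIC;
GRANT SELECT ON employee_tax_identity TO hr_tax_role;

-- Ordinary application queries join on employee_id and never touch the SSN.
SELECT e.full_name, p.pay_period, p.gross_pay
FROM employee e
JOIN payroll p ON p.employee_id = e.employee_id
WHERE e.employee_id = 42;
```

The point of the split is that a compromise of the payroll or application tables, or of a backup of them, no longer exposes SSNs, and the one table that does hold them is small enough to audit and lock down on its own.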
Sentrigo, of course, isn't the only company thinking about this issue. Last week, Forrester Research released its rankings and assessment of vendors in the category. The analysts tracked companies across 116 criteria. Firms listed in the executive summary -- and not all in a flattering light -- are Guardium, Tizor Systems, Application Security, Lumigent Technologies, Symantec, Tivoli Compliance Insight Manager (until recently called IBM Consul InSight), RippleTech, Embarcadero Technologies, Oracle, Microsoft, Sybase and IBM. The leading companies are Guardium, Tizor, Application Security, Imperva and Lumigent.
Clearly, there is a lot of money to be made in protecting databases. Last week, Symantec released version 3.0 of its Database Security product. New features include heuristic learning, intrusion identification, real-time policy alerts, and integration with Symantec Security Information Management (SSIM). Heuristic learning, as the release describes it, is the ability to refine and adjust approaches based on accumulated knowledge. Intruder identification, the release says, is the ability to trace suspicious or malicious activity back to its source.
Despite the availability of these products, the common wisdom still is that organizations are not paying enough attention to database security. This eWEEK feature opens with the alarming statistic that database administrators spend only 7 percent of their time working on security issues. This is surprising, since it is increasingly difficult to classify database security as a new or emerging discipline. The good news is that there does seem to be a growing recognition of the issue. Initiatives that follow from that recognition should raise the percentage beyond its current anemic level.
It also is important to remember that database administration -- and thus, the security sector underpinning it -- is not monolithic. The four categories one consultant sees: department level DBAs, development DBAs, small firm DBAs and enterprise DBAs. The attention paid to security by personnel working in each area varies. The trend line generally is upward, however. For instance, some Fortune 1,000 companies have moved DBAs into broader security groups. This, presumably, will create heightened and better security know-how.

This post at The NonProfit Times gets right to the point by listing eight questions by which to judge the quality of an organization's database security. The blogger is paraphrasing Tom Gaffny, the executive vice president of Epsilon. The questions:

1. Is the organization storing unnecessary information?
2. Is there one person ultimately responsible for each database?
3. Is there an audit trail?
4. Is there a data classification scheme?
5. Is everything that leaves the secure data center encrypted?
6. Has a security audit by an independent organization recently been done?
7. Is database information backup done often enough and stored at an offsite location?
8. Are employees up to speed on policies and procedures?
These all are vital questions. The key question, however, is far more basic: Is the organization paying adequate attention to database security?