From the Security Experts

May 03, 2012

Enterprises Lack Security for Protecting Sensitive Databases, Suggests IOUG Survey

By Contributing Writer

There’s no better time to address the importance of data protection and control by securing enterprise databases, as “Organizations Are Not Doing Enough to Secure Enterprise Data,” according to Chris Warticki in a recent report. Since corporate databases often contain sensitive data, they are a major target for application threats and attacks by hackers.

Protecting sensitive information and the data center should be a priority for all enterprises, especially due to the increase in the number of threats now affecting applications. Denial-of-service and SQL injection, for example, are two common types of attacks against database-driven applications.

There are a number of actions businesses and security professionals can take to protect sensitive data from external threats and attacks by cybercriminals, and some of these actions are actually quite simple and easy to implement. One can prevent an unauthorized individual from gaining access to a system by limiting the type of input users can provide and the privileges they have when interacting with the database server. This can also ensure integrity and restrict access to only authorized users.

Users can also be granted access according to their need-to-know: data can be separated according to its classification (such as top secret, secret, and confidential data), and users are given access according to their own classification level.

Beyond data classification and access control measures, auditing can be used to analyze and record the activities on a system to re-create the history of events, intrusions or possible system failures. With system and event logs, one can produce a report of the system’s findings. And with database activity monitoring and prevention, one can also protect against, if not block, unauthorized activities.
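The three controls described above (restricting input, access by classification level, and an audit trail) can be shown together in one small sketch. This is an added example, not code from the article or the IOUG survey; the table names, column names, users and sample rows are all constructed for illustration, and SQLite stands in for an enterprise database server.

```python
import sqlite3

# Classification ladder ordered low to high (labels from the article; ranks assumed).
LEVELS = {"confidential": 1, "secret": 2, "top secret": 3}

def build_db():
    """In-memory database with constructed sample rows and an audit table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, body TEXT, level INTEGER);
        CREATE TABLE audit (ts TEXT DEFAULT CURRENT_TIMESTAMP, actor TEXT, event TEXT, allowed INTEGER);
    """)
    db.executemany("INSERT INTO records (owner, body, level) VALUES (?, ?, ?)", [
        ("alice", "payroll summary", LEVELS["confidential"]),
        ("alice", "merger plan", LEVELS["top secret"]),
        ("bob", "network diagram", LEVELS["secret"]),
    ])
    return db

def read_records(db, actor, clearance, owner):
    """Return the bodies of owner's records that the actor's clearance permits."""
    event = "read owner=%r" % (owner,)
    if clearance not in LEVELS or not isinstance(owner, str) or not owner.isalnum():
        # Input outside the expected shape is refused, and the refusal is recorded.
        db.execute("INSERT INTO audit (actor, event, allowed) VALUES (?, ?, 0)", (actor, event))
        return []
    # Placeholders keep owner as data, never as SQL; the level filter enforces need-to-know.
    rows = db.execute(
        "SELECT body FROM records WHERE owner = ? AND level <= ? ORDER BY id",
        (owner, LEVELS[clearance])).fetchall()
    db.execute("INSERT INTO audit (actor, event, allowed) VALUES (?, ?, 1)", (actor, event))
    return [r[0] for r in rows]

def audit_trail(db):
    """Re-create the history of access attempts in the order they happened."""
    return db.execute("SELECT actor, event, allowed FROM audit ORDER BY rowid").fetchall()

if __name__ == "__main__":
    db = build_db()
    print(read_records(db, "carol", "secret", "alice"))         # filtered by clearance
    print(read_records(db, "carol", "secret", "x' OR '1'='1"))  # refused and logged
    for row in audit_trail(db):
        print(row)
```

In a production database the same separation would normally be enforced by the server itself (per-role grants and row-level policies) rather than by application code alone, so that a compromised application cannot bypass it.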

Unfortunately, data breaches are a common occurrence among organizations, as pointed out in a recent Independent Oracle Users Group (IOUG) survey. According to the survey, enterprises are not doing enough to prevent security vulnerabilities: in fact, the IOUG Security Survey reports that 60 percent of respondents have yet to implement the controls needed to prevent a data breach over the next 12 months.

In order to protect sensitive data throughout the enterprise, it is important to take the necessary steps to prevent the intentional or unintentional release of secure information to an unauthorized party. One can easily reduce data breaches by enforcing least-privilege access controls and giving rights and privileges only to those who have been identified and authenticated. With access controls (by means of DAC, MAC or RBAC), access rights, permissions, privileges, responsibilities and duties, an enterprise always has a way to secure data.

Edited by Braden Becker