With recent high-profile data thefts, such as the breach at TJ Maxx, more companies are realizing that it is not enough to padlock the front door to their networks; they also have to put a watchdog on the databases that house the crown jewels. The watchdog is needed not only to prevent external breaches but also to catch internal sabotage, which becomes more likely in the current economic situation as disgruntled employees become more common. In addition, the PCI-DSS requirements have recently been updated to demand tougher measures for protecting consumer credit card and personal information. As a result, greater emphasis needs to be placed on database security for regulatory compliance, forcing companies to make information security measures part of their overall network security strategy.
For organizations with web-facing applications that fall under PCI-DSS, combining database security with a web application firewall provides the most comprehensive data protection strategy for today's demanding security environment. Web application firewalls are designed to protect, and often also to accelerate, web applications, the databases behind them and the information exchanged between the two.
Traditionally, companies have not given database security high priority despite the valuables databases hold. Databases are generally not accessed directly by end users, but by trusted parties such as database administrators and auditors; end users reach database information through applications, such as those used for online banking or retail transactions. So companies tend to protect only the network front door and the applications that talk to the database, and are lulled into the false sense that the data itself is thereby secured. The idea that a company is safe inside the trusted zone of its own network no longer holds: malicious intent may lurk within the network as well as outside it.
Targeted database attacks will only grow over time, because the information stored in databases (sensitive corporate intellectual property and consumer personal information) has real monetary value on the digital black market. According to the Privacy Rights Organization, a nonprofit consumer information and advocacy group, the number of records containing sensitive personal information exposed in security breaches in the U.S. since January 2005 exceeds 261 million (the number of individuals actually affected may be higher). Forrester Research puts the per-record cost of a data breach at $305. The cost of not having a database security solution in place can therefore be significant, not only to corporations but also to the customers who entrusted them with their personal information.
If the network firewall is the lock on the network's front door, database security is the motion detector that senses every entry to and exit from the database, and the application firewall is the traffic cop that checks that the information being served complies with a pre-approved policy. Because database information must be accessed by users both inside and outside the network, it cannot be put under complete lock and key; it can, however, be monitored for unusual or suspicious activity, and its soft spots can be identified and patched before they are breached.
The best approach to protecting corporate databases today, for companies of all sizes, is a combined solution set of database security and a web application firewall. Deployed in tandem, the two provide multiple layers of security against threats arriving from multiple vectors. In addition, compliance with various sections of the PCI-DSS is more easily achieved with the combination of these two products.
A database security solution should take a comprehensive, three-pronged approach: vulnerability assessment and remediation, round-the-clock database activity monitoring, and database auditing for regulatory compliance:
• Vulnerability assessment starts with auto-discovery to help organizations find where their databases reside; then applies automated, policy-driven checks that detect weaknesses in passwords, access privileges and configuration settings; alerts administrators to the potential threats found; and offers remediation advice.
• Database activity monitoring captures every type of activity around the clock, from administrative events to user queries, and applies controls that catch erroneous use or misuse of data as it happens.
• Database auditing records database activity into complete and accurate audit trails, kept in independent audit storage outside the monitored database, as an additional layer of protection for audit integrity.
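As an added illustration of the second and third prongs, the following Python script (written for this article, not code from Fortinet or any product) runs a handful of monitoring rules over a few constructed audit records and writes each record into a hash-chained audit trail, so that editing or deleting an entry after the fact is detectable. The log format, the thresholds, the account names and the business-hours policy are all assumptions made for the example.

```python
"""Toy database activity monitor with a tamper-evident audit trail (example code)."""
import hashlib
import json
import re
from datetime import datetime

# Constructed sample audit records (made up for this example; not real log output).
# Fields: timestamp | database account | client host | statement | rows affected/returned
SAMPLE_LOG = """\
2009-03-02T09:15:04|app_web|10.1.2.10|SELECT name FROM customers WHERE id = 4711|1
2009-03-02T11:42:19|app_web|10.1.2.11|UPDATE orders SET status = 'shipped' WHERE id = 99|1
2009-03-02T23:07:51|dba_joe|10.1.9.5|SELECT card_number, expiry FROM cards|184233
2009-03-03T02:11:08|dba_joe|10.1.9.5|GRANT ALL PRIVILEGES ON cards TO temp_user|0
2009-03-03T10:03:44|reporting|10.1.3.20|SELECT COUNT(*) FROM orders|1
"""

# Assumed policy values; a real deployment would take these from its own data classification.
SENSITIVE_TABLES = {"cards", "customers"}
ADMIN_ACCOUNTS = {"dba_joe"}
BULK_ROW_THRESHOLD = 10_000
BUSINESS_HOURS = range(8, 19)          # 08:00 to 18:59
PRIVILEGE_VERBS = ("GRANT", "REVOKE", "CREATE USER", "ALTER USER", "DROP USER")
TABLE_REF = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|ON)\s+([A-Za-z_]\w*)", re.IGNORECASE)


def parse_log(text):
    """Turn the pipe-separated records into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue
        ts, user, host, stmt, rows = parts
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "statement": stmt.strip(),
            "rows": int(rows),
        })
    return records


def referenced_tables(statement):
    """Crude table extraction, good enough for the simple statements in this example."""
    return {m.lower() for m in TABLE_REF.findall(statement)}


def evaluate(record):
    """Return the names of the monitoring rules a single record violates."""
    stmt = record["statement"].upper()
    tables = referenced_tables(record["statement"])
    touches_sensitive = bool(tables & SENSITIVE_TABLES)
    is_read = stmt.startswith("SELECT")
    hits = []
    # DBAs administer the database; they should not be reading cardholder data.
    if record["user"] in ADMIN_ACCOUNTS and is_read and touches_sensitive:
        hits.append("admin_reads_sensitive")
    # Large result sets from sensitive tables look like exfiltration, whoever runs them.
    if is_read and touches_sensitive and record["rows"] >= BULK_ROW_THRESHOLD:
        hits.append("bulk_read")
    # Privilege changes are flagged unconditionally.
    if stmt.startswith(PRIVILEGE_VERBS):
        hits.append("privilege_change")
    # Sensitive access or privilege changes outside business hours deserve a second look.
    if (touches_sensitive or "privilege_change" in hits) and record["time"].hour not in BUSINESS_HOURS:
        hits.append("off_hours")
    return hits


class AuditTrail:
    """Append-only, hash-chained store: each entry commits to everything before it,
    so an edit or deletion anywhere in the trail breaks verification."""

    def __init__(self):
        self.entries = []

    def append(self, record, hits):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        payload = json.dumps({**record, "time": record["time"].isoformat(), "hits": hits},
                             sort_keys=True)
        digest = hashlib.sha256((prev + payload).encode()).hexdigest()
        self.entries.append({"prev": prev, "payload": payload, "digest": digest})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            expected = hashlib.sha256((prev + e["payload"]).encode()).hexdigest()
            if e["prev"] != prev or expected != e["digest"]:
                return False
            prev = e["digest"]
        return True


def monitor(text):
    """Run every record through the rules; return (alerts, trail)."""
    trail = AuditTrail()
    alerts = []
    for rec in parse_log(text):
        hits = evaluate(rec)
        trail.append(rec, hits)          # every record is recorded, flagged or not
        if hits:
            alerts.append({"user": rec["user"], "statement": rec["statement"], "rules": hits})
    return alerts, trail


if __name__ == "__main__":
    alerts, trail = monitor(SAMPLE_LOG)
    for a in alerts:
        print(a["user"], a["rules"], "->", a["statement"])
    print("audit trail intact:", trail.verify())
```

Of the five constructed records, only the DBA's late-night bulk read of the cards table and the subsequent GRANT trip any rule; the application account's ordinary queries pass silently. The hash chain is a minimal stand-in for the independent audit storage the article calls for: it does not stop someone with write access from changing an entry, but it makes the change visible to whoever verifies the chain, which is the property an auditor needs.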
Each of these functions can be performed individually and by hand, but doing so is costly, cumbersome, time-intensive and open to human error. An automated database security approach reduces that complexity significantly and reaches compliance more quickly.
Web applications are essentially a public interface to the databases that store sensitive information, so securing this interface is as critical as securing the databases themselves. While many web applications have security controls built in, writing secure web application code is difficult and often not the developer's priority. Securing the code of each application separately also runs into a list of practical challenges: new vulnerabilities, patching schedules, code revisions, code access, vulnerability identification and deployment timelines. The ideal arrangement separates the security of the web application from the application itself, so that uniform security measures are enforced regardless of how much security is built into each application, and a single umbrella of protection covers a number of web applications.
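To make the "separate the security from the application" idea concrete, here is an added Python example (not code from the original article or from any Fortinet product) in which a small policy filter, written as WSGI middleware, sits in front of a deliberately naive backend that splices a request parameter straight into a SQL query. The paths, the parameter patterns and the in-memory customer table are constructed for the example, and the request helper calls the application directly, so nothing listens on the network.

```python
"""A positive-model request filter in front of a web application (example code)."""
import re
import sqlite3
from urllib.parse import parse_qs

# Assumed policy: every protected path lists the parameters it accepts and the exact
# shape each value may take. Anything else is rejected before the application sees it.
POLICY = {
    "/account": {"id": re.compile(r"^\d{1,9}$")},
    "/search": {"q": re.compile(r"^[\w .-]{1,40}$"), "page": re.compile(r"^\d{1,3}$")},
}


def policy_filter(app, policy=POLICY):
    """WSGI middleware: enforce the policy uniformly for whatever app it wraps."""
    def guarded(environ, start_response):
        path = environ.get("PATH_INFO", "")
        rules = policy.get(path)
        params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        reason = None
        if rules is None:
            reason = "path not in policy"
        else:
            for name, values in params.items():
                pattern = rules.get(name)
                if pattern is None:
                    reason = f"unexpected parameter {name!r}"
                    break
                if not all(pattern.match(v) for v in values):
                    reason = f"parameter {name!r} violates policy"
                    break
        if reason:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [f"blocked: {reason}\n".encode()]
        return app(environ, start_response)
    return guarded


def build_db():
    """Constructed in-memory table standing in for the customer database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                   [(1, "Alice", "4242"), (2, "Bob", "1881"), (3, "Carol", "0005")])
    return db


DB = build_db()


def naive_account_app(environ, start_response):
    """Deliberately weak backend: it concatenates the raw parameter into SQL.
    It stands for the application whose code cannot be fixed on the security team's timeline."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    account_id = params.get("id", ["0"])[0]
    rows = DB.execute("SELECT name, card_last4 FROM customers WHERE id = " + account_id).fetchall()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("\n".join(f"{n},{c}" for n, c in rows) + "\n").encode()]


def request(app, path, query):
    """Invoke a WSGI app with a constructed environ; return (status, body text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


if __name__ == "__main__":
    guarded = policy_filter(naive_account_app)
    print(request(naive_account_app, "/account", "id=2"))
    print(request(naive_account_app, "/account", "id=1 OR 1=1"))   # weak app returns every row
    print(request(guarded, "/account", "id=2"))
    print(request(guarded, "/account", "id=1 OR 1=1"))             # filter stops it first
```

The filter implements a positive model: each path lists the parameters it accepts and the shape each value may take, so a request is judged against what the application should receive rather than against a catalogue of known-bad strings. That is what lets one policy layer cover several applications of differing quality. The naive backend stays exactly as weak as it was, and fixing it is still the right long-term answer, but the malformed request no longer reaches it.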
Data siphoning is, and will continue to be, a real and immediate threat to corporations of all sizes, and it requires solutions with both breadth and depth to ensure data integrity and regulatory compliance.
Database security solutions should be a part of a comprehensive network security strategy that encompasses strong protection for the network perimeter, applications and databases.
Judhi Prasetyo, Regional Channel Manager, Fortinet Middle East writes on the need for a combined solution set of database security and web-application firewall to protect corporate databases