Data Protection: Some Common Misconceptions
Auditing and Risk Management
Mitigating risk may well be the most important job a senior manager has in business today. Data is a major source of business risk - we see the result of unrecognized and unmanaged risk every day in the headlines. The threat can take many forms, both internal and external, from malicious intent to honest mistakes. Regardless, it is ever-present. The most startling and damaging incidents seem to come when companies fail to understand what it takes to adequately protect data.
Knowing that risks exist in data protection is one thing. Knowing what is true data protection and what is not is entirely another. So, what are some of the common misconceptions surrounding data protection?
Some Myths
"We have very strong policies in place."
Policies are vital guides to expected organizational behavior, but too often they are pieces of paper in a binder that no one reads or that are simply forgotten over time. Policies are only effective if they are integrated into work processes and actively applied. Companies need to automate policies, monitor and audit activity against those policies, investigate violations and continuously improve both the policies and the organization's performance against them. Some policies concern user actions, while others concern system configurations (e.g., policies that help to identify deviations in the configurations of systems controlling data and its use). Having a policy is an important first step, but it does not by itself answer the challenge.
"We're compliant, because we've educated our employees and our customers."
There's no question that educating employees, customers and other stakeholders is important in achieving compliance and implementing credible practices. But compliance today is much more than policies and education, and it has been elevated to an entirely new level with Sarbanes-Oxley, HIPAA, Basel II, internal requirements and the SEC. Auditors and regulators expect strong policies and procedures to be provably in place and validated with real information and reporting. Similar to the creation of policies, educating employees is important, but constant activity monitoring is essential to ensure total compliance. Regularly inspect what you expect, and you'll see that certain types of activity will need to be addressed over time.
"My IT organization knows when someone is doing something wrong with our databases because we use database sniffers that monitor the network traffic to and from the database."
While network appliances and traffic "sniffers" are a useful tool, they are far from a complete answer, on grounds of both completeness and robustness. For example, if your network monitoring fails because the sniffer is disconnected from the network or overwhelmed with traffic, you have lost your ability to see what is happening. Traffic is still flowing to and from the database, but your visibility is gone. To be truly in control and know what is happening in the database - who did what to what data and to what effect - you need a database-centric monitoring and auditing capability. When you encounter an issue, you can then use detailed information about the impact on the database to investigate the abnormal behavior.
"I've invested in the best available security technologies."
Yes, but what did you invest in? Too often, information security is focused on perimeter protection - keeping bad guys out. While a seemingly sound philosophy, it does not account for what someone does on the inside. Insiders are reported to be responsible for most of the misuse (accidental or malicious) of databases, but perimeter and network-focused security has no visibility into what insiders, especially privileged users, can do and actually do against sensitive data. The principle of defense-in-depth is the key - keep the perimeter and other protections in place, but think inside out and implement controls where the data actually lives.
"Our applications do auditing."
Indeed, some applications implement some level of security and auditing, at the application level. These controls typically concern whether the application user is legitimate (authentication), approved to carry out the requested operation (authorization) and properly configured within the application (separation of duty). However, the data underlying the application lives within the database, and that data needs separate protection. The real work of auditing has to take place down in the data, where all access (privileged or otherwise) takes place; otherwise you can never have a complete picture of who is doing what to the data and when.
"No hackers can get through our firewall and intrusion detection systems."
No security system is perfect. Hackers work tirelessly to find vulnerabilities and exploit them. The trick is to be able to identify their anomalous behavior if it occurs. And even if no hackers break in, you still have to "trust but verify" the activities of your insiders.
"We can trust our employees."
Data can be compromised, misused or lost in many ways. Deliberate malfeasance exists in almost every environment, and unintentional policy breaches can be just as damaging. "Trust but verify" serves everyone's interests: the organization can identify potential problems quickly, employees have a way to exonerate themselves in the case of a data compromise and the owners of the data have higher levels of protection.
"My systems use encryption."
Encryption is not a panacea, especially on the database. If companies use it, they do so very selectively. Why? Because encryption imposes a performance penalty and comes with vexing key management challenges. Many companies that identify encryption as the "obvious" solution end up not using it in favor of other mitigating controls, so that their key business databases remain high performing and easy to manage.
"We have strong authentication on all critical systems."
Authentication only solves the "who is this?" question. It does not help with the "what did they do?" question. If an attacker uses legitimate user credentials, you need to know what the attacker did so that you can identify the suspicious behavior. In addition, "trusted" users who have appropriate approved access to your data can make honest mistakes when handling it. Worse, they can intentionally carry out malevolent activity such as theft, data destruction or doctoring data to obscure things from investors or regulators. A strong activity monitoring solution with automated policies and alerts is a good way to provide an added level of protection to notify you when abnormal activity is taking place.
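The three points above about database-centric auditing (capturing all access where the data lives, privileged or otherwise) and automated policies with alerts can be made concrete with a small working example. The following is an added illustration, not code from the article or from Lumigent: it uses SQLite through Python as a stand-in for any database, records every change to a sensitive table from inside the database itself via triggers (so a privileged user who bypasses the application is still captured, and a write with no attributed actor is rejected outright), and then runs a set of constructed policy rules over the audit trail to raise alerts. The `session_ctx` table, the `app_svc` service account, the `dba_jane` principal, the account data and the threshold value are all constructed for the demonstration.

```python
"""Database-centric audit trail plus automated policy checks (added example).

Everything that changes the `accounts` table is recorded by triggers inside the
database, regardless of which client made the change. A policy evaluator then
flags audit rows that violate constructed rules. SQLite is used as a stand-in
for whatever database the reader actually runs.
"""
import sqlite3

APPROVED_APP_ACCOUNTS = {"app_svc"}   # constructed: the application's service login
LARGE_CHANGE_THRESHOLD = 10_000.0     # constructed: balance delta that warrants review

SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    owner   TEXT NOT NULL,
    balance REAL NOT NULL
);
CREATE TABLE audit_log (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    ts        TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
    actor     TEXT NOT NULL,          -- NOT NULL: an unattributed write is refused
    action    TEXT NOT NULL,
    row_id    INTEGER,
    old_value REAL,
    new_value REAL
);
-- SQLite has no session user, so each connection records its principal here
-- (a constructed convention standing in for the real database's session user).
CREATE TABLE session_ctx (k TEXT PRIMARY KEY, v TEXT);
CREATE TRIGGER accounts_au AFTER UPDATE OF balance ON accounts
BEGIN
    INSERT INTO audit_log (actor, action, row_id, old_value, new_value)
    VALUES ((SELECT v FROM session_ctx WHERE k = 'actor'), 'UPDATE',
            OLD.id, OLD.balance, NEW.balance);
END;
CREATE TRIGGER accounts_ad AFTER DELETE ON accounts
BEGIN
    INSERT INTO audit_log (actor, action, row_id, old_value, new_value)
    VALUES ((SELECT v FROM session_ctx WHERE k = 'actor'), 'DELETE',
            OLD.id, OLD.balance, NULL);
END;
"""


def open_audited_db() -> sqlite3.Connection:
    """Create an in-memory database with the audited schema and constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO accounts (id, owner, balance) VALUES (?, ?, ?)",
        [(1, "alice", 500.0), (2, "bob", 25_000.0), (3, "carol", 120.0)],
    )
    conn.commit()
    return conn


def set_actor(conn: sqlite3.Connection, actor: str) -> None:
    """Attribute subsequent changes on this connection to `actor`."""
    conn.execute("INSERT OR REPLACE INTO session_ctx (k, v) VALUES ('actor', ?)", (actor,))


# Constructed policies: (name, predicate over one audit_log row as a dict).
POLICIES = [
    ("direct_write_outside_application",
     lambda r: r["actor"] not in APPROVED_APP_ACCOUNTS),
    ("delete_on_sensitive_table",
     lambda r: r["action"] == "DELETE"),
    ("large_balance_change",
     lambda r: r["action"] == "UPDATE"
     and abs(r["new_value"] - r["old_value"]) > LARGE_CHANGE_THRESHOLD),
]


def evaluate_policies(conn: sqlite3.Connection) -> list[dict]:
    """Run every policy over the whole audit trail and return the alerts raised."""
    conn.row_factory = sqlite3.Row
    alerts = []
    for row in conn.execute("SELECT * FROM audit_log ORDER BY id"):
        r = dict(row)
        for name, predicate in POLICIES:
            if predicate(r):
                alerts.append({"policy": name, "audit_id": r["id"], "actor": r["actor"],
                               "action": r["action"], "row_id": r["row_id"]})
    return alerts


def unattributed_write_is_rejected() -> bool:
    """A connection that never set an actor cannot change audited data at all."""
    conn = open_audited_db()
    try:
        conn.execute("UPDATE accounts SET balance = 0 WHERE id = 1")
    except sqlite3.IntegrityError:   # NOT NULL constraint on audit_log.actor
        return True
    return False


def run_demo() -> list[dict]:
    conn = open_audited_db()
    set_actor(conn, "app_svc")                        # routine change via the application
    conn.execute("UPDATE accounts SET balance = balance - 50 WHERE id = 1")
    set_actor(conn, "dba_jane")                       # privileged user connecting directly
    conn.execute("UPDATE accounts SET balance = balance + 15000 WHERE id = 3")
    conn.execute("DELETE FROM accounts WHERE id = 2")
    conn.commit()
    return evaluate_policies(conn)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
    print("unattributed write rejected:", unattributed_write_is_rejected())
```

Run as a script, the routine application update produces no alert, while the two direct changes by the privileged user produce four: one for bypassing the application on each change, one for the large balance change and one for the delete. Two design choices are worth noting: the trail is written by the database, not by the client, so no access path is invisible to it; and because the actor column is NOT NULL, a connection that has not identified itself cannot modify the table, which turns "who did what" from a best-effort log into a precondition for the write.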
An effective data risk management program requires many elements. At the core must be automated policies, continuous activity monitoring and ongoing system assessment. Data security is part of an overall corporate security framework, and informed communication among the c-suite executives, line-of-business managers and the IT staff is a must. The enterprise that agrees to and adheres to policies and procedures, and implements effective auditing and reporting enhances the database as a safe and trusted resource for business decision-making. That's no myth.
Dr. Murray Mazer is co-founder and vice president of Lumigent, a leading software company specializing in database auditing for compliance, security and risk management. Mazer works with Lumigent's most strategic partners and customers. He contributes thought leadership on compliance and best practices to the IT compliance and security communities through presentations, articles, interviews and other activities. A former Rotary International Scholar and reformed thespian, Mazer received the Ph.D. in computer science from the database group at the University of Toronto, where he was elected Junior Fellow at Massey College and Trinity College. You can reach him at murray.mazer@lumigent.com