Friday, October 23, 2009
Tuesday, October 13, 2009
Economic Downturn impedes Needed Investments and Increases Security Risks
MEDFORD, N.J.--(BUSINESS WIRE)--The Independent Oracle Users Group (IOUG) today released its second annual database security study, “IOUG Data Security 2009: Budget Pressures Lead to Increased Risks”. The study conducted by Unisphere Research and sponsored by Oracle Corporation surveyed members of the IOUG in July and August of 2009. The 316 respondents oversee complex and multiple database sites, many with large volumes of data. Forty-two percent of those surveyed manage greater than 100 databases, and 20 percent manage in excess of 500 databases.
Among the key findings:
- There has been a 50 percent increase in data breaches since last year and growing wariness of the potential for data security problems. However, the uncertain economic climate over the past year has put a damper on the availability of funding and staff time to address these issues.
- There is pressure to do more with less and unfortunately in many cases less is actually being done. Only 28 percent of respondents reported receiving additional funding for their data security budgets – down a third from a year ago.
- Managers see internal threats – such as access by unauthorized users – as more pressing than external hackers or viruses. Potential abuse of access privileges by IT staff also ranked highly as a perceived security risk and regulatory compliance issue.
- Most organizations still do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR, or other business applications. Most are still unable to even detect such breaches or incidents.
- Outsourcing of database administration, development and testing functions has increased by up to 40 percent over the past year. More outsourcing and off-shoring without adequate security has also resulted in organizations unintentionally exposing data to additional risks.
- Close to half of organizations employ actual production data within non-production environments, thereby exposing this information in unsecured settings. To make matters worse, there has been a decline in companies “de-identifying” such sensitive data. A third even ship live un-encrypted production data offsite.
- Overall, corporate management is still complacent about data security. One out of four respondents cited lack of management commitment and lax procedures. Efforts to address data security are still ad hoc and manual. Organizations are not addressing database security as part of an overall data security strategy, and are not making the most of limited budgets.
Members of the IOUG received access to the final report document as a benefit of membership with the organization, under the IOUG ResearchWire program. Others may download the final report in PDF through the Oracle web site at http://www.oracle.com/go/?&Src=6811199&Act=294&pcode=WWMK09047366MPP012
To learn more about the survey findings and cost-effective solutions to mitigate risks to enterprise data and Oracle databases, please join us for a complimentary live webcast hosted by the IOUG. Register here: http://www.dbta.com/Webinars/Details.aspx?EventID=192&src=webad
For more information contact Aimee Pagano, apagano@smithbucklin.com, (312) 673-5801
About the Independent Oracle Users Group
Founded in 1993, the Independent Oracle Users Group (IOUG) is a global membership organization that provides Oracle users the opportunity to enhance their productivity, maximize their investment and influence the quality, usability and support of Oracle technology. The IOUG represents the voice of Oracle technology and database professionals serving nearly 20,000 database administrators, developers, architects, technical managers and other Oracle professionals throughout North America and worldwide. The IOUG empowers its members to be more productive and successful in their business and careers by delivering education, sharing best practices and providing technology direction and networking opportunities. For more information, visit www.ioug.org or call (312) 245-1579.
by Ericka Chickowski, DarkReading
New Dark Reading report outlines threats posed to databases by end users -- and how to protect your data.
In all of their frenzy to protect sensitive data from hackers and thieves, many organizations overlook the most likely threat to their databases: authorized users.
While today's headlines might be full of compromises and SQL injection attacks, most database leaks are still caused by end users who have legitimate access to the data, experts say. Yet, according to "Protecting Your Databases From Careless End Users," a new report published today by Dark Reading, many enterprises still don't do enough to protect data from accidental leaks or insider theft.
"It sometimes amazes me how little concern companies have for their production data," says James Koopmann, owner of the database consultancy Pine Horse. "They allow nearly anyone to plug in shareware, freeware, and demo tools to access sensitive production data -- without any concern for how it might be retrieving, caching, or altering data."
According to the report, there are five common factors that lead to the compromise of database information: ignorance, poor password management, rampant account sharing, unfettered access to data, and excessive portability of data.
Many database leaks are caused by users who don't know any better, experts say. According to CompTIA's Seventh Annual Trends in Information Security report, which was published earlier this year, only 45 percent of organizations surveyed offer security training to non-IT staff. Of those that did, 85 percent saw a reduction in major security breaches. Experts say that many users who work with databases simply don't understand the sensitivity -- or the value -- of the data they work with, and therefore become casual in their security practices.
Poor password management is another common issue. Either IT departments allow database users to set easy-to-guess passwords, or they make the passwords so complicated that the user ends up writing them down and sticking them to the computer screen.
"We have to strike a balance between ease of remembering for database users versus how complicated we make the passwords to protect against outsiders," says George Jucan, CEO of Open Data Systems, a database consulting firm.
In many database environments, account sharing is a common practice, which creates another set of security issues. "In many organizations, the credentialed or privileged accounts are shared and widely known," says Phil Neray, vice president of security strategy for Guardium, a database security tool vendor.
While some users take advantage of their co-workers' credentials, others gain access to data via highly privileged application server credentials. In either case, data compromises can occur without leaving a clear trail to the perpetrator.
Unfettered access to data is another common problem in many database environments, experts say. In many cases, employees are given access to more information than they need to do their jobs.
"Most of the databases today provide role-based access control to databases, and few companies actually take advantage of this," Jucan says. "If somebody doesn't even see that certain data exists in the database, they will not be tempted to print it and leave it on the printer."
In addition to role-based access controls, enterprises should look into data masking technology, database experts say. Such technology limits the user's exposure to highly sensitive and highly regulated data sets -- such as Social Security numbers -- without limiting the user's ability to do their work. Finally, enterprises should take a closer look at technologies and practices for protecting data as it becomes increasingly portable, experts say. One of the biggest dangers companies face today is the ability of authorized users to simply download large chunks of information from the database onto spreadsheets, laptops, or portable storage devices.
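The role-based access and masking approach Jucan describes, as an added Oracle SQL example that is not part of the article: the clerk role is granted a masked view rather than the base table, so the raw Social Security number and the salary column are invisible to it, not merely blocked. The schema name HR, the table, role, user and column names are assumptions for illustration.

```sql
-- Added example (not from the article). Run the first part as the schema
-- owner HR; table, role and user names are assumptions for illustration.

-- Base table holding the sensitive columns.
CREATE TABLE employees (
  emp_id    NUMBER        PRIMARY KEY,
  full_name VARCHAR2(100) NOT NULL,
  dept      VARCHAR2(30)  NOT NULL,
  salary    NUMBER(10,2)  NOT NULL,
  ssn       CHAR(11)      NOT NULL   -- stored as 'NNN-NN-NNNN'
);

-- Constructed sample rows (not real people or numbers).
INSERT INTO employees VALUES (1, 'Ada Lovelace', 'ENG', 120000, '123-45-6789');
INSERT INTO employees VALUES (2, 'Alan Turing',  'ENG', 115000, '987-65-4321');
COMMIT;

-- Masked view: exposes only the last four SSN digits and omits salary
-- entirely, so a clerk cannot print or export what the view never shows.
CREATE VIEW employees_clerk_v AS
  SELECT emp_id,
         full_name,
         dept,
         'XXX-XX-' || SUBSTR(ssn, -4) AS ssn_masked
  FROM   employees;

-- Role-based access: the privilege is on the view only, never on the table.
CREATE ROLE hr_clerk;
GRANT CREATE SESSION TO hr_clerk;
GRANT SELECT ON employees_clerk_v TO hr_clerk;

-- One named account per clerk (no shared credentials), holding just the role.
CREATE USER clerk_alice IDENTIFIED BY "<placeholder-strong-password>";
GRANT hr_clerk TO clerk_alice;

-- Check, connected as clerk_alice: this succeeds and returns masked SSNs ...
SELECT full_name, ssn_masked FROM hr.employees_clerk_v;

-- ... while a direct read of the base table fails with
-- ORA-00942: table or view does not exist, because no privilege on
-- HR.EMPLOYEES was ever granted; the data does not appear to exist.
SELECT ssn, salary FROM hr.employees;
```

A periodic review of `DBA_TAB_PRIVS` for direct grants on the base table is the matching detective control: any grant that bypasses the view is a finding.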
These practices make it easier for thieves to gain access to the data via common PC hacking methods -- or to physically steal it from the user. Tools such as database activity monitoring, data leak prevention, and encryption all can help protect portable data, experts say.