Database Security Is In Need of Repair


ESG recently surveyed 179 security professionals about database security in their organizations. Survey respondents came from North American organizations with 1,000 employees or more.

Databases run on the same Windows/Linux/UNIX servers as everything else, but their security issues are more critical than those of other applications or services. Why? To paraphrase bank robber Willie Sutton, "because that is where the money is." In this case, "money" = valuable confidential data. Fifty-eight percent of survey respondents said that databases contain the highest percentage of their organization's confidential data. The number 2 response, general purpose file servers, wasn't even close at 15%.

With all of that valuable data, you'd think that database security is the digital equivalent of Fort Knox. Unfortunately, you'd be wrong in this assumption. The ESG data points to a few critical problem areas:

1. No one owns database security. Instead it appears to be a collective effort shared by security administrators, IT operations, data center managers, system administrators, DBAs, etc. With this many people involved, database security is likely to be fraught with redundant processes, numerous "root" access passwords, and human error.

2. Database security is dominated by manual processes. Again, if administrators are manually scanning databases, updating asset management tools, and patching systems, you can bet there are lots of known and unknown vulnerabilities -- everywhere.

3. While 57% of organizations assess their database security once per quarter or more frequently, 39% assess their database security twice a year or less frequently. In other words, the security tools and controls protecting organizations' most critical data are only checked from time to time.

Does anyone still wonder why there are so many data breaches? This situation is unacceptable and needs to be addressed. Government and industry regulations should demand more stringent controls and oversight, while database vendors IBM (IBM), Microsoft (MSFT), Oracle (ORCL), and Sybase (SY) should warn customers about the risks of these deficiencies.

Copyright © 2009 IDG Communications, Inc.
