Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Friday, October 09, 2009

Six Steps Toward Better Database Security Compliance

In a sea of compliance initiatives, database security is often overlooked.  But experts say no matter what the regulations say, securing the database is a critical part of any compliance effort.  “What I’ve found in my experience is that the database is often the forgotten layer, even though it’s the layer where the crown jewels—the data—usually resides,” says Scott Laliberte, global leader of information security assessment services for Protiviti, which conducts third-party audit assessments for enterprises.  But improving the security of the database as part of a larger compliance initiative is doable, experts say.  The trick is to follow six steps toward database compliance.

1. Database Discovery And Risk Assessment Before organizations can start their database compliance efforts, they must first find the databases—and where the regulated data resides in them.
“That’s a big challenge for a lot of folks.  They know where their mainframes are, and they know where a lot of their systems are but…they don’t really know which database systems they have on their network,” says Josh Shaul, vice president of product management for Application Security, a database security company.

2. Vulnerability And Configuration Management Once an inventory has been developed, organizations need to look at the databases themselves.
“Basic configuration and vulnerability assessment of databases is a key starting point for enterprises,” Shaul says.

3. Access Management and Segregation of Duties Figuring out who has access to regulated data, what kind of access they are given, and whether that access is appropriate for their jobs is at the heart of complying with regulatory mandates.  “Sometimes it’s as simple as account management, password controls, and removing default accounts,” Laliberte says.  Organizations need to be vigilant to constantly review roles and entitlements to prevent toxic combinations of privileges.  Take, for example, a payments clerk who gets a promotion to run the accounts payable department.  In the new position, that person “owns” the AP system and has the ability to modify and delete checks that have been written.

4. Monitoring Risky Behaviors And Users Unfortunately there is a built-in segregation of duties violation in every database—and it’s one you can’t get rid of, Shaul says.
“Databases in general don’t give you the ability to take away DBAs’ data access away from them,” Shaul says.  “And that’s what auditors are coming in and flagging folks for, saying, ‘First and foremost, you’ve got this easy-to-find segregation of duties violation.  This exposure is one reason why database activity monitoring is so critical to enterprises seeking to satisfy regulatory requirements.  Unfortunately, all too many organizations fail to log, track, or monitor database activity because they worry that such monitoring may affect database performance.  DBAs and other database stakeholders should know that today’s third-party monitoring tools aren’t nearly as burdensome to database performance as in years past, experts say.

5. Reporting On Compensating Controls In those instances where organizations have appropriate compensating controls in place, auditors want proof that these controls actually exist, Laliberte says.

6. Following Defense-In-Depth Strategies Finally, it is important to remember to keep a little perspective on the matter of database security and compliance.
“This is really just a piece of what has to be a pretty large security program that’s going to allow you to meet these regulations,” says Mike Rothman, senior vice president of strategy for eIQnetworks, a security information and event management company.

Phil Lieberman, president of Lieberman Software, a password management company, believes this is one of the biggest database risks of all.  The data may be secure on the server, but if someone with ill intent gets hold of the unencrypted tape, then it will be compromised all the same.

Posted on 10/09