Traditional security controls and processes have a strong focus on defending infrastructure rather than data. Those that do focus on data typically look at defending unstructured data from outsiders, with a view to preventing access to systems with file stores containing sensitive documents.
The importance of securing unstructured data will not go away; however, the part of the application stack which can get overlooked when securing company information is the database. Application DBs are typically where most consumer data, which is usually highly sensitive in nature, starts its life cycle.
In most organisations, the databases house the “crown jewels” of data, including sensitive financial and customer records. Moreover, new regulations around privacy and mandatory disclosure make database security more crucial than ever.
In this article we will review today’s challenges with database security, and the steps IT leaders can take to keep ahead of technology and regulatory changes.
Database security needs more priority
For decades organisations have focused on endpoint, network and perimeter security, in addition to data encryption and access control systems.
When breaches are analysed, it is often seen that attackers go after databases, compromising the endpoint, network, perimeter, applications/APIs and other infrastructure on the way to the crown jewels. If an attacker wants millions of records of highly sensitive data to hold someone to ransom, they will typically obtain it from a database.
Australian consumers are aware of the risks to their personal information. According to Imperva’s No Silver Linings report, against the backdrop of increasing data breaches and misuse of personal data, 39 per cent say their faith in the willingness of digital service providers to keep personal data secure and private has decreased in the past five years. Furthermore, 28 per cent say they don’t trust any organisation – public or private – to keep their private information absolutely private.
Despite the important nature of the information in databases, they have not had the level of visibility and monitoring you would expect given the risk to the organisation.
And cloud is only accelerating this issue. The ability to quickly and easily deploy and manage databases in the cloud gives developers and IT managers a new level of flexibility; however, if not managed properly, this fluidity of data creates challenges.
With all the benefits cloud brings, keeping track of where data lives is one reason it can become a genuine risk. Cloud makes it effortless to move data between locations with different levels of security: security may be high in production but low in a staging or development environment.
Unfortunately, when it comes to databases many organisations have poorly maintained asset registers. Without knowing how many databases they have, along with the type and volume of data they hold, it’s impossible to suitably protect them.
“Protecting sensitive databases is hard for enterprise security groups with limited resources and tools. Often it is the security teams’ tools themselves that make database breach detection so difficult,” says Kane Fraser, Area Vice President at Imperva. “Tools that cannot properly contextualize alerts from a busy database often overwhelm security teams with an avalanche of mostly noise, making it hard to understand where to begin and focus incident investigation efforts.”
Rising regulation calls for tighter database security
It is best practice to treat all data stores with the same level of security, and in the case of databases, there are growing reasons to bring them up to speed with other parts of your environment.
In Australia, regulation is lagging compared to other nations, so there needs to be more focus on monitoring and securing large customer databases. However, authorities are also clamping down on organisations that expose sensitive data such as payment and customer details.
Regulations like the Notifiable Data Breaches (NDB) scheme and the Security Legislation Amendment (Critical Infrastructure) Act oblige relevant organisations to notify authorities of any incidents, including the details of the data breach.
With increasing regulation comes the increasing possibility of penalties for lax database security, not to mention the reputation and business impact of a database breach.
Historically, only large organisations such as the big banks and telcos were investing in database security technology. At Imperva we are seeing a growing trend of tier-2 financial service and retail companies wanting to better protect their databases.
Integrating application and data security
It is now time for IT leaders to apply the rigour of traditional application and system-level security to the database, as a new approach to data security.
While a web application firewall (WAF) is important, for your data to remain secure it needs to be backed by an all-encompassing application security platform. The data in the database can be subject to a system-level attack or a business logic attack (BLA), and Australia’s IT leaders need to stay in front of all vulnerabilities.
Start by identifying what is needed to manage and protect your databases, determine whether any are vulnerable to data breaches, and develop a plan for protecting the organisation from various forms of attack, including those designed to compromise SQL databases.
A data security platform should support many types of data repositories, including databases, file storage, messaging services, and cloud services. Integration with numerous other services, such as SIEM, SOAR, IAM, and DLP is also desirable.
A data security platform will help improve your capability across data discovery and classification; data activity monitoring; and data protection and response.
A key capability of data risk analytics is to identify data breach threats without all the noise. Data risk analytics considers which database and table are involved, the user’s access and roles, whether the data is sensitive or not, and what the user does with it. By correlating all this event information, data risk analytics contextually determines whether an activity is simply an anomaly without risk, or an actual serious threat to sensitive data, before generating an alert.
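The correlation described above, shown as an added illustration rather than Imperva’s product logic: a constructed set of database audit events is scored against an assumed asset register (which tables are sensitive) and assumed role profiles, so that the same deviation stays an anomaly on non-sensitive data but becomes an alert against a sensitive table.

```python
from dataclasses import dataclass

# Constructed stand-in for an asset register: which (database, table) pairs hold sensitive data.
SENSITIVE_TABLES = {("crm", "customers"), ("billing", "cards")}

# Constructed role profiles: operations a role normally issues and the row volume it normally touches.
ROLE_PROFILE = {
    "app_service": {"ops": {"SELECT", "INSERT", "UPDATE"}, "max_rows": 500},
    "analyst":     {"ops": {"SELECT"}, "max_rows": 10000},
    "dba":         {"ops": {"ALTER", "CREATE", "GRANT"}, "max_rows": 0},  # schema work, not row reads
}

@dataclass
class DbEvent:
    user: str
    role: str
    db: str
    table: str
    op: str
    rows: int
    source: str  # "app" (via the application) or "interactive" (direct client session)

def assess(ev):
    """Correlate role, operation, volume, session type and data sensitivity.
    Returns (verdict, reasons); verdict is 'none', 'anomaly' or 'threat'."""
    profile = ROLE_PROFILE.get(ev.role, {"ops": set(), "max_rows": 0})
    reasons = []
    if ev.op not in profile["ops"]:
        reasons.append(f"{ev.op} is unusual for role {ev.role}")
    if ev.rows > profile["max_rows"]:
        reasons.append(f"{ev.rows} rows exceeds the role norm of {profile['max_rows']}")
    if ev.source == "interactive" and ev.role == "app_service":
        reasons.append("service account used from an interactive session")
    if not reasons:
        return "none", reasons
    # Same deviation, different outcome: noise on a non-sensitive table, an alert on a sensitive one.
    sensitive = (ev.db, ev.table) in SENSITIVE_TABLES
    return ("threat" if sensitive else "anomaly"), reasons

def alerts(events):
    """Only events that reach 'threat' are surfaced; anomalies are kept for context, not paged on."""
    return [ev for ev in events if assess(ev)[0] == "threat"]

# Constructed audit events, in the shape a database activity monitor might emit.
SAMPLE_EVENTS = [
    DbEvent("svc_web", "app_service", "crm", "customers", "SELECT", 20, "app"),
    DbEvent("dba_jane", "dba", "crm", "customers", "SELECT", 250000, "interactive"),
    DbEvent("bob", "analyst", "reporting", "daily_totals", "SELECT", 50000, "interactive"),
    DbEvent("svc_web", "app_service", "billing", "cards", "SELECT", 600, "interactive"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, why = assess(ev)
        print(f"{ev.user:9} {ev.db}.{ev.table:13} {verdict:8} {'; '.join(why)}")
```

Of the four events only the two that touch sensitive tables are surfaced; the analyst’s oversized report query is recorded as an anomaly without paging the SOC.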
Here is a quick checklist of what a data security platform should deliver.
- Clear summaries that explain complex issues in plain language
- Faster problem resolution times
- Attacks categorized and prioritized by real risks, rather than anomalies
- The ability to spot bad actors before they cause damage
- No false positives, enabling the SOC team to focus on the critical issues
It is time for IT leaders to stop thinking about application security, data security, and privacy as separate entities. Each feeds into the others, so tackle them as one.
Learn more at imperva.com