As companies like Deutsche Telekom have learned, attackers are going after databases, reports Deb Radcliff.
Universities, banks, SMBs and large brands alike are waking up to the fact that their databases are no longer safe inside their perimeter firewalls, intrusion prevention systems and other edge protections.
"One of the main concerns we hear from our clients is security of their databases," says Steven King, CTO of Data Intensity, a US-based managed IT services provider that manages databases, including enterprise resource planning (ERP) systems and other sensitive database applications. "At the end of the day, our clients know that the database is where their crown jewels are."
Database security awareness has reached the point where some sort of database logging and auditing now occurs at 83 percent of organisations, based on a survey of 260 IT professionals sponsored by encryption vendor Vormetric and released in October.
The question is, how and what are they logging and auditing? And how are they handling the remaining security areas - access controls and assessment - particularly in light of what Noel Yuhanna, principal analyst at Forrester, calls a "security gap" in current database technologies.
"Right now, database topologies are not flexible enough to differentiate between a user and an attacker," Yuhanna says. "If there's a suspicious activity around user queries - say, they're querying sensitive data a hundred times - the database doesn't care, so long as the user has a valid name and password. All database vendors have the same gap."
Third-party providers, including Imperva, Guardium, Tizor and others, are first on the scene to fill this gap. These companies represent a $180 million market, which Yuhanna says is likely to double over the next three years.
Meanwhile, database vendors themselves are making improvements. Oracle and IBM, in particular, have advanced security features, Yuhanna continues. And, according to the Vormetric survey, native database encryption is being used more than third-party products. Of the 46 percent that used encryption, 79 percent used database vendor encryption, according to the survey.
Where it is going
It may take years to get there, but bringing security to data at its source - inside the database - is exactly what needs to be done, says Chris Clifton, associate professor of computer science at Purdue University, who is involved in research around this topic.
In particular, the database needs to support fine-grained access controls internally to prevent a compromised application - through SQL injection and other methods - from getting to all the data within that application. With the right access controls inside the database, the only thing a successful intruder (or authorised user) could see is the data sets assigned to that individual user.
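An added example, not from the article or any vendor it names, of the in-database control Clifton describes: a per-session filtering view plus an authorizer hook in SQLite (emulating row-level security and a GRANT on the view but not the table), so that whatever query a compromised application issues, it only sees the rows assigned to the session's user. The `accounts` table, the `accounts_rls` view and the user names and balances are all constructed for the demo.

```python
import sqlite3

# Constructed sample data: rows owned by two different application users.
SAMPLE_ROWS = [
    (1, "alice", "savings", 1200),
    (2, "alice", "checking", 300),
    (3, "bob", "savings", 9800),
]


def build_db():
    """Create the base table and the filtering view the application is allowed to read."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, kind TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    # app_user() is resolved at query time, so the view filters by whoever the session is bound to.
    db.execute("CREATE VIEW accounts_rls AS SELECT * FROM accounts WHERE owner = app_user()")
    db.commit()
    return db


def bind_session(db, user):
    """Bind the connection to one application user and deny reads that bypass the view."""
    db.create_function("app_user", 0, lambda: user)

    def authorize(action, arg1, arg2, dbname, via):
        # SQLite names the view that triggered a read in `via`; a direct read of the
        # base table arrives with via=None and is refused, like a missing GRANT.
        if action == sqlite3.SQLITE_READ and arg1 == "accounts" and via != "accounts_rls":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    db.set_authorizer(authorize)


def rows_visible_to(user, sql="SELECT id, owner, balance FROM accounts_rls"):
    """Run an arbitrary query as the session bound to `user`; the policy, not the query, bounds the result."""
    db = build_db()
    bind_session(db, user)
    return db.execute(sql).fetchall()


def direct_table_read_blocked(user):
    """True if a session cannot read the base table directly, only through the view."""
    db = build_db()
    bind_session(db, user)
    try:
        db.execute("SELECT * FROM accounts").fetchall()
        return False
    except sqlite3.DatabaseError:  # raised as "not authorized"
        return True
```

Even a query that asks for every row, or one whose WHERE clause has been widened, returns only the session user's data; the same containment is what native row-level security features in production databases provide.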