Yet most companies focus their security measures on data in transit - particularly over the internet - while paying far less attention to protecting the vast amount of sensitive data at rest.
Why crack individual credit card transactions over the internet when entire repositories of private information stored in databases may be open for attack?
Not surprisingly, hackers who are able to penetrate perimeter defenses usually focus their efforts where the reward is greatest - the database. Credit card numbers, social security numbers, passwords, health records, employment records, intellectual property, proprietary source code and other sensitive information often lies virtually unprotected in large data repositories. Security breaches here can have a devastating effect on a company's business and reputation and can severely damage relationships with customers.
At one web electronics retailer, hackers were able to steal from the company's archives nearly 8,000 invoices for online credit card orders and a large inventory database. And on a larger scale, last year three men were arrested in what is believed to be the largest identity theft case in U.S. history. More than 30,000 identities were 'stolen' by helpdesk employees extracting account passwords from a database and downloading credit reports that listed bank account, credit card, mortgage and other financial information.
Legislation and standards
Increasing concerns about security and privacy have prompted the development of legislation and industry standards that are designed to encourage companies to follow tighter security practices for the protection of sensitive data. For example the European Union's 94/46/EC Directive on Data Privacy (Safe Harbor) sets data privacy standards for companies doing business in the E.U. and in the U.S., the Gramm-Leach Bliley Act (GLBA) is designed to protect personal financial information.
Other legislation focuses on specific data such as protecting personal health care information and pharmaceutical records, while the major credit card companies are also taking measures to protect customer data. Visa, for example, has introduced its Visa CISP (cardholder information security program) and will audit and fine merchants and service providers if they do not take appropriate measures to protect cardholder account and authentication data.
Databases are particularly vulnerable to attack, and while firewalls help to protect private networks from external penetration, once compromised the database itself is exposed and firewalls do nothing to prevent against internal attacks. Traditionally, companies have attempted to protect databases by using access control solutions provided by the main vendors such as Oracle, Microsoft, IBM and Sybase, or third-party software companies. But this approach has inherent limitations and cannot protect the data if these basic access control measures are circumvented. And as demand for web-based and remote access to applications and data increases, this problem becomes more complex.
Administration and management of policy is also a potential point of weakness. For example, the database administrator (DBA) typically has full access to view all data in a database. Sensitive data such as credit card numbers should only be viewable by users who need to access that data, as established by the organization's security officer, not the DBA. This policy is known as 'separation of duties' and is critical to the overall database security.
Locking up databases
So, increasingly companies are looking to add an extra level of database security through the use of encryption. In the past, attempts to integrate cryptographic security mechanisms into large database structures were largely unsuccessful as it usually involved encrypting the entire database or special schemas to provide basic functionality. As these systems were clumsy and time consuming to implement, they delivered little improvement in security but had a major negative impact on performance.
To overcome these shortcomings, fine-grained data protection and key management technologies have now been developed that only encrypt those data objects or fields specified by the security policy. So instead of building walls around servers or hard drives, a protective layer of encryption is created around individual data-items or objects.
For example, in the case of health care records it may only be necessary to encrypt data that identifies the individual. Or for storing credit card details, just the credit card number and expiration date may need to be secured.
Underpinning database encryption solutions is the use of cryptography and key management. This relies on using long-lived secret keys that need to be carefully protected to ensure the confidentiality of the data. Encrypted data is only as secure as the keys used to encrypt it and if these secret keys are compromised, the security of the database is at risk. This means that the keys need to be created, stored, distributed and changed in a manner commensurate with the value of the data being protected.
Server environments are not often designed with security as a priority, and if keys are managed and stored in memory on the database server, for example, they may well be exposed to attack. Because of the very random nature of cryptographic keys, they are easily spotted among other typical data on the server, making them susceptible to theft.
The alternative is to utilize specially designed and built tamper-resistant hardware security modules (HSMs), to protect and manage the cryptographic keys. These are devices that meet the FIPS 140 Level 3 standard for the generation, storage, disposal, archival and recovery of cryptographic keys. The management of private keys inside the secure HSM can deliver a significant improvement in both the security and manageability of a database encryption solution.
E-payments companies are also using hardware security modules for database encryption solutions. For example, iPIN (www.ipin.com), a provider of e-payment services, is protecting private information stored on Oracle databases by enabling the storage of encryption keys in an HSM. iPIN provides financial institutions, telecomm service providers, automotive component suppliers, internet service providers and e-commerce merchants with a wide range of internet payment and transaction options. As e-commerce services are rolled out, the ability to protect critical information stored in databases - such as credit card numbers, personal and corporate data, and passwords - is critical to prevent fraud and increase consumer confidence.
Taking database security seriously
iPIN is one of the first e-payment companies to implement this more comprehensive approach, securing the content of its informational databases and archives through advanced encryption techniques, as well as protecting online transactions. The Oracle database is used typically in an online transaction processing (OLTP) fashion and iPIN's commerce router processes and enters transaction information. Without hardware-protected key management technology, internal or external attackers could decrypt and access data by gaining access to the encryption keys that would be relatively unprotected on the database server.
Another company that takes database security seriously is Exostar (www.exostar.com), a service provider offering electronic marketplaces for the aerospace and defense industries. The company was founded by BAE Systems, Boeing, Lockheed Martin, Raytheon and Rolls-Royce, to connect manufacturers, suppliers and customers in a virtual marketplace. Its collaboration service, ForumPass, enables business partners to work together more effectively through shared online workspaces.
By giving extended project teams better communication and management tools, ForumPass helps companies streamline the supply chain and gain control over unwieldy product development processes - and in turn, speed time to market, improve product quality and significantly cut product development costs. To collaborate successfully, team members must have instant access to the latest project data - highly sensitive CAD drawings, product specifications, project plans, timelines and more.
In order to protect this shared intellectual property and to meet the strict security requirements laid out by the founding partners, Exostar makes advanced use of cryptography for a broad range of functions, including securing the stored data. CAD drawings, discussion threads and other metadata are encrypted while stored on a distributed Oracle database, preventing someone with database access from stealing or compromising the sensitive data.
It is impossible to guess at the volume of data stored on large database repositories around the world, but it is very clear that much of it is sensitive information of a commercial, public interest or simply personal nature. And while much of the attention has been focused on protecting data on the move, it is far easier to hit a bigger target standing still.
Stu Vaeth is director of product marketing with nCipher (www.ncipher.com)