By Gerrit-Jan Albers, Service Delivery Manager at RDB Consulting
Database security is possibly the most important and complex implementation project an organisation will undertake. Not only is it critical to ensure that the information held in the database is secure from a host of external threats, including viruses, phishing scams and the like, but the need for internal security is also increasing. With the rise in incidents of identity theft, corporate espionage and fraud, internal security controls such as identity and access management have moved up the corporate agenda.
The database is mission critical in the majority of modern organisations. It touches every system, every process and every person within the organisation, making its security a crucial concern. However, without input from the business, IT may lock systems down to such an extent that the infrastructure no longer provides the functionality the business needs. As a result, a security implementation cannot be viewed simply as an IT project or simply as a business imperative, but as a combination of both.
Adequate preparation is critical in ensuring a successful database security implementation. This preparation can be broken down into five major areas that need to be tackled, namely: security policies and guidelines; business process analysis; people; planning and forecasting; and security infrastructure.
Security policies and guidelines
Simply buying technology without a solid understanding of the risks posed and of the organisation's needs is pointless. Risk assessments should be conducted in every area of operations. These assessments and the risk areas they identify need to be documented and turned into security policies, which must be approved by the Board of Directors.
Rules and parameters such as security policies need to be set; otherwise it remains unclear exactly what the security solutions are meant to accomplish, making it impossible to gauge whether security is meeting business requirements. Policies and guidelines also ensure that staff members know what is expected of them regarding security, which in turn supports compliance. Without rules, compliance cannot even be measured.
Business process analysis
Security must take into account the requirements of the business and accommodate normal business functions without major disruption. Security solutions should be strong enough to prevent breaches, while remaining flexible enough to let people do their jobs. This is a delicate balancing act that cannot be achieved without analysis and understanding of business processes. Business process analysis should be the starting point for any IT rollout and implementation, and database security is no exception.
People
Security must take into account not only technology, but people and processes as well, and the reality is that few organisations get this right. So much focus has been given to securing the database from external threats that internal threats are ignored, yet the majority of fraud cases and data theft occur on the inside. Identity and access management is critical to ensure that employees (and partners) have access only to the data they need to do their jobs, without exposing sensitive information.
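The "access only to the data they need" principle above is easiest to see in concrete grants. The following is an added example written for this page, not code from the original article or from RDB Consulting; it uses PostgreSQL and a hypothetical CRM schema (the crm.customers table, the support_agent, compliance_officer and alice roles are all invented for illustration). It shows the weak pattern (one shared all-powerful login), the least-privilege alternative (job-function roles granted specific columns), and a check that a DBA can run after every change to see what each role can actually reach.

```sql
-- Added example (not from the original article). All schema, table and role
-- names are hypothetical. Run as a superuser or the schema owner.

-- Weak pattern: one shared login that can do anything, handed to everyone.
-- Any person or application using it can read or alter every row,
-- and the audit trail cannot tell them apart.
-- CREATE ROLE app_shared LOGIN SUPERUSER;

-- Hardened pattern: one NOLOGIN role per job function, each granted only
-- the tables and columns that job needs; people are members of a role.
CREATE SCHEMA crm;

CREATE TABLE crm.customers (
    customer_id   bigserial PRIMARY KEY,
    full_name     text NOT NULL,
    email         text NOT NULL,
    national_id   text NOT NULL,        -- sensitive: compliance needs it, support does not
    created_at    timestamptz NOT NULL DEFAULT now()
);

-- PostgreSQL grants PUBLIC nothing on a new schema or table, but revoking
-- explicitly documents the intent and guards against changed defaults.
REVOKE ALL ON SCHEMA crm FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA crm FROM PUBLIC;

CREATE ROLE support_agent      NOLOGIN;
CREATE ROLE compliance_officer NOLOGIN;

GRANT USAGE ON SCHEMA crm TO support_agent, compliance_officer;

-- Support can look up and correct contact details, but never see the national ID.
GRANT SELECT (customer_id, full_name, email, created_at) ON crm.customers TO support_agent;
GRANT UPDATE (email)                                   ON crm.customers TO support_agent;

-- Compliance can read everything but changes nothing.
GRANT SELECT ON crm.customers TO compliance_officer;

-- A person's login holds no privileges of its own; it only inherits from a job role.
-- The credential itself comes from the authentication method configured in
-- pg_hba.conf (SCRAM, LDAP, Kerberos), not from a password pasted into scripts.
CREATE ROLE alice LOGIN IN ROLE support_agent;

-- Check: what can each job role actually do on the crm schema?
-- Table-level grants are expanded to one row per column, so a role that
-- should not see national_id must not appear next to that column.
SELECT grantee, table_name, column_name, privilege_type
FROM   information_schema.column_privileges
WHERE  table_schema = 'crm'
  AND  grantee IN ('support_agent', 'compliance_officer', 'PUBLIC')
ORDER  BY grantee, column_name, privilege_type;

-- Test the boundary from the support seat (SET ROLE needs membership or superuser).
SET ROLE support_agent;
SELECT full_name, email FROM crm.customers;   -- allowed
SELECT national_id FROM crm.customers;        -- ERROR:  permission denied for table customers
RESET ROLE;
```

The verification query is the part worth scheduling: privilege drift usually comes from well-meant one-off GRANTs during an incident, and the information_schema view shows them without needing to read pg_dump output. Column-level grants keep the sensitive column out of a role's reach while still letting that role do its job on the same table, which is exactly the balance the section above describes.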
Employees can prove to be the undoing of even the most stringent and comprehensive security system. They must be educated not only on how to use the technology, but also to gain an understanding of the reasons for security and policies. This requires buy-in and guidance from senior management levels, since any educational and change management programme should be driven from the top down. Without top level buy-in and education, employees will fail to see the relevance of policies and procedures and will likely ignore them, leaving the organisation vulnerable.
Planning and forecasting
Security implementations can be a time-consuming affair and it is vital to understand what the desired future state of the database security should be. A roadmap needs to be in place to forecast the next stages of the project to ensure that implementations will run on time, on budget and will meet the expectations of the organisation.
As with any IT solution, a proper plan makes the implementation itself far easier, shortening the rollout time and cutting down on costs. If planning is not done upfront, the likelihood is that systems will have to be reworked because they are not delivering as expected. Any hiccup in the implementation process can cause negative perceptions of the project, hindering adoption. Planning helps to avoid such scenarios. It also ensures the right balance between business functionality and security is achieved.
Security infrastructure
Infrastructure underpins the database. Systems need to support the organisation's standards and policies and enable security solutions to function as intended. It is one thing to have multiple standards and policies in place, but they need to be enforced by the infrastructure if they are to be effective. That infrastructure also needs to be 'fit for purpose' and implemented correctly, otherwise it will be unable to deliver as expected.
Just how valuable is your data?
These five areas work in harmony with each other to help organisations plan and deliver successful database security implementations. While they do not necessarily need to be completed in order, they all need to be tackled, as each is necessary to establish a secure environment and reduce the risk of a breach.
When faced with the complexity of a database security implementation, many organisations argue that the cost outweighs the benefit, and that their data simply is not valuable enough to justify the time and spend on security. A good rule of thumb, best run as a tabletop exercise rather than a live outage, is to ask what would happen if the database were switched off for a day. If the organisation could still function and would not lose money, then security is not crucial. However, if the business could not operate as usual and remain profitable, then the database is a critical part of the organisation and needs to be adequately secured.