By Jaroslav Cerny, CEO at RDB Consulting
Over the course of recorded history wealth has been measured by different things, from agriculture and land in the Middle Ages to manufacturing and industry at the beginning of the 19th century and the capitalist economy of the 20th century. Towards the latter part of the 20th century, computers began to emerge as a powerful force to be reckoned with, and as the 21st century continues it has become increasingly clear that information has become the new currency and data can be regarded as a measure of wealth in today’s world.
With the increased value of data there is a corresponding increase in the type of crime we experience as people, organisations and countries vie for power. In the Middle Ages the power belonged to those who conquered other lands, expanding their empires. When industry came to the fore, stealing ideas was the criminal’s way of getting ahead, and those who had the best ideas first were the most powerful and profitable. Today, however, empires are built on information, and the biggest losses experienced by organisations and even governments revolve around data theft and data loss.
The reality is that criminals will always exploit vulnerabilities in order to make money, and companies with vulnerabilities within their data security are the latest victims. From national intelligence agencies to the stock market and every organisation in between, adequate data protection has become of utmost importance in a world where wars are now being fought over information.
The ongoing Wikileaks scandal is a well-known example of exactly what can happen when information falls into the wrong hands, but this is far from an isolated incident and there have been multiple examples over the years from across the globe. Months before a UK car manufacturer planned to launch their new model car, an identical vehicle appeared in Asia. This incident was the result of plans being stolen from the manufacturer and sold to the highest bidder, and ended up costing the organisation a fortune in lost revenue and position. In Luxembourg, a database administrator at a bank managed to find a way to trace anonymous offshore accounts back to their owners in Germany, and created CDs of this information which he offered to the German government for millions of Euros.
Even South Africa has not escaped this phenomenon, with the recent RICA registration process coming under fire for inadequate security resulting in cell phone users’ information being accessed by identity thieves and unscrupulous marketers.
The most frightening similarity between all of these security breaches is the fact that they were perpetrated by internal employees. Hacking, while it still happens and must be prevented, has become outdated, and security breaches more often than not originate within the organisation itself, where users have no need to hack but simply ask for permission to access. Having central databases to house information makes sense from a business perspective, but this also makes securing the database more important than ever. And while many organisations wait for a breach to happen before they take steps to address vulnerabilities, this reactive approach is often too late and the damage to reputation, profitability and competitiveness has already been done.
The biggest vulnerability within the database is people, since administrators often have access to all of the data contained in the database and controls are not put into place. This is precisely what happened in the Wikileaks incident, where the perpetrator simply copied all of the sensitive information onto disks and walked out with it. Other issues include weak usernames and passwords, unnecessarily extensive user and group privileges and access to features, unpatched databases and unencrypted sensitive data to name but a few.
Some of these security vulnerabilities are a simple matter to solve, particularly the password and username problems, but others require a more sophisticated technique. Measures need to be put into place to control what people can do with information they are permitted to access. It is also important to trace the actions of people who access the data with a system that does not allow for the deletion of log files, so that an audit trail can be created to assist in forensic investigations after a breach has happened.
An XML database firewall monitor is another necessary security measure, as this will monitor all requests to the database and block and flag irregular or malicious requests whilst checking employees’ access rights and permissions.
However, in order for this to function adequately it is necessary to create rules to define requests as regular or otherwise, and these need to be constantly updated and maintained as the organisation changes and grows.
Database security is not a once-off project, since new vulnerabilities will always be emerging; it needs to become a dynamic, constantly updated process that is a vital part of the business.
If database security is properly designed, it requires minimal human intervention and maintenance, which as a result makes it even more secure.
In order to achieve proper design of database security, the database itself needs to be correctly set up, so that firewall rules can be created correctly to provide maximum usefulness. Data within the database also needs to be correctly classified, otherwise the authentication and authorisation aspects of security will not work.
When it comes to implementing adequate database security, there are five aspects that should be considered:
1. Policies must be put into place to manage permissions, access and actions that may be taken with data.
2. People need to be trained and educated, and need to adapt to the culture change of a security-aware organisation. There is no blanket approach to this, since every organisation is different.
3. Automation is necessary to remove the element of human error and to provide faster responses, better security and better governance, risk and compliance.
4. Planning and analysis, including forecasting, are vital to plan for the future and adapt the system to changing conditions as well as to ensure continuity independent of individual employees.
5. The correct IT infrastructure to support the whole security concept.
It is important to bear in mind that database security is also not the sole domain of the IT department, and needs to be driven from the business aspect. Database security protects the business itself from losses, but having more stringent controls can impact the way people work. For example, they may not have the ‘freedom’ that they previously enjoyed on the network.
It is therefore important to educate the staff and incorporate change management by communicating the rationale behind these restrictions and why they are necessary. This requires the involvement of people within the organisation and buy-in from the top level for change management to be successful. Security is also a vital component of any governance, risk and compliance initiative, which again is a business venture and requires business buy-in.
Setting up this database correctly and then ensuring that it is adequately protected is vital for any organisation today. However, this is a highly specialised skill, since it needs to be done in a cohesive and all-encompassing manner to ensure that vulnerabilities are minimised.
Outsourcing database setup, maintenance and security to the experts makes sense given the skills shortage in South Africa and the importance of getting this setup right to prevent data theft, data loss and negative impacts to productivity and profitability.
In today’s world, where information is king and data has become currency, the database is the heart of any business, and database security should be top of mind when it comes to addressing security concerns.