[Report] Data Security At An Inflection Point: Best Practices and Challenges
There’s no question that data security has become a major concern for many enterprises, particularly since the internet opened up for business almost two decades ago. In recent times hackers have grown increasingly sophisticated, and able to target enterprises with an array of approaches, ranging from outright intrusions to the release of viruses and malicious code that either brings down networks, or sits stealthily, collecting sensitive data. While awareness of these external threats has heightened—even at the boardroom level—enterprises still engage in lax practices regarding the way data is moved around within the organization, and out to external business partners.
These are some of the findings from a new survey of 524 enterprise IT and data managers, conducted by Unisphere Research, a division of Information Today, Inc., and sponsored by Application Security, Inc. (AppSecInc). Emails were sent to subscribers of Database Trends and Applications, as well as AppSecInc customers, which directed them to the survey instrument posted on a website. The survey was conducted in October 2011.
Key findings from the study include the following:
Risks to databases have only increased in recent years, an overwhelming majority of respondents agree. Hackers and other malicious third parties are becoming bolder and more technically proficient, making the jobs of data managers increasingly difficult. While many data managers have lost sleep over the years worrying about data security, recent high-profile hacker attacks have put organizations even more on guard. In addition, data security has gained more attention from management.
Close to one-third know or suspect their organizations may have experienced a data breach, and even more expect a data breach over the coming year. However, few understand the costs of such breaches to their organizations.
Organizational issues impede efforts to address database security. In most cases, security is overseen by both database and security teams. Adding to the challenge is the need to store data for long periods of time—a majority of respondents maintain data well beyond the required storage limits.
One out of four respondents now maintains data environments within private clouds, but a majority are concerned about security in these environments as well.
Respondents are divided as to whether their organizations’ existing data security controls provide an adequate level of protection against database breaches and attacks.
Most companies have multiple copies of production data in their enterprises, and often don’t have direct control of all copies.
Database security audits are few and far between. When audits are conducted, issues typically uncovered include access control and configuration mistakes. Vendors’ security patches are applied infrequently.
Monitoring and configuration solutions are prevalent, but other security technologies such as encryption are only seen at a minority of companies.
Respondents are predominantly Microsoft SQL Server and Oracle shops, with about one-third also running MySQL. The largest segment of respondents, 24%, are database administrators, while 19% are IT executives and managers and 18% are developers and analysts. Respondents represent a range of organizations, from small firms with fewer than 100 employees (17%) to large organizations with more than 10,000 employees (30%). A wide range of industry groups is also represented, including IT service and software firms (19%), government agencies (16%), financial services (15%), and education (8%).
As will be discussed throughout this report, data security not only relies on good technology, but also effective and committed management. The ability to “sell” data security best practices to management is often a challenge for IT and data executives and managers. “We face a lack of urgency in data security at all levels of management, including the CEO and CIO,” says one respondent. “Our database security has been ad hoc and delivered primarily through one individual. We face huge risk through unsecured web applications, unmonitored database activity, and poorly and undefined security mandates.” On the following pages are the latest findings on how enterprises are responding—or not responding—to these challenges.