IT Professionals Losing Database Security, Study Says

Jun 12, 2007 3:10 PM

           

Databases are among the most widely deployed, complex, and fastest growing technologies in corporate infrastructures, according to Dark Reading, a security news source for enterprise IT and network security professionals. Stocked with vast amounts of business-critical, sensitive records, they're now the focal point in highly-damaging data breaches. It's a safe bet that perpetrators will target databases even more in the days ahead.

Yet, as businesses rush to provide real-time information flow inside and outside their organizations, database security remains one of the least understood and most under-funded aspects of corporate security -- and IT is yelling for help.

These are some of the key findings in a new study Ponemon Institute LLC released in conjunction with Application Security. It queries 649 highly experienced IT professionals, more than 70 percent of which are responsible for managing all or part of their organization's IT budget -- a solid barometer for corporate priorities.

Of the 2007 total corporate IT budget, respondents said they have allocated 34 percent for database infrastructure and 20.6 percent for IT security overall. More than 53 percent believe their databases are critical to their businesses.

But only 15 percent said that extending security best practices to the database is a "critical priority" for 2007. Higher priorities included upgrading applications (25 percent), improving the efficiency of IT (20 percent), and consolidating IT infrastructure (19 percent). Upgrading security overall (13 percent) finished slightly lower, as did supporting Sarbanes-Oxley (10 percent) and upgrading disaster recovery capabilities (9 percent).

Ninety-two percent of respondents are seeking a better tool to help them identify and analyze risk factors that exist within their systems or IT infrastructure. This makes sense says Dark Reading, particularly as a majority of respondents plan to, or only slight, increases in IT staff in 2007.

According to the study results, IT security practitioners are fairly confident they can stop hackers from compromising their systems (68 percent), but they are far less certain that they can prevent malicious insiders (43 percent) and negligence (45 percent).

Respondents in larger organizations are more confident than those in smaller-sized companies when it comes to their ability to control these threats.

There is a lot of valuable data in corporate databases. Some 55 percent of respondents said their databases contain customer data, 54 percent said databases contain employee data, and 50 percent contain confidential business data. Intellectual property -- the most highly-guarded data in the survey -- resides in 38 percent of respondents' databases.

Respondents' database environments are of substantial scale and complexity -- a majority of respondents manage more than 500 databases. Twenty-nine percent have many different database types and technologies. Another 38 percent said their IT environment consists of a few different types of databases. Only 24 percent of respondents stated that their organization utilizes one primary database technology. One of the biggest challenges, then, is coordinating database security across the enterprise.

SQL, Oracle, and DB2 are the most frequently used database solutions for respondent companies. In addition, the results show that both Oracle and DB2 are the most likely to be used for critical or high-priority data. MySQL and Sybase were the least likely to be used for critical data.

What are the features most important to respondents when purchasing a database security software application or tool? Robust access controls, ease of integration, and the ability to identify unauthorized access are viewed as the three most important features. Real time alerts and preformatted policies for Sarbanes Oxley or PCI compliance ranked low on the list.

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

SUBSCRIBE

Select an Issue April 1, 2008 March 1, 2008 February 1, 2008 January 1, 2008 December 1, 2007 November 1, 2007 October 1, 2007 September 1, 2007 August 1, 2007 July 1, 2007 June 1, 2007 IP Security Supplement May 1, 2007 April 1, 2007 March 1, 2007 February 1, 2007 January 1, 2007 School Security December 1, 2006 November 1, 2006 October 1, 2006 September 1, 2006 August 1, 2006 July 1, 2006 June 1, 2006 May 1, 2006 April 1, 2006 March 1, 2006 February 1, 2006 January 1, 2006 December 1, 2005 November 1, 2005 October 1, 2005 September 1, 2005 August 1, 2005 July 1, 2005 June 1, 2005 May 1, 2005 April 1, 2005 March 1, 2005 February 1, 2005 January 1, 2005 December 1, 2004 November 1, 2004 October 1, 2004 September 1, 2004 August 1, 2004 July 1, 2004 July 1, 2004 June 1, 2004 May 1, 2004 April 1, 2004 March 1, 2004 February 1, 2004 January 1, 2004 December 1, 2003 November 1, 2003 October 1, 2003 September 1, 2003 August 1, 2003 July 1, 2003 June 1, 2003 May 1, 2003 April 1, 2003 March 1, 2003 February 1, 2003 January 1, 2003 December 1, 2002 November 1, 2002 October 1, 2002 September 1, 2002 August 1, 2002 July 1, 2002 June 1, 2002 May 1, 2002 April 1, 2002 March 1, 2002 February 1, 2002 January 1, 2002 December 1, 2001 November 1, 2001 October 1, 2001 September 1, 2001 August 1, 2001 July 1, 2001 June 1, 2001 May 1, 2001 April 1, 2001 March 1, 2001 February 1, 2001 January 1, 2001 December 1, 2000 November 1, 2000 October 1, 2000 September 1, 2000 August 1, 2000 July 1, 2000 June 1, 2000 May 1, 2000 April 1, 2000 March 1, 2000 February 1, 2000 January 1, 2000 December 1, 1999 November 1, 1999 October 1, 1999 September 1, 1999 August 1, 1999 July 1, 1999 June 1, 1999 May 1, 1999 April 1, 1999 March 1, 1999 February 1, 1999 January 1, 1999 December 1, 1998 November 1, 1998 October 1, 1998 September 1, 1998 August 1, 1998 July 1, 1998 June 1, 1998 May 1, 1998 April 1, 1998 March 1, 1998 February 1, 1998 January 1, 1998 December 1, 1997 November 1, 1997 October 1, 1997 September 1, 1997 August 1, 1997 July 1, 1997 June 1, 1997 May 1, 1997 April 1, 1997 March 1, 1997 February 1, 1997 January 1, 1997

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue