
Is your database compliant and safe?

Johannesburg, 20 May 2009

In an increasingly regulated world, various industries, particularly financial services, have had to take a hard look at the way information resides within their organisations and more importantly, whether it leaves them open to risk.

Pertinent to this issue has been the recent draft release of the King III code on good corporate governance, which for the first time looks in detail at IT governance in the context of risk management.

The code states: "In IT governance, one seeks confidentiality, integrity and availability of the functioning of the system; possession of the system; authenticity of system information; and assurance that the system is usable and useful. Concerns are unauthorised use, access, disclosure, disruption or changes to the information system.

"Information security deals with the protection of information, in its electronic and paper-based forms, as it progresses through the information lifecycle for capture, processing, use, storage, and destruction."

The above touches on a myriad of IT infrastructure issues: some blatantly obvious, such as the need for a robust, enterprise-wide security infrastructure, and others, like database risk, that are far less so.

"Unobtrusive and silent, very few organisations realise that databases represent the very lifeblood of their organisations including confidential information and intellectual capital - two components highly sought after by hackers and competitors," says Amy Thomas, Fortinet product manager at Zycko.

In a nutshell, database security goes to the heart of one of the most pertinent concerns of the King III code, risk management: the safeguarding of IT assets, disaster recovery and continuity of operations.

However, in order for organisations to meet the above requirements, they need to take one step back and focus, if you will, on the animal that is the database.

Comments Phil Close, regional sales manager at Fortinet: "A good place to start is to take ownership of your database. Ensure that you understand the importance of your database and the risk, and then start looking at the drivers that underscore the need for a strong database security solution.

"Key database security drivers include compliance; data leak prevention; meeting the requirements of King III, Basel II and Sarbanes-Oxley (SOX) for those listed on the Nasdaq; and operational frameworks such as ITIL, ISO and COBIT."

The list of drivers is quite a mouthful and unfortunately, as mentioned, a lot of companies have lost sight of the importance of their databases, focusing only on network security, a marketplace flooded with mature solutions.

"A database security breach can be downright devastating and a blow to a company's reputation," says Thomas. For example, the recent breach of the database of Heartland Payment Systems, one of the largest payment processing companies in the US, impacted more than 100 million credit card transactions, with instances of fraud reported within days.

The breach also prompted the Washington Credit Union League to push legislation requiring data protection controls for all merchants and third parties that process payment card data.

In another instance, TJ Maxx, a clothing retailer in the US, exposed in 2007 almost four years of customer debit and credit card information to a malicious attacker, resulting in millions of dollars in damages to the company.

Comments Thomas: "Database security is of utmost importance and can not only impact their organisation within but also shareholders and stakeholders who have a vested and monetary interest in a company."

Adds Close: "We, unfortunately, still find that organisations tend to hold up their hands when a breach does take place, blaming it on the original database manufacturers or even external parties. Furthermore, they are downright surprised when a breach takes place; surely only one's network can be vulnerable?

"The reality is that the necessary controls and security solutions should have been in place to prevent a database breach. The database forms as much a part of the organisational security infrastructure as any other connected network device."

So, what should you look for in a database security solution provider? "For one, partner with an expert that specialises in database security. Next, ensure that they offer a risk analysis of your organisation, giving you an honest report on just how exposed your database is," explains Thomas.

"The reality is if you do not understand the risk, you will not know how to mitigate it. Ensure you opt for a solution that offers centrally-managed, 24x7 monitored, enterprise-scale functionality that will enable you to implement a security solution that is not only compliant but also effective."

Concludes Close: "While no solution is the silver bullet for all your database woes, it will provide you with a strong first-line defence, mitigate the risk and ensure you have the time to take the necessary steps so that a malicious attacker does not wreak complete havoc on your database."


Zycko

Zycko is an international distributor focusing on three key areas: networking, VOIP and security. Zycko is 100% channel focused, selling its solutions through a channel of resellers, systems integrators and service providers.

Networking: Zycko's networking division is an independent supplier of third-party/OEM transceivers (GBICs and SFPs), router cables and router memory. The company also distributes original Cisco equipment and refurbished products for internal infrastructures and for maintenance and/or spares holding, which offer significant cost savings to resellers and their clients. Zycko also sources 3Com, Nortel and Juniper networking products, to mention a few.

Zycko's Smartpac repair centre offers in-house repairs on all networking equipment, including Cisco, 3Com and Nortel. It repairs both end-of-life and new equipment and operates a no-fix/no-fee service. All repairs are carried out to component level with a turnaround time of two weeks.

VOIP: Zycko is also the official distributor of Polycom's range of SIP-based IP handsets and conference phones, as well as the Kirk IP DECT solutions and the SpectraLink wireless solutions.

Security: Zycko is the official distributor of Fortinet's secure gateway offering, which includes antivirus, firewall, IPS, VPN, Web filtering and anti-spam technology, all in one box.

For further information, visit http://www.zycko.co.za.

Editorial contacts

Kerry Simpson
Evolution PR
(011) 462 0679
kerry@evolutionpr.co.za
Amy Thomas
Zycko: Fortinet
(011) 706 9202
amy.thomas@zycko.co.za