CLOSING THE SECURITY GAP

2012 IOUG ENTERPRISE DATA SECURITY SURVEY

By Joseph McKendrick, Research Analyst

Produced by Unisphere Research, a Division of Information Today, Inc.

November 2012

TABLE OF CONTENTS

Executive Summary
Security Profiles
Data Protection
Auditing, Activity Monitoring and Blocking
Access Control
Compliance
IOUG Recommends


EXECUTIVE SUMMARY

As organizations dramatically scale up the amount of data moving across their systems and business units, the risk of data breaches and abuse grows.

Many organizations are managing more than a petabyte of data, which gets copied and proliferated for purposes of development, testing and backup. While data centers may have safeguards and best practices in place to protect data, there are no guarantees of whether other departments, business partners, or outsourced environments have the same rules and protocols.

Measures are also needed to safeguard data from internal abuse; preventing negligence or malfeasance by privileged users remains a serious challenge.

These enterprise data security challenges, and more, are highlighted in a new survey of 350 data managers and professionals by the Independent Oracle Users Group. The survey was underwritten by Oracle Corporation and conducted by Unisphere Research, a division of Information Today, Inc.

The survey covered progress within three key areas of database security:

1. Prevention: encryption, masking, privileged user controls.
2. Detection: activity monitoring, network logging, database firewalls, auditing.
3. Administration: database lifecycle and configuration management.

Survey respondents hold a variety of job roles and represent a wide range of organization sizes and industry verticals. Database administrators are the largest group (38%), followed by directors/managers of IT. More than one-fourth work for very large organizations with more than 10,000 employees.

The majority come from IT service providers, financial services, education, and government agencies. (See Figures 43–46 for demographic detail.)

The following findings highlight the importance of data security issues:

Corporate data security budgets are still increasing at many organizations this year, but the share of organizations reporting an increase has fallen below previous years' levels. More than half of respondents say their organizations still do not have, or are unaware of, data security plans to help address contingencies as they arise. Additionally, human error has beaten out internal hackers or unauthorized users as the biggest security risk.

Many organizations have multiple copies of sensitive, unencrypted production data moving both within and outside their enterprise, increasing the risk of data breaches. Less than a third of respondents encrypt all sensitive data on disk or in motion. More than three-fifths of respondents send actual copies of enterprise production data to other sites inside and outside the enterprise.

A majority of respondents actively collect native database audits, but there has not been an appreciable increase in the implementation of automated tools for comprehensive auditing and reporting across all databases in the enterprise. In addition, this monitoring is sporadic—most would not know if their data had been breached or corrupted by an insider. There may be a great deal of attention and due diligence when it comes to auditing or monitoring database systems for unauthorized access or tampering with records, but perhaps the best—and least employed—strategy is prevention. Only about a third of respondents say they are able to prevent privileged users from abusing data, and most do not have or are not aware of ways to prevent the downloading of sensitive data to spreadsheets or other ad hoc tools.

While data security audits can help track abuses after they happen, few respondents conduct such audits on a frequent basis. More companies are moving to centralized repositories to manage audit information.

Respondents also discussed where they see data security vulnerabilities within their organizations.

“The sheer number of systems and databases…with business units operating like [a] standalone business, is a challenge for us. Plus, processes and controls are not yet consistent across the enterprise.”

—Analyst, Mid-Sized Manufacturer

“Management does not assign enough time for creating monitoring and testing suites; it cares more about increasing the customer base.”

—Chief Information Officer, Services Company

“I don’t believe management sees data as vulnerable. As long as there are no reports from higher-seated users, they think everything is performing ideally. At this point, the most pressing risks are in the developers/testers themselves and the lack of knowledge concerning the data structure/ architecture on the database—and even infrastructure— they are working with.”

—Database Administrator, Consulting Firm

Despite growing threats and enterprise data security risks,

SECURITY PROFILES

Does it take an actual security breach to finally spur management into action and win more funding and support for data security efforts? That is how it played out at one respondent's organization, who described the company's wake-up call: "A 2011 security breach forced management action to address holes in the systems; There continues to be ongoing action to pursue tighter security."

There is evidence in this survey that management is becoming more data-security conscious, although companies appear to be slowing the growth of their spending compared to previous years. Among respondents who know how their companies' IT security spending changed over the past year, increases outnumber decreases: in total, 32% report an increase, 23% report no change, and 11% are seeing a decrease. (See Figure 1.) However, the percentage of companies increasing spending is down from previous years. (See Figure 2.)

In addition, as found in previous surveys, there still appears to be a gap between the IT managers implementing security solutions and the corporate management funding these efforts. More than a third of respondents, 34%, simply were not aware of spending in this area, suggesting that many respondents are not privy to management decisions about data security spending across their enterprises, or have only a limited view of them.

In all cases, respondents run a multitude of databases. Only about 19% report they are smaller sites with fewer than 10 databases. A total of 55% have 100 or fewer databases, while 38% have more than 100. (See Figure 3.)

While a majority of respondents report they keep tabs on the sensitive or regulated data that moves through their enterprises, it is nonetheless telling that there is a substantial portion who do not. A third of respondents, 33%, admit that they are not fully aware of all the databases in their organizations that contain sensitive or regulated information. (See Figure 4.)

Respondents are only too aware of the risks they incur in outsourcing arrangements. As one DBA with a global healthcare organization explains, "Outsourcing to an offsite data center has opened our systems to additional security risks that are beyond our immediate control. Unclear definition of responsibilities between internal and external support has led to a lot of uncertainty about what is actually being monitored and who is doing the monitoring."

While a troubling 7% report that their organizations' data has been breached, compromised, or tampered with in some way, another 23% admit they don't know. (See Figure 5.) Confidence about the future is lower still: 28% say a data breach over the next 12 months is either "somewhat likely" or "inevitable." (See Figure 6.)

What is the greatest risk to enterprise data? A common perception is that outside hackers are the most menacing threat. But the data managers and professionals in this survey say the threat is more likely to come from within, among the employees they trust most. The largest share, 38%, sees human error as a high-level threat to their operations. Internal hackers or unauthorized users rank second at 22%, followed by abuse of privileges by IT staff, cited by 13%. Lack of management commitment to security is cited as a "high" threat by 12%. Only 11% regard outside hackers as a high-level threat. (See Figure 7.)

While just under half, 49%, state they have database security plans, this means a majority either have not formulated such plans or are unaware whether someone else in their organization has done so. Organizations are better prepared for disruptions and incidents that require preserving data or rolling back to previous versions: backup and recovery plans are commonplace, with 89% of respondents stating they have such plans in place, and most also have disaster recovery plans, indicated by 78%. (See Figure 8.)


Figure 1: Change in Corporate IT Security Spending Over the Past Year

Increased by more than 20%: 8%
Increased 11% to 20%: 7%
Increased 6% to 10%: 9%
Increased up to 5%: 8%
No change from previous year levels: 23%
Decreased: 11%
Don't know/unsure: 34%

(Any increase: 32% combined.)

Figure 2: Year-to-Year Percentages Reporting Increased IT Security Spending

2008: 41%
2009: 28%
2010: 43%
2011: 43%
2012: 32%

Figure 3: Number of Databases at Respondents' Companies

Fewer than 10: 19%
11 to 100: 36%
101 to 500: 18%
501 to 1,000: 7%

Figure 4: Aware of all Databases With Sensitive or Regulated Information?

Yes: 67%
No: 33%

Figure 5: Data Breached Over Past Year?

Yes: 7%
No: 70%
Don't know/unsure: 23%

Figure 6: Likelihood of a Data Breach Over Next 12 Months

Inevitable: 7%
Somewhat likely: 21%
Somewhat unlikely: 25%
Highly unlikely: 17%
Don't know/unsure: 29%

(Total does not equal 100% due to rounding.)

Figure 7: Greatest Risks, Threats, Or Vulnerabilities to Data

Human error: 38%
Internal hackers or unauthorized users: 22%
Abuse of privileges by IT staff: 13%
Unprotected web applications: 13%
Lack of management commitment/lax procedures: 12%
Malicious code/viruses: 12%
Outside hackers: 11%
Lack of auditability of access and changes: 10%
Loss of hardware or media (e.g., disks, tapes, laptops): 10%
Abuse by outside partners/suppliers: 8%
Advanced persistent threat: 6%
Fines/lawsuits resulting from inadequate data security procedures: 6%

(Multiple responses permitted.)

Figure 8: Contingency Plans

Backup/recovery plan: 89%
Disaster recovery plan: 78%
Database security plan: 49%
Performance test plan: 42%
None of the above: 2%
Don't know/unsure: 5%

(Multiple responses permitted.)

DATA PROTECTION

Copies of production data proliferate: 41% of respondents report having three or more copies of production data across the enterprise. (See Figure 9.)

Only about a third of respondents, 32%, could say that personally identifiable information (e.g., Social Security, credit card, and national identifier numbers) is encrypted across all databases within their environment. More than one in five say there is no encryption at all, while 36% report encryption in only some databases. (See Figure 10.) There has been no increase in the adoption of full encryption since the first survey was conducted in 2008. (See Figure 11.)

Likewise, a relatively limited number of respondents say that application data is encrypted on the network as it travels to or from databases. Only 29% say they encrypt all their database traffic. By contrast, 58% admit that only some or none of their data traffic is protected this way. (See Figure 12.)

Along with encrypting data moving out of production environments, another challenge is ensuring the security of backed-up or archived data. Only 23% could say the bulk of their online and offline database backups and exports are encrypted. Close to two-thirds, 62%, say that such encryption is either limited or non-existent. (See Figure 13.)

Among the more security-conscious enterprises in the survey (those that report being able to restrict privileged user access, as cited in Figure 30), adoption of encryption is wider in every phase of the data lifecycle. Forty-three percent of these security-conscious companies report that all stored personally identifiable information within their walls is encrypted, versus 28% of less-security-conscious organizations. Likewise, 41% of security-aware enterprises encrypt all data in motion across their networks, against 25% of the others. For encrypting database backups, the split is 32% of security-aware companies versus 19% of those without measures to limit insider abuse. (See Figure 14.)

The risk of maintaining unencrypted backup data within an enterprise is high enough; exacerbating the issue is the nearly one-third of respondents who send unencrypted database backups offsite, to places such as third-party storage sites or other data centers. (See Figure 15.)

Enterprises often send production data offsite to third parties for development, data management services, or backup and storage. Just over a third of respondents, 35%, indicate they outsource some aspects of their database management. (See Figure 16.) Sending data offsite, or copying production data into non-production environments, is useful for development, testing and QA, but it puts data at risk because live production data is often used so that systems and applications behave as they do in production. A majority of respondents, 55%, say they use actual copies of enterprise production data in non-production environments, while almost one-third use "outdated" production data. (See Figure 17.) Unfortunately, data considered outdated often contains sensitive values that never truly go stale, such as Social Security and passport numbers.

Data de-identification, or masking, is a technique employed to help prevent data breaches in non-production environments; however, among enterprises that employ such processes, it typically is regarded as a one-off process. Close to one-third indicate they use custom scripts to de-identify data, while 21% say they de-identify on an ad hoc basis. Only 21% say regular data de-identification is a standardized procedure. Close to half, 46%, indicate they either do not de-identify data, or simply don’t know if they do. (See Figure 18.)
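The "standardized procedure" the paragraph above contrasts with ad hoc scripts is, in practice, a repeatable masking step run on every extract before it leaves production. The block below is an added example of such a step, written for this page and not taken from the survey or from any vendor tool. It assumes a keyed HMAC as the masking primitive (so the same real value always maps to the same pseudonym, which keeps joins between tables working, while the key never leaves production); the sample tables, column names and key are constructed for the example.

```python
"""Deterministic de-identification of a production extract.

Added example: masks direct identifiers before a copy of production data
leaves for development or test. A keyed HMAC makes the mapping repeatable, so
a masked SSN still joins across tables, while the key stays in production and
the masked values cannot be reversed without it. All rows, column names and
the key below are constructed for this example.
"""
import hashlib
import hmac
import re

# Assumption: in production this comes from a secrets store and is never
# shipped alongside the masked extract.
MASKING_KEY = b"example-key-kept-in-production-only"

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def _keyed_token(label: str, value: str, key: bytes) -> bytes:
    """HMAC-SHA256 over a labelled value; the label keeps tokens for different
    column types from colliding even when the raw strings are equal."""
    return hmac.new(key, f"{label}:{value}".encode("utf-8"), hashlib.sha256).digest()


def mask_ssn(ssn: str, key: bytes = MASKING_KEY) -> str:
    """Format-preserving pseudonym for a US SSN (NNN-NN-NNNN)."""
    if not SSN_RE.match(ssn):
        raise ValueError("unexpected SSN format")
    digits = str(int.from_bytes(_keyed_token("ssn", ssn, key), "big") % 10**9).zfill(9)
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_email(email: str, key: bytes = MASKING_KEY) -> str:
    """Keyed token as the local part; a reserved domain so test mail never routes."""
    local, sep, _domain = email.partition("@")
    if not sep:
        raise ValueError("unexpected email format")
    return f"user_{_keyed_token('email', local.lower(), key).hex()[:12]}@masked.invalid"


def mask_name(name: str, key: bytes = MASKING_KEY) -> str:
    """Opaque but stable replacement for a person's name."""
    return "Person " + _keyed_token("name", name, key).hex()[:8]


# Column -> masking function. Columns not listed pass through unchanged.
MASKING_RULES = {"ssn": mask_ssn, "email": mask_email, "name": mask_name}


def mask_rows(rows, rules=MASKING_RULES, key=MASKING_KEY):
    """Apply the per-column rules to every row of a table."""
    masked_rows = []
    for row in rows:
        masked = dict(row)
        for column, fn in rules.items():
            if masked.get(column) is not None:
                masked[column] = fn(masked[column], key)
        masked_rows.append(masked)
    return masked_rows


# Constructed sample extract: two tables that join on the SSN.
CUSTOMERS = [
    {"id": 1, "name": "A. Example", "ssn": "123-45-6789", "email": "a.example@corp.example"},
    {"id": 2, "name": "B. Sample", "ssn": "987-65-4321", "email": "b.sample@corp.example"},
]
CLAIMS = [
    {"claim": "C-100", "ssn": "123-45-6789", "amount": 250.0},
    {"claim": "C-101", "ssn": "123-45-6789", "amount": 75.0},
]


def verify_masking(customers=CUSTOMERS, claims=CLAIMS, key=MASKING_KEY) -> int:
    """Checks to run before the extract ships: no raw identifier survives, the
    masked values are still well-formed, and the join is intact. Returns the
    number of customers that still match a claim after masking."""
    masked_customers = mask_rows(customers, key=key)
    masked_claims = mask_rows(claims, key=key)
    raw_ssns = {r["ssn"] for r in customers}
    for r in masked_customers + masked_claims:
        if r["ssn"] in raw_ssns or not SSN_RE.match(r["ssn"]):
            raise AssertionError(f"masking failed for row {r}")
    claim_ssns = {r["ssn"] for r in masked_claims}
    return sum(1 for r in masked_customers if r["ssn"] in claim_ssns)
```

Two design points matter more than the code. First, the masking is keyed rather than a plain hash: an unkeyed SHA-256 of a nine-digit SSN is reversible by enumerating the one billion inputs, and a keyed HMAC is not, provided the key stays in production. Second, `verify_masking` is the check that turns a script into a procedure: it fails the extract if any raw identifier survives, if a masked value no longer fits the column format, or if the join between tables breaks. A masked SSN may fall into a range a strict validator rejects (for example an area number of 000); for test data that is usually desirable, but it is worth knowing before the application's own validation trips on it.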


Figure 9: Number of Copies of Production Data Across Enterprises

One copy outside production databases: 9%
Two copies: 25%
Three copies: 19%
Four copies: 7%
Five or more copies: 15%
Don't know/unsure: 15%

(Three or more copies: 41% combined.)

Figure 10: Encrypt Stored Personal Identifiable Information?

Yes, in all databases: 32%
Yes, in some databases: 36%
No: 21%
Don't know/unsure: 9%

Figure 11: Year-to-Year Percentages Reporting Full Encryption of Stored Data

2008: 36%
2009: 28%
2010: 29%
2011: 30%
2012: 32%

Figure 12: Encrypt Application Data Moving Across the Network?

Yes, all database traffic is encrypted: 29%
Some database traffic is encrypted: 37%
No, database traffic is not encrypted: 21%
Don't know/unsure: 13%

Figure 13: Encrypt Database Backups and Exports?

Yes, all database backups/exports are encrypted: 23%
Some database backups/exports are encrypted: 30%
No, database backups/exports are not encrypted: 32%
Don't know/unsure: 14%

(Total does not equal 100% due to rounding.)

Figure 14: Encryption Trends—By Level of Enterprise Security Awareness

                                                            Secure*   All Others
Personal identifiable information—all databases               43%        28%
Application data moving across the network—all databases      41%        25%
Database backups/exports—all databases                        32%        19%

* Respondents indicating they can prevent privileged users from reading or tampering with sensitive information in financial, HR and other business application databases. (See Figure 30.)

Figure 15: Are Unencrypted Database Backups or Exports Sent Offsite?

Yes: 31%
No: 52%
Don't know/unsure: 17%

Figure 16: Approaches for De-identifying Data Used Within Non-Production Environments

Use custom scripts to de-identify data: 32%
De-identify on ad hoc basis: 21%
De-identify as standard procedure: 21%
Use third-party tools to de-identify data: 11%
We do not de-identify data: 27%
Don't know/unsure: 19%
Other: 1%

(Multiple responses permitted.)

Figure 17: Data Functions Outsourced

Database application development: 26%
Database administration: 22%
Database application testing: 19%
Database infrastructure: 13%
We don't outsource any database functions: 56%
Don't know/unsure: 8%
Other: 1%

(Multiple responses permitted.)

AUDITING, ACTIVITY MONITORING AND BLOCKING

Database auditing and activity monitoring are key detective security practices that can help spot suspicious or errant activity in order to ward off potential threats. One-fifth state that they are using native database auditing to monitor database activity across most of their databases and 46% use auditing across some of their databases. (See Figure 18.)

Exploring this further, two out of three respondents report they regularly monitor all production databases for security issues such as unauthorized access to data or configuration changes. Many are employing automated or systematic methods and technologies to provide this capability, but there are also many respondents still employing manual methods. Most of those who monitor data abuse—37% of the survey total— say it is done with automated tools, versus 30% who do it manually. (See Figure 19.)

Although automated tooling yields enormous efficiencies in sifting through logs and reports for suspicious or unusual activity, there has been no appreciable increase in the adoption of automated solutions in recent years. (See Figure 20.)

What do enterprises look for in the information they are tracking on database usage? In most cases, they make the effort to track all privileged user activities. A majority also look for failed logins, as well as new account creation. (See Figure 21.)

Within organizations that more proactively manage privileged user access (cited in Figure 30), monitoring of the activities that may flag suspicious behavior is markedly more thorough. Three-fourths of these more security-conscious organizations closely track all privileged user activities, versus 45% of more lax organizations. Strikingly, a majority of respondents in more vigilant enterprises report monitoring every category of activity asked about, from failed logins to account creation and logins. (See Figure 22.)
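Collecting the activities listed in Figures 21 and 22 is only useful if something reads the trail and raises an alert. The block below is an added example of that detection step, written for this page rather than taken from the survey or from any product: it runs four rules over a constructed audit trail, one for each of the activity types the survey asks about (failed logins, account creation, privilege grants, and privileged reads of sensitive tables). The CSV layout, the lists of privileged accounts and sensitive tables, and the thresholds are all assumptions; a real deployment would read the native audit trail and tune each of them.

```python
"""Detection rules over a native database audit trail.

Added example: the checks correspond to the activities the survey says most
sites monitor (privileged user activity, failed logins, account creation,
privilege grants, access to sensitive tables). The CSV below mimics the
fields a native audit trail records; its rows, the privileged-account and
sensitive-table lists and the thresholds are all assumptions for this example.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_USERS = {"SYS", "SYSTEM", "DBA_JOE"}              # assumed
SENSITIVE_TABLES = {"HR.EMPLOYEE_SALARY", "FIN.CARD_DATA"}    # assumed
ADMIN_GRANTS = {"DBA", "SYSDBA", "EXP_FULL_DATABASE"}          # grants that always warrant review
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# Constructed audit trail (not real data).
SAMPLE_AUDIT = """\
ts,db_user,os_user,action,object,status
2012-11-05T08:00:01,APP_SVC,app,LOGON,,SUCCESS
2012-11-05T08:01:10,SCOTT,jsmith,LOGON,,FAILED
2012-11-05T08:01:15,SCOTT,jsmith,LOGON,,FAILED
2012-11-05T08:01:20,SCOTT,jsmith,LOGON,,FAILED
2012-11-05T08:01:25,SCOTT,jsmith,LOGON,,FAILED
2012-11-05T08:01:30,SCOTT,jsmith,LOGON,,FAILED
2012-11-05T08:02:00,SCOTT,jsmith,LOGON,,SUCCESS
2012-11-05T08:05:00,SYSTEM,dbadmin,CREATE USER,TEMP_ADMIN,SUCCESS
2012-11-05T08:05:05,SYSTEM,dbadmin,GRANT,DBA TO TEMP_ADMIN,SUCCESS
2012-11-05T08:06:00,DBA_JOE,jdoe,SELECT,HR.EMPLOYEE_SALARY,SUCCESS
2012-11-05T09:00:00,APP_SVC,app,SELECT,HR.EMPLOYEE_SALARY,SUCCESS
2012-11-05T09:30:00,SCOTT,jsmith,GRANT,SELECT ON SCOTT.EMP TO APP_RO,SUCCESS
"""


def parse_audit(text):
    """Parse the CSV audit trail; timestamps become datetime objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def detect(rows):
    """Return (rule, db_user, detail) tuples, in event order."""
    alerts = []
    failures = defaultdict(list)  # db_user -> timestamps of recent failed logons
    for r in rows:
        if r["action"] == "LOGON" and r["status"] == "FAILED":
            recent = failures[r["db_user"]]
            recent.append(r["ts"])
            # Keep only failures inside the sliding window before counting.
            while r["ts"] - recent[0] > FAILED_LOGIN_WINDOW:
                recent.pop(0)
            if len(recent) == FAILED_LOGIN_THRESHOLD:  # fire once when the burst crosses the line
                alerts.append(("failed_login_burst", r["db_user"],
                               f"{len(recent)} failures since {recent[0].time()}"))
        elif r["action"] == "CREATE USER":
            alerts.append(("account_created", r["db_user"], r["object"]))
        elif r["action"] == "GRANT":
            granted = r["object"].upper().split(" TO ")[0].strip()
            if granted in ADMIN_GRANTS:
                alerts.append(("admin_privilege_granted", r["db_user"], r["object"]))
        elif (r["action"] == "SELECT" and r["object"] in SENSITIVE_TABLES
              and r["db_user"] in PRIVILEGED_USERS):
            # Privileged accounts have no application reason to read these tables.
            alerts.append(("privileged_read_of_sensitive_table", r["db_user"], r["object"]))
    return alerts


def run(text=SAMPLE_AUDIT):
    return detect(parse_audit(text))
```

On the sample trail, `run()` raises four alerts: the burst of five failed logons for SCOTT, the creation of TEMP_ADMIN, the grant of DBA to it, and DBA_JOE reading the salary table. The application account's read of the same table and SCOTT's ordinary object grant produce nothing, which is the point of the privileged-account and admin-grant lists: the rules alert on who and what, not on every SELECT or GRANT. The sequence CREATE USER followed seconds later by GRANT DBA is exactly the pattern that the respondent quoted below could not attribute after the fact; with the OS user recorded alongside the database user it is attributable here.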

While a majority of respondents indicate they are monitoring and tracking for issues, this coverage is sporadic at best in many organizations. Most respondents, 74%, wouldn't know if someone made an unauthorized database change across most of their databases. (See Figure 23.) Among those who say they would be aware of unauthorized changes, many refer to the practice of keeping and checking logs of database activities, which may only provide clues after the damage is done. Some report being more proactive, but making hard and fast identifications of those committing a data breach is often not possible. "Access to make database changes is restricted by user profile," notes one respondent. "But changes have been made in the past, and there was no way to identify who made the change. Our profiles are generic and controlled by assignment."

In addition, only 27% say they are aware of unauthorized access across the bulk of their organizations’ databases. (See Figure 24.) Among respondents who can track and monitor unauthorized access, many indicate that alerts are built into their systems to make administrators aware of problems. As one respondent notes: “All access to powerful accounts is tracked.” Another indicates that administrators would be “notified by our third-party monitoring system.”

Even when database abuses are discovered, they typically cannot be remedied immediately. In the event of an unauthorized database access or change, 18% of respondents say it would take a day or more for their organization to detect and correct the problem, while 28% say it would take between one and twenty-four hours. Over one-third indicate they don't know, or are unsure, how long it would take. (See Figure 25.)

In addition to detective measures, organizations should also apply preventive measures that block unauthorized activity rather than merely record it. Measures taken by segments of respondents include taking steps to ensure all applications (internet and intranet accessible) are not subject to SQL injection attacks (35%), and using a network-based database firewall to block unauthorized database activity on most of their databases (30%). (See Figures 26 and 27.)
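The two preventive measures named above are different layers: fixing SQL injection in the application removes the defect, while a database firewall compensates for applications that have not been fixed. The block below is an added example, written for this page and not code from the survey or any vendor, that shows both: the concatenated query beside its parameterized form, and the statement-shape normalization a positive-model database firewall uses to reject a query whose structure the application never issued. SQLite stands in for the database so the block runs offline; the table, rows, payload and the "learned" allow-list are constructed for the example.

```python
"""SQL injection: concatenated SQL beside the parameterized form, plus the
statement-shape check a positive-model database firewall applies.

Added example. SQLite from the standard library stands in for the database so
the block runs offline; the table, rows and payload are constructed. The
behaviour shown is engine-independent: a statement built from user input can
be rewritten by that input, a bound parameter cannot.
"""
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "alice", "123-45-6789"), (2, "bob", "987-65-4321")])
    return conn


def build_vulnerable_sql(name):
    """The defect: user input is spliced into the statement text."""
    return "SELECT id, name, ssn FROM customers WHERE name = '" + name + "'"


def lookup_vulnerable(conn, name):
    return conn.execute(build_vulnerable_sql(name)).fetchall()


def lookup_parameterized(conn, name):
    """The fix: the value travels as a bind parameter and can only ever be data."""
    return conn.execute("SELECT id, name, ssn FROM customers WHERE name = ?", (name,)).fetchall()


# --- What a network-based database firewall adds on top (compensating control) ---
LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")


def statement_shape(sql):
    """Replace string and numeric literals with '?' and normalise whitespace, so
    statements that differ only in their literal values compare equal."""
    return " ".join(LITERAL.sub("?", sql).split())


# Shapes learned from the application during a baseline period (assumed).
ALLOWED_SHAPES = {statement_shape(build_vulnerable_sql("learned-during-baseline"))}


def firewall_allows(sql):
    """Positive model: only statement shapes seen during baseline pass."""
    return statement_shape(sql) in ALLOWED_SHAPES


PAYLOAD = "x' OR '1'='1"  # classic tautology; makes the WHERE clause always true


def demo():
    conn = make_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_payload": len(lookup_vulnerable(conn, PAYLOAD)),
        "parameterized_normal": len(lookup_parameterized(conn, "alice")),
        "parameterized_payload": len(lookup_parameterized(conn, PAYLOAD)),
        "firewall_allows_normal": firewall_allows(build_vulnerable_sql("alice")),
        "firewall_allows_payload": firewall_allows(build_vulnerable_sql(PAYLOAD)),
    }
```

`demo()` returns one row for the legitimate lookup either way, both rows (every customer's SSN) for the payload through the concatenated query, and no rows for the payload through the bound parameter, because the engine compares the literal string `x' OR '1'='1` against the name column. The firewall half shows why the 30% using a network-based firewall still have work to do: it passes the normal statement and blocks the injected one, but only because the injected statement has a different shape (`... name = ? OR ?=?`) from anything in the baseline. It is a control around an unfixed defect, not a substitute for the parameterized query.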

The survey finds enterprises are becoming more adept at handling audit data from across the enterprise. Close to one-fifth of respondents state that they consolidate database audit data to a central secure location. (See Figure 28.) This reflects a growing trend—seen in survey data over a three-year period—toward establishing a centralized secure and scalable repository to enable analysis, reporting, and threat detection on audit data. (See Figure 29.)


Figure 18: Use Native Database Auditing to Monitor Database Activity?

Yes, on most databases: 21%
On some databases: 46%
No: 18%
Don't know/unsure: 15%

Figure 19: Monitor All Production Databases for Security Breaches?

Yes, run tools on a regular basis: 25%
Yes, run tools on an ad hoc basis: 12%
Yes, manually monitor on a regular basis: 13%
Yes, manually monitor on an ad hoc basis: 17%
No: 19%
Don't know/unsure: 14%

Figure 20: Year-to-Year Percentages Employing Automated Security Monitoring (Tools Run on a Regular Basis)

2009: 18%
2010: 25%
2011: 26%
2012: 25%

Figure 21: Database Activities Monitored

All privileged user activities: 54%
Failed logins: 54%
New account creation: 52%
Privilege grants: 49%
Login/logout: 48%
Database definition changes: 48%
Writes to sensitive tables/columns: 39%
Read of sensitive tables/columns: 33%
Don't know/unsure: 14%
Other: 1%

(Multiple responses permitted.)

Figure 22: Database Activities Monitored—By Level of Enterprise Security Awareness

                                      Secure*   All Others
All privileged user activities          75%        45%
Failed logins                           62%        54%
New account creation                    59%        48%
Privilege grants                        56%        46%
Login/logout                            58%        48%
Database definition changes             56%        45%
Writes to sensitive tables/columns      56%        32%
Read of sensitive tables/columns        47%        28%
Don't know/unsure                        8%        17%
Other                                    2%         1%

* Respondents indicating they can prevent privileged users from reading or tampering with sensitive information in financial, HR and other business application databases. (See Figure 30.)

(Multiple responses permitted.)

Figure 23: Aware of Unauthorized Database Changes?

Yes, on most databases: 25%
On some databases: 32%
No: 24%

Figure 24: Aware of Unauthorized Database Access?

Yes, on most databases: 27%
On some databases: 33%
No: 21%
Don't know/unsure: 18%

(Total does not equal 100% due to rounding.)

Figure 25: Length of Time to Detect and Correct Unauthorized Database Access or Change

Less than 1 hour: 17%
1 to 24 hours: 28%
1 to 5 days: 14%
More than 5 days: 4%
Don't know/unsure: 6%

Figure 26: Taken Steps to Prevent SQL Injection Attacks?

Yes: 35%
No: 24%
Don't know/unsure: 40%

(Total does not equal 100% due to rounding.)

Figure 27: Use Network-Based Database Firewall Solution?

Yes, on most databases: 30%
On some databases: 27%
No: 24%
Don't know/unsure: 18%

(Total does not equal 100% due to rounding.)

Figure 28: Consolidate Database Audit Data to Central Secure Location?

Yes, on most databases: 19%
On some databases: 27%
Don't know/unsure: 14%

Figure 29: Year-to-Year Percentages Reporting Fully Consolidated Audit Data Repositories

2010: 13%
2011: 17%
2012: 19%

ACCESS CONTROL

Nearly a third of respondents, 32%, say they can prevent privileged users from reading or tampering with sensitive information in financial, HR and other business application databases (see Figure 30). This is a marked improvement over previous years, when only 24% indicated they had such a capability. (See Figure 31.)

Numerous security holes are nonetheless evident. A majority of respondents, 56%, state that users are blocked from accessing application data stored in databases directly with ad hoc tools or spreadsheets, which would effectively bypass application access controls. Yet close to half the respondents, 44%, either say they can't control such access or simply don't know whether this capability exists at their sites. (See Figure 32.)

This is a problem many respondents are attempting to address. As one respondent noted, "only privileged users with specific rights can access data outside of applications, including development staff and DBAs." Still, another respondent admitted that "more effort is needed here to make sure that sensitive data is treated on a need-to-know basis, and that privileged accounts are used correctly."

Those security-conscious enterprises, as identified by their ability to manage access by privileged users (cited in Figure 30), are also more likely to have controls in place regulating data dumps into spreadsheets and other tools. Close to three-fourths of these more security-conscious companies are able to prevent such bypasses, compared to less than half of less-security-conscious organizations. (See Figure 33.)

Not all abuse occurs from malicious hackers or data thieves, whether internal or external. As noted earlier, human error ranks as the leading data risk. Unfortunately, only about one-fourth, 26%, state their systems include safeguards that help prevent database administrators or developers from accidentally dropping a table or unintentionally causing harm to critical application databases. (See Figure 34.)

Along with not being able to prevent abuse by privileged users, most enterprises in the survey reveal they do not have the means to track or uncover such abuse after it happens. Only 26% state they can actually prove that privileged database users at their organizations are not abusing their super-user privileges. (See Figure 35.)

Those organizations with more stringent measures to prevent potential abuse by privileged users (cited in Figure 30) are three times more likely to be able to document such abuse when it does occur, the survey also finds. Close to half of these more security-conscious companies, 49%, can prove whether privileged users are abusing their access, compared to only 16% of less-security-conscious organizations. (See Figure 36.)

A systems administrator with a mid-size retailer summarized it best: “Identify, monitor, and analyze information-related vulnerabilities as much as possible. Determine methods to manage or resolve data security risks. Identify potential data privacy and security compliance related issues. Prioritize remediation steps into an effective plan based on company’s specific goals, schedule, and budget.”


Figure 30: Capable of Preventing Enterprise Data Abuse By Privileged Users?

Yes: 32%
No: 37%
Don't know/unsure: 31%

Figure 31: Year-to-Year Percentages Reporting the Ability to Prevent Data Abuse by Privileged Users

Two preceding surveys: 24%, 24%
2012: 32%

Figure 32: Can Users Bypass Access Controls With Ad Hoc Tools or Spreadsheets?

Yes: 25%
No: 56%
Don't know/unsure: 19%

Figure 33: Bypass Access Controls—By Level of Enterprise Security Awareness

                                                                     Secure*   All Others
No, users cannot bypass controls with ad hoc tools or spreadsheets     72%        49%

* Respondents indicating they can prevent privileged users from reading or tampering with sensitive information in financial, HR and other business application databases. (See Figure 30.)

Figure 34: Safeguards Against Administrator or Developer Data-Handling Errors?

Yes: 26%

Figure 35: Able to Prove Privileged User Abuse of Data?

Yes: 26%
No: 48%
Don't know/unsure: 19%

(Total does not equal 100% due to rounding.)

Figure 36: Ability to Prove Privileged User Abuse of Data—By Level of Enterprise Security Awareness

                        Secure*   All Others
Yes, able to prove        49%        16%

* Respondents indicating they can prevent privileged users from reading or tampering with sensitive information in financial, HR and other business application databases. (See Figure 30.)

COMPLIANCE

Increasingly, organizations need stricter and more frequent database security audits to meet compliance requirements and provide greater assurance to customers and other stakeholders. However, there are wide gaps in audit frequency, and infrequent auditing leaves room for long-term abuse of sensitive data to go unnoticed. About 17% perform database security audits at least monthly. (See Figure 37.) This is up from the survey conducted a year ago, when only 13% were conducting monthly audits, but the longer-term trend shows no appreciable movement toward more frequent auditing. (See Figure 38.)

Another 30% conduct such assessments only annually, and 34% either never do so or simply don't know whether they are conducted at all. This is unchanged from previous surveys.

How long does it take organizations to prepare for a database security assessment/audit? Respondents are divided over the amount of time required. About a third, 31%, report that it takes more than a day, while another 31% claim it can be done within 24 hours. Another 37% simply don’t know how long it takes. (See Figure 39.)

The key drivers behind data security audits are industry and government regulations or mandates. Half of the respondents, 50%, say they are required to meet Sarbanes-Oxley Act requirements, making this the leading mandate data managers continue to face. Another 42% must comply with local, state or provincial data protection laws. More than a third of respondents, 34%, are affected by HIPAA/HITECH, which governs the privacy and handling of healthcare data. Another 29% say they need to comply with Payment Card Industry (PCI) requirements. (See Figure 40.)

Regulatory compliance audits over the past 12 months have not flagged database security issues at most companies; only 13% indicate that issues were identified. (See Figure 41.) Some note that the issues identified in audits were "false positives." Another respondent's company was flagged for "using production data in dev and test environments." Another was cited for running unsupported versions of software that no longer receive security updates, and for password complexity and expiration settings. Other red flags included missing patches and configuration issues.

Finally, respondents were asked how quickly they apply Oracle Critical Patch Updates to all of their databases. Close to one-fifth apply these updates before the next quarterly CPU is released, and another one-fifth have them in place one cycle late, within three to six months. However, a full one-third either never apply the patches or are unaware of whether they are applied. (See Figure 42.)

COMPLIANCE

While data security audits can help track abuses after they happen, few respondents conduct such audits on a frequent basis. More companies are moving to centralized repositories to manage audit information.

Figure 37: Frequency of Database Security Assessments or Audits

A few times a month: 6%
At least once a month: 11%
Quarterly: 18%
Annually: 30%
Never: 7%
Don't know/unsure: 27%
Other: 1%

Figure 38: Year-to-Year Percentages Reporting Data Security Audits Once a Month or More

Successive annual surveys, earliest first: 13%, 16%, 13%, 17% (the current survey's 17% is called out in the original chart)

Figure 39: Length of Time to Prepare Database Security Assessment/Audit

<1 hour: 10%
1 to 24 hours: 21%
1 to 5 days: 23%
>5 days: 8%
Don’t know/unsure: 37%

(Total does not equal 100% due to rounding.)

Figure 40: Compliance Mandates

Sarbanes-Oxley Act (SOX): 50%
Local state data protection laws: 42%
HIPAA/HITECH: 34%
Payment Card Industry (PCI): 29%
SAS/SSAE 16: 14%
FISMA: 9%
ITAR: 7%
Massachusetts 201 CMR 17.00: 5%
NERC: 4%
Other: 10%

(A bracketed callout in the original chart reads 31%.)

Figure 41: Audits Flag Any Database Security Issues Over Past Year?

Yes: 13%
No: 54%
Don’t know/unsure: 33%

Figure 42: When Quarterly Oracle Critical Patch Updates Are Applied to All Databases

Typically before the next CPU is released (within 1 to 3 months): 19%
One cycle late (3 to 6 months): 20%
Two cycles late (6 to 9 months): 9%
Three cycles late (9 to 12 months): 4%
Four or more cycles late (more than a year): 5%
Within 1 year: 5%
We have never applied a Critical Patch Update: 6%

IOUG RECOMMENDS

Securing data across the enterprise requires the ability not only to track and monitor suspicious activity, but also to prevent the activity in the first place. This requires effective management and deployment of security tools, as well as policies and procedures that can assure that data can be moved securely both within and outside the enterprise. IOUG recommends the following approaches to meet these critical requirements for ensuring data security at all levels:

Apply an enterprise-wide security strategy. This is considered by many data security experts to be the best means of combating data breaches. Database security requires multiple layers of defense that include the following security controls:

· Preventive: taking steps to deter a problem before security is compromised

· Detective: providing evidence after security is compromised

· Administrative: managing operational and accountability procedures that provide an acceptable level of protection for computing resources.

Get business buy-in and support. Data security only works if it is backed by executive support. The business needs to help determine what protection levels should be attached to data stored in enterprise databases.

Provide training and education. Often, business users do not understand or grasp the importance of data security policies and procedures. Technology goes a long way toward securing data, but it also takes a well-engaged and knowledgeable organization to make security a reality.

The findings from this latest IOUG member survey show that many organizations are challenged not only with keeping out outside hackers, but also with ensuring that data remains well secured as it moves within the walls of the organization. Performing due diligence and taking the right measures to ensure data remains secure will go a long way toward avoiding potential issues.

Figure 43: Responsibility for Database Security

Database group: 63%
Security group: 57%
Systems management group: 32%
Application group: 21%
Development group: 16%
No one: 2%
Don’t know/unsure: 6%
Other: 4%

Figure 44: Respondents’ Organizations—By Number of Employees

1 to 100 employees: 18%
101 to 500 employees: 15%
501 to 1,000 employees: 9%
1,001 to 5,000 employees: 21%
5,001 to 10,000 employees: 11%
>10,000 employees: 26%

(Includes all locations, branches, and subsidiaries)

Figure 45: Respondents’ Primary Industries

IT services/consulting/system integration: 14%
Government (all levels): 12%
Healthcare/medical: 9%
Education (all levels): 9%
Manufacturing: 9%
Software/application development: 9%
Utility/telecommunications/transportation: 7%
Financial services: 6%
Business services: 5%
Retail/distribution: 4%
Insurance: 3%
Consumer services: 2%
High-tech manufacturing: 2%
Other: 8%

Figure 46: Respondents’ Job Titles

Database administrator (DBA): 38%
Director/manager of IS/IT: 10%
Analyst/systems analyst: 8%
Programmer/developer: 7%
CIO/CTO/vice president of IT: 4%
Data architect: 4%
Systems administrator: 4%
Project manager: 4%
Executive/management level: 3%
IT operations manager: 2%
IT consultant—IT service/integration firm: 2%
IT consultant—independent contractor: 2%
Manager of a business unit: 1%
Applications administrator: 1%
Security manager: 1%
Other: 8%
