The greatest challenge to database security may actually come from organizational issues, rather than nefarious or accidental acts, according to a survey presented by Application Security.
In most cases, database security is overseen by both database and security teams, thereby yielding a disconnect in ownership responsibilities as well as a lack of consensus on top priorities. According to respondents, management, while showing increasing signs of threat awareness, continues to offer inadequate financial support.
Significant to the study was that the vast majority of those surveyed (81%) indicated that data security risks posed to their organizations have increased over the past three years. Among those that feel there is a greater risk today, four in five acknowledged that the greater technical proficiency and overall boldness of outside hackers and other malicious third parties was the leading factor contributing to the growing challenges.
Management awareness is growing, commitment is not
It was not surprising to learn that the recent onslaught of hacktivist activity from those such as Anonymous and LulzSec has caused more than half of the respondents’ organizations to step up their data security efforts. A majority (51%) report that news of these prominent attacks has led to increased protection. Thirty-six percent of respondents increased audit frequency as a result of the more dangerous threat environment.
Hacktivism generated additional security measures in 34% of the respondent companies due to increased concern among top management and board members. However, only 14% of companies in the survey reported additional funding for data security technologies and just 11% experienced additional staffing or consulting support. So, while there is increased management concern, it does not appear as if it has translated into additional support and commitment. As a result, DBAs and security pros are faced with the expectation of doing more with less.
Head in the clouds? Yes, but not “the” cloud
Data security issues are a major concern when organizations are faced with the challenge of moving data into the cloud. The survey’s results revealed that 19% of respondents have tested the waters in deploying databases in private cloud or virtualized environments, but just 2% are operating in the public cloud. Nearly two-thirds (63%) say that data security issues are the number one challenge when considering public cloud deployments. The group was more comfortable with private cloud deployments, although 45% still cited security as the top concern.
The survey results indicate that organizations still have plenty of work to do in traditional environments before taking on newer initiatives. Despite two-thirds of respondents contending that their companies did not have a confidential data breach over the past 12 months, only 12% felt confident enough to say that it is “highly unlikely” that they will experience one in the next 12 months.
Of those surveyed whose organizations did suffer a data breach and had knowledge of the resulting costs, roughly one-third (32%) stated that it cost their companies over $100,000 and 11% reported that costs exceeded $1 million.
Alarmingly, 83% of respondents concede that not all of their databases are adequately protected or are unsure whether they are. Similarly, less than one quarter (24%) feel as if all of their confidential data is adequately protected.
It’s not all bad news
On a positive note, incremental progress is being made as it relates to database security, albeit at a slow pace. Two-thirds of organizations from the survey do conduct database security audits or assessments at least once per year and nearly half of the companies (44%) are currently using automated tools to monitor production databases for security issues.
Among companies that regularly conduct audits, more than half (53%) experience audit findings each time and one-third (32%) were unsure of the findings. A slim 11% indicated that they experienced no audit findings. Among the more prevalent audit findings were configuration issues (24%) and default IDs and passwords not changed (22%).
The complete report is available here (registration required).