Database Security: The Insider Threat

Every night when I go to bed, I make sure the doors and windows in my house are locked. It's not that I own anything particularly valuable (I haven't upgraded to that 50" plasma television yet) or that I'm particularly worried that someone will break in; it's just that I like the feeling of security that it gives me.



For years, that's what most companies have been doing as well: trying to make sure they lock all the doors and windows that might provide unauthorized access to company information, applications or IT resources. By using everything from network firewalls to access control lists, they've been protecting their data, databases and applications from outside intruders or malicious hackers.

But things have changed. Now organizations need to think about insider threats as well. Today's organizations no longer need merely to ensure that unauthorized external users can't get into their systems; they need to make sure that only the appropriate personnel gain access to any of their systems, regardless of whether those are external users or internal users.

Of course, it's not just that the risk or the incidence of unauthorized internal access has gone up, but that the implications of such occurrences have become considerably more important, primarily because of regulatory requirements and risk management requirements.

Specifically, the need for increased accountability and the need to respond quickly and proactively to auditing requirements are driving many organizations to take a second (and perhaps third) look at exactly how their data, their databases and their applications are secured and protected against both internal and external threats. Of particular interest for many organizations is the access that privileged users (such as super users or database administrators) have to everything from corporate data to application, database, and system log files.

For example, for years, the fundamental approach to database security revolved around AAA: authentication, authorization and access control. Of course, those aspects are still a critical part of any good security strategy, but they're no longer adequate to address an organization's security risks and needs.

On the one hand, the risk of internal attacks has risen over the years as the difficulty of external attacks has increased. For highly valuable data, it can be more efficient for thieves or hackers to find better access points by obtaining employee cooperation (as in the recent stories about the inside theft of new product and marketing secrets by employees of Coca-Cola) or obtaining employment at a target organization. On the other hand, it's not just the exposure and loss of information or compromising of systems that organizations need to consider. Instead, due to dramatically increased regulatory requirements, organizations also need to ensure they can demonstrate both appropriate data security (especially in any industry or setting that deals with customer, financial, healthcare and similar data) and the ability to audit those data sources and provide accurate records of what happened when, and who accessed what.

In particular, that's where the issue of privileged users comes in. It's not just about whether individual employees might be a risk (which is still a concern); it's also about whether an organization has procedures and policies in place to restrict access (whether it's internal or external access) to confidential or important data, and whether it can provide records that prove that access hasn't been violated. In other words, organizations need to ensure they can provide a realistic and accurate audit record for IT systems and databases if (or when) they're confronted with an in-depth security audit.

As a result of all these increased pressures on both the security of data and the need to provide auditing capabilities, today's organizations need to go beyond basic AAA security strategies. Instead, forward-looking organizations are now surrounding their IT infrastructure, applications, and databases with additional security and auditing capabilities. In my next column, we'll explore some of the specific steps that organizations are taking and what forms the new database security technologies are appearing in.

Luckily though, for the moment, I personally don't have to worry too much about regulatory compliance issues regarding the locks on my front door or the possibility of external auditors questioning my home security procedures.

I do, however, have to deal with something even tougher: my wife. Every night I have to answer to my wife when she asks if I've really checked the locks on all the windows and doors.

About the Author

David Kelly - With twenty years at the cutting edge of enterprise infrastructure, David A. Kelly is ebizQ's Community Manager for Optimizing Business/IT Management. This category includes IT governance, SOA governance, and compliance, risk management, ITIL, business service management, registries and more.
