Fiddling around with database security might end on a sour note
Databases are the lifeblood of most IT architectures, and the data they contain on customers, patients, products, financial records and the like makes them inviting targets for malicious hackers. But in many organizations, database security plays second -- or maybe third -- fiddle to network and endpoint security efforts.
How is that working out? Not so well, perhaps. In a 2016 survey of senior security executives conducted by 451 Research, 26.1% of the 1,105 respondents said their organizations had suffered a data breach during the previous 12 months, while a total of 67.8% said their systems had been breached at some point.
Even so, the survey didn't find a sudden rush to boost security in databases. To the contrary, tools for encrypting data at rest in databases ranked last among five types of security software for planned investments in 2017, according to a report published jointly by 451 Research and Thales E-Security. Network and endpoint security tools topped the list of spending plans. "The sobering news is that the spending still favors old habits," 451 analyst Garrett Bekker wrote.
At the same time, the growing use of cloud databases and NoSQL systems adds new pieces to the database security puzzle. "You need to shift your approach when securing databases run on cloud services," Securosis LLC analyst Adrian Lane wrote in a November 2016 blog post. Among other things, he pointed to architectural changes that "lead to more segmented deployment, with more granular control over access to data" than on-premises systems provide.
More alarmingly, many NoSQL databases "place availability over confidentiality and integrity of the stored data," said Tony Robinson, a senior security analyst at Hurricane Labs, in a January 2017 blog post. This handbook looks more closely at that issue and other aspects of security in databases.