In the not too distant past, Gartner's data management analysts didn't get many inquiries about data security issues from the IT managers and other corporate professionals they advise, but that has changed.
With database security threats taking on new dimensions in the big data era, data management teams are asking more security-related questions, according to Gartner analyst Merv Adrian. The volume is still relatively small -- only one-quarter the level of inquiries about the Hadoop processing framework, for example. "But it's up from almost nothing 18 months ago to dozens per month," Adrian said during a presentation at the 2017 Pacific Northwest BI & Analytics Summit in Grants Pass, Ore.
The increased focus on security is well-founded, even if it remains far from universal, Adrian said in a follow-up interview with SearchDataManagement. In addition to the threat of incursions into databases and big data repositories by attackers, he pointed to new laws that make solid data security and privacy protections a must -- particularly the European Union's General Data Protection Regulation (GDPR), which is due to take effect in May 2018. In the interview, Adrian also discussed database security tools and best practices for managing efforts to strengthen database defenses.
Is dealing with database security threats becoming a bigger issue for user organizations? And, if so, why?
Merv Adrian: In the first half of 2017, security inquiries to Gartner's data management analysts were up dramatically. I attribute that partly to increased awareness of the data security and privacy impact that the GDPR will have on large, multinational clients, as well as to concerns about the security of 'new' data stored in data lakes and other big data environments.
Following up on that, do most companies seem to be paying sufficient attention to securing their databases?
Adrian: No. Although database security functionality is strong in the leading DBMS [database management system] offerings, newer products often lack security features; some don't even enforce password protection for new database instances. In addition, the creation of new data stores is often conducted outside of IT and corporate data governance processes, even in companies where such processes are well-established in existing systems.
We've heard a lot about database security threats involving NoSQL technologies -- in MongoDB, for example. Is there a difference in the maturity of the security protections in relational databases vs. NoSQL ones?
Adrian: Yes. In general, the older relational database offerings are more mature on security, and they've been used for many years by companies with stringent data security requirements. Equally important, though, is that database creation and use is increasingly taking place outside of IT, as I mentioned before. As a result, even secure database products can be used in insecure ways -- and they often are.
Oracle, Microsoft and other database vendors have made a point of building up -- and touting -- their security capabilities in recent product releases. In general, which of the security features now available are particularly useful for database administrators?
Adrian: Since data is constantly moving around between systems both in on-premises data centers and the cloud, the use of data encryption is becoming increasingly important. We're also seeing greater use of database activity monitoring tools as companies recognize that even well-intentioned end users who are authorized to access data can be a source of privacy and security problems. Machine learning algorithms that can identify patterns of unusual activity in databases are seeing increasing use, as well.
Is data security also a big issue for users of Hadoop systems? Or is it less so in Hadoop-based big data environments?
Adrian: It's even more so because Hadoop, being based on a file system, lacks many of the routine security capabilities that database management systems provide. In addition, Hadoop clusters are often used to process and store data that isn't vetted, whose ownership isn't known and whose provenance isn't clear, by people who have neither interest in checking the data's reliability, quality and conformance with corporate governance policies nor the expertise to do so.
What advice do you have for companies on best practices for protecting the data in their databases and guarding against database security threats?
Adrian: Audit and classify your data -- now. Understand where the risks are, and map your database security investments and efforts to addressing the biggest exposures first. And if you don't have the required expertise, get funding and assign resources to obtain it. Also, ensure that your security strategy has awareness and support at the most senior executive levels in the company.