By Bert Latamore
October 27, 2006
"Probably 80% of the threats to corporate data come from outside the
company walls, but organizations should have those pretty well under
control today," says Jerald Murphy, senior vice president and director
of research operations at The Robert Frances Group.
"The 20% of risk that comes from inside the organization -- people doing
illegitimate things with data they have legitimate access to -- is much
less well contained," Murphy says. "Consequently, this is one of the
greatest sources of data security vulnerability -- and one of the
hardest to defend against -- that organizations face today."
A DBA makes a perfect industrial spy. He has unfettered access to data
of all kinds, and he spends his days working with and on that data. He
can easily copy corporate secrets or employee and client personal
information for nefarious purposes.
However, security violations don't have to be purposeful. An employee
with legitimate access to sensitive data could download that information
to a laptop and take it home or on a business trip to work on, or he
could inadvertently put it into a presentation or business e-mail
attachment and send it to a legitimate business contact outside the
Detecting such activities is difficult. At least when an outside
malefactor exploits a flaw in enterprise defenses, IT usually knows
something illicit is happening. Employees can steal or accidentally lose
sensitive data, or, perhaps worse, change it, and no one may know.
Fortunately, Murphy says, software is available that can help guard
data from internal threats.
Murphy suggests a four-step program to combat internal security risks:
1. Screen employees for sensitive positions like DBAs to ensure they are
The rigor of those background checks will depend on the degree of risk.
Also, companies need to create specific policies to protect secrets and
educate employees about security methods, the reasons behind them and
the penalties for violations. And employees need periodic reminders and
2. Pay attention to what DBAs are doing.
This means reviewing log files for suspicious activities. "If a DBA is
doing a lot of seeks at 11 p.m., for instance, I have to wonder what he
is doing." Applications from companies like Guardium can monitor
activity automatically and identify suspicious patterns for manager
3. Encrypt the data in the database (encryption at rest) as well as when
it is sent over the Internet (encryption in motion).
While organizations commonly use virtual private networks (VPNs), Secure
Sockets Layer (SSL) and other encryption technologies to protect their
data on the Internet, many databases themselves remain unencrypted.
Encryption adds a layer of protection, making it difficult for
unauthorized individuals to read the data should they succeed at gaining
access to it.
The leading database engines (Oracle, DB2, etc.) have built-in
encryption capabilities. Murphy, however, recommends using third-party
encryption utilities from vendors such as Protegrity or Ingrian Networks
for two reasons.
First, if the encryption is done by the database engine, the DBA has
access to the key, and if the DBA is stealing the data, this will not
Second, the keys will be stored in the database, and if they become
corrupted, data recovery will be difficult. Third-party encryption
removes the keys from the DBA's purview, allowing the separation of
responsibilities between database management and security. These
third-party solutions keep the keys outside the database and have
sophisticated key management, making recovery simpler should the keys
4. Attack information leakage.
"Organizations focus on restricting access to the corporate network from
exploitations coming in," says Murphy. "They need to pay attention to
what is going out as well."
Extrusion solutions intercept sensitive data on its way out of the
corporate network and either prevent it from crossing the corporate
boundaries or notify a designated individual, such as the corporate
security officer, of what is being sent to whom by whom. Vontu focuses
on e-mail, including attachments; Fidelis Security Systems encompasses
all files. "This is the opposite of a firewall, and it is important for
catching the mistakes of well-meaning employees that are behind 80% of
corporate data security breaches."
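The log review in step 2 can be automated in a few lines. The following is an added illustration, not code from the article or from any product it names: it parses a constructed audit-log format, keeps only SELECT statements from accounts assumed to hold DBA privileges, and flags any hour outside business time in which a DBA read more rows than a threshold. Account names, the log format, the business-hours window and the row threshold are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit-log line format for this example, one statement per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"op=(?P<op>\w+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)
DBA_ACCOUNTS = {"dba_jones", "dba_ortiz"}  # assumed privileged accounts
BUSINESS_HOURS = range(7, 19)              # 07:00-18:59 is normal working time
ROW_THRESHOLD = 10_000                     # rows read per hour that count as "a lot"

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["rows"] = int(rec["rows"])
    return rec

def off_hours_bulk_reads(lines):
    """Return sorted (user, date, hour, rows) tuples for DBA SELECTs outside
    business hours whose rows summed within that hour exceed ROW_THRESHOLD."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] not in DBA_ACCOUNTS or rec["op"] != "SELECT":
            continue
        if rec["ts"].hour in BUSINESS_HOURS:
            continue
        key = (rec["user"], rec["ts"].date().isoformat(), rec["ts"].hour)
        totals[key] += rec["rows"]
    return sorted((u, d, h, n) for (u, d, h), n in totals.items() if n > ROW_THRESHOLD)

# Constructed sample: daytime DBA work, a large application read, one late-night dump.
SAMPLE_LOG = """\
2006-10-27 10:15:02 user=dba_jones op=SELECT table=customers rows=120
2006-10-27 14:40:11 user=app_svc op=SELECT table=customers rows=250000
2006-10-27 23:02:45 user=dba_jones op=SELECT table=customers rows=48000
2006-10-27 23:07:19 user=dba_jones op=SELECT table=employees rows=9000
2006-10-27 23:30:00 user=dba_ortiz op=UPDATE table=audit_cfg rows=1
2006-10-28 02:10:33 user=dba_ortiz op=SELECT table=invoices rows=400
"""

if __name__ == "__main__":
    for alert in off_hours_bulk_reads(SAMPLE_LOG.splitlines()):
        print("off-hours bulk read:", alert)
```

Only the 11 p.m. reads by dba_jones are reported; the application account's large daytime read and the DBA's small early-morning query fall outside the rule, which is the point of scoping the check to privileged accounts, off-hours and volume together.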
"Best practice is to look at the total life cycle of the data -- who
creates it, where it is stored, who uses it and how it is used," says
Murphy. "The reality is there is no silver bullet for data protection.
It is one thing to expect IT professionals to adhere to good data
protection and quite another to try to get every end-user to line up
behind security policy."
Bert Latamore is a journalist with 10 years' experience in daily
newspapers and 25 in the computer industry. He has written for several
computer industry and consumer publications. He lives in Linden, Va.,
with his wife, two parrots and a cat.