Shattering the five barriers to database security

Imperva
By Reinhart Hansen, Director of Technology – Imperva CTO Office
Thursday, 22 April, 2021



With over two-thirds of ANZ CIOs citing a spike in digital innovation funding last year alone [1], it’s no secret many business leaders are looking to accelerate digital transformation efforts and drive more agile and streamlined operations.

While there are many versions of the ‘recipe for success’ when embarking on this journey, an often-overlooked ingredient is the importance of database security. An effective cybersecurity strategy ensures your data is protected at all times — from implementation phase through to ongoing operations and optimisation.

For many business leaders there are typically a series of internal barriers preventing delivery of a well-rounded database security strategy. From a lack of executive advocacy and understanding, to siloed data and difficulty proving return-on-investment, let’s take a closer look at some of these obstacles and how IT leaders can seek to overcome them.

1. Educating beyond encryption and compliance

When it comes to managing database security, the focus has historically been on database encryption and compliance of data. Yet a solid database security strategy should enable businesses to educate on the value beyond this. Encrypting data at rest is an essential control; however, it doesn’t prevent data from being stolen, exfiltrated or misused by users with credentials (often compromised credentials) that have permission to access it. The first step should be removing complexity around understanding what is happening at the database access layer. This makes it much easier to turn mountains of raw database events and activity into usable information. Furnished with rich, contextual information, security teams can leverage analytics to provide focused insights that deliver real database security, not just exceptionally large and often difficult-to-interpret audit trails for compliance.

As businesses expand their data sources to include private, public and hybrid cloud environments as well as larger groups of on-premise data sources, complexity increases and a technology skills gap can materialise. It doesn’t help that we seemingly hear about a new enterprise or cloud database vendor and flavour at almost a weekly cadence. Each data source flavour has its own structure, often using its own SQL language variant or an entirely alternative mechanism to query and interact with data. An enterprise data security solution should aim to provide a normalised, redacted and enriched view of activity across all these disparate database technologies and environments. Part of your database security strategy should be to centralise activity from disparate data stores into a single, comprehensive view. This unified view eliminates the need for SOC teams to learn specific skills required to understand each data source and helps to close the skills gap.

2. Driving executive advocacy

It’s tough to initiate a real database security program without some executive advocacy. A CISO can ensure a board’s compliance efforts are aligned with existing and new government regulations or client requirements.

To ensure their database security strategy addresses issues beyond compliance, a CISO on the board can explain how to sequence and prioritise the extension of data-centric security controls, and bring the appropriate level of urgency and funding to bear on the project.

3. Breaking down silos

In many organisations, business divisions operate in a siloed manner and have purpose-built teams that manage their own data stores. This makes a holistic approach to database security extremely difficult. Security, risk and compliance teams are often unable to gain insight into threats and exposures that exist within these siloed data repositories. Even something as simple as gaining visibility of when another data store asset (potentially holding sensitive data) is added to the environment can be challenging.

An enterprise-wide data security strategy must transcend an organisation’s business silos and divisional constructs. A 360-degree view of all database activity and related risks should be the goal. Centralising database activity into a single-view platform helps overcome this challenge.

4. Finding “the one”

Adopting multiple cloud platforms affords businesses the irresistible combination of cost-efficient pay-as-you-go models and scalable database capabilities, but there is the inevitable question: what about security?

As mentioned, each database platform often has its own structure, SQL language variant and/or alternative mechanisms to query and interact with data. They also vary greatly in the way they report and log activity against the database. So the “right security tool” is usually several different tools that each only work with their respective data source. The potential for database security is “there”, but the chances of achieving it are slim. You get some assurance that you’ll be able to meet a compliance requirement by checking a box, but putting real database security in place for each database platform requires a lot of time and work. Rather than trying to pick the right security tool, the right security platform is needed. To achieve real database security, choose a solution that enables you to extend security controls to all data stores from a single platform.

5. Identifying and measuring ROI

Validation of compliance is easy. You know you have achieved it because the auditors tell you that you have. What needs to happen to get from the compliance checkbox to something more valuable as a security control? How do you measure the effectiveness of real database security? Have you set the proper expectations and benchmarks? ROI is demonstrated differently for database security.

With unlimited time, budget and manpower, any business can achieve complete coverage with regard to auditing and securing their current, growing and evolving number of data stores. However, building an entire team within your business to undertake this activity requires sourcing many highly skilled resources in an area that is acknowledged as already having a skills shortage. It is also a massive distraction from your own business and revenue-producing activities.

Data security, and more specifically database security, requires understanding the intricate differences between each data store and how event and activity data is produced; building data-store-specific event collection systems; and normalising, redacting and enriching event data into contextually rich information. It’s then critical to store this vast amount of data and meet ongoing compliance reporting and security response functions, as well as building and maintaining the analytics required to identify anomalous user behaviour around data access.

After considering all these points and understanding the complexities and ongoing commitments required for such a solution, few would dare to build their own ‘home grown’ solution to achieve this. But you don’t have to, and you don’t need to. With the right platform, you can achieve 100 per cent coverage of all data sources and provide your teams with ready-to-use data for analytics, automation and security control orchestration. You can start small and see how easy it is to manage a platform that unifies several data sources, optimising the process as you go forward.

From “wait and see” to getting ahead of it

Perhaps one of the most difficult challenges is getting started and knowing how. The key to the success of seamless, secure digital transformation is peer collaboration and clear communication.

What regulatory and compliance requirements need to be met when moving data to the cloud is usually well defined. What security controls should be in place around our data stores, and how to implement them at scale and in a manner that seamlessly integrates into our DevOps processes, is less understood. Often transformation teams take the ‘wait and see’ approach to implementing database security, usually because they simply don’t understand what controls should and could be put in place.

Rather than adopting a “wait and see” approach where leaders let pressure from a data breach or sub-par financial and operational performance be the catalyst for change, successful digital transformation needs to be born out of innovation and proactivity. This starts with a centralised view of all data access activity in a single-view platform. This enables teams to gain invaluable, data-driven insights — unlocking actionable security analytics, delivering out-of-the-box functionality for reducing and preventing database risks, and operationalising security controls.

For more information: https://www.imperva.com/products/sonar-cyber-security-platform/.

[1] Gartner, Gartner CIO Survey Reveals 54% of Australian and New Zealand Organizations Increased Investment in Digital Innovation During the Pandemic, 28 October 2020.
