Until recently, to get their security compliance “checkbox” most companies only had to manage a handful of on-premise database types, typically with native logging or database activity monitoring (DAM) tools. To facilitate business innovation and growth, companies today have been compelled to add dozens of new database types, each with a different structure and management rules. Technology has driven a database activity explosion for most enterprises, making traditional agent-based data logging, monitoring, and auditing far too difficult and expensive to be practical. In addition, GDPR, CCPA, and various other emerging privacy laws require companies to be more accountable for maintaining the security of sensitive consumer data and for retaining data for much longer.
Many organizations think passing a compliance audit is database security. This is outmoded thinking. There are plenty of companies that routinely pass compliance audits and are still the victims of costly data breaches. The tools they use to ensure compliance were not designed to detect security threats and orchestrate automated responses. To achieve actual database security, you must become better at deriving value from the data you collect.
Cloud-based data sources make security even harder
Many companies, lured by the cost-efficient pay-as-you-go models and scalable database capabilities offered by cloud environments, are moving many workloads and the databases that support them into the cloud, adding a new dimension to the threat landscape in the process. The substantial technology investments that companies have made to pass compliance audits for on-premise databases cannot help achieve database security in the cloud. To meet the challenge, companies are now under increasing pressure to move away from a compliance model and adopt a data-centric security model. The cloud uses new and different technologies, and there are even more database types to learn about, making the database security skills gap that already existed in many organizations more pronounced. The cloud affords greater flexibility, but that flexibility becomes a double-edged sword because things move much more quickly, and databases are more susceptible to human error. Cloud vendors provide security, but it is not their responsibility to ensure your security controls are extended to cloud environments; that responsibility is yours. You must have visibility and oversight over how your sensitive data is being protected.
This problem is so acute that many organizations struggling with database security are slowing down the migration of workloads to the cloud. They are simply not comfortable with the level of security controls on the cloud side, which are not comparable to the controls they have invested so heavily in on the on-premise side.
Solving the value imbalance in database security
Shifting from a compliance-driven focus to a database security-driven focus requires you to make sense of a great deal of raw data from potentially dozens of sources. Most organizations dump the data into a repository somewhere and hope there is a method downstream for distilling that data into meaningful information they can respond to, but that is often not the case. You can’t just declare victory once you have the data captured in a repository, because with database security that’s when the work begins. Solving for the interpretation of the data, and not just collecting it, needs to be an integral part of your database security strategy. The good news is that new analytics technologies have emerged in the marketplace that give enterprises a real opportunity to interpret their data meaningfully.
There is a basic flaw in how organizations allocate resources to achieve the goals of a database security program. Most enterprises have invested an overwhelming percentage of their time and resources in building the foundation of visibility – capturing the data and placing it where it can be evaluated and analytically processed. They spend so much time on the foundation that they don’t have the resources left to focus on the high-level contributors to real database security – actionable analytics and the orchestration and automation of controls. In the cloud, this challenge becomes even more pronounced because of the diversity and complexity of the new databases in the mix.
To re-balance your efforts, you need to make it much easier to collect data and reduce the time and effort required to do it. Apply a “policy lens” with the aperture open as wide as possible to see everything that’s happening in your environments. Even if you are not sure what data you are looking for, you have access to facilities downstream that enable you to make sense of it. You must get to a point where you can take for granted that you have all the data you need to fully characterize what’s happening at the database layer across all your on-premise and cloud sources. Then you can make this data available to the operations and analytics teams, as well as for things like forensics. When you establish this level of visibility, the information becomes valuable to many different stakeholders – not just for compliance purposes but also for database security purposes.
Unlocking visibility into the data and empowering different groups to access it leads to the next strategic step: taking advantage of analytics technologies to convert terabytes of raw data per day into the handful of manageable and actionable events that drive database security. A good database security system performs that distillation for you and gives you the opportunity to leverage the data for analytics.
Every one of these processes features a variety of flows that today involve quite a bit of manual effort but are ripe for process automation. Some of the techniques being widely adopted today fall under the banner of SOAR (security orchestration, automation, and response). In this case, it’s not SOAR as it relates to event response but SOAR in terms of how you engage with the application owners and how you engage with the appropriate DBAs and others, so they can have direct access to the information that’s meaningful to them. This helps key stakeholders remediate issues and improve the overall security posture of the applications and their underlying databases.
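The collect, distill and hand-off pipeline described above, as an added illustration that is not code from the original article or from any product it describes: two constructed activity feeds in different formats (an on-premise PostgreSQL-style text log and a cloud service emitting JSON records) are normalized onto one schema, reduced by a policy to a handful of actionable events, and tagged with the responsible DBA. The log lines, table names, owner addresses and the policy thresholds are all assumptions for the example.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample activity, not real logs. On-prem: PostgreSQL-style text. Cloud: one JSON record per line.
ONPREM_LOG = [
    "2024-03-02 02:14:05 UTC user=etl db=crm statement: SELECT * FROM customers",
    "2024-03-02 10:02:11 UTC user=app db=crm statement: SELECT id FROM customers WHERE id=7",
]
CLOUD_LOG = [
    '{"time":"2024-03-02T02:15:00Z","principal":"svc","database":"billing","query":"SELECT pan FROM payment_cards","status":"ok"}',
    '{"time":"2024-03-02T09:00:00Z","principal":"bob","database":"billing","query":"","status":"auth_failed"}',
    '{"time":"2024-03-02T09:00:05Z","principal":"bob","database":"billing","query":"","status":"auth_failed"}',
    '{"time":"2024-03-02T09:00:09Z","principal":"bob","database":"billing","query":"","status":"auth_failed"}',
]
PG_LINE = re.compile(r"^(?P<ts>\S+ \S+) UTC user=(?P<user>\S+) db=(?P<db>\S+) statement: (?P<sql>.*)$")
SENSITIVE_TABLES = {"customers", "payment_cards"}          # hypothetical classification
OWNERS = {"crm": "dba-crm@example.test", "billing": "dba-billing@example.test"}  # hypothetical owners

def normalize(source, line):
    """Map one raw record from either source onto a common schema (ts, user, db, sql, ok)."""
    if source == "onprem":
        m = PG_LINE.match(line)
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "user": m["user"], "db": m["db"], "sql": m["sql"], "ok": True}
    r = json.loads(line)
    ts = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": r["principal"], "db": r["database"], "sql": r["query"], "ok": r["status"] == "ok"}

def distill(records, fail_threshold=3):
    """Policy lens: sensitive-table reads outside 08:00-18:00, and repeated failed logins per user/db."""
    events, failures = [], Counter()
    for r in records:
        hit = set(re.findall(r"\bFROM\s+(\w+)", r["sql"], re.I)) & SENSITIVE_TABLES
        if hit and not 8 <= r["ts"].hour < 18:
            events.append({"kind": "off_hours_sensitive_access", "user": r["user"], "db": r["db"], "tables": sorted(hit)})
        if not r["ok"]:
            failures[(r["user"], r["db"])] += 1
            if failures[(r["user"], r["db"])] == fail_threshold:  # emit once, when the threshold is reached
                events.append({"kind": "repeated_auth_failure", "user": r["user"], "db": r["db"]})
    return events

def route(events):
    """Hand-off step: attach the responsible DBA so each event reaches the right stakeholder."""
    for e in events:
        e["owner"] = OWNERS.get(e["db"], "security-oncall@example.test")
    return events

def run():
    records = [normalize("onprem", l) for l in ONPREM_LOG] + [normalize("cloud", l) for l in CLOUD_LOG]
    return route(distill(sorted(records, key=lambda r: r["ts"])))
```

Six raw records across two formats become three owner-tagged events; the daytime read of `customers` by the application account is dropped by the policy rather than forwarded.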
Database security is within reach
Many enterprises have gone beyond compliance and succeeded in developing a valuable, effective database security system that complements their overall enterprise data security strategy, and so can you. The first step, as with every challenge, is recognizing that there is a problem and taking the appropriate actions to manage it. In the best case, with the right innovation, communication, and leadership, you can create true database security for your enterprise.