CLOSING THE SECURITY GAP
2012 IOUG ENTERPRISE DATA SECURITY SURVEY

By Joseph McKendrick, Research Analyst

Produced by Unisphere Research, a Division of Information Today, Inc.

November 2012

Sponsored by

Thomas J. Wilson, President

Closing the Security Gap: 2012 IOUG Enterprise Data Security Survey was produced by Unisphere Research and sponsored by Oracle. Unisphere Research is the market research unit of Unisphere Media, a division of Information Today, Inc., publishers of Database Trends and Applications magazine and the 5 Minute Briefing newsletters. To review abstracts of our past reports, visit www.dbta.com/About_Us#Unisphere. Unisphere Media, 630 Central Avenue, Murray Hill, New Providence, NJ 07974; 908-795-3701, Email: [email protected], Web: www.dbta.com.

Data collection and analysis performed with SurveyMethods.

TABLE OF CONTENTS

Executive Summary

Security Profiles

Data Protection

Auditing, Activity Monitoring and Blocking

Access Control

Compliance

IOUG Recommends

Demographics

EXECUTIVE SUMMARY

As organizations dramatically scale up the amount of data moving across their systems and business units, the risk of data breaches and abuse grows.

Many organizations are managing more than a petabyte of data, which gets copied and proliferated for purposes of development, testing and backup. While data centers may have safeguards and best practices in place to protect data, there are no guarantees of whether other departments, business partners, or outsourced environments have the same rules and protocols.

There are also measures that need to be taken to safeguard data from internal abuse; however, preventing privileged users from negligence or malfeasance is a serious challenge.

These enterprise data security challenges, and more, are highlighted in a new survey of 350 data managers and professionals by the Independent Oracle Users Group. The survey was underwritten by Oracle Corporation and conducted by Unisphere Research, a division of Information Today, Inc.

The survey covered progress within three key areas of database security:

1. Prevention: Encryption, masking, privileged user controls.
2. Detection: Activity monitoring, network logging, database firewalls, auditing.
3. Administration: Database lifecycle and configuration management.

Survey respondents hold a variety of job roles and represent a wide range of organization sizes and industry verticals. The largest number of respondents is represented by database administrators (38%), followed by director/manager of IT. More than one-fourth work for very large organizations with more than 10,000 employees.

The majority come from IT service providers, financial services, education, and government agencies. (See Figures 43–46 for demographic detail.)

The following findings highlight the importance of data security issues:

Though corporate data security budgets are increasing this year, they still have room to grow to reach previous year’s spending. More than half of respondents say their organizations still do not have, or are unaware of, data security plans to help address contingencies as they arise. Additionally, human error has beaten out internal hackers or unauthorized users as the biggest security risk.

Many organizations have multiple copies of sensitive, unencrypted production data moving both within and outside their enterprise, increasing the risk of data breaches. Less than a third of respondents encrypt all sensitive data on disk or in motion. More than three-fifths of respondents send actual copies of enterprise production data to other sites inside and outside the enterprise.

A majority of respondents actively collect native database audits, but there has not been an appreciable increase in the implementation of automated tools for comprehensive auditing and reporting across all databases in the enterprise. In addition, this monitoring is sporadic—most would not know if their data had been breached or corrupted by an insider.

There may be a great deal of attention and due diligence when it comes to auditing or monitoring database systems for unauthorized access or tampering with records, but perhaps the best—and least employed—strategy is prevention. Only about a third of respondents say they are able to prevent privileged users from abusing data, and most do not have or are not aware of ways to prevent the downloading of sensitive data to spreadsheets or other ad hoc tools.

While data security audits can help track abuses after they happen, few respondents conduct such audits on a frequent basis. More companies are moving to centralized repositories to manage audit information.

Respondents also discussed where they see data security vulnerabilities within their organizations.

“The sheer number of systems and databases…with business units operating like [a] standalone business, is a challenge for us. Plus, processes and controls are not yet consistent across the enterprise.”

—Analyst, Mid-Sized Manufacturer

“Management does not assign enough time for creating monitoring and testing suites; it cares more about increasing the customer base.”

—Chief Information Officer, Services Company

“I don’t believe management sees data as vulnerable. As long as there are no reports from higher-seated users, they think everything is performing ideally. At this point, the most pressing risks are in the developers/testers themselves and the lack of knowledge concerning the data structure/architecture on the database—and even infrastructure—they are working with.”

—Database Administrator, Consulting Firm

Despite growing threats and enterprise data security risks, organizations that do implement appropriate detective, preventive, and administrative safeguards are seeing significant results.

SECURITY PROFILES

Though corporate data security budgets are increasing this year, they still have room to grow to reach previous year’s spending. More than half of respondents say their organizations still do not have, or are unaware of, data security plans to help address contingencies as they arise. Additionally, human error has beaten out internal hackers or unauthorized users as the biggest security risk.

Does it take an actual security breach to finally spur management into action, to support more funding and support for data security efforts? That’s the way it played out at one respondent’s location, who described the company’s wake-up call: “A 2011 security breach forced management action to address holes in the systems; there continues to be ongoing action to pursue tighter security.”

Fortunately, there is evidence, as shown in this survey, that management is getting more data-security conscious. While there has been no shortage of concern about data security, companies appear to be slowing their rate of spending compared to previous years. For the most part, respondents report their companies’ spending on IT security has increased over the past year. In total, 32% report increases, versus 11% who are seeing a decrease. (See Figure 1.) However, the percentage of companies increasing spending is off from previous years. (See Figure 2.)

In addition, as found in previous surveys, there still appears to be a gap between IT managers implementing security solutions and the corporate management funding these efforts. More than a third of respondents, 34%, simply were not aware of spending in this area, potentially suggesting many respondents are not privy—or may have a limited view—to management decisions about data security spending across their enterprises.

In all cases, respondents run a multitude of databases. Only about 19% report they are smaller sites with fewer than 10 databases. A total of 55% have 100 or fewer databases, while 38% have 100 or more. (See Figure 3.)

While a majority of respondents report they keep tabs on the sensitive or regulated data that moves through their enterprises, it is nonetheless telling that there is a substantial portion who do not. A third of respondents, 33%, admit that they are not fully aware of all the databases in their organizations that contain sensitive or regulated information. (See Figure 4.)

Respondents are only too aware of the risks they incur in outsourcing arrangements. As one DBA with a global healthcare organization explains, “Outsourcing to an offsite data center has opened our systems to additional security risks that are beyond our immediate control. Unclear definition of responsibilities between internal and external support has led to a lot of uncertainty about what is actually being monitored and who is doing the monitoring.”

While a very troubling 7% have reported that their organizations’ data has been breached, compromised, or tampered with in some way, another 23% admit they don’t know. (See Figure 5.) And confidence about the future drops considerably—28% say the likelihood of a data breach over the next 12 months is either “somewhat likely” or even “inevitable.” (See Figure 6.)

What is the greatest risk to enterprise data? A common perception is that outside hackers are the most menacing threat. But the data managers and professionals in this survey say the threat is more likely to come from within—among employees they trust the most. The greatest percentage, 38%, sees human error as a high-level threat to their operations. Internal hackers or unauthorized users rank second at 22%, followed by abuse of privileges by IT staff, mentioned by 13%. Lack of management commitment to security is cited as a “high” threat by 12%. Interestingly, only 11% regard outside hackers as their biggest problem. (See Figure 7.)

While just under half, 49%, state they have database security plans, it’s important to note that this means a majority haven't formulated such plans, or are unaware if someone else in their organization has done so. While there are considerable issues and concerns about data security, most organizations have prepared for disruptions and incidents in a way that enables them to preserve data or roll back to previous versions. Backup and recovery plans are commonplace, with 89% of respondents stating they have such plans in place. Also, most respondents have disaster recovery plans, indicated by 78%. (See Figure 8.)

Figure 1: Change in Corporate IT Security Spending Over the Past Year

Increased by more than 20% 8%

Increased 11% to 20% 7%

Increased 6% to 10% 9%

Increased up to 5% 8%

No change from previous year levels 23%

Decreased 11%

Don’t know/unsure 34%

(Total reporting an increase: 32%.)

Figure 2: Year-to-Year Percentages Reporting Increased IT Security Spending

2008 41%

2009 28%

2010 43%

2011 43%

2012 32%

Figure 3: Number of Databases at Respondents’ Companies

<10 19%

11 to 100 36%

101 to 500 18%

501 to 1,000 7%

>1,000 13%

Don’t know/unsure 7%

Figure 4: Aware of all Databases With Sensitive or Regulated Information?

Yes 67%

No 33%

Figure 5: Data Breached Over Past Year?

Yes 7%

No 70%

Don’t know/unsure 23%

Figure 6: Likelihood of a Data Breach Over Next 12 Months

Inevitable 7%

Somewhat likely 21%

Somewhat unlikely 25%

Highly unlikely 17%

Don't know/unsure 29%

(Inevitable or somewhat likely: 28%.)

(Total does not equal 100% due to rounding.)

Figure 7: Greatest Risks, Threats, Or Vulnerabilities to Data

Human error 38%

Internal hackers or unauthorized users 22%

Abuse of privileges by IT staff 13%

Unprotected web applications 13%

Lack of management commitment/lax procedures 12%

Malicious code/viruses 12%

Outside hackers 11%

Lack of auditability of access and changes 10%

Loss of hardware or media—e.g., disks, tapes, laptops 10%

Abuse by outside partners/suppliers 8%

Advanced persistent threat 6%

Fines/lawsuits resulting from inadequate data security procedures 6%

(Multiple responses permitted.)

(Percentage indicating “high” threat)

Figure 8: Contingency Plans

Backup/recovery plan 89%

Disaster recovery plan 78%

Database security plan 49%

Performance test plan 42%

None of the above 2%

Don't know/unsure 5%

(Multiple responses permitted.)

DATA PROTECTION

Many organizations have multiple copies of sensitive, unencrypted production data moving both within and outside their enterprise, increasing the risk of data breaches. Less than a third of respondents encrypt all sensitive data on disk or in motion. More than three-fifths of respondents send actual copies of enterprise production data to other sites inside and outside the enterprise.

Additionally, 41% report having three or more copies of production data across the enterprise. (See Figure 9.)

Only about a third of respondents, 32%, could say personally identifiable information (e.g., Social Security, credit card, and national identifier numbers) is encrypted across all databases within their environment. More than one in five says there is no encryption at all, while 36% report limited encryption capabilities. (See Figure 10.) There has been no increase in the adoption of encryption since the first survey was conducted in 2008. (See Figure 11.)

Likewise, a relatively limited number of respondents say that application data is encrypted on the network as it travels to or from databases. Only 29% say they encrypt all their database traffic. By contrast, 58% admit that only some or none of their data traffic is protected this way. (See Figure 12.)

Along with encrypting data moving out of production environments, another challenge is ensuring the security of backed-up or archived data. Only 23% could say the bulk of their online and offline database backups and exports are encrypted. Close to two-thirds, 62%, say that such encryption is either limited or non-existent. (See Figure 13.)

Among the more security-conscious enterprises in the survey (those more tightly regulating privileged user access cited in Figure 30), there is more widespread adoption of data encryption measures in all phases of the data lifecycle. More than two-fifths of security-conscious companies report all stored personally identifiable information within their walls is encrypted, versus 28% of less-security-conscious organizations. Likewise, while 41% of security-aware enterprises encrypt all data in motion across their networks, only 25% share this practice among less-secure organizations. For encrypting data back-ups, the difference is 32% of security-aware companies, versus 19% that don’t have measures to limit insider abuse. (See Figure 14.)

The risk of maintaining unencrypted backup data within an enterprise is high enough; exacerbating the issue is the nearly one-third of respondents who send unencrypted database backups offsite, to places such as third-party storage sites or other data centers. (See Figure 15.)

Enterprises often send production data offsite to third parties for development, data management services, or backup and storage. Just over a third of respondents, 35%, indicate they outsource some aspects of their database management. (See Figure 16.) Sending data offsite, or copying production data into non-production environments can be useful for development, testing and QA purposes, but it can put data at risk because live production data is often used so that systems and applications continue to work. A majority of respondents, 55%, say they use actual copies of enterprise production data in non-production environments, while almost one-third use “outdated” production data. (See Figure 17.) Unfortunately, data considered outdated can oftentimes contain sensitive data that is never truly outdated, such as social security and passport numbers.

Data de-identification, or masking, is a technique employed to help prevent data breaches in non-production environments; however, among enterprises that employ such processes, it typically is regarded as a one-off process. Close to one-third indicate they use custom scripts to de-identify data, while 21% say they de-identify on an ad hoc basis. Only 21% say regular data de-identification is a standardized procedure. Close to half, 46%, indicate they either do not de-identify data, or simply don’t know if they do. (See Figure 18.)

Figure 9: Number of Copies of Production Data Across Enterprises

One copy outside production databases 9%

Two copies 25%

Three copies 19%

Four copies 7%

Five or more copies 15%

Don’t know/unsure 15%

(Three or more copies: 41%.)

Figure 10: Encrypt Stored Personal Identifiable Information?

Yes, in all databases 32%

Yes, in some databases 36%

No 21%

Don’t know/unsure 9%

(Total does not equal 100% due to rounding.)

Figure 11: Year-to-Year Percentages Reporting Full Encryption of Stored Data

2008 36%

2009 28%

2010 29%

2011 30%

2012 32%

Figure 12: Encrypt Application Data Moving Across the Network?

Yes, all database traffic is encrypted 29%

Some database traffic is encrypted 37%

No, database traffic is not encrypted 21%

Don’t know/unsure 13%

Figure 13: Encrypt Database Backups and Exports?

Yes, all database backups/exports are encrypted 23%

Some database backups/exports are encrypted 30%

No, database backups/exports are not encrypted 32%

Don’t know/unsure 14%

(Total does not equal 100% due to rounding.)

Figure 14: Encryption Trends—By Level of Enterprise Security Awareness

Personal identifiable information—all databases: Secure* 43%, All Others 28%

Application data moving across the network—all databases: Secure* 41%, All Others 25%

Data backups and exports—all databases: Secure* 32%, All Others 19%

* Respondents indicating they can prevent privileged users from reading or tampering with sensitive information in financial, HR and other business application databases. (See Figure 30.)

Figure 16: Approaches for De-identifying Data Used Within Non-Production Environments

Use custom scripts to de-identify data 32%

De-identify on ad hoc basis 21%

De-identify as standard procedure 21%

Using third party tools to de-identify data 11%

We do not de-identify data 27%

Don’t know/unsure 19%

Other 1%

(Multiple responses permitted.)

Figure 15: Are Unencrypted Database Backups or Exports Sent Offsite?

Yes 31%

No 52%

Don’t know/unsure 17%

Figure 17: Data Functions Outsourced

Database application development 26%

Database administration 22%

Database application testing 19%

Database infrastructure: 13%

We don't outsource any database functions 56%

Don't know/unsure 8%

Other 1%

(Multiple responses permitted.)

Database auditing and activity monitoring are key detectivesecurity practices that can help spot suspicious or errant activityin order to ward off potential threats. One-fifth state that they areusing native database auditing to monitor database activity acrossmost of their databases and 46% use auditing across some oftheir databases. (See Figure 18.)

Exploring this further, two out of three respondents reportthey regularly monitor all production databases for securityissues such as unauthorized access to data or configurationchanges. Many are employing automated or systematic methodsand technologies to provide this capability, but there are alsomany respondents still employing manual methods. Most ofthose who monitor data abuse—37% of the survey total—say it is done with automated tools, versus 30% who do itmanually. (See Figure 19.)

While this is a practice that yields enormous efficiencies—sifting through logs and reports for suspicious or unusualactivities—there has been no appreciable increase in adoption of automated solutions in recent years. (See Figure 20.)

What do enterprises look for in the information they are tracking on database usage? In most cases, they make the effort to track all privileged user activities. A majority also look for failed logins, as well as new account creation. (See Figure 21.)

Within organizations that more proactively manage privileged user access (cited in Figure 30), there is hyper-vigilance toward monitoring the activities that may flag suspicious activity. Three-fourths of these more security-conscious organizations closely track all privileged user activities, versus 45% of more lax organizations. Strikingly, a majority of respondents in more vigilant enterprises report monitoring activities from failed logins to account creation and logins, across the board. (See Figure 22.)

While a majority of respondents indicate they are monitoring and tracking for issues, this coverage is sporadic at best in many organizations. Most respondents, 74%, wouldn’t know if someone made an unauthorized database change across most of their databases. (See Figure 22.) Among those who say they are aware of unauthorized changes to databases, many refer to the practice of keeping and checking logs of database activities—which may only provide clues after the damage is done. Some report being more proactive, but making hard and fast identifications of those committing a data breach is often not possible. “Access to make database changes is restricted by user profile,” notes one respondent. “But changes have been made in the past, and there was no way to identify who made the change. Our profiles are generic and controlled by assignment.”

In addition, only 27% say they are aware of unauthorized access across the bulk of their organizations’ databases. (See Figure 24.) Among respondents who can track and monitor unauthorized access, many indicate that alerts are built into their systems to make administrators aware of problems. As one respondent notes: “All access to powerful accounts is tracked.” Another indicates that administrators would be “notified by our third-party monitoring system.”

Even when database abuses are discovered, they typically cannot be immediately remedied. In the event of an unauthorized database access or change, 18% of respondents say it would take a day or more for their organization to detect and correct the problem, while 28% say it would take between one and twenty-four hours. Over one-third indicate they don’t know, or are unsure, how long it would take. (See Figure 25.)

In addition to detective measures, organizations should also apply preventive measures to block unauthorized threats. Measures taken by segments of respondents include ensuring all applications (internet and intranet accessible) are not subject to SQL injection attacks (35%), and using a network-based database firewall solution for blocking unauthorized database activity (30%). (See Figures 26 and 27.)

The survey finds enterprises are becoming more adept at handling audit data from across the enterprise. Close to one-fifth of respondents state that they consolidate database audit data to a central secure location. (See Figure 28.) This reflects a growing trend—seen in survey data over a three-year period—toward establishing a centralized secure and scalable repository to enable analysis, reporting, and threat detection on audit data. (See Figure 29.)

AUDITING, ACTIVITY MONITORING AND BLOCKING

A majority of respondents collect native database audits, but there has not been an appreciable increase in the implementation of automated tools for comprehensive auditing and reporting across all databases in the enterprise. In addition, this monitoring is sporadic—most would not know if their data had been breached or corrupted by an insider.


Figure 18: Use Native Database Auditing to Monitor Database Activity?

Yes 21%

Don’t know/unsure 15%

On some databases 46%

No 18%

Figure 19: Monitor All Production Databases for Security Breaches?

Yes, run tools on a regular basis 25%

Yes, run tools on an ad hoc basis 12%

Yes, manually monitor on an ad hoc basis 17%

Yes, manually monitor on a regular basis 13%

No 19%

Don’t know/unsure 14%


Figure 20: Year-to-Year Percentages Employing Automated Security Monitoring (Tools Run on a Regular Basis)

2009 18%

2010 25%

2011 26%

2012 25%


Figure 21: Database Activities Monitored

All privileged user activities 54%

Failed logins 54%

New account creation 52%

Privilege grants 49%

Login/logout 48%

Database definition changes 48%

Writes to sensitive tables/columns 39%

Read of sensitive tables/columns 33%

Don't know/unsure 14%

Other 1%

(Multiple responses permitted.)


Figure 22: Database Activities Monitored—By Level of Enterprise Security Awareness

* Respondents indicating they can prevent privileged users from reading or tampering with sensitive information in financial, HR and other business application databases. (See Figure 30.)

Secure* All Others

All privileged user activities 75% 45%

Failed logins 62% 54%

New account creation 59% 48%

Privilege grants 56% 46%

Login/logout 58% 48%

Database definition changes 56% 45%

Writes to sensitive tables/columns 56% 32%

Read of sensitive tables/columns 47% 28%

Don't know/unsure 8% 17%

Other 2% 1%

(Multiple responses permitted.)

Figure 23: Aware of Unauthorized Database Changes?

Yes, on most databases 25%

Don’t know/unsure 18%

On some databases 32%

No 24%

(Total does not equal 100% due to rounding.)


Figure 24: Aware of Unauthorized Database Access?

Yes, on most databases 27%

Don’t know/unsure 18%

On some databases 33%

No 21%

(Total does not equal 100% due to rounding.)

Figure 25: Length of Time to Detect and Correct Unauthorized Database Access or Change

<1 hour 17%

1 to 24 hours 28%

1 to 5 days 14%

>5 days 4%

Don’t know/unsure 6%

(Total does not equal 100% due to rounding.)


Figure 26: Taken Steps to Prevent SQL Injection Attacks?

Yes 35%

Don’t know/unsure 40%

No 24%

(Total does not equal 100% due to rounding.)

Figure 27: Use Network-Based Database Firewall Solution?

Yes, on most databases 30%

Don’t know/unsure 18%

On some databases 27%

No 24%

(Total does not equal 100% due to rounding.)

Figure 28: Consolidate Database Audit Data to Central Secure Location?

Yes, for all databases 19%

Don’t know/unsure 14%

On some databases 27%

No 40%


Figure 29: Year-to-Year Percentages Reporting Fully Consolidated Audit Data Repositories

2010 13%

2011 17%

2012 19%


ACCESS CONTROL

There may be a great deal of attention and due diligence when it comes to auditing or monitoring database systems for unauthorized access or tampering with records, but perhaps the best—and least employed—strategy is prevention. Only about a third of respondents say they are able to prevent privileged users from abusing data, and most do not have or are not aware of ways to prevent the downloading of sensitive data to spreadsheets or other ad hoc tools.

Nearly a third of respondents, 32%, say they can prevent privileged users from reading or tampering with sensitive information in financial, HR and other business application databases. (See Figure 30.) This is a marked improvement over previous years, when only 24% indicated they had such a capability. (See Figure 31.)

Numerous security holes are evident, the survey shows. A majority of respondents, 56%, state that users are blocked from accessing application data stored in databases directly using ad hoc tools or spreadsheets—effectively bypassing application access controls. Yet, it’s notable that close to half the respondents, 44%, either say they can’t control such abuse, or simply don’t know if this capability exists at their sites. (See Figure 32.)

This is a problem many respondents are attempting to address, however. As one respondent noted, “only privileged users with specific rights can access data outside of applications, including development staff and DBAs.” Still, another respondent admitted that “more effort is needed here to make sure that sensitive data is treated on a need-to-know basis, and that privileged accounts are used correctly.”

Those security-conscious enterprises, exemplified by the ability to manage access by privileged users (cited in Figure 30), are more likely to also have controls in place regulating data dumps into spreadsheets and other tools. Close to three-fourths of these more security-conscious companies are able to prevent such abuse, compared to less than half of less-security-conscious organizations. (See Figure 33.)

Not all abuse occurs from malicious hackers or data thieves, whether internal or external. As noted earlier, human error ranks as the leading data risk. Unfortunately, only about one-fourth, 26%, state their systems include safeguards that help prevent database administrators or developers from accidentally dropping a table or unintentionally causing harm to critical application databases. (See Figure 34.)

Along with not being able to prevent abuse by privileged users, most enterprises in the survey reveal they do not have the means to track or uncover such abuse after it happens. Only 26% state they can actually prove that privileged database users at their organizations are not abusing their super-user privileges. (See Figure 35.)

Those organizations with more stringent measures to prevent potential abuse by privileged users (cited in Figure 30) are three times more likely to be able to document when such abuse does occur, the survey also finds. Close to half of these more security-conscious companies, 49%, are better able to prevent such incidents, compared to only 16% of less-security-conscious organizations. (See Figure 36.)

A systems administrator with a mid-size retailer summarized it best: “Identify, monitor, and analyze information-related vulnerabilities as much as possible. Determine methods to manage or resolve data security risks. Identify potential data privacy and security compliance related issues. Prioritize remediation steps into an effective plan based on company’s specific goals, schedule, and budget.”


Figure 30: Capable of Preventing Enterprise Data Abuse By Privileged Users?

Yes 32%

Don’t know/unsure 31%

No 37%

Figure 31: Year-to-Year Percentages Reporting Fully Consolidated Audit Data Repositories

2010 24%

2011 24%

2012 32%


Figure 32: Can Users Bypass Access Controls With Ad Hoc Tools or Spreadsheets?

Yes 25%

Don’t know/unsure 19%

No 56%

Figure 33: Bypass Access Controls—By Level of Enterprise Security Awareness

* Respondents indicating they can prevent privileged users from reading or tampering with sensitive information in financial, HR and other business application databases. (See Figure 30.)

Secure* All Others

No, users cannot bypass controls with ad hoc tools or spreadsheets 72% 49%

Figure 34: Safeguards Against Administrator or Developer Data-Handling Errors?

Yes 26%

Don’t know/unsure 22%

No 52%


Figure 35: Able to Prove Privileged User Abuse of Data

Yes 26%

No 48%

Don’t know/unsure 19%

(Total does not equal 100% due to rounding.)

Figure 36: Ability to Prove Privileged User Abuse of Data—By Level of Enterprise Security Awareness

* Respondents indicating they can prevent privileged users from reading or tampering with sensitive information in financial, HR and other business application databases. (See Figure 30.)

Secure* All Others

Yes, users have capability 49% 16%


COMPLIANCE

While data security audits can help track abuses after they happen, few respondents conduct such audits on a frequent basis. More companies are moving to centralized repositories to manage audit information.

Increasingly, organizations need stricter database security profile auditing to better meet compliance requirements, and provide greater assurance to customers and other stakeholders. However, there are wide gaps in audit frequency; this enables long-term abuse of sensitive data. About 17% perform database security audits at least monthly. (See Figure 37.) This is up from the survey conducted a year ago when only 13% were conducting monthly audits. The long-term trend suggests that there has not been an appreciable movement toward more frequent auditing. (See Figure 38.)

Less than one-third of respondents say that they only conduct such assessments annually, and 34% either never do such exercises, or simply don’t know if they’re even conducted at all. This is unchanged from previous surveys.

How long does it take organizations to prepare for a database security assessment/audit? Respondents are divided over the amount of time required. About a third, 31%, report that it takes more than a day, while another 31% claim it can be done within 24 hours. Another 37% simply don’t know how long it takes. (See Figure 39.)

The key drivers behind data security audits are industry and government regulations, or mandates. Half of the respondents, 50%, say they are required to meet Sarbanes-Oxley Act requirements, making this the leading mandate data managers continue to face. Another 42% are concerned with local state or provincial data protection laws. More than a third of respondents, 34%, are affected by HIPAA/HITECH, which deals with the privacy and handling of healthcare data. Another 29% say they need to comply with the Payment Card Industry statutes. (See Figure 40.)

Such regulatory compliance audits over the past 12 months have not flagged database security issues at most companies; only 13% indicate that issues have been identified. (See Figure 41.) Some note that the issues identified in audits were “false positives.” Another indicated their company was flagged for “using production data in dev and test environments.” Another was cited for unsupported versions of software that are no longer getting security updates, and password complexity and expiration time. Additional red flags included missing patches or configuration issues.

Finally, respondents were asked how quickly they apply Oracle Critical Patch Updates to their environments. Close to one-fifth apply these essential updates as soon as they are released, and another one-fifth have the new software in place within a three-to-five month timeframe. However, there is a full one-third that either don’t apply the patches or are unaware of whether they are applied. (See Figure 42.)


Figure 37: Frequency of Database Security Assessments or Audits

A few times a month 6%

At least once a month 11%

Quarterly 18%

Annually 30%

Never 7%

Don't know/unsure 27%

Other 1%

Figure 38: Year-to-Year Percentages Reporting Data Security Audits Once a Month or More

2009 13%

2010 16%

2011 13%

2012 17%


Figure 39: Length of Time to Prepare Database Security Assessment/Audit

<1 hour 10%

1 to 24 hours 21%

1 to 5 days 23%

>5 days 8%

Don’t know/unsure 37%

(Total does not equal 100% due to rounding.)

Figure 40: Compliance Mandates

Sarbanes-Oxley Act (SOX) 50%

Local state data protection laws 42%

HIPAA/HITECH 34%

Payment Card Industry (PCI) 29%

SAS/SSAE 16 14%

FISMA 9%

ITAR 7%

Massachusetts 201 CMR 17.00 5%

NERC 4%

Other 10%

(Multiple responses permitted.)


Figure 41: Audits Flag Any Database Security Issues Over Past Year?

Yes 13%

No 54%

Don’t know/unsure 33%

Figure 42: When Quarterly Oracle Critical Patch Updates Are Applied to All Databases

Typically before the next CPU is released (within 1 to 3 months) 19%

One cycle late (3 to 6 months) 20%

Two cycles late (6 to 9 months) 9%

Three cycles late (9 to 12 months) 4%

Four or more cycles late (more than a year) 5%

Within 1 year 5%

We have never applied a Critical Patch Update 6%

Don't know/unsure 27%

Other 5%


IOUG RECOMMENDS

Securing data across the enterprise requires the ability to not only track and monitor suspicious activity, but also prevent the activity in the first place. This requires effective management and deployment of security tools, as well as policies and procedures that can assure that data can be moved securely both within and outside the enterprise. IOUG recommends the following approaches to meet these critical requirements for ensuring data security at all levels:

Apply an enterprise-wide security strategy. This is considered by many data security experts as the best means of combating data breaches. Database security requires multiple layers of defense that include the following security controls:

· Preventive: taking steps to deter a problem before security is compromised

· Detective: providing evidence after security is compromised

· Administrative: managing operational and accountability procedures that provide an acceptable level of protection for computing resources.

Get business buy-in and support. Data security only works if it is backed through executive support. The business needs to help determine what protection levels should be attached to data stored in enterprise databases.

Provide training and education. Often, business users do not understand or grasp the importance of data security policies and procedures. Technology goes a long way to securing data, but it also takes a well-engaged and knowledgeable organization to help make security a reality.

The findings from this latest IOUG member survey show that many organizations are challenged with not only keeping out outside hackers, but also ensuring that data remains well secured as it moves within the walls of the organization. Performing due diligence and taking the right measures to ensure data remains secure will go a long way in avoiding potential issues.


DEMOGRAPHICS

Figure 43: Responsibility for Database Security

Database group 63%

Security group 57%

Systems management group 32%

Application group 21%

Development group 16%

No one 2%

Don’t know/unsure 6%

Other 4%

(Multiple responses permitted.)


Figure 44: Respondents’ Organizations—By Number of Employees

1 to 100 employees 18%

101 to 500 employees 15%

501 to 1,000 employees 9%

1,001 to 5,000 employees 21%

5,001 to 10,000 employees 11%

>10,000 26%


(Includes all locations, branches, and subsidiaries)

(Total does not equal 100% due to rounding.)


Figure 45: Respondents’ Primary Industries

IT services/consulting/system integration 14%

Government (all levels) 12%

Healthcare/medical 9%

Education (all levels) 9%

Manufacturing 9%

Software/application development 9%

Utility/telecommunications/transportation 7%

Financial services 6%

Business services 5%

Retail/distribution 4%

Insurance 3%

Consumer services 2%

High-tech manufacturing 2%

Other 8%

(Total does not equal 100% due to rounding.)


Figure 46: Respondents’ Job Titles

Database administrator (DBA) 38%

Director/manager of IS/IT 10%

Analyst/systems analyst 8%

Programmer/developer 7%

CIO/CTO/vice president of IT 4%

Data architect 4%

Systems administrator 4%

Project manager 4%

Executive/management level 3%

IT operations manager 2%

IT consultant—IT service/integration firm 2%

IT consultant—independent contractor 2%

Manager of a business unit 1%

Applications administrator 1%

Security manager 1%

Other 8%

(Total does not equal 100% due to rounding.)