
Secure Your Data Before It's Too Late




August 15, 2003
Most companies have their core business data stored in relational databases. And most companies have database systems in place that support advanced security and encryption technology. But do the majority of database users take advantage of the security features built into their systems?

I would guess that more than 70 percent of database installations that have advanced security features available are not using them or are using only a very small portion of them. Imagine if all customer contacts get into the hands of the competition because an administrator took a database backup copy with him when he changed jobs. Or if a hacker could create a virus that tries to read and steal data from your relational databases.

Data thieves have several methods available. A hacker can attack the physical database files in order to see or alter information; this occurs in the case of mobile client systems, for example. A data thief can pretend to be an authorized user of a system, a database or an application. For this purpose, there is software for the generation and automatic use of password lists. Often a simple phone call from the "user service" suffices, with a direct request for password and caller ID. An attacker can also use an existing database connection over a network that has been set up by an authorized user (hijacking). Finally, a sniffer can intercept unencrypted information while it is being transmitted over a network.

Most database vendors have reacted to increased security needs and have released product versions that include highly increased security. Now it is up to the user to choose the right product offering for his needs and, most of all, use the powerful security technology offered.

Responsibility of administrators. Administrators have the largest responsibility in securing database systems. They need to leverage the built-in security technology of the deployed database products. They have to enable the database's security technology for central data stores, and for the peripheral databases they should standardize on secure databases, instead of insecure desktop database products.

Lost or stolen laptops of sales or service employees having important data in unsecured databases can lead to major competitive disadvantages or even dangerous situations for a country's security when government or military data gets into the hands of third parties. Just think of what happened at the end of the Iraq war. Government computers, which were present in many embassies, just disappeared. I'm sure no ambassador wants to see government data from his embassy traded on eBay!

Responsibility of users. The bigger the company, the more difficult it is to restrict access exclusively to authorized users. The problems involved in keeping security-relevant information within a restricted group of persons increase with the number of users. This is not a question of the trustworthiness of the staff, but of carelessness and unawareness on the part of the users.

Due to the number of passwords and user IDs involved, users tend to leave notes on their desk or to simplify the passwords in such a way that makes it easy for unauthorized persons to gain access to protected areas. Incorrect logging off and failure to shut down the computer mean that an unoccupied workplace offers sufficient opportunity to do damage to the company. Here self-discipline and a sense of responsibility on the part of the users are called for.

But relief is available for the user: For some time, professional databases that encrypt their data on their own have existed for the PC platform. This process takes place automatically, without a cryptography tool having to be activated first. The user does not notice that anything is happening. In other words, he does not have to think about encryption any more.

Thanks to this security technology, it does not matter if a field representative's notebook is stolen, except for the value of the lost hardware, since the thief will be unable to get hold of the data on the hard disk. Unless, of course, the user was silly enough to leave his password inside the notebook case.

Imagine that you are a database administrator in a corporation where someone steals important customer data and gives that data to the competition. Now your boss asks you what investments need to be made to protect the data assets in the future. I'm pretty sure your boss would not like to hear that everything to protect the data was in place, and not enabled in the first place.

Martin Teetz is a product manager at database vendor Gupta Technologies GmbH in Munich.

