|
Encrypt. As with monitoring, the key is understanding where your critical data lives and encrypting what's important. But don't underestimate the magnitude of the job. Key management is crucial and difficult: rotating and revoking keys without disruption, making sure the right people have the right keys, and ensuring they aren't lost--and access to your data with them.
"Realize how hard crypto is--the time frame should be years," says Loyalty Lab's Engel. "There are performance considerations, key management, and recovery. The architecture alone--rollouts take a long time."
Separation of duties is an important consideration. It's not that you don't trust DBAs, but best practice means that you have two systems--one providing access to data and one providing keys--managed by different people. Finally, encryption is just part of a layered solution. Many organizations leapt at encryption as a quick fix to satisfy regulatory pressures, but it is neither easy nor a complete fix. Encryption ensures that the external hacker or someone who finds or steals a laptop or backup tape can't read your data. However, the insider threat remains, and encryption won't stop a malicious user who has legitimate access.
Grab low-hanging fruit. Attention to the little things, eliminating the simplest, most obvious risk factors, pays big dividends. You'd find a surprising number of databases still using default admin passwords and IDs.
"Understand and manage easy targets--like blank passwords. If you scan for that, you'd be stunned," says Giambruno. "You've got to fix the basics; that's where protecting data really starts. Follow the top 10 basic security rules, and you'll be fundamentally secure."w
|
