When the economy is in a downturn and the fear of layoffs looms, enforcing database security using database monitoring and database encryption tools is fundamental to defending against data leakage and can be implemented even on a tight budget, said Jonathan Penn, principal analyst at Forrester Research Inc.
"[The database] is a target for external attack, it's also a target for abuse and misuse by internal people," Penn said. "So protecting that is important, whether it be monitoring for large downloads by authorized people or monitoring the extent to which they're interacting with the database, whether [their activity] be suspicious or indicate they're taking information with them because they're leaving the company or worried about layoffs."
In the recent report, "TechRadar For SRM Professionals: Database and Server Data Security, Q2 2009," Forrester investigated the current state of eight significant technologies: centralized key management, data classifiers for security, data discovery scanners, database encryption, database monitoring and protecting, outbound Web application filtering and tape and backup encryption.
"We found protecting data is an incredibly complex task, and there is no single technology or process you can put in place in order to safeguard your information," Penn said. "On top of that, threats have become more sophisticated, more targeted, and the criminals behind these attacks have excellent resources at their disposal."
Penn recommended desktop, laptop and full disk encryption as some of the easiest and most cost-effective ways to manage security. However, he stressed that a cost-effective approach is not always about what you go out and buy, but can be as simple as implementing security measures on an ongoing basis.
The report, authored by Forrester senior analyst Andrew Jaquith, claims brute-force technologies like encryption will remain popular and monitoring technologies will also see an uptake in adoption, yet data classification and data discovery technologies that span multiple technology domains still have complexities that need to be worked through.
Data encryption and monitoring technologies are favorable for users because they focus on targeted assets and are very specific products, Penn said. Data discovery and data classification tools require different stakeholders in an organization to come to a consensus and must be coordinated across these different groups in order to be effective, making them more complicated and expensive projects, he said.
Forrester urges security professionals to move forward on data discovery and classification projects. Security pros should work with knowledge management professionals, storage managers, business units, and information officers within their organization to define and locate customer data as well as agree on and implement an appropriate policy, Penn said.
"The need to come up with a coordinated approach is paramount to really solving this problem and we're not there yet by any means," Penn said. "It's not just the technology – it's the maturity of the organization to get to that degree of coordination."
Data discovery and data classification are also the most expensive technologies studied in the report because the state of the market requires organizations and users to adopt multiple tools to carry out the projects, Penn said.
"Data discovery and data classification tools right now are not at the level of maturity where you can buy a single tool or product to coordinate everything," Penn said. "That's why those tools will be lagging in the speed at which they are adopted."
Dedicated tape and backup encryption technologies are expected to decline in the next five years, according to the report. The tools are fairly mature and are being built into storage devices instead of being purchased separately, Penn said.
In the future, Penn recommends security and risk professionals build awareness and momentum around understanding data and enforcing policy.
"I think that's the biggest challenge – getting people involved and coordinating an understanding of data," Penn said. "Security professionals have not been able to do this so far, but they need to move slowly and work with the legal department and build up support for coordinating projects together so an organization has a single view of the policy."