
Oracle DBAs cite lack of security measures

By Robert Westervelt, News Editor
29 Sep 2008 | SearchSecurity.com

Security Wire Daily News

Increasingly complex database environments are making it difficult for database administrators to secure systems and protect against a data breach, according to a new survey.

The survey, conducted by the Independent Oracle Users Group (IOUG) and funded by Oracle Corp., found that almost half of the 316 respondents were managing more than 100 databases and 20% said they managed more than 500 databases. One out of five said they expect a data breach or incident over the coming year and only one out of four said all their databases are locked down against attacks.

"The proliferation of databases is a definite concern," said Ian Abramson, president of the IOUG. "We focus on individual pieces of security instead of overall security and right now information that we wouldn't have even thought of being at risk is now being secured."

Those surveyed said insider threats posed the biggest risk to database security, ranking well above malicious code and hackers. Abramson said many people are failing to use built-in security tools, although some turn to third-party tools to handle security because they are dealing with complex heterogeneous environments.

"The DBAs are talking about it right now, but the problem is that organizations are really taking a back seat right now," Abramson said. "[Company executives] feel confident that they have enough controls in and around their data that they won't run into any problems."

Oracle offers a number of security tools to watch over insiders or "super users" that have easy access to sensitive data. The company also has encryption to lock down data and produce secure backups.

Still, the growing complexity of most company systems and the sheer size and scope of many databases are making them difficult to maintain and secure, Abramson said. The survey found 67% of those surveyed had most or all of their databases securely configured. Thirty-two percent said their databases were either partially or not securely configured, and some didn't know about their database security configuration.

While a high number of those surveyed are confident of their security configuration, Abramson said it's likely that holes still exist.

"I think that there are a lot of risks and a lot of potential access points that could be exploited," Abramson said.

Database encryption is still used sparingly. The survey found that one out of four sites covered does not encrypt data within its databases, and close to one out of five are not even sure whether encryption takes place. Backup data is also at risk: thirty-four percent of respondents said their company sends unencrypted backups offsite.

Abramson said he expects people to deploy encryption in greater numbers. Performance issues are almost nonexistent, he said, and the cost is coming down. Security features such as auditing sometimes increase performance load, but the increase is very minimal, Abramson said.

"I think the concern with encryption is that it's going to limit performance, but Oracle's done a pretty good job with their encryption," Abramson said. "I almost never see performance issues caused by security features."


