Increasingly complex database environments are making it difficult for database administrators to secure systems and protect against a data breach, according to a new survey.
The survey, conducted by the Independent Oracle Users Group (IOUG) and funded by Oracle Corp., found that almost half of the 316 respondents were managing more than 100 databases and 20% said they managed more than 500 databases. One out of five said they expect a data breach or incident over the coming year and only one out of four said all their databases are locked down against attacks.
"The proliferation of databases is a definite concern," said Ian Abramson, president of the IOUG. "We focus on individual pieces of security instead of overall security and right now information that we wouldn't have even thought of being at risk is now being secured."
Those surveyed said insider threats posed the biggest risk to database security, well ahead of malicious code and hackers. Abramson said many people are failing to use built-in security tools, although some turn to third-party tools to handle security since they're dealing with complex heterogeneous environments.
"The DBAs are talking about it right now, but the problem is that organizations are really taking a back seat right now," Abramson said. "[Company executives] feel confident that they have enough controls in and around their data that they won't run into any problems."
Oracle offers a number of security tools to watch over insiders or "super users" who have easy access to sensitive data. The company also has encryption to lock down data and produce secure backups.
Still, the growing complexity of most company systems and the sheer size and scope of many databases are making them difficult to maintain and secure, Abramson said. The survey found 67% of those surveyed had most or all of their databases securely configured. Thirty-two percent said their databases were either partially or not securely configured, and some didn't know about their database security configuration.
While a high number of those surveyed are confident of their security configuration, Abramson said it's likely that holes still exist.
"I think that there are a lot of risks and a lot of potential access points that could be exploited," Abramson said.
Database encryption is also still used sparingly. The survey found that one out of four sites covered in this survey does not encrypt data within its databases, and close to one out of five are not even sure if encryption takes place. Backup data is at risk as well: thirty-four percent of respondents said their company sends unencrypted backups offsite.
Abramson said he expects people to deploy encryption in greater numbers. Performance issues are almost nonexistent, he said, and the cost is coming down. Sometimes security features, such as auditing, cause an increase in performance load, but it's very minimal, Abramson said.
"I think the concern with encryption is that it's going to limit performance, but Oracle's done a pretty good job with their encryption," Abramson said. "I almost never see performance issues caused by security features."