One of the best ways to improve database security is to carefully monitor the very people entrusted to manage them, database administrators (DBAs), a report has concluded.
Perhaps not surprisingly, the Aberdeen Group study of 120 mostly large companies around the globe found a correlation between adopting a range of database security practices and frequency of data breaches.
Companies ranked as using ‘best practice' suffered eight percent fewer incidents of data loss compared to those not adopting such measures, and ended up with 10 percent fewer of a range of audit deficiencies.
However, one of the defining characteristics of companies rated as having good security was a strict management of the managers. This means that database staff are monitored in some form, there is a separation of duties between different managers, and certain kinds of database access are blocked or restricted.
"In this study, respondents estimated that databases are the repository for nearly two-thirds of their sensitive data, so it's no surprise that the results show organisations that monitor privileged user activity suffer fewer data losses," said Aberdeen group's Derek E. Brink.
"The payoff for monitoring insiders can be significant from several perspectives, including security, risk management, compliance and cost."
"This Aberdeen report establishes and quantifies the risk organisations are taking by not monitoring the actions of privileged insiders, as well as the payback for companies that implement database activity monitoring," said Mark Kraynak of database security company, Imperva, one of the report's three co-sponsors.
Aberdeen makes a number of basic recommendations for companies worried about the topic, such as making sure to eliminate shared and default database admin accounts, monitoring ad-hoc queries the better to detect unusual requests, and restricting developer privileges.
If this sample is representative, database security, including the monitoring of the DBAs, is actually a fairly well established principle. Fifty-seven percent said they monitored DBA activities, 61 percent enforced separation of duties between privileged users, and 59 percent audited database access in order to detect unusual intrusions.
The report, Protecting the Database, can be downloaded without charge, for a limited period, by visiting Aberdeen's website.