As more organizations work to close their security compliance gaps, many are finding that the most glaring holes are in the database. Databases are the prime repositories of the sensitive data that regulations such as SOX, HIPAA and PCI DSS were designed to protect, yet they continue to get short shrift in security attention at most organizations.
“A lot of times the operating system is pretty well locked down—system administrators have been dealing with information security audits for quite some time—and the application is fairly locked down,” says Scott Laliberte, global leader of information security assessment services for Protiviti, a Menlo Park, Calif.-based consultancy with ample experience in security consulting. “But often the database is not locked down in great detail and typically is not very well understood (from a security perspective).”
According to statistics compiled by PCI assessors at VeriSign, 70 percent of organizations that fail their PCI audits do so because they fail to monitor and track access to cardholder data. That figure hardly raises Laliberte’s eyebrows. Protiviti not only offers consulting advice for some customers, but also runs third-party audits. He frequently finds organizations that pass most of their security layer assessments still fail miserably once Protiviti starts examining their database set-ups.
“We’ll go in and do an assessment where the OS is hardened and has good controls on it, the ERP system has had segregation of duties review done, all of these different security settings within the actual application are great, but (the data is) sitting on a default database install,” he says. “I’ve actually done several reviews like that, where there were default accounts, default passwords on some of those accounts, where the database had not been hardened, logging and log settings in the database weren’t turned on and so on. It was just a mess, complete mess.”
These frequent database gaffes present a prime opportunity for channel partners to swoop in and save the day. Both resellers and consulting partners have the chance to offer a blend of services and tools that can greatly improve their client’s overall security and keep the auditors at bay in the process.
When it comes to locking down the database, the three biggest risk factors organizations face (and that auditors check for) are database configurations rife with vulnerabilities and missing patches; weak access control policies and procedures; and a lack of visibility into database activity. Sell solutions for these three risk factors and you’ll help your customers improve their audit results while bolstering your own bottom line.
Vulnerability and Configuration Management
While the concept of frequent patching and vulnerability management has largely resonated with most enterprises at this point when it comes to operating systems and most applications, within the database these best practices are still left by the wayside. According to a survey by the Independent Oracle Users Group conducted in 2008, 11 percent of organizations have never patched their Oracle databases and an additional 26 percent take over six months to patch them.
This is a common and debilitating practice that leaves customers vulnerable and ultimately will cause them to fail an audit.
“Production databases don’t get patched nearly often enough, because they’re busy database servers and people will say, ‘If it isn’t broken, don’t fix it,’” says Adam Muntner, partner at QuietMove, a Phoenix, Ariz.-based security consultancy that frequently finds customers with databases that are rarely patched when it conducts penetration testing and vulnerability assessments.
He’s one of many in the security industry who believes that shoring this up should be priority number one.
“I think basic configuration and vulnerability assessment of databases is a key starting point for enterprises,” says Josh Shaul, vice president of product management for Application Security Inc. “And it’s not hard to do that. It’s pretty simple to either write scripts or get a tool that is going to take a look at databases and make sure that the really big gaping holes have been filled and the basic security measures are in place.”
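As an added example of the kind of script Shaul describes (it is not from the article or from any of the vendors quoted in it), the queries below check an Oracle instance for the holes Laliberte listed: default accounts and default passwords, auditing turned off, weak password profiles and stale patch levels. Oracle is used because the survey above concerns Oracle databases; the checks assume release 11g or later (for the DBA_USERS_WITH_DEFPWD view) and a DBA connection. Apart from the patch history, each query returns rows only where something needs attention.

```sql
-- Added example, not the article's code. Oracle 11g+, run as a DBA.

-- 1. Open accounts that still carry the vendor's default password.
--    DBA_USERS_WITH_DEFPWD is maintained by Oracle; the join drops locked accounts.
SELECT d.username, u.account_status, u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status NOT LIKE '%LOCKED%'
 ORDER BY d.username;

-- 2. Sample/demo schemas that ship with the product and have no place in production.
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('SCOTT', 'HR', 'OE', 'SH', 'PM', 'IX', 'BI')
   AND account_status = 'OPEN';

-- 3. Initialization parameters set to insecure values (the wanted value is in the comment).
SELECT name, value
  FROM v$parameter
 WHERE (name = 'audit_trail'                 AND UPPER(value) = 'NONE')   -- want DB, DB,EXTENDED or OS
    OR (name = 'audit_sys_operations'        AND UPPER(value) = 'FALSE')  -- want TRUE
    OR (name = 'remote_os_authent'           AND UPPER(value) = 'TRUE')   -- want FALSE
    OR (name = 'o7_dictionary_accessibility' AND UPPER(value) = 'TRUE')   -- want FALSE
    OR (name = 'sec_case_sensitive_logon'    AND UPPER(value) = 'FALSE'); -- want TRUE

-- 4. Password profiles that never lock out brute force, never expire
--    passwords, or enforce no complexity function (LIMIT is stored as text).
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME',
                         'PASSWORD_VERIFY_FUNCTION')
   AND limit IN ('UNLIMITED', 'NULL')
 ORDER BY profile, resource_name;

-- 5. Patch history: the newest row tells you which Critical Patch Update
--    was last applied; compare it with the current one for this release.
SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;
```

Queries 1 and 2 are the ones that most often return rows on the "default database install" Laliberte describes. Query 5 does not produce a finding by itself: an empty result, or a newest row several quarters old, is the "never patched" case from the IOUG survey.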
Access Control
As a partner, when you’re trying to shore up clients’ database security practices for better audit results, Laliberte says the ‘gimmes’ include the elimination of default accounts within the database, improving password controls and stepping up the client’s account management game.
“Those types of things we typically see not as well controlled at the database level as they are at the operating system or application level,” Laliberte says.
Shaul agrees, stating that too many organizations favor performance over security when implementing database access controls.
“The database security settings don’t mean an awful lot if the database is configured with guest access, if anybody can get in there, and if it’s kind of wide open,” Shaul says.
Once the low-hanging fruit has been eliminated, partners can better position their clients by helping them move to role-based access control, assigning permissions according to each employee’s job function at the client organization. This enables the all-important segregation of duties within the database, a key control auditors look for.
“Segregation of duties in the end is a cornerstone of the regulations that folks are trying to deal with,” Shaul says, stating that a lack of segregation of duties is what “gets organizations every time.”
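The progression Laliberte and Shaul describe, from grants made directly to people (or to everyone) to roles assigned by job function, as an added example that is not part of the article. Oracle syntax; the schema APP, the table APP.CARDHOLDER, the roles APP_CLERK and APP_AUDITOR and the user JSMITH are assumed names, and the three assessor queries at the end apply whether or not the grants above them were made:

```sql
-- Added example, not the article's code. Oracle; names are assumed.

-- Before: privileges granted straight to a person, and to PUBLIC (every account).
GRANT SELECT, INSERT, UPDATE, DELETE ON app.cardholder TO jsmith;
GRANT SELECT ON app.cardholder TO PUBLIC;           -- Shaul's "wide open" case

-- After: one role per job function; people are granted roles, never objects.
CREATE ROLE app_clerk;                               -- enters and corrects transactions
CREATE ROLE app_auditor;                             -- reads, never writes
GRANT INSERT, UPDATE ON app.cardholder TO app_clerk;
GRANT SELECT ON app.cardholder TO app_auditor;
REVOKE SELECT ON app.cardholder FROM PUBLIC;
REVOKE SELECT, INSERT, UPDATE, DELETE ON app.cardholder FROM jsmith;
GRANT app_clerk TO jsmith;

-- Check 1: guest access - application objects still reachable by PUBLIC.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM', 'XDB', 'MDSYS', 'CTXSYS')
 ORDER BY owner, table_name;

-- Check 2: object privileges still granted directly to users instead of roles.
--          Joining to DBA_USERS keeps only grantees that are users.
SELECT p.grantee, p.owner, p.table_name, p.privilege
  FROM dba_tab_privs p
  JOIN dba_users u ON u.username = p.grantee
 WHERE p.owner = 'APP'
 ORDER BY p.grantee, p.table_name;

-- Check 3: segregation of duties - any grantee holding more than one of the
--          conflicting roles (clerk and auditor, or an application role and DBA).
SELECT grantee, COUNT(DISTINCT granted_role) AS conflicting_roles
  FROM dba_role_privs
 WHERE granted_role IN ('APP_CLERK', 'APP_AUDITOR', 'DBA')
 GROUP BY grantee
HAVING COUNT(DISTINCT granted_role) > 1;
```

Check 3 only sees roles granted directly; a role granted through another role shows up in ROLE_ROLE_PRIVS and has to be expanded before the count is meaningful, which is exactly the nesting that lets segregation-of-duties violations hide from a quick review.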
Monitoring the Database
Organizations that have implemented role-based access policies and controls and have hardened their databases against known vulnerabilities may still fail an audit if they have no visibility into when and how users access the data stores. After all, even users with legitimate access to data can abuse their privileges.
Channel partners who offer up database activity monitoring tools within their arsenal of database security tools give customers a powerful microscope into how data is being accessed and changed.
“Not having those elements turned on can not only make it difficult to monitor for inappropriate access,” Laliberte says, “but also to figure out from a forensics standpoint of what went on and if there was an actual breach or if something inappropriate occurred.”
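Turning the logging on and then using it for monitoring and forensics, as an added example that is not from the article. It uses Oracle standard auditing and assumes the audit_trail parameter is already DB or DB,EXTENDED and the instance has been restarted; APP.CARDHOLDER, the application service account APP_SVC and the user JSMITH are assumed names:

```sql
-- Added example, not the article's code. Oracle standard auditing; names are assumed.

-- Record every login and logoff (successful or failed) and every account or
-- privilege change, so that there is a trail to read later.
AUDIT SESSION;
AUDIT ALTER USER, CREATE USER, DROP USER;
AUDIT GRANT ANY PRIVILEGE, GRANT ANY ROLE;

-- Record every statement that touches the regulated table, one row per execution.
AUDIT SELECT, INSERT, UPDATE, DELETE ON app.cardholder BY ACCESS;

-- Monitoring 1: repeated failed logins by account and host in the last day.
--               RETURNCODE 1017 is ORA-01017, invalid username/password.
SELECT username, userhost, COUNT(*) AS failures
  FROM dba_audit_trail
 WHERE action_name = 'LOGON'
   AND returncode = 1017
   AND timestamp > SYSDATE - 1
 GROUP BY username, userhost
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;

-- Monitoring 2: reads of cardholder data by anyone other than the application
--               service account, with the OS user and host they came from.
--               SQL_TEXT is populated only when audit_trail is DB,EXTENDED.
SELECT timestamp, username, os_username, userhost, terminal, action_name, sql_text
  FROM dba_audit_trail
 WHERE owner = 'APP'
   AND obj_name = 'CARDHOLDER'
   AND username <> 'APP_SVC'
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp;

-- Forensics: everything one account did over the last 30 days, in session order,
--            including statements that failed (non-zero RETURNCODE).
SELECT sessionid, timestamp, action_name, owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE username = 'JSMITH'
   AND timestamp > SYSDATE - 30
 ORDER BY sessionid, timestamp;
```

The two monitoring queries are the "inappropriate access" checks; the last one is the forensic reconstruction Laliberte refers to, which is only possible if the AUDIT statements were in place before the incident. With AUDIT_TRAIL=DB the trail lives in SYS.AUD$ inside the same database, so a DBA being investigated can alter it; writing it to OS files, or shipping it to a separate activity monitoring system, is what keeps the record trustworthy.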