Organizations are most concerned about protecting the network against external attacks, but actual breaches are pointing to culprits dwelling within the corporate walls.
A survey of 83 IT decision-makers conducted by Forrester Research revealed that while insider breaches topped the list of attacks in 2005, this kind of risk is only a mid-level concern among organizations.
There is a “clear misalignment” between what enterprises perceive as risks and the real risks in data security, wrote Forrester analyst Jonathan Penn in his report entitled Aligning Data Protection Priorities with Risks.
“[Survey respondents] underinvested in protecting against (attacks by) authorized users, and overinvested in protecting against attacks exploiting network and system vulnerabilities,” said Penn.
Thirty-four per cent of the companies surveyed by Forrester suffered at least one data breach in 2005, and of those, 53 per cent were caused by insider attacks. Only seven per cent reported Web site, network or system attacks last year.
New offerings from Oracle Corp. and EMC Corp. are aimed at strengthening internal controls to protect against insider attacks.
Oracle’s new Database Vault, for instance, enforces preventive controls by limiting the access that so-called “super users,” such as database administrators (DBAs), have to the database, according to their specific duties.
“While you have a lot of controls on basic user population, you (also) have super users like the DBAs who are completely unrestricted; they can go anywhere and everywhere in the system…whether it’s relevant to their jobs or not,” said Wynn White, senior director, security and identity, Oracle in Redwood Shores, Calif.
Oracle’s Database Vault defines realms, essentially “protection zones” around an application or a particular database object, that specify which administrators are allowed to access it, said White.
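As an added illustration, not taken from the article or from Oracle’s own documentation, the following PL/SQL shows what such a realm looks like in practice: a realm around a salary table, a rule set that limits when and from where the authorized account may act, and the checks a DBA would run afterwards. The schema HR_APP, table EMP_SALARY, account HR_APP_OWNER and host name app01 are invented for the example; the DBMS_MACADM and DBMS_MACUTL calls are written from memory of the Database Vault administration API and should be confirmed against the documentation for the release in use.

```sql
-- Added example (not from the article or Oracle). Run as the Database Vault
-- owner (DV_OWNER role). Names HR_APP, EMP_SALARY, HR_APP_OWNER and APP01 are
-- assumed; procedure signatures are from memory of the DBMS_MACADM API and
-- should be checked against your release's reference.

BEGIN
  -- 1. The realm: a protection zone. Failed attempts are audited.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Salary Realm',
    description   => 'Protects salary data from unrestricted DBA access',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Put the sensitive object inside the realm.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Salary Realm',
    object_owner => 'HR_APP',
    object_name  => 'EMP_SALARY',
    object_type  => 'TABLE');

  -- 3. Rules and a rule set: the operational conditions under which access
  --    is allowed (business hours, and only from the application server).
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business hours',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) BETWEEN 8 AND 18');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From app server',
    rule_expr => 'UPPER(SYS_CONTEXT(''USERENV'', ''HOST'')) = ''APP01''');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR Salary Access',
    description     => 'Owner may touch salary data only from app01 in business hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,   -- every rule must hold
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Salary data may only be accessed from app01 during business hours',
    fail_code       => -20100,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR Salary Access', rule_name => 'Business hours');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR Salary Access', rule_name => 'From app server');

  -- 4. Authorize only the application owner, and only while the rule set
  --    evaluates true. Nobody else, SYS and DBAs included, is authorized.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Salary Realm',
    grantee       => 'HR_APP_OWNER',
    rule_set_name => 'HR Salary Access',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Check 1: what the realm covers and who is authorized in it.
SELECT * FROM DBA_DV_REALM_OBJECT WHERE realm_name = 'HR Salary Realm';
SELECT * FROM DBA_DV_REALM_AUTH   WHERE realm_name = 'HR Salary Realm';

-- Check 2: connected as a DBA who holds SELECT ANY TABLE, this now fails with
-- ORA-01031 (insufficient privileges) even though the system privilege is
-- still granted; the realm, not the privilege, decides.
SELECT COUNT(*) FROM HR_APP.EMP_SALARY;
```

Two caveats a practitioner would want: a realm blocks access that relies on system privileges such as SELECT ANY TABLE or DROP ANY TABLE, but a direct object grant on the table is still honoured, so the existing object grants on anything placed in a realm need reviewing as well; and the rule expressions run as SQL, so conditions based on SYS_CONTEXT values are only as trustworthy as the session attributes they read.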
Rules are then set around that realm that further restrict access based on operational requirements, he added.

EMC Corp. has taken an “information-centric” strategy to security, said Dennis Hoffman, EMC’s vice-president of information security in Hopkinton, Mass.
“Perimeter-centric security is necessary, but it’s not sufficient to actually protect the data,” Hoffman stressed.
EMC packaged a number of its products and services to offer a four-step approach to information security that includes an assessment of an organization’s level of information security, securing the information infrastructure, directly protecting sensitive data, and managing information security deployments to measure their effectiveness.