In this three-part series, you’ll hear first-hand from security architects on the front lines about what it takes to move organizations from a compliance-centric to a mature data-centric database security model. You’ll gain insight into the challenges associated with retaining, accessing and searching long-term data, and identifying sensitive customer data to comply with stricter compliance regulations. In parts two and three, you’ll see how other security professionals are managing their executive teams, security teams, and other stakeholders through the transition from compliance-centric to data-centric security.
Reporting on data for compliance beyond several weeks requires a new approach to retention
As organizations add complex new databases to their data estate and new regulations call for organizations to retain database activity for as long as seven years, gaining access to and reporting on archived data has emerged as one of the security architecture team’s principal challenges. Most organizations can only retain logging data for a few weeks, even in organizations that have invested heavily in database activity monitoring (DAM) tools. This is sufficient for a compliance-centric security model built to respond to relatively few regulatory requirements. Today, however, organizations must prepare for stricter, more comprehensive laws governing compliance, privacy and sensitive data, and that requires much longer data retention capabilities. One security architect commented, “Using our current system, restoring older data from archives for reporting can take weeks. We’ve been asking for longer retention, but there is a cost issue, so we haven’t gotten it. Pretty soon, we’ll need to be able to access older data and report on it in seconds. This is no joke, data storage has become a real crisis.”
Many organizations’ executive management don’t truly understand the bigger picture around the data retention challenge. Another security architect we work with explains: “Management thinks because the data is in the database there’s nothing else to do. But that’s not the point. The tool you use to monitor databases also needs to track who has privileged access to the databases, including DevOps and DBAs. That’s the reason for requiring years of retention. If you don’t have the right tool to take data out of the database, the process can really bog down even a medium-sized company.” This is a critical point because there are countless examples of organizations not knowing when their data was breached. They must go back into the data and look for indications of when it happened. This usually takes a long time and considerable resources. In a secure database, the data is not compressed. So when a security specialist pulls it out and puts it into a suitable log monitoring tool, it is secure. They can quickly search years’ worth of retained data. “If you don’t have searchable access to three to six years of data”, the security architect added, “you could be in big trouble.”
The data bears this out. A recent NOMINET Survey* of 408 CISOs reveals how frequently this happens. Sixty percent of participating CISOs admitted to finding malware on their infrastructure which had been there for an unknown period. “For a security architect, this finding is not a surprise. If you don’t have a secure, searchable log monitoring tool for large volumes of data, you are forced to manage aggregators and deal with servers jumping from collector to collector. It is almost impossible to locate data, let alone search it. With the right tool in place, you can run a search, solve the mystery in a few minutes and avoid a real problem,” the security architect that we interviewed concludes.
If you don’t know what sensitive data you have, how it got there, or where it is, you cannot manage database security
Most organizations really don’t know where all their sensitive data is or how it flows into the company. If you don’t know your data or who can see your data, you can’t secure it. To get data-centric security right, in the event of a data security breach, a security architect needs to know what was taken and who had access to it. “You need to be able to answer these questions right out of the box,” commented another security architect. “If you cannot, that is a huge problem. Not only does it hamstring your compliance effort, it makes real database security impossible. Knowing that information helps you fine-tune your security and protect your data. If you don’t know that, you can’t secure the data.”
The aforementioned NOMINET Survey reveals that it takes the average organization about two weeks just to discover a security incident. The security architect we interviewed explains how this could easily happen: “In a prior role, my organization was using a DAM tool. To discover and identify data, I had to manually write regular expressions, then conduct a search and deal with the validations, which was complicated and time-consuming. I always wondered if I wrote the expression correctly. Even if the expression was good, a lot of things can go wrong in the process. Take drivers’ license data, for example. Everyone would agree that this is personal data. Single US states can have several formats in that one field. In my organization, to validate those fields I was compelled to ask for special permission and get set up to access this data for a specific period. Then I was required to log in and try to find the field. Why are these rules so strict? They must be, as this process is not just about identifying and classifying sensitive data. In the end, I was still responsible to protect everyone with any privileged level of access as well as the data itself. With my DAM tool, we were doing sample sizes of 50,000 records. Unfortunately, the DAM tool couldn’t tell me what records they found, or where they came from. It was just raw data and it made the process even more challenging.”
Next time, our security architects discuss managing organizational leadership through the transition to data-centric security…stay tuned.
*The security architects’ quotes in this piece are not from the NOMINET Survey and are in no way affiliated with or related to it.
Try Imperva for Free
Protect your business for 30 days on Imperva.