Today, fast-growing organizations are generating data at a breakneck pace, and building up diverse database environments in order to store and share data more effectively. While these activities are the sign of a thriving business, governing and securing all this data rarely keeps pace with new business initiatives. This is especially true as companies make significant investments in migrating critical applications and systems to off-premises modern databases, such as cloud and big data repositories.
Security professionals are rarely included in the business decisions to deploy these initiatives. For organizations great and small that are growing giant data estates, database security should be the name of the game to preserve and retain the business value they have created. Unfortunately, for many security teams this is not the case. The business continues to push forward with faster, cheaper development requiring more and larger data sources without a corresponding effort to secure them, yet organizations still expect their security teams to protect it all.
Historically, organizations in general have gotten away with paying very little attention to the database security domain. Only large, well-funded enterprises have had the staff and resources to acquire the tools required for database security. For everyone else, as long as security teams could monitor the small segment of the data estate that ensured regulatory compliance, organizations felt their security posture was sufficient. And to be fair, until recently there weren’t that many databases to worry about. In this light, it makes sense why most organizations left database security out of their core security strategies.
Today new considerations and challenges have emerged along with the data explosion that are changing the security landscape. To meet new challenges, all organizations need to make database security, not just compliance, the core objective of their data protection strategy. Even for organizations that have implemented traditional compliance-focused strategies for protecting data, this approach is no longer sufficient. At Imperva, we have delivered data protection technology to more than 6,200 enterprise customers for nearly 20 years. We can say with confidence that continuing to ignore the database security domain is a critical mistake.
Database compliance is not database security
Every day, more organizations come to realize that simply checking the compliance box is not database security and is not going to protect their businesses. Those well-funded enterprises that have already made sizable investments in database security want to get more business value. They have spent a great deal of money and get hardly anything out of the investment beyond compliance reports. The result is a growing motivation in these organizations and many others to apply more security principles around the giant data estates they have amassed.
Legitimately securing entire data estates requires a great deal of work that the overwhelming majority of organizations have yet to do. Very few organizations do enough at the database layer to secure data. Even the 10-20% of the market that has invested in database security tools fails to protect data at the database layer. Most companies that claim to have a comprehensive program in place for database security don’t actually have one. In most instances, “database security” is a misnomer – what these organizations really have are database compliance programs. Very few actually derive security benefit from their programs. Their tools were never architected to meet the degree of complexity that exists in today’s data security environment. The security components featured in these tools were not really effective, not actual security controls, and not widely used.
The degree of difficulty for database security has exploded with data estate growth
The data security landscape is getting more challenging in a number of different dimensions, and this is compounding the degree of difficulty in protecting data. For example, the pressures on security visibility across the board are growing. Seeing what you need to see for compliance is not enough to stop data breaches. Most organizations that have fallen prey to high-profile data breaches were actually in regulatory compliance. Also, the diversity of the database landscape is growing. Until recently, most organizations standardized on a handful of on-premises databases and used native logging or database activity monitoring to ensure those environments complied with data protection regulations. Today, data must be shared across dozens of databases and connecting applications and users, leading to a loss of control over quality and standards as management is distributed across teams. Simultaneously, consumers have become increasingly aware of how the services they use are capturing and storing their information. As a result, organizations are under immense pressure to protect data from theft, abuse and exfiltration. Lastly, the dynamics of the landscape (e.g., rapidly changing privacy requirements) are growing. For example, data privacy regulations like GDPR and CCPA now hold organizations more accountable and give consumers more control over how their personal data is used. No matter what industry you are in, if you retain Personally Identifiable Information (PII) you must be able to comply with new data privacy rules. These regulations raise the accountability for failure through costly audits, penalties and fines, and damage to your brand reputation.
Need to shift from a tactical to a strategic mindset on database security
Historically, organizations have treated database security as a series of tactical investments to deal with discrete issues. For example, when an organization needs SOX compliance reporting, they buy a tool that can deliver it. Next, they need PCI reporting. They want to know if they can use the same tool. Today’s new security world requires organizations to look at database security strategically, in a manner in which they can both solve for immediate needs and plan for a changing landscape to ensure a sufficiently future-proof security posture. In other words, a strategy that prepares for challenges that you can see, and for the challenges you cannot even envision yet.
Even for organizations that have programs in place capable of meeting today’s compliance requirements, a strategic approach to database security enables them to keep their system and add new technology to make it future-proof.
Get strategic database security insights from the industry’s best
In the webinar Get Beyond Compliance and Achieve Real Database Security, Imperva Fellow and SVP Terry Ray explains that to keep pace with the database activity explosion that has accompanied recent rapid technology innovations, you must rethink your strategy for securing data assets. Meeting compliance requirements is not enough. You must develop new approaches that enable complete visibility into your entire data estate to achieve real data security today and in the future. Watch this webinar on-demand.