Enterprise data is growing and managing that data growth has resulted in the implementation of an increasing number of databases and centralisation of most critical company information in large data warehouses. As more companies aggregate all important organisational information into a data warehouse or ever larger core databases in order to improve decision making, it is possible for a single breach of data security to become a catastrophic event. However, many organisations here have been slow to adopt security controls to mitigate this risk. To compound the issue of ever growing data and immature security controls, the economic recession has created something of a perfect storm for increasing levels of e-crime and fraud. In the KPMG 2009 Worldwide E-Crime Survey, 66 percent of survey respondents “agree that an increase in out-of-work IT professionals during the recession will lead to more people with technical skills joining the cyber-criminal underground economy”. In the recently released KPMG Fraud Survey 420 companies in Australia and New Zealand were surveyed and 45 percent of them reported at least one fraud with a total value of $301 million and an average of $1.5 million per organisation. In 89 percent of the frauds, there was no recovery made and according to those surveyed, internal controls were the most effective means of detecting fraud and poor internal controls were the most important factors contributing to fraud. To manage the risk of data loss or data extraction from key databases, there are a few controls that should be considered. First, your privileged users (database administrators primarily) have extensive access to all of your data. It is appropriate to perform extensive checks into their background prior to them joining the organisation. Most companies have no controls around monitoring database administrator (DBA) activities and frequently they operate in thios country as departments of one (with relatively little oversight). A malicious DBA could extract significant proprietary, customer, or financial data for sale or to monetise in other ways without the organisation even knowing it is occurring. This brings us to the second recommendation, implementation of technical controls for database security. Database logging and database firewalls appear to be almost completely absent in New Zealand. Solutions like Audit Vault from Oracle, Database Firewall from Imperva (includes database assessment capability, database firewall and logging), or Guardium’s family of database security and auditing products, could assist an organisation with controlling the risk of both an internal or external bad "actor" attempting to gain access to the database. These solutions will need to be monitored by personnel outside of the DBA’s organisation to realise true segregation of duties. Third, organisations should implement an extensive pre-production testing programme that includes source code reviews, application assessments, database assessments, and network/security assessments as part of the process of implementing any new technology solution. These assessments should be performed by an organisation independent of the organisation performing the implementation. Lastly, begin looking into the implementation of an Information Security framework like ISO27001/27002 and Security in the Government Sector (SIGS). Section 7 of ISO 27002 is most directly on point and provides extensive recommendations for improving data security. Chapters three and four in SIGS are most on point and should be closely followed by governmental organisations. By following the recommendations in the standards and implementing common sense controls. Business, IT, Information Privacy, and Information Security leaders will be helping their organisation achieve an acceptable level of risk, while still enjoying the benefits that the largest databases can provide.
Svetcov is the managing director of SV Technology, a boutique information security consulting company located in Auckland. He is a former Information Security Director at salesforce.com and former National Service Leader for KPMG’s NZ Information Security and Business Continuity practise.