Database security is crucial, experts say

At the RSA conference in San Francisco, Oracle’s Hasan Rizvi talks about stronger access controls and AppSecInc. debuts security suite.

SAN FRANCISCO -- The rise in security breaches in which critical information has been exposed has prompted organizations to better secure corporate databases where much of the data resides, said security experts at the RSA Conference here.

Companies have done a lot to protect the perimeter of their networks, but have not done enough to protect against threats from inside their organizations, said Hasan Rizvi, vice president of identity management and security products at Oracle. Rizvi gave a keynote presentation on Feb. 7, filling in for his boss, Larry Ellison, chief executive officer of Oracle, who could not make it because of the flu.

Rizvi said that currently access controls do not apply to database administrators, who can access all data that resides in databases, ranging from financial to human resource information. Many DBAs don’t want to have this type of access, he said.

Oracle’s Database Vault product can restrict access to corporate databases, Rizvi said. Database Vault gives DBAs full control of database operations. They can start, stop and back up databases, but they don’t have access to data, he said. The product can also trigger alerts for suspicious activity, for example, if someone is trying to access the corporate database from home.

Another area of concern for security managers is how they can manage access to hundreds of applications and information systems in an environment that is constantly changing. An automated approach is the key, Rizvi noted.

Oracle Identity and Access Management automates the process of managing user identities and access privileges. DBAs can manage user identities across all enterprise resources, both within and outside the corporate firewall.

Oracle executives also demonstrated Oracle Secure Enterprise Search. That product allows users to search and find public, private, and shared content across intranet web servers, databases, files on local disk or file servers, e-mail, document management systems and portals.

“Oracle is strong in identity and access control, but lacks vulnerability scanning” and intrusion detection for databases, said Ted Julian, vice president of marketing and strategy with Application Security, Inc. (AppSecInc).

AppSecInc launched DbProtect, an integrated suite of database security tools, at the RSA Conference. The suite builds on the company’s vulnerability scanning and intrusion detection products, AppDetective and AppRadar.

DbProtect provides discovery, vulnerability scanning, real-time monitoring, auditing and optional encryption.

The suite is broken into three categories:

  • Tamper Evident Privileged Activity Monitoring helps defend against misuse, fraud and abuse from internal and external users. 
  • Patch Gap Management aids with the prioritization of database vulnerability patches and provides real-time activity monitoring to identify and defend against attacks.
  • Application Awareness allows organizations to more effectively secure their databases and bolster compliance by leveraging business knowledge of critical assets.