
Page 1: 2012 Enterprise Data Security Survey Results

2012 ISACA Webinar Program. © 2012 ISACA. All rights reserved.

2012 Enterprise Data Security Survey Results

Michelle Malcher, EVP, Director of Membership, IOUG
William Hardie, VP of Database Product Marketing, Oracle

2012 ISACA Webinar Program

Page 2: 2012 Enterprise Data Security Survey Results

Welcome!

• Type in questions using the Ask A Question button

• All audio is streamed over your computer
  – Having technical issues? Click the ? button

• Click Attachments button to find a printable copy of this presentation

• After the webinar, ISACA members may earn 1 CPE credit
  – Find a link to the CPE Quiz on the Attachments button
  – Once you pass the quiz, you'll receive a printable CPE Certificate

• Question or suggestion? Email them to [email protected]

Page 3: 2012 Enterprise Data Security Survey Results

Today's Speakers

Michelle Malcher
EVP, Dir of Membership, IOUG and DBA Team Lead, DRW Holdings

Willie Hardie
Vice President, Database Product Marketing, Oracle

Page 4: 2012 Enterprise Data Security Survey Results

Agenda

• Survey Overview
• 2012 Enterprise Data Security Survey Results
• Database Security Defense-in-Depth
• Conclusion
• Q&A

Page 5: 2012 Enterprise Data Security Survey Results

Survey Overview

• Independent Oracle Users Group
• 350 respondents
  – 12% government, 9% manufacturing
  – 9% healthcare, 9% education, 6% financial
• Organizations of all sizes
  – 21% 1-5K employees
  – 26% over 10K employees
• 39% have a DBA title
• 38% responsible for over 100 databases

Page 6: 2012 Enterprise Data Security Survey Results


57% Say Data Breach Likely or Don’t Know What to Expect Over Next Year…

What is the likelihood of a data breach over the next 12 months?

Page 7: 2012 Enterprise Data Security Survey Results


What do you see as the greatest risks to your data at this time?

Greatest Risks: Human Error, Internal Hackers, and IT Staff Abuse

Page 8: 2012 Enterprise Data Security Survey Results


Only 32% Prevent Non-Database Users from Seeing/Tampering with OS Level Data

Is personal identity information (e.g., social security, credit card, national identifier numbers) stored in your databases encrypted?

Page 9: 2012 Enterprise Data Security Survey Results


71% Susceptible to Non-Database Users Seeing/Tampering Data via Network Traffic

Is application data encrypted on the network to/from your database?

Page 10: 2012 Enterprise Data Security Survey Results


Only 23% Encrypt All Backups and Exports

Do you encrypt all your online and offline database backups and exports?

Page 11: 2012 Enterprise Data Security Survey Results

Use Encryption to Protect Data From Unauthorized Users

[Figure: encryption applied to data on disk, in backups, in exports, at off-site facilities, and at the application]

Page 12: 2012 Enterprise Data Security Survey Results


1 in 4 Admit Application By-Pass Possible –Allowing Direct Access to the Database

Can database users access application data in the database directly using ad-hoc tools or spreadsheets?

Page 13: 2012 Enterprise Data Security Survey Results


69% Have No Preventive Controls on Privileged Database Users or Unsure

Can you prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR, or other business applications?

Page 14: 2012 Enterprise Data Security Survey Results

Enforce Security Policies Inside the Database to Prevent Privileged User Misuse

[Figure: Procurement, HR and Finance application data held in one database; roles shown are Application DBA, DBA and Security DBA; the query "select * from finance.customers" is shown being checked against the policy enforced inside the database before any application data is returned]

Page 15: 2012 Enterprise Data Security Survey Results


Database Activity Monitoring - Critical Activities Remain Unmonitored

If monitoring production databases, indicate all activities you monitor

Page 16: 2012 Enterprise Data Security Survey Results


67% Use Native Auditing

Are you using native database auditing to monitor database activity?

Page 17: 2012 Enterprise Data Security Survey Results

Database Security Audits Infrequent at Best: 34% Never Do, or Unsure if Ever Done

How many database security audits does your organization do per year?

Page 18: 2012 Enterprise Data Security Survey Results


Only 19% Protect Audit Trail for All Databases – Easy to Tamper With

Do you consolidate database audit data to a central secure location to protect from unauthorized access or potential tampering by privileged database users?

Page 19: 2012 Enterprise Data Security Survey Results


3 in 4 Cannot Detect Unauthorized Database Access on Most Databases

Would you or a security administrator know if someone made an unauthorized database access to your database?

Page 20: 2012 Enterprise Data Security Survey Results


74% Could Not Prove Privileged Database Users Are Not Abusing Their Privileges

Could you prove database administrators & other privileged database users at your company are not abusing their super-user privileges?

Page 21: 2012 Enterprise Data Security Survey Results

Consolidated and Secure Auditing to Monitor Database Activity in Real-Time

[Figure: audit data from the CRM, ERP and HR databases is collected into a central, separately secured audit store; policies drive built-in reports, custom reports and alerts that are reviewed by an auditor]

Page 22: 2012 Enterprise Data Security Survey Results


54% Took >24 Hours to Detect & Correct Unauthorized Access or Change

If there was unauthorized database access or change, how long would it take your organization to detect and correct?

Page 23: 2012 Enterprise Data Security Survey Results


69% Have Limited to No Network-Based Database Firewall Solution

Are you using a network-based database firewall solution for blocking unauthorized database activity?

(Total does not equal 100% due to rounding.)

Page 24: 2012 Enterprise Data Security Survey Results

Database Traffic Monitoring to Block Unauthorized Access

[Figure: SQL traffic from the applications to the databases passes through a network-based policy enforcement point whose actions are Block, Log, Allow, Alert and Substitute; policies drive built-in reports, custom reports and alerts]
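The five policy actions named on the slide, worked into a small allowlist-based decision function. This is an added illustration, not code from the webinar or from any Oracle product; the application name "hr_app", the allowed statement shapes, the blocked prefixes and the sensitive table names are all constructed for the example.

```python
import re
from typing import Dict, Set, Tuple

# Constructed allowlist of statement *shapes* the (hypothetical) HR application
# is expected to issue. Literals are normalised to '?' so the shape, not the
# value, is matched; anything the application was not built to send stands out.
ALLOWED_SHAPES: Dict[str, Set[str]] = {
    "hr_app": {
        "SELECT EMP_ID, LAST_NAME FROM HR.EMPLOYEES WHERE EMP_ID = ?",
        "UPDATE HR.EMPLOYEES SET PHONE = ? WHERE EMP_ID = ?",
    },
}
# Statement types an application session has no business issuing.
BLOCKED_PREFIXES = ("DROP ", "TRUNCATE ", "GRANT ", "ALTER USER ")
# Constructed list of tables that must not be read outside the allowlist; such
# a read is answered with a harmless substitute (the slide's "Substitute" action).
SENSITIVE_TABLES = ("FINANCE.CUSTOMERS", "HR.SALARIES")
SUBSTITUTE_SQL = "SELECT NULL FROM DUAL WHERE 1 = 0"


def normalise(sql: str) -> str:
    """Reduce a statement to its shape: literals -> '?', whitespace collapsed."""
    shape = re.sub(r"'(?:[^']|'')*'", "?", sql)       # string literals
    shape = re.sub(r"\b\d+(?:\.\d+)?\b", "?", shape)   # numeric literals
    shape = re.sub(r"\s+", " ", shape).strip().rstrip(";")
    return shape.upper()


def decide(app: str, sql: str) -> Tuple[str, str]:
    """Return (action, statement to forward) for one captured statement."""
    shape = normalise(sql)
    if shape in ALLOWED_SHAPES.get(app, set()):
        return "ALLOW", shape
    if shape.startswith(BLOCKED_PREFIXES):
        return "BLOCK", shape
    if shape.startswith("SELECT") and any(t in shape for t in SENSITIVE_TABLES):
        return "SUBSTITUTE", SUBSTITUTE_SQL
    if shape.startswith(("INSERT", "UPDATE", "DELETE")):
        return "ALERT", shape      # unexpected write: forward, but raise an alert
    return "LOG", shape            # unknown read: record for later review


if __name__ == "__main__":
    # Constructed capture of statements seen on the wire from the HR app session.
    for stmt in ("select emp_id, last_name from hr.employees where emp_id = 42",
                 "select * from finance.customers",
                 "drop table hr.employees"):
        print(decide("hr_app", stmt))
```

A real deployment would learn the allowlist from a baseline of normal application traffic rather than hand-writing it, and would apply ALERT/LOG decisions in monitoring mode before switching to blocking.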

Page 25: 2012 Enterprise Data Security Survey Results


76% Take Longer than 3 Months to Apply Security Patches to All Systems

How quickly do you apply Critical Patch Updates to all systems?

Page 26: 2012 Enterprise Data Security Survey Results

Secure Complete Database Lifecycle to Prevent Configuration Drift

[Figure: lifecycle stages Discover, Scan and Monitor, Patch]

Page 27: 2012 Enterprise Data Security Survey Results


Over Half Have Production Data in Non-Production Environments

What kind of data is used within non-production environments? (e.g. staging and dev environments)

Page 28: 2012 Enterprise Data Security Survey Results


Nearly Half Outsource Database Functions to a Third-Party

Has your company outsourced or off-shored the following in the last year?

Page 29: 2012 Enterprise Data Security Survey Results

Irreversibly De-Identify Data for Non-Production Environments

Production

LAST_NAME | SSN         | SALARY
AGUILAR   | 203-33-3234 | 40,000
BENSON    | 323-22-2943 | 60,000

Non-Production

LAST_NAME  | SSN         | SALARY
ANSKEKSL   | 111-23-1111 | 60,000
BKJHHEIEDK | 222-34-1345 | 40,000

Data Never Leaves Database
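The masking shown on the slide (format-preserving random last names and SSNs, salaries shuffled across rows) as an added example in Python; it is not the webinar's or any product's code, and the sample rows are constructed, modelled on the slide's table. The one property that makes the output safe for non-production use is that no mapping back to the real values is ever kept.

```python
import random
import re
import string
from typing import Dict, List, Optional

# Constructed sample rows modelled on the slide's production table (fictitious people).
PRODUCTION_ROWS: List[Dict[str, object]] = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": 40000},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": 60000},
]

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def mask_rows(rows: List[Dict[str, object]],
              rng: Optional[random.Random] = None) -> List[Dict[str, object]]:
    """Return de-identified copies of rows. No lookup table is kept, so the
    output cannot be reversed to the real values.

    LAST_NAME: random uppercase letters of the same length (format preserved).
    SSN:       every digit replaced by a random digit, dashes left in place.
    SALARY:    values shuffled across rows, so totals and distribution survive
               for testing while no row keeps its real name/salary pairing.
    """
    rng = rng or random.SystemRandom()  # unseeded by default: not reproducible
    salaries = [row["SALARY"] for row in rows]
    rng.shuffle(salaries)
    masked = []
    for row, salary in zip(rows, salaries):
        ssn = str(row["SSN"])
        if not SSN_RE.match(ssn):
            raise ValueError(f"unexpected SSN format: {ssn!r}")
        masked.append({
            "LAST_NAME": "".join(rng.choice(string.ascii_uppercase)
                                 for _ in str(row["LAST_NAME"])),
            "SSN": "".join(rng.choice(string.digits) if c.isdigit() else c
                           for c in ssn),
            "SALARY": salary,
        })
    return masked


def leaks_original(rows, masked) -> bool:
    """True if any real last name or SSN survives in the masked output."""
    real_names = {row["LAST_NAME"] for row in rows}
    real_ssns = {row["SSN"] for row in rows}
    return any(m["LAST_NAME"] in real_names or m["SSN"] in real_ssns
               for m in masked)


def seeded_mask(seed: int) -> List[Dict[str, object]]:
    """Deterministic variant for tests only; never use a fixed seed in production."""
    return mask_rows(PRODUCTION_ROWS, random.Random(seed))
```

Shuffling salaries keeps the column's statistics useful for test and development work, which is why it is preferred here over replacing them with random numbers.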

Page 30: 2012 Enterprise Data Security Survey Results


Most Subject to Data Privacy and Protection Regulatory Requirements

Which of the following compliance mandates are you required to comply with?

Page 31: 2012 Enterprise Data Security Survey Results


Database and Security Groups Must Work Together to Address Issues

Who is responsible for database security in your organization?

Page 32: 2012 Enterprise Data Security Survey Results

Oracle Database Security Defense-in-Depth

Maximum Security for Oracle Databases:
• Oracle Advanced Security
• Oracle Database Vault
• Oracle Label Security
(Transparent Data Encryption, Privileged User Controls, Multi-Factor Authorization, Data Classification, and Change Tracking)

Security for Production and Non-Production Database Environments:
• Oracle Database Lifecycle
• Oracle Enterprise Manager
• Oracle Data Masking
(Secure Configuration Scanning, Automated Patching, Configuration Change Control, Sensitive Data Discovery, Data Masking)

Security for Oracle and non-Oracle Databases Outside the Database:
• Oracle Audit Vault
• Oracle Database Firewall
(Database Activity Auditing and Reporting, SQL Traffic Monitoring and Blocking, Real-Time Alerting, Workflow Automation)

Page 33: 2012 Enterprise Data Security Survey Results


Q&A

Page 34: 2012 Enterprise Data Security Survey Results

For More Information

• oracle.com/database/security
• or search.oracle.com: "database security"