The perils of unprotected production data

The proliferation of unprotected sensitive data in enterprise databases may lead to a data breach. Are you prepared to stop it?

Storage has always been a passion of mine. In 2000, I was a card-carrying SNIA member and worked on an SNIA committee regarding certification paths for IT pros to prove their storage know-how. That was during my SAN/NAS days at CommVault Systems when I wrote "Enterprise Storage Solutions for Sybex" with Chris Wolf, a noted virtualization expert at The Burton Group. Times have certainly changed, judging from last week’s Storage Networking World, which laid bare the raft of troubles today’s organizations face when it comes to storing sensitive data.

First off, sensitive data left unprotected in the enterprise is on the rise. The number of internal-use databases that carry Social Security numbers, credit card information, and the like is striking. When it comes to unauthorized access, these databases -- SQL Server and Access in particular -- are prime and constant targets.


"There are a number of ways enterprises and vendors have tried to address this problem," Michael Mesaros from Dataguise told me, "and they each have their strengths and weaknesses."


Mesaros continued, "Application firewalls monitor database activity and seek to prevent unauthorized data access by users and malware. This does little good in preventing the spread of sensitive data accessed by authorized users and applications, however. Database encryption protects data from disclosure via direct disk access; however, data must be decrypted to be used by an application, and if the data is visible to the user, it can be stolen or compromised. Finally, data loss prevention [DLP] technologies can crawl databases to find sensitive data, index it, and create data 'fingerprints,' so the data could be recognized at an egress or endpoint. The limitation of DLP, however, is in its ability to provide managers and analysts with a view of how sensitive data is organized within the application."

In response to this growing problem, Dataguise's DgDiscover first locates the databases deployed on a company's network and then searches them, returning statistics on the volume and location of sensitive information, including credit card numbers, Social Security numbers, personal identifiers, and custom-defined data types. This information lets managers track sensitive data at the application level. DgDiscover also provides an easy way to identify data that requires masking when it is copied from production servers for nonproduction use.
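To make the discovery step concrete, here is an added example (not DgDiscover's code or the column's own): a minimal Python scanner that walks every column of a SQLite database, flags values shaped like Social Security numbers or payment card numbers (with a Luhn check to cut false positives), and reports hit counts per table and column. The table, column names and sample rows are constructed for the example.

```python
import re
import sqlite3
from collections import Counter

# Constructed example (not DgDiscover's code): walk every column of a SQLite
# database and count values that look like SSNs or payment card numbers.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")

def luhn_ok(digits):
    """Luhn checksum; rejects most digit strings that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value):
    """Return 'ssn', 'card' or None for one cell value."""
    if not isinstance(value, str):
        return None
    s = value.strip()
    if SSN_RE.match(s):
        return "ssn"
    if CARD_RE.match(s) and luhn_ok(re.sub(r"[ -]", "", s)):
        return "card"
    return None

def scan_database(conn):
    """Map (table, column) -> Counter of hit types, for columns with any hits."""
    findings = {}
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            col = row[1]  # table_info row: (cid, name, type, notnull, dflt, pk)
            hits = Counter(k for (v,) in conn.execute(f'SELECT "{col}" FROM "{table}"')
                           if (k := classify(v)))
            if hits:
                findings[(table, col)] = hits
    return findings

def build_sample_db():
    """Constructed sample data: one SSN, the 4111... test PAN, one Luhn-invalid lookalike."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, name TEXT, note TEXT, pan TEXT);
        INSERT INTO customers VALUES (1, 'A. Example', '123-45-6789', '4111 1111 1111 1111');
        INSERT INTO customers VALUES (2, 'B. Example', 'call back Monday', '4111 1111 1111 1112');
    """)
    return conn
```

Running `scan_database(build_sample_db())` reports one SSN in `customers.note` and one card number in `customers.pan`; the Luhn-invalid lookalike and the integer `id` column produce no hits, which is the kind of per-column view a masking decision needs.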
