AberdeenGroup. The Importance of Database Vulnerability Assessments. Business Value Research Series. September 2005

Transcription

1 e AberdeenGroup The Importance of Database Vulnerability Assessments Business Value Research Series September 2005

2 Executive Summary Why a Vulnerability Assessment is Important A mid all the gains of the Information Age comes an increasingly threatening trade-off: the exposure of confidential, sensitive information that can wound a company or person. With increased government regulation covering such areas as corporate disclosure and information privacy, it s necessary for businesses to make sure the information residing in their databases is secure. Aberdeen research has found that senior executives are making best security practices a major improvement initiative for three key reasons: avoiding fallout from customer and corporate data leakages (especially from within the company), passing regulatory audits, and maintaining agility in a rapidly changing global economy. All the more reason to ensure data is protected. That s why many organizations rely on database vulnerability assessments as part of their information security strategies to guard against information theft that could expose a company to liability. A database vulnerability assessment hunts for weaknesses in databases and searches for anything out of the ordinary, allowing organizations to act before they re subjected to a devastating attack. Policies and Procedures First Organizations must first establish policies and procedures for accessing information, since a vulnerability assessment can make sure they re being followed. When they re not, an assessment can help alert the company to potential attacks and risks to company data. Automated assessment tools can do the job, and with the heavily increased focus on information security, automation is yielding strong, positive results and allowing IT to focus more of its energy elsewhere. In a recent Aberdeen report, Best Practices in Security: Information and Access, some firms employing best practices in securing information and access to their databases came to realize that automation found hundreds of vulnerabilities, and plugged gaps in complying with growing government regulations, especially Sarbanes-Oxley. Also, automated improvements in auditing helped slash audit deficiencies by 20% to 45%. Aberdeen believes strongly that regular vulnerability assessments of corporate databases should be a cornerstone of sound, ongoing management of database security, and of overall security strategy. The stakes are too high to ignore them, with growth, market share, profitability, brand image, and compliance in an expanding regulatory environment all near the top of many corporate agendas. Automating assessments has the potential to offer a comprehensive way of doing the job, providing much savings in time, labor, and money. Aberdeen believes that specific solutions that test for database vulnerabilities and information risks constitute a best practice. ii AberdeenGroup

3 Aberdeen Recommendations Aberdeen recommends that organizations take the following actions: Test and validate databases and configuration vulnerabilities where critical customer and business data reside. Be sure any tool you re considering is based on industry-accepted best practices and is customizable to meet business needs in supporting as many of your organization s internal security policies and procedures as possible. The degree of competition your organization faces, its brand image, and the degree of government and industry regulation it must follow should dictate how often it should conduct a vulnerability assessment. For instance, a financial services organization should check more often; so should any organization that must adhere to Sarbanes-Oxley. AberdeenGroup iii

4 Table of Contents Executive Summary... ii Why a Vulnerability Assessment is Important...ii Policies and Procedures First...ii Aberdeen Recommendations...iii Chapter One: What is a Database Vulnerability Assessment?...1 Policies and Procedures First... 2 Why Frequent Database Vulnerability Assessments Are Important... 3 Checking for Vulnerabilities... 4 Chapter Two: Aberdeen Recommendations...5 Appendix A: Research Methodology...6 Appendix B: Related Aberdeen Research & Tools...7 About AberdeenGroup...8 Figures Figure 1: Focus of Business Improvements to Automate Information Access...2 AberdeenGroup

5 Chapter One: What is a Database Vulnerability Assessment? T he Information Age has, without question, changed the workplace in numerous ways, creating a near universal reliance on electronic devices that can make it easier to work. The trade-off, however, is the exposure of confidential, sensitive information that can wound a company or person. With increased government regulation covering such areas as corporate disclosure and information privacy, it has become necessary for businesses to make sure that the information residing within their databases is locked down tightly. That applies especially to data on customers. The key constituency provided with access to this information is a corporation s customers. This makes sense. After all, it s the customers whom employees should be interacting with in order to produce positive financial results. The percentage of companies automating access to information for customers supersedes automation in other focus areas of business improvement (Figure 1). This should not be surprising given the strong linkage between customer sales and service, and the business imperative to increase customer retention and efforts to improve top-line growth. So, there s little reason why Aberdeen research has found that senior executives are making best security practices a major improvement initiative for three key reasons: avoiding fallout from customer and corporate data leakages (especially from within the company), passing regulatory audits, and maintaining agility in a rapidly changing global economy. All the more reason to ensure data is protected. That s why many organizations rely on database vulnerability assessments as part of their information security strategies to guard against internal information theft that could expose a company to liability. A database vulnerability assessment hunts for weaknesses in databases and searches for anything out of the ordinary, allowing organizations to act before they re subjected to a devastating attack. AberdeenGroup 1

6 Figure 1: Focus of Business Improvements to Automate Information Access Source: AberdeenGroup, June 2005 Policies and Procedures First Organizations must first establish policies and procedures for accessing information, since a vulnerability assessment can make sure those processes are being followed. When they re not, an assessment can help alert the company to potential attacks and risks to company data. To be sure, there are knowledgeable information security consultants who can do the job and provide solid advice for organizations whose security practices need tune-ups or overhauls. But they would need some time to become familiar with a client s information security policies and procedures as well as its competitive and regulatory landscapes before probing the databases. Then, of course, there s the separate issue of whether they are available for the time slot in which you would need them. But there are automated assessment tools that can do the job. With a heavier focus on information security, automated tools are helping companies yield strong, positive results, and allowing IT to focus more of its energy elsewhere. In a recent Aberdeen report, Best Practices in Security: Information and Access, some firms employing best practices in securing information and access to their databases came to realize that automation found hundreds of vulnerabilities and plugged gaps in complying with growing govern- 2 AberdeenGroup

7 ment regulations, especially Sarbanes-Oxley. Also, automated improvements in auditing helped slash audit deficiencies by 20% to 45%. All companies in the report also cite data and knowledge as their most critical tools for improving the performance of their security programs. The stance these sites take: What you don t know is much more important than what you do know. Some of these sites track and aggregate data from their information and access procedures, creating real-time risk management dashboards. What s interesting to note is that all companies are discovering the benefits security is providing business operations, especially lower costs in support and IT operations. Further, almost all the companies rate protection, segmentation, and monitoring of customer and corporate data among the most important criteria for their security programs. Why Frequent Database Vulnerability Assessments Are Important According to the report, many firms cite regulatory audit pressures for moving ahead with greater controls over access to information. Firms are also concerned about protecting their brands, especially in such data-intensive and regulation-heavy industries as finance, healthcare, and financial services. Along with that comes external factors that impact database security, such as software upgrades, application changes, a constant flow of patches, and an omnipresent hacker community that s much quicker at exploiting new, patched, and upgraded software and gaining access into an organization s information jewels. But the largest problem may lie with people, the end users who handle most of the information that rests within corporate databases. They may use data either maliciously, or accidentally, say, by leaving a password on a desk for someone else to write down, or downloading software onto a desktop that opens a security hole. All this points up to the importance of vulnerability assessment tools. Aberdeen considers the use of them a best practice, especially those dedicated to corporate databases that can protect data on a wide variety of devices and media. Consider a vulnerability assessment as an occasional checkup in which the organization is being tested for potential illnesses (data loss), warning signs that could presage a potential illness (a security hole), and if the organization is doing the right things to guard against illness. They may include such operations standards as making sure employees are adhering to information security policies and procedures and that the IT organization is doing its part, such as monitoring software upgrades and password refreshes. Indeed, the inverse of accelerated information sharing, the security controls imposed on who can access what information, under what circumstances, and when, depend on the nature of three critical inputs: 1) The organization s polices and standards 2) The need to keep the firm s name out of the media by avoiding mishandling of customer data 3) The need to pass a number of different audits A financial services company profiled in the Aberdeen report deployed a wide range of vulnerability assessment technologies to identify weaknesses. As part of this evolution, AberdeenGroup 3

8 the firm decided to automate security scanning, vulnerability assessment, and remediation for its databases, where most core data resides. The company has been able to verify the locations of core data, vulnerabilities in its databases and their underlying operating systems, and the changes to data. The firm is using alerts for conditions that exceed its risk thresholds, while ensuring that configuration mistakes and security vulnerabilities in the databases are fixed. In addition, the company has been able to identify and eliminate inappropriate privilege conditions, authorized and unauthorized access to data, and suspicious behavior regarding its most valuable IT assets: its data and customers data. If your organization considers top-line growth, global competitiveness, and increased regulation among its foremost concerns, automated vulnerability assessments make sense, conducted regularly, make sense. Checking for Vulnerabilities Before devising a strategy for vulnerability assessments, evaluate the business risks involved with data leakage, including the potential of lost and disaffected customers, the costs of legal action, regulatory compliance problems, delays that may be caused in sourcing products, and lost business opportunity due to stolen product designs. Then, do a complete mapping of the technology infrastructure by major business processes to understand how the systems, networks, applications, and information flows should be operating to support business operations. For companies with Sarbanes-Oxley programs underway, this additional effort should not have to be too extensive. All firms should pinpoint where sensitive data resides in their organizations and develop a gap analysis between the desired and actual conditions. After evaluating the business risk impact, find and fix the security blind spots in your organization by identifying and resolving vulnerabilities in key databases. A tool that can store your organization s information security policies, especially role-based access controls, can determine if those policies are being followed and be especially helpful in detecting potential vulnerabilities within the company. 4 AberdeenGroup

9 Chapter Two: Aberdeen Recommendations A berdeen believes strongly that regular vulnerability assessments of corporate databases should be a cornerstone of sound, ongoing management of database security and of overall security strategy. The stakes are too high to ignore them, with growth, market share, profitability, brand image, and compliance in an expanding regulatory environment all near the top of many corporate agendas. Automating assessments has the potential to offer a comprehensive way of doing the job, providing much savings in time, labor, and money, and Aberdeen believes that specific solutions that test for database vulnerabilities and information risks constitute a best practice. Aberdeen offers the following recommendations: Test and validate databases and configuration vulnerabilities where critical customer and business data reside; Be sure that any tool you re considering is based on industry-accepted best practices and can be customized to meet business needs in supporting as many of your organization s internal security policies and procedures as possible; and The degree of competition your organization faces, its brand image, and the degree of government and industry regulation it must follow should dictate how often it should conduct a vulnerability assessment. For instance, a financial services organization should check more often; so should any organization that must adhere to Sarbanes-Oxley. AberdeenGroup 5

10 Appendix A: Research Methodology P rimary quantitative research that contributed to this report includes benchmark research programs conducted with more than 500 qualified respondents, along with more than 100 in-depth interviews. Further research was conducted with more than 200 companies known to be operating at best-in-class levels by Aberdeen. 6 AberdeenGroup

11 Appendix B: Related Aberdeen Research & Tools Related Aberdeen research that forms a companion or reference to this report includes: Best Practices in Security: Information and Access (June 2005) Best Practices in Security: Network and Infrastructure (June 2005) Best Practices in Security: Governance (June 2005) The Automating Information Access Benchmark Report (September 2004) The Security Spend Management Benchmark Report (December 2004) Information on these and any other Aberdeen publications can be found at AberdeenGroup 7

12 About AberdeenGroup Our Mission To be the trusted advisor and business value research destination of choice for the Global Business Executive. Our Approach Aberdeen delivers unbiased, primary research that helps enterprises derive tangible business value from technology-enabled solutions. Through continuous benchmarking and analysis of value chain practices, Aberdeen offers a unique mix of research, tools, and services to help Global Business Executives accomplish the following: IMPROVE the financial and competitive position of their business now PRIORITIZE operational improvement areas to drive immediate, tangible value to their business LEVERAGE information technology for tangible business value. Aberdeen also offers selected solution providers fact-based tools and services to empower and equip them to accomplish the following: CREATE DEMAND, by reaching the right level of executives in companies where their solutions can deliver differentiated results ACCELERATE SALES, by accessing executive decision-makers who need a solution and arming the sales team with fact-based differentiation around business impact EXPAND CUSTOMERS, by fortifying their value proposition with independent fact-based research and demonstrating installed base proof points Our History of Integrity Aberdeen was founded in 1988 to conduct fact-based, unbiased research that delivers tangible value to executives trying to advance their businesses with technology-enabled solutions. Aberdeen's integrity has always been and always will be beyond reproach. We provide independent research and analysis of the dynamics underlying specific technologyenabled business strategies, market trends, and technology solutions. While some reports or portions of reports may be underwritten by corporate sponsors, Aberdeen's research findings are never influenced by any of these sponsors. 8 AberdeenGroup

13 AberdeenGroup, Inc. 260 Franklin Street Boston, Massachusetts USA Telephone: Fax: AberdeenGroup, Inc. All rights reserved September 2005 Founded in 1988, AberdeenGroup is the technologydriven research destination of choice for the global business executive. AberdeenGroup has over 100,000 research members in over 36 countries around the world that both participate in and direct the most comprehensive technology-driven value chain research in the market. Through its continued fact-based research, benchmarking, and actionable analysis, AberdeenGroup offers global business and technology executives a unique mix of actionable research, KPIs, tools, and services. The information contained in this publication has been obtained from sources Aberdeen believes to be reliable, but is not guaranteed by Aberdeen. Aberdeen publications reflect the analyst s judgment at the time and are subject to change without notice. The trademarks and registered trademarks of the corporations mentioned in this publication are the property of their respective holders.