The truth about database security

With all of the identity theft incidents lately, I've received an inordinate number of inquiries from large organizations about database security. This makes sense since a lot of confidential data resides in rows and columns in IBM DB/2, Oracle, or MS SQL Server.

To help these baffled end-users, I've spent some time lately speaking to the database vendors themselves as well as a number of third-party security vendors offering database security tools. It's early in my discussions but here are my takeaways so far:

1. Demand is on the rise. Database security used to fly under the radar but it doesn't any more. Database providers are hearing more requests for enhanced security features from customers, and third-party security vendors report that their phones are ringing and quarterly revenue is increasing. What's driving this demand? Regulatory compliance tops the list, but risk-averse CEOs are also scared to death of becoming the next security breach poster boy like CardSystems, ChoicePoint, or Bank of America.

2. There are no absolutes. If you are in the market for a database security solution, expect to hear a wide variety of opinions on the best technical countermeasures. Of course some of this debate is self-serving for the vendors, but a lot of it has to do with the early state of the market and real technical considerations. Since there are more questions than answers, Caveat Emptor must be the rule of the day.

3. Encryption still receives too much emphasis. Most people continue to believe that database security = encryption. Yes, encryption is important but it must be accompanied by a complete security lifecycle including risk analysis, vulnerability scanning, penetration testing, and secure policies and procedures. In other words, encryption is merely one layer in a layered database defense.

It's nice to see that users and vendors are paying attention, but it's also important to recognize that there is no database security panacea. Database security remains a work in progress that still requires the old IT triad (people, processes, and technologies) to be successful.