A study by the independent association ISUG found that database administrators lack experience in change control and patch management. According to the study results published on Wednesday, database administrators (DBAs) are all still far from perfect.
The study found that many DBAs and IT decision makers admit that they are not very competent in security matters such as change monitoring, patch management, and system auditing.
On behalf of Application Security Inc., Unisphere Research interviewed 214 Sybase administrators belonging to the International Sybase User Group (ISUG) about their experience with database security. The vast majority of organizations lack safeguards to keep the information in their enterprise databases secure.
“Most of the respondents admitted that they make numerous copies of production data, but many are unable to provide direct control over the security of this data,” the study results report. “Only one in five carries out preventive actions to hide or protect this information from unauthorized access.”
According to the author of the report, Unisphere Research analyst Joe McKendrick, the ISUG survey is one of several database security surveys conducted among multiple user groups, including groups that work with other platforms such as Oracle and SQL Server. “It [the ISUG survey] largely shows the same scenario, one that is prominent across different databases,” said McKendrick. “The scenario is almost constant and is permeated by a common problem linking all the different user groups and technology platforms: fragmentation of management and security.”
According to the study, one of the key issues is organizations' lack of understanding of change and patch management. The results showed that 37% of respondents did not know or were not sure how long it takes to identify and rectify unauthorized changes to the database.
About 35% of respondents reported that they rarely apply security updates or vulnerability fixes to their databases, or do not know how often these patches are applied. 2/3 of organizations have no automated database configuration management or patch management tools.
Yet more than half of respondents reported a low probability of information leakage from their systems.
Rich Mogull, founder of analyst firm Securosis, noted that the results of the ISUG survey are not so surprising.
“We see a very large gap between the concepts of ‘database’ and ‘security’, which is not even going to disappear,” said Mogull.
He is inclined to believe that the lack of knowledge about change management is not so much a security issue. “This is something the guys working with databases must constantly monitor for speed control, at the least.”
Many information security experts think organizations should make greater efforts to increase control over data within the enterprise; this is important for DBAs and information security professionals. Alex Hutton, director of risk research at Verizon Business, believes that the availability of data begins with classification. “To get started, ask yourself: where will this restricted information, bank account numbers and confidential enterprise information be stored in a database? Can we enumerate all the databases that hold them?” explains Hutton. “And only then can we figure out how to create a management system that will prevent, detect and respond to a dangerous situation in this database.”
According to experts, this is only the first step. Many organizations have not been able to check their data at the proper level to ensure that protection and controls work properly. According to McKendrick, a recent survey found that only 16% of organizations review the operation of their databases regularly, once a month. Another 32% cannot say precisely how often such checks are made, or do not perform them at all.
“Audits are either not performed at all or, worse, carried out after the fact: the barn door is checked when all the horses have been stolen,” says McKendrick. “These checks are performed approximately every three months, so if there was a massive data leak in early January, the organization learns about it at the end of March.”