That nagging feeling of discomfort awakening you in the middle of the night won’t be resolved by fluffing your pillow. Not if your angst stems from the suspicion that the big bucks your organization has been spending on security may not be securing the right stuff.
However, that’s precisely the shocking conclusion of a 110-company survey conducted by IDG Research’s CSO Custom Solutions Group and sponsored by Oracle. “Most IT security resources in today’s enterprise are allocated to protecting network assets, even though the majority of enterprises believe a database security breach would be the greatest risk to their business,” according to the report.
What grabbed my attention isn’t any sort of charge that IT organizations are neglecting security. Far from it. The valuable service this report is providing is that it’s telling us to step back from our relentless efforts to enhance security, stop for a minute, and think about just what it is that we’re doing.
That pause for reflection spotlights the fact that the majority of everyone’s efforts for the past several years—or, at minimum, the public discussion—have centered on endpoint security. That’s completely understandable in light of the opening of the BYOD floodgates. Tablets, smartphones, sensors, and the Internet of Things (IoT) have created a kind of low-level panic about the need to secure corporate networks against the 50 billion devices that’ll be connected to the internet in a few years’ time. As Oracle chief communications officer Bob Evans put it (I’m paraphrasing from a post of his): Will the explosion of devices transform your company, or kill it?
Flipping the Focus
Implementing “An Inside-Out Approach to Enterprise Security,” as the report is titled, is the way to embrace that transformation. Of course perimeter security is necessary. But, as it warns, in our zeal to plug virtual holes in the network dike, we sometimes lose focus on the importance of securing our business’s crown jewels. As in, securing the database. That’s where you keep your business’s most vital information—the information on your customers.
“The results of the survey show that the gap between the threat of severe damage to a database attack versus the resources allocated to protecting the database layer is significant, highlighting the disconnect in how organizations are securing their IT infrastructures,” Tom Schmidt, managing editor at CSO Custom Solutions Group, said in the press release spotlighting the report.
Schmidt’s quote illuminates whence the report’s focus—and title—arose. Inside-out security means protecting data at its source. As the report puts it: “Security teams are leaving the enterprise vulnerable to attacks from inside and attack vectors that bypass the perimeter. As such, there’s a growing imperative…to rebalance security resources to protect corporate information from the inside out.”
The stats within the report show that, while there’s cause for concern, there’s also some good news. For example, nearly 66 percent of those surveyed already apply an “inside-out” security strategy. And 75 percent have either a good or excellent understanding of what data needs to be protected and why.
On the down side, the report argues that security spending doesn’t align with the database-protection imperative. “Two-thirds of IT security resources—including budget and staff time—remain allocated to protecting the network layer, with the remaining third split among applications (15%), databases (15%), and middleware (3%),” the report notes.
Internal Bad Guys
More bad news: “More than 4 in 10 respondents believe database and application data are inherently safe because they lie deep within the perimeter and therefore are more difficult to reach.” The report calls this a dangerous assumption, pointing to all the internal users, sysadmins, and developers who already hold access to those applications. The caveat a practitioner would add is that this population doesn’t have to be malicious to matter: a phished developer, a leaked application connection string, or a SQL injection bug in a public-facing app all exercise exactly the same “inside” credentials, which is what the report means by attack vectors that bypass the perimeter. (The point/counterpoint also raises the socially salient question of what kind of person steals from the very employer that helps put food on his or her family’s table.)
So where does this leave us? “IT security has to focus attention on the most strategic assets,” Mary Ann Davidson, Oracle chief security officer, said in the press release. “Organizations have to get the fundamentals right—which are database security, application security and identity management.”
What’s the most effective way to do that? From the perspective of Oracle and its customers, protection is available via its database security products, identity management middleware, and access management products.
Philosophically and operationally, the report prescribes a three-step approach to inside-out security:
- Align business strategy with security strategy.
- Revamp processes and privileges.
- Design for scale. (Inconsistency is the enemy of a comprehensive security policy.)
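The second step, revamping privileges, is the one a database administrator can act on tomorrow, and it is also the direct answer to the “deep inside the perimeter” assumption above: the insiders the report lists are dangerous precisely when the application and its people all share broad rights. What follows is an added example, not taken from the report or from any Oracle product documentation. It shows a least-privilege grant layout for one application table in PostgreSQL, with the weak pattern beside the hardened one and a check query a security team can run on a schedule. The table and role names (orders, app_owner, app_rw, app_svc, report_ro, dev_alice) are hypothetical, and the script assumes it is run by a DBA account.

```sql
-- Added example, not from the report: least-privilege layout for an
-- application table in PostgreSQL. Run as a DBA (superuser) account.
-- All names below (orders, app_owner, app_rw, app_svc, report_ro, dev_alice)
-- are hypothetical.

-- The pattern the report warns about: the application connects as the
-- schema owner or a superuser, so an injected query, a leaked connection
-- string, or any insider with that password has the whole database.
--   CREATE ROLE app_svc LOGIN SUPERUSER;                          -- weak
--   GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO app_svc; -- weak

-- Hardened pattern, step 1: objects are owned by a role nobody logs in as.
CREATE ROLE app_owner NOLOGIN;
CREATE TABLE orders (
    id          bigserial   PRIMARY KEY,
    customer_id bigint      NOT NULL,
    total_cents bigint      NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE orders OWNER TO app_owner;

-- Step 2: the application gets exactly the DML it performs. No DELETE,
-- no TRUNCATE, no DDL, and nothing on tables it does not touch.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;        -- stop "anyone can create"
CREATE ROLE app_rw NOLOGIN;
GRANT USAGE ON SCHEMA public TO app_rw;
GRANT SELECT, INSERT, UPDATE ON orders TO app_rw;
GRANT USAGE ON SEQUENCE orders_id_seq TO app_rw;   -- nextval() for bigserial

-- The login the service uses inherits app_rw. Its credential is provisioned
-- out of band (secrets vault, managed identity), not hard-coded here.
CREATE ROLE app_svc LOGIN IN ROLE app_rw;

-- Step 3: the insiders the report lists (developers, analysts) get narrower
-- roles under their own identities, so access is attributable and revocable
-- instead of everyone sharing the application's password.
CREATE ROLE report_ro NOLOGIN;
GRANT USAGE ON SCHEMA public TO report_ro;
GRANT SELECT ON orders TO report_ro;
CREATE ROLE dev_alice LOGIN IN ROLE report_ro;     -- a developer: read-only, named

-- Step 4: log every data-modifying statement the service issues, so the
-- "inside" path leaves a trail the way the perimeter does.
ALTER ROLE app_svc SET log_statement = 'mod';

-- The check to run periodically, part 1: which superusers can still log in?
SELECT rolname
FROM   pg_roles
WHERE  rolsuper AND rolcanlogin;

-- Part 2: which grantees hold more than SELECT/INSERT/UPDATE on application
-- tables? The object owner appears here by design; anyone else is a finding.
SELECT grantee, table_name,
       string_agg(privilege_type, ', ' ORDER BY privilege_type) AS privileges
FROM   information_schema.role_table_grants
WHERE  table_schema = 'public'
  AND  privilege_type NOT IN ('SELECT', 'INSERT', 'UPDATE')
GROUP  BY grantee, table_name
ORDER  BY grantee, table_name;
```

On a correctly configured instance the first query returns only the DBA account and the second returns only app_owner, which as object owner holds every privilege implicitly. Any other name in either list is exactly the kind of overbroad inside access the report is describing, and because each person and service now has its own role, removing it is a single REVOKE or DROP ROLE rather than a password rotation for everyone.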