Enterprising Developments

11 Steps to 'Save the Database, Save the World'

Joe McKendrick
Insurance Experts' Forum, June 3, 2011

Save the Database, Save the World. That's the title of John Ottman's new book on database security in the great age of insecurity. Ottman, who is president and CEO of Application Security, Inc., has seen and heard more than his share about the failings of data security in enterprises, and his words are something from which members of an information-intensive industry such as insurance can benefit.

Here's the challenge we face: more than 10 million databases across the globe remain largely unprotected, and more than 200 million records are breached every year. And the biggest threat isn't those teenage hackers from Belarus or government agents from a hostile power – organizations need to defend their data assets against internal threats, not only disaffected workers but also trusted administrators who hold the keys.

But there are things we can do to protect the data under our control. The approach is called security, risk and compliance (SRC) controls: an enterprise solution architecture that enables cross-platform management from a single console and that comprises the following elements:

1. Asset management: “producing a list of database assets may seem an academic exercise, but most organizations do not have a reliable process of database inventory control.”

2. Sensitive data discovery: “Sensitive data must be accurate, fully documented, and false positive identifications must be avoided.”

3. Policy management: “the policy management application is the heart of the database SRC platform and automates the classification process in a consistent fashion.”

4. Vulnerability management: “The vulnerability assessment application performs an agentless scan of database settings, entitlements, passwords, and configurations.”

5. Threat knowledgebase: “Upon discovery of new vulnerabilities, the threat knowledgebase provides reference for the SRC team to make impact and severity assessments and prioritize remediation activity.”

6. User rights management: “helps organizations establish separation of duty control and provision user rights and entitlements according to the principle of least privilege across all enterprise databases.”

7. Configuration management: “allows organizations to create baseline configurations as standard, policy-based builds.”

8. Data masking: “technique used to substitute confidential information with fictionalized data.”

9. Encryption: “intuitively an important database SRC solution,” but managing this process may be subject to “excessive management overhead and complexity... Encryption policies must be application aware, and managed consistently to ensure data processing continuity.”

10. Audit and threat management: “a forensic process to manage and track all activity in the database.”

11. Analytics: “ultimately, the solution value of the database SRC is realized through effective reporting.”
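Items 2 (sensitive data discovery) and 8 (data masking) above are the two elements of the list that reduce to concrete, testable logic, so here is an added example of both working together. It is not code from Ottman's book or from Application Security, Inc.; it is an illustration written for this page. The customer table, card numbers, order references and SSN are constructed sample data, the table and column names are hypothetical, and the masking salt is a placeholder. The discovery step shows the false-positive point the quote makes: every order reference contains sixteen digits, so a pattern match alone would classify that column as card data, while the Luhn check rejects all of them. The masking step substitutes confirmed values with fictional but format-preserving ones (Luhn-valid card numbers, SSNs in the never-issued 9xx area range) derived deterministically from the real value, so a masked copy stays internally consistent for test and development use.

```python
import hashlib
import re
import sqlite3

# Constructed sample data (not from the article). The two card numbers are
# well-known Luhn-valid test values; every order reference also holds 16 digits
# but fails the Luhn check, which is how discovery avoids the false positive.
SAMPLE_ROWS = [
    ("Ada", "ada@example.com", "4111111111111111", "ORD-1234567890123456", "prefers email"),
    ("Bob", "bob@example.com", "5500000000000004", "ORD-9999888877776666", "SSN on file: 123-45-6789"),
    ("Cy", "cy@example.com", "not on file", "ORD-1111222233334445", ""),
]


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """Reject SSN-shaped strings that are never issued (area 000/666/9xx, group 00, serial 0000)."""
    area, group, serial = ssn.split("-")
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


# kind -> (pattern that finds candidates, validator that confirms them)
PATTERNS = {
    "card_number": (re.compile(r"\b\d{16}\b"), luhn_valid),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_plausible),
}


def build_sample_db() -> sqlite3.Connection:
    """In-memory database standing in for a production customer table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, card_number TEXT, order_ref TEXT, notes TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def discover(conn: sqlite3.Connection, table: str) -> dict:
    """Scan every text value per column; record raw pattern hits and validator-confirmed hits per kind."""
    columns = [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]
    report = {}
    for col in columns:
        values = [v for (v,) in conn.execute(f"SELECT {col} FROM {table}") if isinstance(v, str)]
        for kind, (pattern, validator) in PATTERNS.items():
            raw = [m for v in values for m in pattern.findall(v)]
            confirmed = [m for m in raw if validator(m)]
            if raw:
                report.setdefault(col, {})[kind] = {"raw": len(raw), "confirmed": len(confirmed)}
    return report


def confirmed_columns(report: dict) -> dict:
    """Columns whose hits survived validation, mapped to the kind of sensitive data found."""
    return {col: kind for col, kinds in report.items() for kind, c in kinds.items() if c["confirmed"] > 0}


def _hash_digits(value: str, salt: str, n: int) -> str:
    """Deterministic digits derived from the real value: the same input always masks the same way."""
    digest = hashlib.sha256((salt + value).encode()).hexdigest()
    return str(int(digest, 16))[:n]


def fake_card(value: str, salt: str) -> str:
    """Luhn-valid 16-digit fictional number derived from the real one."""
    body = _hash_digits(value, salt, 15)
    check = next(d for d in "0123456789" if luhn_valid(body + d))
    return body + check


def fake_ssn(value: str, salt: str) -> str:
    """Fictional SSN in the 9xx area range, which is never issued as an SSN."""
    d = _hash_digits(value, salt, 8)
    return f"9{d[:2]}-{d[2:4]}-{d[4:8]}"


MASKERS = {"card_number": fake_card, "ssn": fake_ssn}


def mask_table(conn: sqlite3.Connection, table: str, columns: dict, salt: str = "placeholder-salt") -> str:
    """Copy the table to <table>_masked, substituting every confirmed sensitive value in place."""
    conn.execute(f"DROP TABLE IF EXISTS {table}_masked")
    conn.execute(f"CREATE TABLE {table}_masked AS SELECT * FROM {table}")
    for col, kind in columns.items():
        pattern, validator = PATTERNS[kind]
        masker = MASKERS[kind]

        def substitute(text, pattern=pattern, validator=validator, masker=masker):
            # Only values the validator confirmed are replaced; surrounding text is kept.
            return pattern.sub(lambda m: masker(m.group(0), salt) if validator(m.group(0)) else m.group(0), text)

        conn.create_function("substitute", 1, substitute)
        conn.execute(f"UPDATE {table}_masked SET {col} = substitute({col}) WHERE {col} IS NOT NULL")
    return f"{table}_masked"


def masked_rows(conn: sqlite3.Connection, table: str) -> list:
    """Rows of the masked copy, in insertion order, for inspection."""
    return list(conn.execute(f"SELECT card_number, order_ref, notes FROM {table}_masked ORDER BY rowid"))


if __name__ == "__main__":
    db = build_sample_db()
    found = confirmed_columns(discover(db, "customers"))
    mask_table(db, "customers", found)
    for row in masked_rows(db, "customers"):
        print(row)
```

Pattern hits are kept in the report alongside confirmed hits so the reviewer can see why a column was not classified; the order_ref column shows three raw hits and zero confirmed, which is exactly the documentation trail the quote on accuracy and false positives asks for.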
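Items 4 (entitlement scanning) and 6 (separation of duties and least privilege across all databases) also lend themselves to a worked check, so here is a second added example, again written for this page rather than taken from the book or from any vendor product. It reviews a snapshot of database grants against a least-privilege baseline: the grant rows, account names, table names and the baseline itself are constructed, and the four rules (no grants to PUBLIC on sensitive tables, blanket admin rights only for approved DBA accounts, no account that can both write sensitive data and alter the audit trail, nothing beyond the baseline entitlement) are a reasonable starting policy, not a standard.

```python
from collections import defaultdict

# Constructed entitlement snapshot, shaped like the (grantee, privilege, object)
# rows a privilege-catalogue query returns. Not taken from any real system.
GRANTS = [
    ("billing_app", "SELECT", "customers"),
    ("billing_app", "UPDATE", "customers"),
    ("billing_app", "DELETE", "audit_log"),
    ("report_ro", "SELECT", "customers"),
    ("report_ro", "UPDATE", "claims"),
    ("PUBLIC", "SELECT", "claims"),
    ("dba_alice", "ALL PRIVILEGES", "*"),
    ("legacy_svc", "ALL PRIVILEGES", "*"),
]

# Least-privilege baseline (hypothetical): what each account is entitled to, per object.
BASELINE = {
    "billing_app": {"customers": {"SELECT", "UPDATE"}, "claims": {"SELECT"}},
    "report_ro": {"customers": {"SELECT"}, "claims": {"SELECT"}},
}
SENSITIVE_TABLES = {"customers", "claims"}
AUDIT_TABLES = {"audit_log"}
APPROVED_ADMINS = {"dba_alice"}
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE", "ALL PRIVILEGES"}
ADMIN_PRIVS = {"ALL PRIVILEGES", "GRANT OPTION"}


def entitlements(grants):
    """Fold grant rows into grantee -> object -> set of privileges."""
    out = defaultdict(lambda: defaultdict(set))
    for grantee, priv, obj in grants:
        out[grantee][obj].add(priv)
    return out


def review_entitlements(grants, baseline=BASELINE, sensitive=SENSITIVE_TABLES,
                        audit=AUDIT_TABLES, admins=APPROVED_ADMINS):
    """Return findings as (rule, grantee, detail) tuples; an empty list means the snapshot is clean."""
    findings = []
    for grantee, objects in entitlements(grants).items():
        # Rule 1: PUBLIC must hold nothing on sensitive tables.
        if grantee == "PUBLIC":
            for obj in sorted(objects):
                if obj in sensitive:
                    findings.append(("public_on_sensitive", grantee, obj))
        # Rule 2: blanket admin rights only for approved DBA accounts.
        if grantee not in admins and any(privs & ADMIN_PRIVS for privs in objects.values()):
            findings.append(("unapproved_admin", grantee, "ALL PRIVILEGES or GRANT OPTION"))
        # Rule 3: separation of duties - an account that writes sensitive data
        # must not also be able to alter the audit trail that records it.
        writes_sensitive = any(obj in sensitive and privs & WRITE_PRIVS for obj, privs in objects.items())
        alters_audit = any(obj in audit and privs & WRITE_PRIVS for obj, privs in objects.items())
        if writes_sensitive and alters_audit:
            findings.append(("sod_conflict", grantee, "writes sensitive data and can alter the audit log"))
        # Rule 4: least privilege - anything beyond the baseline is excess.
        if grantee in baseline:
            for obj, privs in objects.items():
                for priv in sorted(privs - baseline[grantee].get(obj, set())):
                    findings.append(("excess_privilege", grantee, f"{priv} ON {obj}"))
    return findings


def findings_by_grantee(findings):
    """Group findings by account, the shape a remediation ticket per owner needs."""
    grouped = defaultdict(list)
    for rule, grantee, detail in findings:
        grouped[grantee].append((rule, detail))
    return dict(grouped)


if __name__ == "__main__":
    for grantee, items in findings_by_grantee(review_entitlements(GRANTS)).items():
        for rule, detail in items:
            print(f"{grantee}: {rule}: {detail}")
```

Run against the constructed snapshot, billing_app is reported twice (the DELETE on audit_log is both an excess privilege and a separation-of-duties conflict), report_ro once for UPDATE on claims, PUBLIC for its read on claims, and legacy_svc for holding ALL PRIVILEGES without being an approved administrator; dba_alice produces no finding. Re-running the review after each provisioning change is the repeatable part of "provision user rights and entitlements according to the principle of least privilege".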


Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.


This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
