Who's In Your Database?
New guide to access control offers answers on topics like provisioning users, role-based access control, and least-privilege users.
November 18, 2011
[Excerpted from "Ensuring Secure Database Access," a new report published this week in Dark Reading's Database Security Tech Center.]
Today's databases are a prime target, both for cybercriminals and insiders who might be looking to make a buck. How secure are your most sensitive data stores? Many enterprises aren't so sure.
In the InformationWeek Reports 2010 State of Database Technology Survey, business and technology professionals gave their database security a mean average rating of 3.8 (on a scale from 1 to 5, where 1 is very dissatisfied and 5 is very satisfied). Not bad, but that shouldn't cut it when it comes to company assets and customer privacy.
There are many security measures that can and should be put into place to protect a company's database servers. The same InformationWeek Reports survey showed, for example, that 64% of respondents said their companies use some form of database encryption, 47% use a database firewall, and 74% use transaction logging on databases containing sensitive information.
While all these protections will help safeguard the information in databases, one of the most important and effective means of ensuring data integrity is user provisioning. It may seem like a no-brainer, but too many companies spend too little (if any) time determining who should have access to what data, when, and why.
While it is not a new model, role-based access control (RBAC) is still considered the gold standard for provisioning user (and application) access. In the RBAC model, access is controlled through roles. In most companies, those roles align with job functions. Permissions are assigned to roles and roles are assigned to employees.
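The RBAC model described above, sketched in PostgreSQL syntax as an added example that is not taken from the report. The table, the job-function roles, and the employee accounts are all constructed for illustration; the final query is one way to audit for table privileges that were granted to login accounts directly instead of through a role.

```sql
-- Added example (PostgreSQL). Every name below is constructed for illustration.

-- Sample table holding sensitive data.
CREATE TABLE claims (
    claim_id integer PRIMARY KEY,
    customer text NOT NULL,
    amount   numeric(12,2) NOT NULL,
    status   text NOT NULL
);

-- 1. Roles mirror job functions. NOLOGIN: nobody connects as the role itself.
CREATE ROLE claims_adjuster NOLOGIN;
CREATE ROLE claims_auditor  NOLOGIN;

-- 2. Permissions are assigned to roles, scoped to what the job needs.
GRANT SELECT, INSERT  ON claims TO claims_adjuster;
GRANT UPDATE (status) ON claims TO claims_adjuster;  -- column-level: status only
GRANT SELECT          ON claims TO claims_auditor;   -- read-only

-- 3. Roles are assigned to employees. Login accounts hold no privileges of
--    their own; everything they can do comes from role membership.
CREATE ROLE alice LOGIN;
CREATE ROLE bob   LOGIN;
GRANT claims_adjuster TO alice;
GRANT claims_auditor  TO bob;

-- 4. A job change is a membership change, not a hunt through per-user grants.
REVOKE claims_adjuster FROM alice;
GRANT  claims_auditor  TO alice;

-- 5. Audit: table-level privileges held directly by login accounts.
--    Run as a superuser so every grant is visible. Table owners show up here
--    as well, which is worth reviewing if an owner is a person's account.
--    Column-level grants are listed in information_schema.column_privileges.
SELECT g.grantee, g.table_schema, g.table_name, g.privilege_type
FROM information_schema.table_privileges AS g
JOIN pg_roles AS r ON r.rolname = g.grantee
WHERE r.rolcanlogin
  AND g.table_schema NOT IN ('pg_catalog', 'information_schema')
ORDER BY g.grantee, g.table_name, g.privilege_type;
```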