The pandemic has brought the world online – resulting in organisations investing more on their databases to ensure continued connectivity. However, this does not include an increased investment in their database security.
According to a study conducted by Imperva Research labs, it was discovered nearly half of all on-premises databases globally are vulnerable to attack, and APAC countries have shown themselves to rank above the global average in terms of how vulnerable their databases are.
“Too often, organisations overlook database security because they’re relying on native security offerings or outdated processes,” said Elad Erez, Chief Innovation Officer at Imperva.
“Although we continue to see a major shift to cloud databases, the reality is that most organisations rely on on-premises databases to store their most sensitive data. This is a concern given that nearly one out of two on-prem databases is vulnerable, it is likely that the number of reported data breaches will continue to grow, and the significance of these breaches will grow too.”
Regarding APAC’s increased vulnerability compared to other regions, Erez shares his theory that this could be potentially linked to existing regulations – countries that are not as highly regulated have more vulnerabilities.
|
Country |
% of databases with at least one known vulnerability |
Average number of vulnerabilities per database |
|
France |
84% |
72 |
|
Australia |
65% |
20 |
|
Singapore |
64% |
62 |
|
UK |
61% |
37 |
|
China |
52% |
74 |
|
Japan |
50% |
53 |
|
Peer country average |
39% |
56 |
|
USA |
37% |
25 |
|
Canada |
32% |
37 |
|
Germany |
19% |
64 |
|
Mexico |
19% |
70 |
|
Brazil |
19% |
14 |
“Our research shows that nearly every country has reason to pause,” added Erez. “In Germany, for example, which has a relatively low percentage of vulnerable databases (19%), the average number of vulnerabilities is concerningly high. Thus, improvements are still needed.”
Not enough focus put into security
Despite the increased number of organisations in APAC having gained a heightened sense of awareness of the importance of data security, Erez revealed that like in other parts of the world, the security of data is generally deprioritised and underfunded.
“Database security and sensitive data access management were traditionally very segmented in organisations,” shared Erez.
“Different people or teams had access to each database, and were usually solely responsible for that database's security and updating. This caused huge problems, as not every system follows healthy processes − such as vulnerability and misconfiguration scanning, privilege assessment and frequent patch management process − thus allowing for differing security vulnerabilities.
“One of the key challenges is understanding who should own the responsibility − is it the security team, the GRC team, or actually the application owners? Many organisations assume data security is hard to solve, so it often gets pushed to the bottom of the agenda.”
Nevertheless, Erez believes that the responsibility of securing a database starts and ends with the organisation using the database.
“Organisations own their data, and legal mandates exist for organisations to protect many types of data,” added Erez. “Technology and security leaders need to ensure they are up to par with the latest industry standards and best practices when protecting their data, no matter where it lives.”
Different people or teams had access to each database, and were usually solely responsible for that database's security and updating. This caused huge problems, as not every system follows healthy processes − such as vulnerability and misconfiguration scanning, privilege assessment and frequent patch management process − thus allowing for differing security vulnerabilities.
- Elad Erez, Chief Innovation Officer at Imperva
According to Erez, there are 3 ways a company can build an effective database security strategy:
1. Get visibility
It’s impossible to protect data in order to have an overview of all the places where data is being stored across the organisation, including discovery of databases that have been set up outside the purview of security − on-prem and cloud.
The complexity of modern business means that data has become more diffuse than ever, and therefore it’s essential to automate this discovery and classification process to ensure that nothing has been inadvertently missed.
2. Prioritise the crown jewels
In an ideal world, security teams would have time to patch every vulnerability in every database as soon as it’s issued. However, given the onslaught of other tasks from across the business and the restrictions on when patches can be issued, this is becoming harder and harder to manage.
Therefore, security teams need to make sure they’re prioritising their time correctly, both in terms of mitigating the most serious vulnerabilities, but also in terms of which data is being protected. Having tools that can identify which databases hold sensitive customer data (e.g. credit card numbers or passport numbers) means that security teams can understand where the crown jewels are and secure them accordingly.
3. Understand the risks of digital transformation
Across all industries, businesses are pressing ahead with digital transformation initiatives and shifting data to the cloud. However, managing on-prem security is already incredibly challenging even before the complexity of securing data in the cloud is considered. The bottom line is that while digital transformation is essential to maintain competitiveness, businesses need to develop a clear and cohesive strategy for protecting data, and all paths to it, wherever it resides.
Future of on-premise databases
“We are seeing more organisations move their data to the cloud, and expect that trend to continue at pace,” said Erez.
“However, that doesn’t mean all data is being stored in the cloud. Also, this transformation will take time. What we hear from customers − even those that are on the leading edge of innovation − is that some data, particularly the most sensitive of data, will remain stored on-prem given that these environments are assumed to be more secure.
“This research suggests that organisations aren’t aware of just how vulnerable those on-prem environments are. We hope this research will shed light on the risk and spur necessary change in data security in APAC.”
With regard to cloud environments, Erex revealed that despite patching being less of a concern as vendors maintain these updates attentively, there are still security risks that organisations face in the cloud, such as misconfigurations.
“Our initial research found a higher rate in misconfigurations in cloud databases compared to on-prem databases. While the cloud makes it easier to store and analyse data, organisations shouldn’t overlook the complexity of securing these environments. With just one errant click, an organisation can expose an entire database to the public.
“Gartner predicts that through 2025, at least 95% of cloud security failures will be the fault of the company using the cloud service.
“The challenges around data security will only increase as the speed of digital transformation accelerates and IT environments become more complex. Security teams will be increasingly challenged to know where all their data is across all environments, how it's used, and who has access, making it difficult to apply the appropriate controls.”
