The hacker-resistant database

New Data Center security tactics can help you build a fortress around your database.
By Beth Schultz, Network World, 05/22/2006

How many identities will be stolen or corporate assets commandeered before you build as strong a fortress around your database as you do around the perimeter? Millions? Dare I say, billions?

Consider these statistics from the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group in San Diego. Between Feb. 15, 2005, and May 7, 2006, recorded data breaches across the country compromised the personal information of more than 55 million individuals. That's a whole lot of Social Security, credit card, banking and driver's license information floating around unprotected.

University databases, full of student information, are favorite hacker targets. Boston College, Carnegie Mellon, Duke, Georgetown, Northwestern, Purdue, Tufts, USC - these are only a few of the universities that have fessed up to being hacker victims. But such corporate icons as CitiFinancial, Ford Motor and Time Warner have reported data losses, too - from hackings, insider theft, and lost or stolen laptops and tapes. (See the Clearinghouse's comprehensive listing of reported incidents.)

At this point, you shouldn't need another data theft headline to get you moving. Any decent New Data Center architectural plan should include a way to button down your enterprise databases.

Don't rely exclusively on the security and management features native to your big IBM DB2, Microsoft SQL Server or Oracle 10g databases. They're gaining in sophistication and functionality, but still they meet only basic security requirements.

So if you haven't already, the time has come to bring in the big guns. All enterprises should implement database vulnerability assessment, data-at-rest encryption, intrusion detection and in-depth auditing, recommends Forrester Research in a November 2005 trend report.

The tools, available largely from start-ups, are plentiful enough, and many have already been deployed at hundreds of enterprises. For example, take Application Security's AppDetective vulnerability assessment scanner, one of the earliest database protection tools. Application Security counts 500 customers for AppDetective, which discovers database applications within the infrastructure and assesses how secure they are, says Ted Julian, vice president of marketing at the company. AppDetective scouts out a slew of enterprise databases - IBM DB2, Lotus Notes/Domino, Microsoft SQL Server, MySQL, Oracle and Sybase.

Longtime user Mark Maher, a security administrator at Ochsner Health System in New Orleans, credits AppDetective with keeping the company's database environment locked down. "Our Oracle databases obviously contain important information of a private nature. . . . We needed a tool to actively assess our Oracle environment and secure it where necessary," he says.

Because AppDetective kicks in immediately on receiving an Oracle security alert, Ochsner Health is able to determine its vulnerability status faster than if it had to wait for an Oracle database administrator to research the advisory, Maher says. To prevent internal theft, the tool runs access scans and compares them with termination reports. It quickly deletes former employees from the database access roster, too.
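The comparison of access scans with termination reports described above, as an added example that is not AppDetective's code or part of the original article. The sample records, field names, account names and the rule that a shared account is reassigned rather than removed are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample data: an access scan of database accounts and an HR
# termination report. All names and fields are hypothetical.
ACCESS_SCAN = [
    {"account": "JSMITH", "status": "OPEN", "owner": "jsmith"},
    {"account": "MLEE", "status": "LOCKED", "owner": "mlee"},
    {"account": "APP_BILLING", "status": "OPEN", "owner": "rpatel"},
    {"account": "KWONG", "status": "OPEN", "owner": "kwong"},
    {"account": "TBROWN", "status": "OPEN", "owner": "tbrown"},
]
TERMINATIONS = [
    {"employee": "jsmith", "last_day": date(2006, 5, 1)},
    {"employee": "MLee ", "last_day": date(2006, 4, 15)},   # messy HR export
    {"employee": "rpatel", "last_day": date(2006, 5, 10)},
    {"employee": "tbrown", "last_day": date(2006, 6, 30)},  # not yet effective
]


def _key(name):
    """Normalise identifiers so 'MLee ' and 'mlee' compare equal."""
    return name.strip().lower()


def reconcile(scan, terminations, as_of):
    """Return (account, action, days_overdue) for accounts owned by people
    whose termination is effective on or before as_of."""
    gone = {_key(t["employee"]): t["last_day"]
            for t in terminations if t["last_day"] <= as_of}
    findings = []
    for acct in scan:
        owner = _key(acct["owner"])
        if owner not in gone:
            continue
        personal = _key(acct["account"]) == owner
        if not personal:
            action = "reassign_owner"      # shared account: keep it, change owner
        elif acct["status"] == "OPEN":
            action = "remove_urgent"       # ex-employee can still log in
        else:
            action = "remove"              # already locked, still on the roster
        findings.append((acct["account"], action, (as_of - gone[owner]).days))
    # Longest-outstanding access first.
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for finding in reconcile(ACCESS_SCAN, TERMINATIONS, date(2006, 5, 22)):
        print(finding)
```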
