Security needs to focus beyond networking layer: Oracle
By Gabey Goh December 10, 2013
- Two-thirds of IT security resources allocated to protecting the network layer
- This despite many conceding that a database breach would be more damaging
MANY organisations have a disconnected view on how they are securing their IT infrastructure, according a recent report by CSO Custom Solutions Group and Oracle, which showed that close to 66% of companies had most of their IT resources allocated to protecting the networking layer.
In an email interview with Digital News Asia (DNA), Kenneth Hee (pic), director of security at Oracle Asia Pacific, said the report showed that the gap between the threats of severe damage from a database attack versus the resources allocated to protecting the database layer is significant.
“Most IT security resources in today’s enterprise are allocated to protecting network assets, despite [the fact] that the majority of enterprises believe that a database security breach would be the greatest risk to their business.
“As for the reason why databases are neglected by IT security resource allocation, lack of awareness stood out with 44% of respondents saying they believed that databases were safe because they were installed deep inside the perimeter,” he added.
Hee pointed out that the rise of Internet and connectivity could be another driver of this assumption.
“During the early days, when the data centre was evolving to connect to the Internet, there was a lot of fear and unknowns about the world beyond the internal network. It shifted organisations’ focus and investment to build up a strong perimeter to ensure data and information security,” he said.
However the reality is that threat vectors are continuously adapting to exploit the vulnerabilities inside the perimeter, especially with the Bring Your Own Device (BYOD) trend.
Hee noted that not all database breaches originate outside the perimeter. For instance, they can be caused by a malicious Representational State Transfer Application Programming Interface (REST API) call, or compromised laptop with spear-phishing advanced persistent threat (APT) bait.
“Hence, organisations should revisit the assumption that the database and application data are inherently safe because of network control; and organisations must correlatively assess data risks versus their security resources allocation approach,” he said.
When asked whether enterprises were addressing these security risks, Hee reported that based on conversations with Oracle’s customers, there are encouraging trends in North America and Europe.
Many organisations there are rebalancing their resource allocation to protect the application and database data inside the perimeter, and this could be attributed to the strong awareness in the market and regulations set for privacy and data protection.
“Our conversations with customers also lead us to believe that many organisations in the Asia Pacific region are investing in security using a risk-based approach to prioritise their investment,” he added.
This is line with the study’s findings which showed 90% or respondents reporting the same or higher level of spend compared with 12 months prior. The survey showed that 59% of participants plan to increase security spending in the next year.
Oracle is advocating an 'inside-out' approach to enterprise security, whereby protecting data at the source increases confidence that security investments are aligned to the greatest threats.
“Many of our customers are working with us to roll out this approach across their IT servers, infrastructures and systems. Most of these organisations have applied risk management, which helps to enable them to align their investment based on risks instead of technology needs,” Hee said..
One of the key concerns for organizations that are looking to revamp their security strategy is to justify the payback on security investments. Organisations said that correlating IT spending to concrete risk reduction is one of their top challenges.
Hee claimed that leveraging Oracle's approach may enable businesses to achieve a higher return on their security investment.
“Protecting data at the source increases confidence that security investments are aligned to counter the greatest threats. Protecting data in the database may also save both time and money because most organisations' sensitive data reside in the database,” he said.
In addition to the 66% of budgets and resources dedicated to network security, the report also found that two-thirds of IT security resources are allocated to protecting the network layer, with the remaining third split among applications (15%), databases (15%) and middleware (3%).
When asked about what should be the ideal percentage split for how an organisation should spend its security budget, Hee said that the percentage of spend can be substantiated based on the risk assessment of an individual organisation and its industry segment.
“Organisations should consult their database and application vendors, who are currently supporting their mission-critical operations and revenue generation, for a review of investment and also to identify the gaps between the value of data assets and their IT security resource allocation,” he added.
Hee offered his top three recommendations to companies seeking to improve their IT security strategies:
- Align IT security strategy with business risks
- Examine every touch point
- Design IT security strategy for scale and avoid the silo or piecemeal security solution implementation approach