An Enterprise Data Security Project Case Study
Author: Ulf Mattsson

Abstract

This article is a case study of an Enterprise Data Security project, including a strategy that addresses the key areas of focus for database security across all major RDBMS platforms. It presents the current state of database security tools and processes, the current needs of a typical enterprise, and a plan for evolving data security. The strategy helps set direction for the data security blueprint and provides a composite, high-level view of data security policies and procedures, with the aim of satisfying growing regulatory and compliance requirements and developing a high-level timeline for all steps of development. The article presents a three-step strategy to address current outstanding audit concerns and to position the enterprise to more readily address the evolving regulatory landscape.
 
1 Overview
As security, regulatory, and compliance pressures continue to be a key driver for XYZ Company, the technical environment supporting our business will need to be continually reviewed and enhanced to ensure all requirements are met. The database environment is extremely sensitive because a large percentage of data at XYZ Company resides in our RDBMS platforms. These environments have been audited and scrutinized on a regular basis and will continue to be as we move forward. The database environments at XYZ Company are protected by tightened perimeter security measures and by advanced authentication, authorization and access control measures, and they are considered a secure environment that effectively protects XYZ Company data from external intrusions. Even so, we must continue to look for opportunities to increase the overall security and compliance of these environments based on evolving needs, as well as new technologies that can enhance them. Through compliance activities such as internal audits, SOX, GLBA, PCI, and others, further opportunities have been identified to better secure this environment.

2 The primary problem
The primary problem with many compliance initiatives is a focus on existing security infrastructure that addresses only network and server software threats. But the data security capabilities required to be compliant go far beyond these technologies. Network and server software protections (network firewalls, Intrusion Prevention Systems), while important, provide no insight into data-level attacks targeted directly against a database or indirectly via a web application. Regulatory compliance requires an understanding of who is allowed to access sensitive information. From where did they access information? When was data accessed? How was data used? The bottom line is that data security requires a new approach that extends the breadth and depth of IT’s ability to secure information.

2.1 Stronger database security is needed to accommodate new requirements
Another driver is our extended partnership with non-XYZ Company parties. More and more tasks will be performed outside the physical boundaries of our facilities, which adds another level of due diligence we must take into account. Stronger database security policies and procedures must be in place to accommodate the new environment. As we have been presented with opportunities to solidify the environment, we have continued to evolve the existing environment. This, at times, has led to implementing "point" or manual solutions, which become harder to manage as the environment continues to grow and become more complex. A centralized database security management environment must be considered as a solution to increase efficiency, reduce implementation complexity, and in turn reduce cost.


Copyright © 2009 Developersdex™. All rights reserved.