At Black Hat, former FBI agent Shawn Henry spoke on a new security paradigm based on the idea that "it is not enough to watch the perimeter." Almost exactly a year ago, we outlined how one of our customers uses database controls to mitigate spear phishing: like Mr. Henry, they assume that a compromise has already taken place and put controls on the data itself rather than only at the edge of the network.
Today, IDG published a great article on database security that underscores why perimeter security isn't enough:
Database security is starting to show up on the radar of C-level execs, and no wonder. According to Verizon's "2012 Data Breach Investigations Report," 174 million corporate records were compromised in 2011 (the highest since 2004, according to the company), and in a survey by the Independent Oracle Users Group, 31 percent of respondents anticipated a major data breach this year.
The article provides several real-world anecdotes on securing databases, including this one:
Richard Isenberg, Fiserv's VP of security engineering, turned to Imperva for tools to handle segregation of duties, vulnerability scanning and blocking suspicious activity. "The databases themselves don't have enough security baked in to meet our compliance initiatives around tracking and understanding everything that privileged users do and alerting us when they're doing something we don't want," he says.
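To make concrete what "alert us when privileged users do something we don't want" means in practice, here is a small illustration added to this post; it is example code, not Imperva's product or Fiserv's configuration. It evaluates database audit events against a policy written for privileged accounts only: a privileged login from outside the admin network (the kind of thing a phished DBA credential produces), a privileged read of a sensitive table, and DDL outside the maintenance window. The log line format, the user names, table names, network prefix and maintenance hours are all constructed assumptions for the example.

```python
"""Toy database-activity policy check over audit log lines.

Added example for this post. Everything below (log format, user list,
table list, network prefix, maintenance window) is a constructed assumption,
not a real product configuration.
"""
import re
from datetime import datetime

# Assumed audit log line format (constructed):
#   <ISO timestamp> user=<account> src=<client ip> stmt=<SQL text>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) stmt=(?P<stmt>.*)$"
)

# Assumed policy (constructed for the example).
PRIVILEGED_USERS = {"dba_admin", "sysadmin"}
SENSITIVE_TABLES = {"customers", "card_data"}
MAINTENANCE_HOURS = range(1, 5)   # 01:00-04:59: DDL by DBAs is expected here
ADMIN_NETWORK = "10.10."          # jump-host subnet DBAs must connect from

DDL_RE = re.compile(r"^\s*(ALTER|DROP|CREATE|GRANT|REVOKE)\b", re.I)
READ_RE = re.compile(r"^\s*SELECT\b.*?\bFROM\s+(?P<table>\w+)", re.I | re.S)


def parse(line):
    """Parse one audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def evaluate(event):
    """Return the list of policy violations for one event (empty = allowed).

    The policy only scopes privileged accounts; ordinary application users
    would be covered by a separate, narrower policy in a real deployment.
    """
    reasons = []
    if event["user"] not in PRIVILEGED_USERS:
        return reasons
    if not event["src"].startswith(ADMIN_NETWORK):
        reasons.append("privileged login from outside admin network")
    read = READ_RE.match(event["stmt"])
    if read and read.group("table").lower() in SENSITIVE_TABLES:
        reasons.append("privileged read of sensitive table " + read.group("table"))
    if DDL_RE.match(event["stmt"]) and event["ts"].hour not in MAINTENANCE_HOURS:
        reasons.append("DDL outside maintenance window")
    return reasons


def scan(lines):
    """Run the policy over audit lines; return (timestamp, user, reason) tuples."""
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue  # unparseable line; a real monitor would count these too
        for reason in evaluate(event):
            alerts.append((event["ts"].isoformat(), event["user"], reason))
    return alerts


# Constructed sample audit lines (not real data).
SAMPLE_LOG = [
    "2012-09-12T02:10:00 user=dba_admin src=10.10.5.3 stmt=ALTER TABLE orders ADD COLUMN note text",
    "2012-09-12T14:22:10 user=dba_admin src=10.10.5.3 stmt=SELECT * FROM card_data",
    "2012-09-12T14:30:00 user=sysadmin src=192.168.7.20 stmt=DROP TABLE audit_log",
    "2012-09-12T09:00:00 user=app_svc src=10.20.1.5 stmt=SELECT name FROM customers WHERE id=42",
]

if __name__ == "__main__":
    for ts, user, reason in scan(SAMPLE_LOG):
        print(f"ALERT {ts} {user}: {reason}")
```

The first sample line is a DBA doing DDL at 02:10 from the admin network and raises nothing; the second is the same DBA reading card data in the afternoon; the third is a privileged account connecting from a workstation subnet and dropping the audit table, which trips two rules at once. The point is the one Isenberg makes: none of this is visible at the perimeter, and the database engine's own grants would have allowed every one of these statements.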