Learn how to deal with viruses, so that your resources are protected from virus attacks and you can go online without worry
WHITE PAPER
Oracle Database Security: Preventing Enterprise Data Leaks at the Source
Sponsored by: Oracle Corporation
Charles J. Kolodgy Gerry Pintal
Brian E. Burke
February 2008
IDC OPINION
Information has become the world's new currency. Databases are the digital banks
that store and retrieve valuable information. The growing number of high-profile
incidents in which customer records, confidential information, and intellectual property
are leaked (or lost/stolen) has created an explosive demand for solutions that protect
against the deliberate or inadvertent release of sensitive information. Moreover,
numerous information-intensive government and industry regulations are requiring
organizations to protect the integrity of customer and employee personal information
and corporate digital assets. Security breaches can no longer be "swept under the
rug" because of strict breach disclosure laws.
Addressing information protection and control (IPC) is a complex challenge. Today,
nearly all corporate information exists in electronic form, typically stored in databases,
so it stands to reason that enterprises must secure their databases as part of any IPC
strategy to protect sensitive information and comply with policy regulations. As
attackers are much more likely to be cybercriminals who are financially motivated, it is
more difficult to deter them with a minimal amount of security. Database security
represents a preemptive approach to preventing enterprise data theft and regulatory
compliance infractions.
IDC believes that no IPC strategy can be effective unless information is properly
protected and controlled at the source — the database. In addition, enterprises must
adopt database security best practices to protect the mission-critical enterprise data
repositories that represent their lifeblood.
IN THIS WHITE PAPER
This IDC white paper presents a preemptive approach to IPC. It discusses the
growing internal threats to business information, the impact of government regulations
on the protection of data, and how enterprises must adopt database security best
practices to prevent sensitive customer data or company information from being
distributed within or outside the enterprise in violation of regulatory or company
policies. This white paper also highlights how Oracle provides security products that
enterprises can leverage to protect themselves from costly data breaches.
Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com
2 #209752 ©2008 IDC
Approach
IDC developed this paper in January 2008 using a combination of existing market
research and our knowledge base of primary research. This research includes a
range of quantitative surveys and in-depth interviews about enterprise security
conducted with IT executives at companies in a variety of industries, including
healthcare, financial services, public services, and manufacturing. In addition, IDC
met with the Oracle product development team to understand Oracle's database
security product offerings.
INFORMATION PROTECTION AND CONTROL
Motivators
Information as Currency
For the vast majority of organizations, some of their greatest assets consist of digital
bits of information, intellectual property, and data stored in databases, file
management systems, flat files, spreadsheets, and other information storage formats,
not their physical holdings. Database servers hosting the data are critical components
of a successful business.
The demand for solutions that protect sensitive information was originally fueled by
industries (e.g., financial services, banking, healthcare) that needed to comply with
various government and industry regulations (e.g., Health Insurance Portability and
Accountability Act [HIPAA], Gramm-Leach-Bliley [GLB], Sarbanes-Oxley [SOX]). In
2006 and 2007, a series of high-profile incidents in which customer records and
confidential information were leaked (or lost/stolen) created an explosive demand for
solutions outside the heavily regulated industries. A privacy failure, or even the mere
perceived failure to protect customer data, can result in loss of consumer trust, affect
customer retention, and cause significant damage to brand and company reputation.
The stakes are extremely high for organizations that manage patient health
information, Social Security numbers, credit card numbers, and other types of
protected personal data; they are being forced by government and industry
regulations to implement security measures to address leakage of personal
information. The loss of confidential personal information can materialize into
compliance infractions, lawsuits from customers and/or patients, potential identity
theft, and significant and often irreparable harm to an organization's credibility and
reputation.
Similarly, financial institutions must protect their consumers from fraud and identity
theft, which run the gamut from authentication and securing private consumer data to
making consumers whole in the event of a fraudulent loss. If consumers lose
confidence in an institution's ability to adequately secure sensitive information, they
will defect from both online banking and the institution. The same can be said for
many other industries as well, especially retail, where customer trust and brand
reputation are critical.
Any organization with sensitive personal or financial data represents a potential
target. New attack vectors are going for the "business jugular." Criminal elements are
conducting targeted attacks on financial assets, reputation, or sensitive proprietary
data from inside the business. In one extreme example, newly hired employees were
planted for the specific purpose of stealing customer credit information. These new
forms of creative attacks are proving to be difficult to detect in part because they are a
blend of interconnected security weaknesses and because they emanate from
individuals believed to be trusted corporate insiders. All of these developments
require improved IPC mechanisms.
Internal Threats Versus External Threats
According to IDC's 2007 Enterprise Security Survey of 433 North American IT
professionals, internal sources are believed to pose a greater threat to the enterprise
than external sources. The gap between internal and external threat concerns is
much more pronounced within large enterprises, as shown in Figure 1. The growing
concern with internal security threats comes as no surprise as enterprises have
focused their attention on strengthening perimeter defenses, designed to keep people
out, while having considerably weaker or even nonexistent defenses on information
repositories such as databases. Those already on the inside can have nearly
unfettered access to information. The need to improve information protection from
insider threats appears to be a growing concern. Figure 2 illustrates how concerns
about internal threats have been growing.
FIGURE 1
Origin of Most Serious Threats: Internal Sources or External Sources?
[Bar chart: % of respondents citing internal sources, external sources, or about even, by organization size: Small (<100 employees), Medium-sized (100–999 employees), Large (1,000–9,999 employees), Very large (10,000+ employees).]
Source: IDC's 2007 Enterprise Security Survey
FIGURE 2
Internal Threats Are Considered Most Serious
[Bar chart: % of respondents, 2005 versus 2007, by organization size: Small (<100 employees), Medium-sized (100–999 employees), Large (1,000–9,999 employees), Very large (10,000+ employees).]
Source: IDC's 2007 Enterprise Security Survey
Additional IDC survey findings that illustrate the risks to information from internal
threats include:
- 80% of very large organizations (10,000+ employees) and 52% of large
organizations (1,000–9,999 employees) have terminated employees or
contractors for internal security violations.
- 31% of very large organizations (10,000+ employees) and 15% of large
organizations (1,000–9,999 employees) have prosecuted an employee for
internal security violations.
For organized attackers, the ultimate payoff comes from selling the ill-gotten data, not
from conducting fraud using that data. Trafficking in stolen credit cards and other
identity information has become big business. IDC estimates that in 2006, $900
million was made in the buying and selling of stolen and compromised identities.
Internal threats are rapidly climbing the priority list of enterprise security threats and
now account for three of the top 10 most serious threats facing corporations today.
1. In 2007, employee error ranked as the greatest threat to enterprise security. This
is up from the fourth-greatest threat in 2006! IDC believes the majority of
information leaks and compliance violations come from employee error.
Organizations are extremely concerned with employees inadvertently violating
corporate policies and/or failing to comply with government and industry regulations.