SQL Server Security ConcernsBy CIOinsight | Posted 11-08-2010
Only a third of SQL Server professionals polled in a recent survey say that personal identity information, such as Social Security and credit-card numbers, are encrypted in all of their databases. Another 25 percent say they aren't using encryption to protect the data at all.
These are among the key takeaways from a survey performed by Unisphere Research and sponsored by Application Security, a database security solutions vendor. The report features data culled from a survey of 761 members of the Professional Association for SQL Server (PASS) in September 2010.
Among its findings: While 20 percent of respondents say a data breach in their organization is either "inevitable" or "somewhat likely" during the next 12 months, a full two thirds describe such an event as "highly unlikely" or "somewhat unlikely."
Many SQL Server pros identify human error as the greatest risk to security, with 65 percent citing it as the most significant challenge.
Hiding under human error's umbrella are problems such as:
- nonmalicious policy violations that result in data being compromised;
- mistakes that occur during the often manual process of reviewing user rights.
Behind human error, the most commonly cited challenges to database security are insider hacks and abuse of privileges (44 percent of respondents).
When asked if their existing database controls provide adequate protection against breaches and attacks, 69 percent of respondents say that all or most of their databases are secure. However, 18 percent say most of their databases are not adequately protected. Only 33 percent say personal identity information such as Social Security and credit card numbers is encrypted in all of their databases. Another 25 percent say they aren't using encryption to protect the data at all.
Data masking technologies are used even less frequently than encryption: Only 20 percent are using it in all of their databases to protect personal information, compared with 36 who say they are not using such tools.
Patching remains slow. Only 20 percent of respondents say they deploy SQL Server patches as soon as they are delivered by Microsoft; 31 percent apply security patches at least once a month. Nineteen percent said they update at least once a quarter, and 10 percent put it at once every six months.
For more, read the eWeek article Inside Enterprise Database Security Concerns.