In a May 2012 report just released by the Ponemon Institute, 69 percent of organizations find it difficult to restrict user access to sensitive information in IT and business environments. On top of that 66% say their organizations find it difficult to comply with privacy and data protection regulations. So organizations are finding it hard to keep up with new regulation at the same time they are unable to secure data from internal users. It’s no wonder that in this same report 50% say that data has been compromised or stolen by malicious insiders such as privileged users.
What are companies doing about it?
Many have deployed encryption solutions. In the May 2012 report by Ponemon, 67% say they are very familiar or familiar with the use of encryption to protect sensitive data at the record level. And encryption solutions leverage role-based access to enforce data privacy at the application tier where personal information could be otherwise exposed. The challenge with encryption is that it often requires source code changes, meaning (1) potential performance overhead and (2) additional code and maintenance for applications that continue to change. For organizations with homegrown applications or packaged applications like PeopleSoft, Siebel, SAP or Oracle, encryption requires additional code changes their organizations may not want to support. Additionally, because developers would be required to implement the code changes, enforcing segregation of duties becomes more difficult. An ideal solution would allow for data to be protected with minimal (or no) performance or application code impact.
In addition, encryption does not prevent access by standard IT users or when authenticated applications and tools access the databases. In these cases all values are returned “in the clear.” An ideal solution would ensure that access is restricted for DBAs, system administrators, and other privileged users.
So what are organizations missing? Is there a way to augment encryption so that you can:
- Restrict data access for DBAs, system administrators and other users who see data unencrypted, or in the clear?
- Protect data of variable length or in unstructured or semi-structured format?
- Dynamically mask data without impact to the database or application?
- Protect data as the test, QA or training environment is created?
Hear Larry Ponemon discuss the survey results in more detail during a CSOonline.com/Computerworld webinar, Data Privacy Challenges and Solutions: Research Findings with Ponemon Institute, on Wednesday, June 13