Database Security Exposed: The Truth Behind the Record High Number of Data Breaches

Written by Cyral.

“Every company is a data company.”

From building better products and providing better customer experiences to improving efficiencies, data is driving the business.

With data taking the spotlight, there are important implications for security, privacy, and compliance teams. It’s not just your company that sees value in your data. There are many bad actors that also see value in your sensitive data too.

It shouldn’t be surprising that data breaches are surging to an all time high.

According to the Identity Theft Resource Center’s 2021 Data Breach Report, there was a new record high number of data breaches in 2021, which also constituted a 68% rise year over year!

Your data and databases are the primary target for attackers. And with data breaches at all time highs, it’s time to evaluate how you are protecting your more sensitive assets — your data.

Attack Vectors Increasing Faster Than They Can Be Secured

Originally, all valuable information was stored within the data center. The most common strategy was to implement perimeter security for the data center. If only authorized users had access to the data center, then only authorized users had access to critical data.

However, as enterprises migrate to the cloud and modernize their applications, the perimeter expanded. Applications and sensitive assets now live outside the data center, and systems that were never intended to be accessed externally are now exposed to the internet.

The proliferation of the cloud comes with a surge in the number of applications, users, and APIs — each creating new attack vectors that bad actors can leverage in attempts to access your data.

Speed, scale, and self-service are all enabled by modern cloud-based infrastructures. However, these characteristics of the cloud can also introduce new complexity and risk. Any gaps in the security posture of distributed infrastructure and applications can lead to data breaches, and with data breaches at an all time high it is evident that attack vectors are increasing at a rate faster than they can be secured.

What makes matters worse is that there are very limited security controls at the data layer that can prevent data exfiltration when user credentials or applications become compromised.

Databases are Exposed

For decades databases have resided in data centers with very limited risk. Outside of a few database administrators, very few users and applications had access to databases. But today, this is rapidly changing.

Digital transformation, cloud migration, and data democratization initiatives are increasing the amount of sensitive data created and collected, the number of data repositories where sensitive data is stored, and the amount of access granted to users and applications.

With so many roads leading to your data, it is important to note that the database is protected by little more than a password.

The Primary Problem: Passwords

While modern authentication and authorization, like SSO and MFA, have been applied to the credentials at almost every other layer of the tech stack, the database is usually protected by just a password. This subjects your database to the bad behavior and security vulnerabilities that have largely been deemed unacceptable for almost every other service or system, including:

Shared Database Credentials

With more and more users needing access to sensitive data, it is often faster and easier for end users to share credentials with each other instead of requesting access. For administrators, it is also difficult to manage all the joiners, movers, and leavers. This practice is extremely common and increases the risk of unwanted and unauthorized access to sensitive data.

Database Credentials Hard-coded into Applications

Applications also need access to databases and need credentials just like users. The database credentials for applications are often hard-coded into the application itself. If the application becomes compromised or the source code is accessed, there is nothing standing between a bad actor and your database.

Given the prevalence of shared database credentials and credentials hard-coded into applications, common security practices like rotating the password every 90 days are not feasible — compounding the poor security hygiene at the database level.

Rigid Database Access Controls

Database credentials and access controls are extremely rigid. Most users are given complete access to all datasets within the database, even if they only need to access a subset of the information. Databases aren’t designed to grant privileged access to users and applications, and existing privileged access management (PAM) tools aren’t database aware and don’t offer column, row, and field-level control to the database. This means that engineers, data scientists, analysts, and department heads who need access to the data have all or nothing access.

A new approach to database security is necessary.

Modern Approach to Database Security

Using solely a vector-based approach to database security is incompatible with a cloud-based world. Without implementing modern security controls to the data layer, databases will continue to be exposed, and we will continue to see the rate of data breaches reach new highs as more and more enterprises migrate to the cloud and embark on data democratization initiatives.

Consistent, Federated Security Controls at the Data Layer

Data is now stored in many different data repositories across clouds and data centers. It’s imperative that enterprises implement consistent, federated security controls across each of these repositories. Attackers look for the path of least resistance and will exfiltrate data from the “weakest link” in your data chain.

Fortunately, the types of security controls required at the data layer already exist in your toolbox — these tools just haven’t been extended to databases.

Authentication

Enterprises need an easier, more scalable, and more secure way to grant access to the growing number of joiners, movers, and leavers in their business. Other applications and services have leveraged Identity and Access Management (IAM) solutions to manage federated authentication. These same services need to be extended to the database itself. And by leveraging additional authentication best practices, like SSO and MFA, the amount of unwanted or unauthenticated access to sensitive data can be drastically reduced.

Authorization

In addition to managing who or what has access to databases, it is also important to implement authorization controls that are database aware. Users should only be able to access information intended for them. Column, row, and field-level authorization is critical for enterprises that are giving database access to more users and applications. Just-in-Time (JIT) access is another common security best practice that should be extended to the database. Modern authorization controls limit the blast radius of successful attacks and ensure your most sensitive data never falls into the wrong hands.

Auditing

Most enterprises don’t have an easy way to know who or what is accessing the database or even what they are doing. With existing controls, when a breach has been detected, it can sometimes take weeks or months to uncover exactly which accounts were compromised and what data was exfiltrated. Modern monitoring, alerting, and auditing controls can use pre-processed logs to provide real-time analysis. Security teams can see exactly who is accessing the database, as granular as the field level — cutting auditing times from months to minutes.

Conclusion

As companies store more data, store the data in more places, and give more access to the data, it’s imperative to evaluate the security posture of databases. Attack vectors are growing faster than they can be secured and the security controls of databases are ineffective or non-existent. Any gap in an enterprise’s security posture can result in unfettered access to sensitive data.

The prescription to overcome these security threats is to apply consistent, federated security controls at the data layer. These include database-aware authentication, authorization, and auditing to help security and productivity teams ensure that only the right people have the right access to the right data at the right time.

To learn more about how databases are exposed and best practices for multi-cloud database security, please download the white paper: Database Security Exposed: The Truth Behind the Record High Number of Data Breaches