More than half still not encrypting sensitive regulated data in all their databases
By Roxana Bradescu on Feb 09, 2009
We ran some polls during the Network webcast we did last week, Information Security for Database Administrators. (If you missed it, the replay is available here.)
One of the polls was "Are you encrypting sensitive information such as credit card and social security numbers in all databases across your organization?" We had 61 responses, and 34 answered NO. Although 27 of the folks on our webcast answered yes, the 2008 IOUG Data Security Report a few months back actually indicated that the number out there is more like a third. One of the main reasons we find is the use of production data containing live social security numbers or credit cards being copied to non-production databases for development and test purposes.
We are going to be talking more about this topic in a live webcast on how to "Protect Sensitive Data Using Encryption and Masking" this Thursday at 2:30 EST/11:30 PST. You can register here.
The second question we asked was "Are you using native database auditing to detect failed logins, DDL changes, or other suspicious activities?" with a follow-up question of "Are you monitoring database audit logs to detect security threats in real-time?" We had 67 responses: 32 indicated they were auditing their databases, but only 25 were actually monitoring those audit logs.
In the webcast, we discussed the importance of using tools like Oracle Audit Vault to automate the monitoring of audit data in order to detect and alert on security threats in real-time. Also, having all that audit data securely stored in a centralized warehouse saves lots of time and money when generating regulatory audit reports. If you want to see a demo of Oracle Audit Vault, you can register here to attend one of our weekly demos in February.
Well, that's it for now. I will be posting some follow-ups to some of the questions asked on this and other recent webcasts. Stay tuned...