Expectation: I am an IT security and compliance director, and I have an audit coming in a month. I have few databases that have customer data, product data and employee data. I think I will be OK and may be able to pass the audit if everything goes well.

Reality: I am an IT security and compliance director and I have an audit coming in a month. I have databases that I don’t even know about in my environment, and I am not sure if those databases contain customer data, product data, employee data or some other sensitive data. I don’t think I’ll be OK, and I will fail the audit. I am sure nothing will go well.

Is Your Compliance Status at Risk?

Does this reality sound all too familiar? And more importantly, are you covered?

Compliance is most challenging when you have to meet various security baselines (e.g., STIG, CVE, CIS, SOX, PCI or HIPAA) for all your data sources. Multiply it by the number of data sources across several platforms and the equation gets very complex.

Read the white paper: Three Guiding Principles to Improve Data Security and Compliance

Organizations are almost constantly trying to minimize the cost of compliance and are always looking for a way to meet all their compliance needs cost-effectively and without much hassle. This sounds too perfect, right?

But it is possible. It starts by understanding the strategy to be in compliance from a data source vulnerabilities perspective and adopt industry best practices in this approach.

Why Do You Need This Approach to Compliance?

Organizations have thousands of data sources across multiple platforms (e.g., databases, data warehouses, big data platforms) with thousands of users accessing data from applications or natively using sequel queries. Database administrators (DBAs) deploy the production system with default usernames and passwords or passwords that do not comply as per corporate baseline. As a result, they are easy to decode for gaining access to the data.

Data control language (DCL) commands like Grant and Revoke are not set properly and often provide excessive privileges to users who do not need them. There are so many misconfigurations and default database settings that need to be changed. There are also missing patches that need to be updated.

Managing the data repositories’ vulnerabilities requires a great deal of skill and maintenance, especially when you multiply this by the number of data sources and data platforms. It’s a big project, and relying on resolving this all manually is a massive investment in time and resources. But it will not make you sufficiently compliant or more secure on its own.

This leads to the next point: Insider threats increasingly lead to data breaches. Enterprises often have no authority to restrict access, they do not have a simple source of information on who has access to what and they cannot manage entitlements across a large inventory of data sources. All of this must be remediated.

Is There a Solution?

Enterprises are looking for an automated way to analyze sensitive data servers, identify sensitive data, check for the risk posture in those servers and get a vulnerability assessment report to understand the overall risk. Once they gain access to this information, they can then look for best practices to remediate all vulnerabilities scanned on those servers.

This will solve the twofold problem of managing compliance and securing your data.

That may be your ideal scenario, but it can also be a reality. Some organizations are leveraging IBM Security Guardium Vulnerability Assessment to solve this big challenge. To learn more, watch the on-demand webinar “Avoiding the Data Compliance Hot Seat” or watch the latest Guardium Vulnerability Assessment demo:

More from Data Protection

Will the 2.5M Records Breach Impact Student Loan Relief?

Over 2.5 million student loan accounts were breached in the summer of 2022, according to a recent Maine Attorney General data breach notification. The target of the breach was Nelnet Servicing, a servicing system and web portal provider for the Oklahoma Student Loan Authority (OSLA) and EdFinancial. An investigation determined that intruders accessed student loan account registration information between June and July 2022. The stolen data includes names, addresses, emails, phone numbers and social security numbers for 2,501,324 student loan…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…