This month, Black Hat 2022 celebrated its 25th year and gathered thousands of security experts and executives from 111 countries. As an exhibitor, Cyral had a chance to swap stories with dozens of cyber security pros – and also took the opportunity to ask them a few operational questions as part of a survey. With data breaches at a record high and based on the responses, we’re left asking, “Do companies have a false sense of security for their databases?”
We started out by asking Black Hat attendees who stopped by our booth a basic question: “What goal is more important to your organization’s security team: protecting critical assets or locking down attack vectors?” 228 people responded. Nearly 80% said that protecting critical assets was the more critical objective. We certainly agree with this group – after all, in the end, we’re trying to prevent the bad guys from taking our data.
But in practice so much of our attention and budget is applied to attack vectors themselves — email security, application security, network security, API security, IoT security — yet all roads lead to data.
Very little has been done to modernize or shore up security around the database itself. Most production databases are protected by little more than a password.
Meanwhile, there is a surge of new applications and users that now need access to the data. So we asked Black Hat attendees, “How do you grant database access to new users today?”
About 1/3 of the people we asked said they were creating database accounts for each user. This is an operational challenge that doesn’t scale easily, and it also raises security concerns about how applications might be accessing the database. Database credentials are often hard-coded within the application, which means the passwords are rarely rotated, and if the application is compromised, attackers can easily obtain the database credentials. Additionally, the rise of low-code/no-code development has introduced many data-specific concerns, as outlined in the OWASP Top 10 Low-Code/No-Code Security Risks.
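The hard-coded credential problem described above is something a security team can check for directly. The following is an added example, not Cyral’s code or any project’s tooling: a small scanner that finds database connection URLs with embedded passwords and literal password settings in source or config text, reports them with the secret redacted, and skips values that are clearly read from the environment or a secrets manager. The sample config it scans is constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Connection URLs such as postgres://user:pass@host/db (scheme list is illustrative)
URL_RE = re.compile(
    r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|mssql)://[^\s'\"]+", re.I
)
# Key/value settings such as DB_PASSWORD = "secret" or smtp_password: secret
KV_RE = re.compile(r"(pass(?:word)?|pwd)\s*[=:]\s*['\"]?([^\s'\";,]+)", re.I)
# Value prefixes that indicate the secret is injected at runtime, not hard-coded
DYNAMIC_PREFIXES = ("os.environ", "os.getenv", "process.env", "${")


@dataclass
class Finding:
    line_no: int
    kind: str       # "url" (password inside a connection URL) or "literal"
    redacted: str   # never carries the full secret into logs or tickets


def redact(secret: str) -> str:
    """Keep the first two characters so a finding can be matched to its source."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def find_hardcoded_db_credentials(text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in URL_RE.finditer(line):
            parts = urlsplit(m.group(0))
            if parts.password:  # user:pass@host form embeds the secret in the URL
                shown = f"{parts.scheme}://{parts.username}:{redact(parts.password)}@{parts.hostname}"
                findings.append(Finding(line_no, "url", shown))
        for m in KV_RE.finditer(line):
            value = m.group(2)
            if value.startswith(DYNAMIC_PREFIXES):
                continue  # fetched at runtime; rotation is possible without a redeploy
            findings.append(Finding(line_no, "literal", redact(value)))
    return findings


# Constructed sample of an application config (hypothetical hosts and secrets)
SAMPLE_SOURCE = """\
# constructed sample of an application config for demonstration
DB_URL = "postgres://app:hunter2@db.internal:5432/orders"
password = os.environ["DB_PASSWORD"]
cache: redis://cache.internal:6379/0
smtp_password: "Tr0ub4dor&3"
"""

if __name__ == "__main__":
    for f in find_hardcoded_db_credentials(SAMPLE_SOURCE):
        print(f"line {f.line_no}: hard-coded {f.kind} credential -> {f.redacted}")
```

Run over a repository this reports two findings from the sample (the URL on line 2 and the literal on line 5) while ignoring the environment-sourced password and the password-less cache URL; the redacted output is safe to paste into a ticket.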
Another 1/3 of the group said they require the use of trusted agents and certificates – these companies are relying on a Privileged Access Management (PAM) system to manage access. PAM systems create a lot of operational complexity and lack many of the controls databases need to remain secure. For example, PAMs support users, not applications. Additionally, PAM systems generally provide all-or-nothing access to databases, without data masking or limited read/write or read-only privileges.
And nearly 30% of the security professionals we surveyed said they give users access to shared credentials or that they weren’t sure at all how they grant database access.
At a time when data democratization is taking hold at companies worldwide, a range of teams and roles need access to production databases for support, troubleshooting, or improving software quality. Security teams need to restrict access to sensitive data without inhibiting user productivity, and to manage not only human users’ access but also applications’ access.
While some may be seeking to guard each of the ever-expanding number of attack vectors that are a consequence of the move to the cloud, it’s becoming clearer to more of the security world that it’s the data layer that matters most. To learn more about this growing problem, please read the white paper: Database Security Exposed: The Truth Behind the Record High Number of Data Breaches.