No Vaccine for Data Loss: Enterprises Have to Work Smarter at Securing Databases
By Grace Chng, Tech Writer, EDB
With the pace of digitalisation picking up, billions of bytes of data are being generated every minute. According to the World Economic Forum, about 463 exabytes of data will be created each day globally.
This data forms important reservoirs of information critical to business operations. With cybercrime on the rise, database security matters all the more. Moreover, regulatory regimes governing data integrity and governance, which are closely aligned with security measures, are also tightening.
These trends highlight three key issues:
- Greater urgency for enterprises to examine database security more closely than ever
- Need for specialised database security professionals
- Continuous education of the workforce to be always on alert for phishing and other cyber scams
In mid-October 2020, Alain Boey, head of Enterprise Data Strategy, Petronas, and Andy Bien, former CIO, Airport Authority Hong Kong (AA), among other participants, offered the following observations on data security and compliance at a roundtable discussion organised by EDB.
Enterprises need to examine database security more closely than ever
Petronas, the national Malaysian oil and gas company, has been exploring the use of public cloud in its transformation. Boey stated that it is moving data to the public cloud. He said it has been a big effort, adding that his team is also learning how to manage the process of cloud migration, secure the data and ensure that proper governance is followed.
At a leading creative digital community in Hong Kong, over several hundred startups build security into their products rather than offering security as an afterthought. Startups are cost-conscious and want the most bang for their buck, so they use open source database software as it is affordable and offers more features.
And at the Hong Kong International Airport, which receives cyber attacks regularly, security is a high priority, said Bien. He added that when assessing database security, every aspect of security, including network defence and protection, must be considered. He spoke of the need for IT security talent, which is in short supply globally.
When there aren’t enough skilled people, organisations might be concerned about switching to an open source database. “To a certain extent, organisations can do more with open source databases as it has more features, but then it also needs to have even more accountability on the security front,” Bien pointed out.
This led EDB’s sales director for Southeast Asia and Hong Kong, Frank Courtney-Jay, to state that open source database software has the benefit of many developers contributing code, including security code. “PostgreSQL has thousands of contributors who are very keen and passionate about providing updates. I’m not sure that proprietary companies can match that.”
Organisations must ensure proper governance in data access and management
Marc Linster, EDB’s Chief Technology Officer, advises enterprises to “think about security in layers, starting with granting the least access necessary for any role and blocking unnecessary access at the earliest opportunity”.
Once they apply this principle of least privilege, he says, they can decide which users have read or write access to which data, followed by auditing and encryption considerations.
Boey’s team is working on security protocols with its security business partners. This is of great importance to Petronas, he said, because security is closely related to compliance on data privacy and the integrity of sovereign data, both of which are subject to government regulations.
He added that the challenge for the Malaysian oil and gas company is compounded because it has operations in many countries and therefore has to follow all of their various compliance regulations.
“Internally we are building up governance policies with regard to the access, archiving and maintenance of data. When it comes to compliance, there is no compromise with government regulation.”
Yet, for the Airport Authority Hong Kong, the situation is different as it only operates in one territory. Bien explained: “AA aims to offer personalised service, which means it must know more about the air passengers. This is challenging because on the one hand, we need to know more about that person in order to serve them better, and at the same time, we want to respect the privacy of that person”.
He identifies data ownership, privacy, and the rights of passengers as the key issues. “It is one thing for the IT department to implement a technical solution, but the issue is multi-faceted. The appointment of an executive with legal background as chief data officer to ensure compliance would be most essential.”
Database security must therefore be tightly coupled with data compliance, as any loss or theft of data will run afoul of government regulations, all three IT leaders agreed.
Continuously educating the workforce
An additional cause for concern is people. Bien highlighted that people are often a source of cyber weakness. Users want convenience and may take shortcuts when accessing business applications, which can compromise the enterprise’s security rules. Maintaining proper cyber hygiene is a good way to protect data.
“Security is everybody’s business,” he emphasized, adding that enterprises need to bring greater security awareness to the workforce.
Boey says that Petronas runs phishing simulations to ensure that its employees are kept aware. Every employee takes the simulation tests, and a pass rate is expected. Those who do not meet the grade are re-trained and then retake the simulations.
Corporate security training modules that employees can access and learn from are also available. The company is also stepping up efforts to communicate to all employees that they are the first line of defence, he added.