What trends should enterprises be watching in 2010, and how will they affect an organization’s security strategies? Slavik Markovich, CTO and founder of the database security company Sentrigo, thinks IT groups should pay attention to these trends—increasing movement toward cloud services, stepped-up database virtualization, and growth in hacking tools that allow swift random attacks on data. On the consumer level, Slavik noted that 2010 could be the first year that the Mac experiences a major virus attack. “There’s a big misconception from Mac owners that Macs and iPhones are secure,” he said. “An iPhone has an IP address—already there have been a few worms.” At work, people just open their mobile devices such as iPhones and connect to the PC or to the service. Slavik recommends that enterprises think hard about how to protect those endpoints.
2010: The Enterprise Moves Data to the Cloud
According to Slavik, the “biggest push in 2010 is the move to cloud-based services. Microsoft will push the Azure cloud platform and SQL Azure database services.” A major hurdle will be “how do you protect the data in the cloud environment?” Organizations need to protect data from attacks both from outside and “from your own data administrators, plus your cloud administrators or administrators from the hosting company.” The questions are: “How do you trust them? Or trust but verify that your data is not being accessed or breached?” And “how do you monitor access to the information while it’s kept in the cloud?”
Slavik notes that DBAs have been slow to move data to the cloud because the market hasn’t been ready. “There weren’t good services out there that offered real SQL Server hosting. What you got from Amazon [for example] for their cloud was just basically the platform. And Google of course provided its own database. Smaller companies provided the SQL Server environment, but didn’t provide the whole vision thing. Whereas Microsoft with Azure provides a really strong platform that offers both platform services and higher-level services—SQL Server web services and a path between them.” For more on SQL Azure database services, see Mike Otey’s “7 Facts about SQL Azure,” InstantDoc ID 102766.
2010: Time to Virtualize Database Services
While virtualization has been a big trend in 2008 and 2009, Slavik looks to 2010 as the time when “you won’t see any organization without some virtualization. The push will be for backend service virtualization, which includes database virtualization. Up until now organizations were hesitant about putting databases inside virtual machines (VMs), but I see more and more customers are putting SQL Servers and Oracle databases on VMs.”
He attributes the openness to virtualization to the maturity of the platforms. On the security side, challenges he calls out are the dynamic nature of the environment and changes to traditional security models. “The old-school models of perimeter protection and network monitoring are going to break down. Models based on localized activity, monitoring at the database wherever it may pop up in a virtual environment are going to be more critical. Virtualization deserves its own type of security.” For more on SQL Server virtualization, see Mike Otey’s “The Inevitable Virtualization of SQL Server,” InstantDoc ID 102784.
2010: The Proliferation of Hacking Tools
The security game changer for Slavik is the variety of new tools, courtesy of the hackers, that enable automated random attacks on data. “Getting from a vulnerability to an exploit is going to be very easy for hackers, especially when you talk about databases and patching. Once a vendor releases a patch we might see worms that immediately try to exploit the patched vulnerability. Hackers know that enterprises out there just don’t patch as quickly as they should.”
Slavik notes that “It’s all about economics. There’s a lot of money to be made hacking into companies and stealing credit card information. This motivates organized crime too. It’s not just the super-skilled hackers. Anyone can download those tools.”
Slavik does security presentations for SQL Server and Oracle groups, and he says that “I’m still amazed at how much of the basic stuff is still a mystery. Effort should be invested in training developers and DBAs in using secure coding practices. An organization should go with a multi-layered security approach. Definitely one of the things there should be real-time monitoring and alerting tools deployed to prevent attacks. [Sentrigo is one of those tools vendors.] Organizations should also consider reducing the attack surface by making sure that the critical information, the credit card, is not stored in many locations.” He recommends using tokenization. “Store the credit card in one very secure location and put on tokens in all the other locations. Those tokens can actually even look like a credit card but they are not. If the database is compromised hackers will not get to the credit card.”
It seems clear that as trends come and go, a key factor in any business decision is an understanding of its security implications. Slavik notes that the first security move is to simply become aware that you could have problems.