When Data Access Governance (DAG) was first conceived, the logical place to implement such access control was on unstructured data such as shared file systems, collaborative platforms (e.g. SharePoint), and email systems. These massive unstructured data repositories seemingly contained the bulk of the corporate data, often quoted as representing well over 80% of all corporate data. Moreover, these data repositories appeared to be growing exponentially and therefore were the logical choice as the initial place for such extra controls. And thus, the DAG market and vendors appeared.
However, as with any new undertaking, an evolutionary process followed that transformed one of the key foundational premises. While unstructured data might well represent 80% or more of the corporate “raw” data, the next natural and highly tempting “pot of gold” was the data stored in databases upon which key business systems were built. In fact, the data held within those databases was actually “information”, which by its very definition means highly valuable. While gaining illegal access to an email message might prove embarrassing to the parties involved, it would be rare to grab an email that might contain information which could be leveraged. But gaining access to a database record from a live business application could well permit the escape of data of immense value such as a customer name, address, birthdate, and credit card number. In case you did not notice, that’s exactly the information a bad actor needs to obtain a credit card in that person’s name. In fact, that’s the crux of all the data breaches that make the news, where they quite often quote the number of personal records stolen.
But databases are inherently safe, right? That was a very common and somewhat reasonable belief. So initially people assumed that DAG did not need to extend to cover their databases as they were already “airtight”. Of course, and with no disrespect intended to database vendors, that’s not entirely true. However, even if we were to accept that assumption at face value, two other variables entered the equation. First, many shops went from a homogeneous database environment to a heterogeneous one. Gone are the days of the Oracle or SQL Server only shops. These days databases are merely a commodity when building business applications, so any database will often do. Second, and more important, the regulatory rules imposed now require extending DAG across all data no matter where it resides. As such, smart DAG vendors are extending their coverage to the key operational database platforms that businesses rely on for their most important functions. Since relational databases were prevalent during the past three decades, that’s a smart place to start.
STEALTHbits helps you control unstructured data with a proven approach to achieving Data Access Governance (DAG). We can find your unstructured data, determine who has access to it, and monitor how they are using that access. The STEALTHbits platform focuses on ease, scale, and interoperability. We’ve made it easy to get your DAG program started—regardless of whether you’re looking to do a small pilot in one part of the business or trying to scale out quickly to the whole enterprise. As you need to draw in more and more data, you’ll find STEALTHbits has the flexibility to scale out to meet that challenge as well as become a part of your security, governance, and larger IT management platforms through out-of-the-box integrations.
For more information on how STEALTHbits can help your organization achieve Data Access Governance, contact us today.
Bert Scalzo is STEALTHbits Technical Product Manager for databases. He’s an Oracle ACE, blogger, author, speaker, and database technology consultant. He has a BS, MS, and Ph.D. in computer science, an MBA, and has worked for over 30 years with all major relational databases, including Oracle, SQL Server, DB2 LUW, Sybase, MySQL, and PostgreSQL. Moreover, Bert has also worked for several of those database vendors. He has been a key contributor for many popular database tools used by millions of people worldwide, including TOAD, Toad Data Modeler, ERwin, ER/Studio, DBArtisan, Aqua Data Studio, and Benchmark Factory. In addition, Bert has presented at numerous database conferences and user groups, including SQL Saturday, SQL PASS, Oracle Open World, DOUG, ODTUG, IOUG, OAUG, RMOUG, and many others. His areas of interest include data modeling, database benchmarking, database tuning and optimization, “star schema” data warehouses, Linux®, and VMware®. Bert has written for Oracle Technology Network (OTN), Oracle Magazine, Oracle Informant, PC Week (eWeek), Dell Power Solutions Magazine, The LINUX Journal, LINUX.com, Oracle FAQ, and Toad World. Moreover, Bert has written an extensive collection of books on database topics, focusing mainly around TOAD, data warehousing, database benchmarking, and basic introductions to mainstream databases.