Simon Spring, Senior Account Director EMEA, WhereScape, discusses how the rise in remote working has highlighted a need to focus on data security and compliance, emphasising the importance of organisations turning their attention to the physical integrity of their data centres.
Among the important topics occupying the time and investment decisions of tech professionals, compliance and security are arguably two of the most wide-ranging and consistently challenging. Under conventional circumstances, the pressure to adhere to regulatory guidelines, maintain data integrity and minimise risk is always front of mind. In the last 12 months, however, the emphasis has shifted, risks have increased and scrutiny is intense.
If that wasn’t enough to contend with, the huge momentum behind strategic and remedial Digital Transformation projects has brought database security and compliance to a level not witnessed before. As Microsoft CEO, Satya Nadella, revealed last year: ‘We’ve seen two years’ worth of Digital Transformation in two months’. Technology professionals are used to innovation and change, but recent experiences have been on a different level entirely.
Indeed, the pandemic has added significant additional pressure and risk around database security in particular. The overnight jump in remote working, for example, not only means far more security is required in general, but in the rush to set up access at scale, it is likely that some organisations granted elevated privileges where they were not needed. It is somewhat ironic that the rush to set up more remote access points has also given cybercriminals broader access to corporate networks. Exacerbating the risks, a general and underlying sense of anxiety among many people has increased the likelihood that individuals will fall victim to threats such as phishing emails.
In addition, the challenges facing database security are not focused solely on protecting the privacy of personal data: compliance dictates that security measures safeguard data and act as a constant test of protection and preparedness. At the same time, databases are under ongoing attack from cybercriminals, exposed to a range of vulnerabilities and also subject to internal threats.
Many of the issues are stubbornly familiar, including the use of weak and shared passwords or the frustrating problem of organisations going no further than the default system passwords and settings. But that is just the tip of the iceberg: poor or non-existent pre-deployment security testing, poor data encryption and insecure backups all exacerbate the complex compliance and security challenges present across many organisations.
In focusing on data security and compliance, organisations must also retain their emphasis on the physical integrity of their data centres. Faced with growing cybersecurity risks, IT teams must not neglect the safety and resilience of their infrastructure estate, including protection against insider threats. While the likelihood of a physical breach or natural disaster can be perceived as remote compared to the massive volume of cyberattacks out there, the consequences of damage to physical systems can be just as disastrous.
Improving compliance and security
These changing circumstances mean that many organisations would benefit from stepping back from a sole focus on immediate risk to review their processes, so they can be sure their approach remains fit for purpose. Conducting a compliance audit, for instance, can very effectively assess the state of existing systems against a set of regulatory standards. Among various important indicators, auditors are looking for the availability and demonstrable value of reports, run books and documentation, alongside configuration and security settings that effectively address each compliance requirement or process.
Don’t forget, compliance is not a nice-to-have or a luxury item – it is often mandatory and requires significant financial and resource commitment. Effective compliance is also a question of leadership attitude – those organisations that take a holistic approach will usually see better outcomes. The point is, compliance is not merely an inconvenient obligation; it can also be an opportunity for innovation, such as the benefits offered by data automation and risk assessment technologies. Data warehouses developed using automation software tend to be more secure than their hand-coded counterparts, which can be subject to human error.
In practical terms, written procedures and policies should not exist in isolation, but be supported by relevant training for management, employees and contractors. Governance is also key in order to monitor, enforce, audit and respond to any breach of compliance or instance of potential misconduct. This is not just the preserve of large organisations that can build an internal team or outsource governance to a third party; SMEs should also create a process to audit their compliance processes so they can maintain standards.
Technology has an important role to play, with dedicated software solutions able to monitor and manage database security and compliance. For example, the best solutions can identify existing vulnerabilities across environments from SQL Server to Amazon and Azure. It is possible, for instance, to rank security levels in a ‘report card’ and analyse user permissions across database objects. Armed with this insight, IT teams can both optimise security policies for each dataset and improve their ability to comply with audits.
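To make the permissions analysis described above concrete, here is an added T-SQL audit script for SQL Server (one of the environments the article names). It is not code from the article or from WhereScape; it uses only the standard SQL Server catalog views and the built-in PWDCOMPARE function, and it assumes it is run in the database under review by a login that holds VIEW DEFINITION there and CONTROL SERVER for the login checks in step 4. It surfaces the same things an auditor or a ‘report card’ tool would ask for: who holds which permission on which object, who sits in elevated roles, and which SQL logins still carry blank or default-style passwords or have the password policy switched off.

```sql
-- Added example, not code from the article or from WhereScape: a T-SQL audit
-- script for SQL Server. Assumes: run in the database under review by a login
-- with VIEW DEFINITION there and CONTROL SERVER (needed to read password hashes
-- in step 4). Role names below are SQL Server's built-in fixed roles.

-- 1. Explicit permissions per principal and securable in the current database
SELECT  dp.name               AS principal_name,
        dp.type_desc          AS principal_type,
        CASE perm.class
            WHEN 0 THEN DB_NAME()                                   -- database-level grant
            WHEN 1 THEN OBJECT_SCHEMA_NAME(perm.major_id) + '.'
                        + OBJECT_NAME(perm.major_id)                -- table, view, procedure...
            WHEN 3 THEN SCHEMA_NAME(perm.major_id)                  -- whole schema
            ELSE perm.class_desc
        END                   AS securable,
        perm.permission_name,
        perm.state_desc       -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
FROM    sys.database_permissions  AS perm
JOIN    sys.database_principals   AS dp
        ON dp.principal_id = perm.grantee_principal_id
ORDER BY dp.name, securable, perm.permission_name;

-- 2. Members of the database roles that confer elevated rights
SELECT  r.name AS role_name, m.name AS member_name, m.type_desc AS member_type
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_ddladmin')
ORDER BY r.name, m.name;

-- 3. Server level: members of sysadmin and securityadmin, with their enabled state
--    (this is also where a still-enabled 'sa' login shows up)
SELECT  r.name AS server_role, m.name AS member_name, m.type_desc AS member_type, m.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name IN ('sysadmin', 'securityadmin')
ORDER BY r.name, m.name;

-- 4. SQL-authenticated logins with a blank password, a password equal to the
--    login name, or the password policy / expiry checks switched off.
--    PWDCOMPARE tests a candidate string against the stored hash without
--    revealing the password itself.
SELECT  l.name,
        l.is_disabled,
        l.is_policy_checked,
        l.is_expiration_checked,
        CASE WHEN PWDCOMPARE('',     l.password_hash) = 1 THEN 'blank password'
             WHEN PWDCOMPARE(l.name, l.password_hash) = 1 THEN 'password equals login name'
             ELSE 'policy or expiry check disabled'
        END AS finding
FROM    sys.sql_logins AS l
WHERE   PWDCOMPARE('',     l.password_hash) = 1
     OR PWDCOMPARE(l.name, l.password_hash) = 1
     OR l.is_policy_checked = 0
     OR l.is_expiration_checked = 0
ORDER BY l.name;
```

Steps 1 and 2 are scoped to the current database, so run them once per database in the estate; steps 3 and 4 are server-wide. When reviewing the output, the rows worth most attention are GRANT_WITH_GRANT_OPTION entries (the grantee can delegate the right onward), membership of db_owner or sysadmin for accounts that only need to read data, and any login appearing in step 4: each of these is exactly the kind of elevated privilege or default setting the article says tends to accumulate during a rushed remote-access rollout, and the output can be kept as audit evidence that the review took place.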
High standards of compliance and security deliver vital benefits to every stakeholder. As we see on a regular basis, compliance and security failures can be hugely expensive and recovery can sometimes prove impossible. But, with leadership commitment and sensible investment in technology, people and processes, organisations can meet or exceed their obligations and demonstrate their all-round excellence in today’s highly competitive markets.