Related Links As if federal security managers didn’t have enough trouble sleeping, now they have to worry about the health and well-being of their databases. For years, agencies reasoned that if they kept intruders outside the firewalls by buttoning up their networks, everything inside remained safe. But a series of high-profile database breaches in the last couple of years have shown the danger of this reasoning. Last year, up to 40 million credit card records maintained by CardSystems Solutions were exposed to hackers.

Reminding federal officials that such attacks are not limited to financial services firms, the Defense Department reported in April that an intruder infiltrated one of its servers and riffled through the confidential health insurance records of more than 14,000 people. Why the interest in hacking databases? That’s “where the gold is,” said Ted Julian, vice president of strategy and marketing for Application Security Inc. Ramanand sagar mahabharata.

(AppSecInc), a database security tools vendor. “Why bother with other parts of the infrastructure if in the database you can get it all?”. But experts worry that the security features that come standard with database management systems (DBMS) don’t do enough to protect against today’s data thieves. “The basic database measures are not good enough,” said Noel Yuhanna, lead database analyst at Forrester Research. “You need advanced security to protect your private data. [Database management systems] are not sophisticated or intelligent enough.” For many organizations, the answer is third-party tools that work directly with a DBMS to provide custom vulnerability assessment, intrusion detection and prevention, data monitoring, and auditing capabilities.

Hackers aren’t the only reason federal agencies want tighter database security. Insiders with valid authorization can also succumb to the temptation to sell private information. “Pretty consistently over the last eight years, data theft has shown itself to be an insider problem,” said Adrian Lane, chief technology officer at IPLocks, a security tool provider. “It’s insider threats that are really driving security purchases nowadays.” Adding to concerns are security holes inadvertently opened by third-party contractors and suppliers. To facilitate closer business collaboration, agencies routinely use virtual private networks to connect employees at private companies to agency contacts. But vulnerabilities in partner networks can unintentionally provide a hidden door for cyberthieves to enter federal systems. Regulations add to database worries On top of security worries, managers also grapple with mountains of regulations, ranging from those mandated by the Federal Information Security Management Act (FISMA) to health care privacy laws, notably the Health Insurance Portability and Accessibility Act (HIPAA).