One of the most important first steps in any database security strategy is also, coincidentally, one of the most likely to be forgotten: enumerating the databases an organization manages. After all, unless an enterprise knows how many databases it has and which ones contain sensitive information, it is pretty difficult to prioritize them based on risk and implement appropriate controls. And yet many organizations are operating in the dark with regard to database discovery.
“Many companies struggle to locate and accurately maintain an inventory of all their data across databases,” says Anu Yamunan, senior product manager at Imperva.
It’s true, says Paul Borchardt, senior manager of Vigilant by Deloitte, who sees many organizations fail to maintain any kind of centralized inventory of databases or applications across the enterprise.
“This sounds so simple and logical, but an accurate asset inventory is frequently nonexistent or, if it exists, is fragmented and managed by disparate asset managers, such as DBAs and developers,” he says. “Failing to identify the one database containing the PII of your clients because you didn’t know about it will not please the regulators or the court of public opinion.”
Part of the issue is one of scale. Many organizations operate hundreds of databases across their IT infrastructure, some more visible than others.