Encrypt your database? You bet

When amateur hackers have proven that even lavish perimeter security measures are woefully weak, there's only one choice left: Encrypt the info on your databases.

COMMENTARY--When the team from Protegrity, Inc. called the ZDNet offices last week to tell us about its database content encryption software, Secure.Data, my initial reaction was, "Who needs it?" After all, your databases should be inaccessible to the outside world. If they're inaccessible, why bother to encrypt the information?

The need for such products was driven home a few days later when The Washington Post announced that hackers had broken into a number of computers belonging to the US Army and to NASA. Some of those computers contained classified information, some contained information controlled by privacy laws, and some contained information so sensitive that it would prove invaluable to terrorists and others who might cause harm. In one case, a database of the travel plans for the couriers who hand deliver the most critical secrets was exposed.

To make matters worse, it wasn't highly skilled hackers or spies who broke into the military computers. They were consulting company employees with no experience as hackers, using tools readily available on the Internet. The consultants found that despite strong policies against such things, the Army and NASA computers had weak or missing passwords and no perimeter protection. Clearly, despite the policies, government employees were conducting business as usual--which meant they weren't following the policies.

The consultants found that once they broke into one computer on the military's network, usually using a simple carriage return as a password (sometimes only having to type "password" to get in), they could find the names and addresses of other computers. They were also able to open and read database listings and e-mail files, and they were able to link to other computers through the computers they'd already compromised.

Now, take that thought a little ways down the logical road. If your data is so unprotected that unskilled hackers can break in and read it with ease, think about how easy it would be for your own staff. After all, your staff already knows a lot about your company, and that knowledge should ease their search for useful information. Sure, you should be able to trust your staff with company information, but not everyone should have complete access to everything. Suppose someone broke into your payroll information, for example, and learned what everyone in the company was earning.

Equally likely in today's uncertain economy is that an employee might decide to get rich in a hurry by selling information to your competitors. A customer list? No problem, just have the database send it out.

And that, of course, is why you need to encrypt your data with a product such as Protegrity's Secure.Data--because taking reasonable precautions isn't enough to stop someone determined to access sensitive data on your network. As I said, your network should be protected from intruders, and your staff should be completely loyal. But while we're waiting for that to happen, encrypting the contents of your databases is exactly what every company needs to do.