As security pundits and analysts wrap up their annual round of predictions, the headlines have been flush with forecasts about social media security threats eclipsing many other dangers on the to-do lists of IT security organizations. The theory is that unmanaged social media and Web 2.0 applications will be the root cause of this year’s big security breaches.
While there certainly is room for concern, some security experts within the channel aren’t so sure that customers should spend too much of their energy chasing the newly perceived threats if they haven’t squared away the fundamentals. They believe social media isn’t the next big threat in 2010; unsecure databases are.
Count Brian Roemmele in that camp. He believes that even though customers may be abuzz over Facebook and Twitter and the requisite protection products that are cropping up around these applications, a lot of the furor is distracting channel customers and partners from more important security issues–namely, database security.
"There are a lot of products out there that are trying to chase this noise, but no one has a silver bullet today," says Roemmele, president of the Canadian VAR Privacy-Assured Inc. "Securing information around the database and access to the database is really the number one issue to this day."
The fact is that most channel customers these days are not trying to bar their employees from using Web 2.0 and social media applications. They just want to be sure that data is not compromised in the process.
One of the most common fears is that these applications can be used as a conduit to leak sensitive information or data. But as Alex Polishchuk, president of the database consulting firm Advanced Computer Consulting, explains, fixating on social media could divert valuable resources from fundamental protections of the data where it actually resides.
"You know, from that point of view, people might as well be afraid of employees using their cell phones, because guess what, using cell phones people can steal and pass on whatever they want," Polishchuk says. "The same goes for USB sticks, cell phones, video cameras, photo cameras, they might as well be afraid of that."
Roemmele agrees.
"There is the thought that individuals are going to leak information to the worldwide web of internal secrets and those sorts of things, but there’s nothing stopping them from doing it by these other mediums now," he says. "So the major question that remains is what should companies really be protecting? And that is all of their most sensitive information, whether that be credit card numbers or social insurance numbers or what have you. It could be a number of things, but they all have one thing in common and that is that they’re sitting in the database."
Beyond the data leak issues, social media worries tend to also zero in on virus and malware risks. These are definitely the more legitimate of the two, Polishchuk says.
"I would be more concerned about people introducing some kind of virus via this social network so that virus spreads to the computers and so on so that the company has to spend lots of energy on cleaning up that virus from their employee PCs and things like that," he says.
At the same time, though, Roemmele explains that channel partners and their customers need to keep their eyes on the prize: the prize stolen by hackers who pull off successful attacks, that is. Many of today’s most dangerous hacking attacks are carried out to tap into large data stores in order to siphon off vast quantities of personal information to sell on the black market.
"They’re more interested in getting into where the large amounts of information are residing because that’s something, if they can get to that information, it is something that they can actually capitalize on. In comparison, would you rather have one person’s name, or would you rather have 50k credit card numbers?"
This is the real reason why channel partners should keep database security at the top of the priority stack for 2010, even as customers press for answers about social media risks. Because in the end, by covering database security for them, the channel will be protecting the most vital assets put in danger by these risks.
"In the broader sense when we’re worried about criminal activity it is almost always driven around money and that money is coming from selling credit cards and it’s coming from selling information to allow people to assume false identity," says Josh Shaul, vice president of product management for database and application security vendor Application Security Inc. "So many successful big picture breaches with 100 million, 50 million, 90 million credit card numbers or records stolen inevitably attack the database. When data is harvested in that kind of quantity, really, the only place you can store that much data is in the database."