Database security: Challenges and solutions for businesses - DEEP
It's no longer time to question the relevance of securing corporate data. Now is the time to take action to protect what has become a fundamental asset, one whose compromise can cost the entire company both value and reputation. Didier LAVOINE explains.
Isn’t data security an old topic for companies?
Didier Lavoine: Surprisingly, no… it's actually a relatively recent concern. In the past, security mainly focused on the entire IT system: infrastructure, architecture, and applications, primarily to prevent operational downtime, along with securing access and the system’s perimeter.
However, what we already glimpsed when moving from the notion of "corporate IT" to "information systems" has now become reality: we operate in a data-centric world. Whether raw, processed, or ephemeral, data has value. Hackers understand this well: while their past “exploits” involved bringing down IT systems, today, their main goals include data theft, corruption, or alteration.
So this challenge goes far beyond the IT department?
DL: Absolutely! It's a company-wide issue, especially because, for certain types of information like personal data (under the GDPR), legal penalties may apply if data is not properly protected. That’s why corporate data and its security must be a key pillar of governance. At DEEP, we firmly believe that IT must now be part of the executive leadership team, just like Finance, Sales, or Operations, whether we call it an executive committee, board, steering committee, or any other term.
What’s the right approach to data security?
DL: First and foremost, we recommend a pragmatic, structured, and forward-looking approach. Designing a data security plan is just the first step. For it to be effective over time, it must be managed and continuously improved.
This begins with the identification of key assets, notably databases, which are by far the most targeted. This involves both technical aspects (vendor, version, admin procedures, etc.) and usage analysis through Business Impact Analysis (BIA). This helps prioritize databases based on their business criticality.
Next, for each asset, we analyze vulnerabilities, identify existing security measures, and finally, develop risk scenarios — not forgetting the organizational aspects.
What areas do you focus on specifically?
DL: Drawing on our experience in database management, and in particular Oracle databases of all versions, we have developed a security analysis framework, divided into 7 key areas:
- Access management
- Data security (including availability)
- Environment: infrastructure and architecture
- Operational maintenance
- Licensing and vendor contracts
- Human resources
- Physical security
This framework leads to a remediation phase, leveraging various Oracle solutions, such as:
- Data masking with Data Masking & Subsetting
- Data encryption with Network and Transparent Data Encryption
- Database lifecycle management
- Data pseudonymization with Data Redaction
- Advanced access control with Database Firewall and Database Vault
- Unified database auditing with Database Security Assessment Tool (DBSAT) and Data Safe
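Two of the items above, Data Redaction and unified auditing, shown as an Oracle SQL example added here for illustration (it is not code from the article, from DEEP or from Oracle's documentation). It assumes a sample HR.EMPLOYEES table with a SALARY column, a privileged HR_ADMIN account that is allowed to see real salaries, and policy names chosen for this example; an account with the appropriate administrative privileges runs it.

```sql
-- Assumed sample objects: schema HR, table EMPLOYEES, column SALARY,
-- privileged account HR_ADMIN. Policy names are chosen for this example.

-- 1. Data Redaction (pseudonymization at query time): every session except
--    HR_ADMIN sees a redacted SALARY. FULL redaction returns 0 for a NUMBER
--    column; the stored data itself is left untouched.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'HR',
    object_name   => 'EMPLOYEES',
    column_name   => 'SALARY',
    policy_name   => 'redact_employee_salary',
    function_type => DBMS_REDACT.FULL,
    expression    => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''HR_ADMIN'''
  );
END;
/

-- Check which columns are currently redacted.
SELECT object_owner, object_name, column_name, function_type
  FROM redaction_columns;

-- 2. Unified auditing: record who reads or changes the table. The policy is
--    created once and then enabled with AUDIT POLICY.
CREATE AUDIT POLICY audit_hr_employees
  ACTIONS SELECT ON hr.employees,
          UPDATE ON hr.employees,
          DELETE ON hr.employees;

AUDIT POLICY audit_hr_employees;

-- Confirm the policy is enabled.
SELECT *
  FROM audit_unified_enabled_policies
 WHERE policy_name = 'AUDIT_HR_EMPLOYEES';

-- 3. Review the audit trail. UNIFIED_AUDIT_POLICIES lists every policy that
--    matched a record, so use LIKE rather than equality.
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%AUDIT_HR_EMPLOYEES%'
 ORDER BY event_timestamp DESC;
```

The redaction policy controls what query results show, not who may query; pairing it with the audit policy gives the traceability mentioned later in the interview, since each access to the protected table is recorded with the user, the action and the SQL text.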
For every identified risk, the security plan must define the relevant actions, their maturity level, and how they’ll progress over time. Once again, a data security plan must be managed over the long term to remain effective.
To support this effort, we’ve chosen to equip our approach with a cyber risk and compliance management tool.
And what about regulatory risks?
DL: For the past two years, it’s clearly been a growing concern. ITIL alone is no longer enough, and many organizations are now pursuing ISO 27001 certification. In this context, end-to-end data traceability and a commitment to continuous improvement are essential. We now help clients easily integrate data security into their ISO 27001 journey.
Any final advice on getting started with data security?
DL: While we do believe in certain best practices, there’s no one-size-fits-all solution. It really depends on the company’s environment, structure, data types, and volumes.
What’s clear, however, is that this is not about a big bang. It’s best to start with a few critical databases — the ones that are vital to business continuity. And in any case, make sure there’s a long-term operational follow-up, because a security plan that works today may not be effective tomorrow!