The Business Case for Data Security
Imperva White Paper
The growing costs of security breaches and manual compliance efforts have given
rise to new data security solutions specifically designed to prevent data breaches and
deliver automated compliance.
This paper examines the drivers for adopting a strategic approach to data security,
compares and contrasts current approaches, and presents the Return on Security
Investment (ROSI) of viable data security solutions.
“With the growing threats to applications and data, from large-scale, automated Web attacks to insider
malfeasance, proactive data security has become mandatory.”
Executive Summary
Large-scale application attacks, targeted insider threats, and a swelling raft of regulations are compelling
organizations to adopt a new defense: data security. In this paper, we will address three key business questions:
1) What are the risks and regulatory drivers for data security?
We take a close look at today’s security and compliance landscape, current data security challenges, and the
auditing and reporting requirements in leading data privacy and data governance regulations. We conclude
that data security should be an executive focus, when businesses consider the devastating impact of data
breaches and the rising costs of regulatory compliance.
2) What are the alternative approaches to achieving data security?
We contrast Imperva’s holistic data security approach with other approaches, including “do it yourself” projects,
use of data security features within event management and application delivery products, and loosely
integrated data governance solutions. It is our contention that only a comprehensive and intelligent platform
can deliver the right level of security and control that is essential for effective data security.
3) What are the financial benefits of deploying a holistic data security solution like Imperva
SecureSphere?
Based on the analysis offered above, we determined that Imperva SecureSphere offers a cost reduction and
cost avoidance benefit of 274% compared to alternative approaches. Calculating the total costs over a
five-year period, a typical large enterprise would spend $5,487,500 in data breach expenses, manual
monitoring, auditing, and reporting costs versus $1,467,850 with Imperva SecureSphere appliances, licenses,
maintenance, and operations costs. The cost savings are compelling, demonstrating why data security has
moved to the forefront of most organizations' security strategy.
I. Data Security and Compliance: An Evolving Landscape
Security and compliance are two of the most critical concerns for any organization. Between 2005 and 2010,
data breaches have cost organizations billions of dollars and exposed over 500 million sensitive records,[1]
leaving a litany of lawsuits, sanctions, fines, and lost revenue in their wake. In addition, organizations are subject
to increasingly stringent regulatory compliance requirements. A growing number of regulations mandate
monitoring and auditing of user activity, application safeguards, and internal controls. To develop a cohesive
strategy for security and compliance, organizations must analyze their security risks and compliance needs.
Financial Impact of Security Incidents
Data breaches are financially devastating, averaging $6.75 million per incident and $204 per compromised
record.[2] Data breaches not only impact organizations, but also affect the tens of millions of individuals who fall
victim to identity theft and fraud. Whether due to external attack or insider abuse, data breaches are perhaps the single
most damaging security event that an organization can endure. In addition to breaches, organizations must
fortify their valuable resources against denial of service, data loss, and data manipulation.
Hacking and External Threats
Hacking and external threats are the leading cause of data breaches, accounting for approximately 94%[3]
of all compromised records in 2009, according to an in-depth investigation of data breaches. And 92%[3] of
compromised records from hacking-related attacks were attributed to Web application attacks. Based on this
forensic evidence, if organizations had fortified their Web applications against attack, they could have reduced
the total number of known compromised records from over 140 million to roughly 20 million.
Figure 1: Proportion of Breached Records Due to Hacking by Attack Method [3] (pie chart): Web Application 92%,
Backdoor or Control Channel 5%, Remote Access and Control 2%, Network File Shares 1%, Physical Access 1%,
Wireless 1%, Unknown 1%.
The rise in Web-related data breaches is due in part to more sophisticated attack techniques. Hackers have
become more organized, pooling resources, and delegating responsibilities based on skill set. They are also
creating automated capabilities to improve efficiency and scale, building armies of bots – remotely controlled
computers – to unleash large-scale, automated attacks.[4] These new methods have made Web application
attacks very effective and, unfortunately, very destructive, as is borne out in data breach investigations.
[1] Privacy Rights Clearinghouse, www.privacyrights.org/500-million-records-breached
[2] Ponemon Institute, “Cost of a Data Breach,” January 2010
[3] Verizon Business, “2010 Data Breach Investigations Report”
[4] Imperva, “Industrialization of Hacking,” 2010
The Enemy Inside
Risks associated with insider threats, ranging from sabotage and fraud to sensitive data theft, have also
increased, along with the opportunities for insiders to profit from their illicit activity. Many organizations have
overlooked insiders who may access sensitive networks, applications, and data on a daily basis. Privileged users
must have access to sensitive data in order to perform their job. Therefore, they can abuse these privileges
and gain control of such data more easily and more covertly than external users. It is not surprising, then, that
insiders accounted for 48% of all breaches and 3% of all compromised records in 2009.[5]
Rising Cost of Achieving and Maintaining Regulatory Compliance
Organizations of all sizes must comply with a raft of regulations designed to bolster security, reduce fraud, and
ensure privacy. These regulations were enacted for a variety of reasons: as the result of an extraordinary event,
as with the implosions of Enron and Worldcom that led to Sarbanes-Oxley (SOX), or as the evolution of disparate
security standards that morphed into the industry-wide and influential Payment Card Industry Data Security
Standard (PCI DSS).
Addressing Multiple Compliance Mandates
In addition to SOX and PCI, organizations must adhere to a range of other industry and government
regulations. Healthcare companies must comply with HIPAA, the HITECH Act, and MAR. Federal institutions
must fulfill FISMA, ITAR, EAR, and DISA STIGs requirements. Energy companies must comply with NERC and
FERC. Organizations in Europe are governed by Basel II and EU data breach notification laws. The list goes on,
as does the amount of auditing and security requirements that organizations must address. On top of these
regulations, new regulations are introduced every year, and existing laws change.
While each regulation defines unique auditing and security requirements, it is possible to distinguish consistent
themes across most compliance mandates. Achieving compliance becomes much easier when organizations
develop well-defined and repeatable processes that track all user activities, maintain separation of duties, and
establish user accountability.
Demonstrating Compliance
All regulations require organizations to demonstrate compliance to external auditors and governmental
agencies. Organizations must prove that compliance processes are in place. They also have to collect pertinent
audit and security data and present it in a clear, understandable format. With these operationally taxing manual
processes, it is not surprising that U.S. businesses spend over $2.5 billion on SOX compliance each year.[6]
[5] Verizon Business, “2010 Data Breach Investigations Report”
[6] AMR Research, “With GRC Spending at an All-Time High, What Happens to SOX?”
II. Data Security: Requirements and Alternative Approaches
Organizations’ data security strategy should focus on the core business drivers of preventing external
attacks, mitigating insider abuse, and automating compliance processes. Some of the resulting operational
requirements include:
» Accurate Protection for Business-Critical Applications and Data
A data security solution should provide comprehensive protection of all critical data assets including
Web applications, databases, and files from external attack and insider threats. Because of the complex
nature of data-layer threats, a security solution should be able to detect known attack methods, malicious
users, deviations from expected user behavior, and correlate multiple event attributes together for
pinpoint accuracy.
» Full Auditing with Separation of Duties
Since audit trails of user activity have become an essential aspect of compliance, a complete data security
solution must be able to audit all access and changes to databases and files. It should ensure audit
data integrity and user accountability and identify material variances in user activity. Demonstrating
compliance must be achieved through automated reports and analytical tools – the basis for forensic
investigations.
» Low Impact Deployment
Any solution designed to improve security should not impact application uptime or impose a management
burden. The solution should meet availability and performance requirements while not introducing
operational risks. In addition, it should support centralized management, monitoring, auditing, and
reporting to streamline administration for large, distributed deployments.
Data Security: The Future of Security and Compliance
To address the full scope of today’s security and compliance requirements, Imperva has created a new
technology category, Data Security. With Data Security, organizations can mitigate data breach risks and directly
satisfy auditing and compliance mandates by implementing one, integrated, best-of-breed security solution.
Data Security protects business-sensitive data where it lives, in database and file servers and how it is accessed,
through applications. With data-layer protection, data security solutions can block the attacks that lead to costly
data compromises more accurately than any existing technology. It can also monitor users to prevent insider
abuse, and audit all activity with unmatched visibility for compliance.
The Imperva SecureSphere Data Security Suite
Imperva SecureSphere Data Security Suite encompasses the market-leading SecureSphere Web Application
Firewall, and the award-winning SecureSphere Database Security and File Security Solutions. Either deployed
alone, or together as one integrated, centrally managed solution, SecureSphere Data Security Solutions offer a
powerful defense against hackers and malicious insiders, streamline and automate regulatory compliance, and
prioritize and mitigate data risks.
SecureSphere Data Security Solutions offer organizations several unique capabilities:
» Complete, End-to-End Data Protection - SecureSphere protects data where it is stored – in databases
and files – and how it is accessed – through applications – and addresses the full Data Security and
compliance life cycle.
» Automated Security – Imperva’s patented Dynamic Profiling automatically learns application and
database usage without manual intervention. The unique ThreatRadar service further streamlines security
by automatically stopping attacks from known, malicious sources.
» Full Visibility with Separation of Duties – SecureSphere monitors and audits all database and file
activity, including privileged user access, without relying on native auditing capabilities. Interactive audit
analytics enable users to analyze, correlate and view activity from any angle.
» Streamlined User Rights Management – SecureSphere simplifies the process of reviewing and
managing user rights across distributed file servers and databases. SecureSphere aggregates access rights,
identifies dormant accounts and highlights excessive privileges.
» Zero-Impact Deployment – SecureSphere offers multiple, transparent deployment options for easy
integration into any environment with no impact on existing applications, databases or files.
Contrasting Imperva’s Data Security with Alternative Approaches
To meet security and compliance requirements, organizations may rely on a combination of native logging
tools, manual reporting processes, and manual application vulnerability fix and test procedures. The following
section investigates various approaches to prevent data breaches and address compliance mandates.
Security Information and Event Management
To manage the massive amounts of data collected, some organizations have turned to Security Information and
Event Management (SIEM) solutions. SIEMs aggregate log data across multiple servers and devices, correlate
events to identify anomalies, and streamline compliance reporting. However, SIEMs that rely on native logging
for audit data present the following challenges:
» Complex configuration of native database and file server logging utilities by DBAs and IT Administrators
» No separation of duties as logging policies and audit trails can be manipulated by the users that should
be audited
» Significant degradation of database and file server performance
In addition, SIEMs, as cross-product security event aggregators, do not provide in-depth analysis or
purpose-built reports for database and file activity, and cannot prevent unauthorized access or monitor activity in
real-time.
Data Governance and Information Management
Information Management vendors offer a broad spectrum of solutions for data management and governance.
This breadth enables organizations to use one supplier to address multiple data security and data management
requirements. However, such an approach often increases the cost, complexity, and duration of data security
and compliance projects. Broad-scale, non-specialized information management vendors may turn relatively
simple auditing projects into multi-year, company-wide consulting engagements. In addition, while broadening
project scope, information management vendors often fall short in terms of addressing all necessary auditing
and compliance requirements. For example, an information management vendor may be able to secure
database data, but not files nor applications. Organizations should assess their current and future security
requirements and determine if such a solution is aligned with project goals and will address monitoring and
security objectives within a desired timeframe and budget.
Integrated Application Delivery and Security
One approach to achieve Web application attack protection is to combine a Web Application Firewall with
a load balancer for combined application delivery and security. Such an approach can consolidate multiple
functions onto a single hardware platform. However, adding Web application security to existing application
delivery controllers (ADCs) can have a number of unexpected consequences, including drastically degrading
ADC performance and impacting the stability of mission-critical networking equipment. Most importantly,
ADCs only tackle one aspect of data security: application protection. They cannot monitor or protect
application data stored in databases, nor can they secure unstructured data in files.
Manual Vulnerability Management
Most organizations invest considerable effort to ensure that Web applications, databases, and file servers do not
contain vulnerabilities. Web developers must allocate time and resources to ensure that applications are written
according to secure coding best practices. IT administrators and DBAs must deploy vendor-supplied patches
into key applications and databases. Security personnel must test applications and servers for weaknesses and
then fix any discovered vulnerabilities.
However, while an essential aspect of any data security strategy, manual vulnerability patch processes:
» Burden developers and administrators with disruptive fix and test cycles (“fire drills”)
» Can expose organizations to attack for weeks or months while vulnerabilities are being fixed
Based on extensive research, fixing a single Web application vulnerability takes on average between two and
four months.[7] With 83% of Websites having had serious vulnerabilities, relying on manual fix and test processes
is not sufficient. The length of time to apply database security patches is even longer, often exceeding three
months after a patch is released.[8] Unfortunately, attackers will not wait for weeks or months to unleash online
attacks. Organizations should evaluate solutions that can virtually patch vulnerabilities to eliminate this window
of exposure and reduce the costs associated with emergency fix and test cycles.
Approaches to Data Security (comparison table; the capability rows and approach columns are listed here, the per-approach ratings are not reproduced)
Approaches compared: SecureSphere Data Security Suite | Native Logging and SIEM | Data Governance and Information Management | Application Delivery and Security | Manual Vulnerability Management
Function | Capability
Security | Purpose-Built Platform
Security | End-to-End coverage of all data assets
Security | Proactive Policy Enforcement
Security | Instant Vulnerability Mitigation
Compliance | Compliance Automation
Compliance | Separation of Duties
Compliance | User Accountability
Deployment | Rapid Time-to-Value
Deployment | No impact on systems and business processes
III. Return on Security Investment (ROSI) with Imperva SecureSphere [9]
The SecureSphere Data Security Suite is designed from the ground up to meet all aspects of security and
compliance for business-critical applications and data. SecureSphere provides conclusive cost savings by
offloading operationally-expensive logging from database and file servers and by driving down manual
compliance reporting costs. More importantly, SecureSphere offers return on security investment (ROSI) by
drastically reducing the risk and impact of a devastating data breach.
In order to quantify the cost savings provided by Imperva, we compared the cost of implementing
SecureSphere versus the cost of “doing nothing” and the subsequent expenses created by a data breach or
manual auditing and reporting processes.
The following table shows our assumptions. The number of protected records is an estimate for a medium-sized
company, but this number will vary widely and should be adjusted according to the individual business profile.
The average number of records lost in a data breach is extrapolated from results of the Ponemon Institute “2009
Cost of a Data Breach” report. The probability of a data breach is estimated at 5%.
Basic Assumptions | Value [10]
Number of Protected Records | 100,000
Average Number of Records Lost in a Data Breach | 33,088
Probability of a Data Breach | 5%
Annual Cost of a Full Time DBA or IT Security Administrator (in USD) | $110,000
Reducing the Financial Impact of a Data Breach
Data breaches are costly, averaging $6.75 million per incident.[11] The expenses mount as organizations are forced
to investigate breaches to assess affected records, notify customers, and pay legal fees and fines. However, the
single highest cost is lost business, accounting for nearly half of the total financial impact of a breach.
Statistics show 98% of compromised records originated from servers,[12] predominantly Web application,
database, and file servers. A dedicated data security solution could lower the cost of a data breach by accurately
identifying the scope of the breach or preventing the breach from ever occurring.
SecureSphere Database Activity Monitoring and File Activity Monitoring can audit every access to sensitive
data and quickly identify the individual records that were compromised. Without this independent and
tamper-proof audit trail, organizations often have to assume the worst and notify all potential victims – even
if only a fraction of that data was accessed by a perpetrator. An Activity Monitoring solution can drastically
reduce the extent of a data breach, by an estimated two thirds. A proactive defense such as a Web Application
Firewall, Database Firewall and File Firewall can block attacks, avoiding the breach altogether for almost all
application-related breaches. The following table shows the costs of a data breach with and without a data
security solution.
[9] In our opinion, the only viable alternative approach that fully addresses data security requirements is manual compliance and vulnerability mitigation. The ROSI calculation therefore compares Imperva to a manual approach.
[10] These numbers vary between organizations. They represent a typical number for a medium-to-large enterprise.
[11] Ponemon Institute, “Cost of a Data Breach,” January 2010
[12] Verizon Business, “2010 Data Breach Investigations Report”
Impact of a Data Breach Due to Web, Database and File Security Threats
Cost Item | Without SecureSphere | SecureSphere Database and File Activity Monitoring [13] | SecureSphere Web, Database, File Firewall [14]
Number of Suspected Compromised Records | 33,088 | 33,088 | 0
Number of Confirmed Compromised Records | Not available | 11,029 | 0
Consulting Services and Investigation Costs | $1,350,000 | $225,000 | 0
Notification Costs | $742,000 | $247,000 | 0
Legal Costs | $1,147,000 | $382,000 | 0
Identity Protection and Other Services | $202,000 | $67,000 | 0
Lost Business and Related Costs | $3,307,000 | $1,102,000 | 0
Cost of a Data Breach | $6,750,000 | $2,023,000 | 0
Vulnerability Remediation Efforts
In addition to reducing the likelihood of an expensive data breach, a dedicated data security solution can also
cut vulnerability remediation costs. First, Imperva SecureSphere can virtually patch application and database
vulnerabilities, thereby eliminating disruptive emergency fix and test cycles. Vulnerabilities can be fixed as part
of regular development schedules, which is significantly less expensive than fixing vulnerabilities in production.
Second, SecureSphere typically allows organizations to delay minor patch updates until a cumulative patch is
available or a new software version is released. This provides organizations considerable cost savings compared
to the expense of developing, testing, staging, and implementing software patches.
The following table compares the labor costs of remediating Web application and server vulnerabilities for an
organization with 10 online applications, 15 Web servers, and 5 database servers.
Annual Vulnerability Remediation Labor Costs
Without SecureSphere With SecureSphere
Emergency Fix and Test of Custom Vulnerabilities $120,000 $0
Custom Vulnerability Fixes in Scheduled Releases $0 $19,200
Operating System Patches $25,000 $12,500
Web Server Patches $25,000 $12,500
Database Server Patches $12,500 $6,250
Total $182,500 $50,450
[13] SecureSphere Database and File Activity Monitoring offer auditing but no access control.
[14] When SecureSphere is implemented in “Firewall” mode, the risk of a Web, Database or File data breach is immeasurable. While auditing can reduce the
impact of a breach by identifying actual compromised records, when SecureSphere is deployed inline, it can proactively prevent attacks from occurring.
Labor Costs of Auditing and Reporting
While both databases and file servers offer native logging capabilities, managing and maintaining audit log files
can be an expensive proposition. Database or IT administrators must determine what activity to audit, create
log rules, and then sort through reams of log messages to find materially relevant information for reports. Raw
data must be arranged into a presentable format for auditors. Organizations must also develop in-house tools
to prevent unauthorized access or manipulation of log data for separation of duties.
Native tools only address one aspect of the data security and compliance lifecycle. They cannot locate sensitive
data on the network, test databases for vulnerabilities, or patch these vulnerabilities. Organizations that use
native audit tools must also account for the costs of manually discovering and classifying sensitive data – two
requirements either implied or explicitly spelled out in many compliance regulations. Furthermore, many
regulations require that organizations limit user access rights to business need-to-know and remove dormant
accounts. For large enterprises, managing database and file access rights for thousands of users can be an
overwhelming task, leading many administrators to grant excessive privileges.
A dedicated data security solution such as SecureSphere can eliminate manual administrative tasks, automate
auditing and compliance reporting, and dramatically improve the overall security posture of the organization.
The following table compares the number of full time employees required to meet database and file security
compliance requirements, with and without a data security solution.
Task | Without SecureSphere: labor costs for initial setup | Without SecureSphere: labor costs for ongoing maintenance | With SecureSphere: labor costs for initial setup | With SecureSphere: labor costs for ongoing maintenance
Discovery | $55,000 | $55,000 | $11,000 | $11,000
Classification and Assessment | $55,000 | $55,000 | $11,000 | $11,000
Managing User Rights to Databases and Files | $110,000 | $110,000 | $55,000 | $11,000
Enablement of Auditing | $27,500 | $27,500 | $11,000 | $1,100
Writing and Maintaining Custom Scripts | $165,000 | $55,000 | $11,000 | $11,000
Creating Custom Reports | $110,000 | $55,000 | $27,500 | $11,000
Implementation of Workflow and Business Processes | $110,000 | $55,000 | $11,000 | $11,000
Total | $687,500 | $412,500 | $137,500 | $67,100
Software and Hardware Investment for SecureSphere Versus Native Auditing
In addition to comparing the labor expenses of security and compliance, businesses must also analyze the
hardware and software investment. With SecureSphere, the costs are relatively straightforward: the price of the
SecureSphere Data Security Suite, which includes the price of the Web Application Firewall, Database Firewall
and File Firewall, plus the MX Management Server.
If organizations opt for native logging, then they will need to purchase additional hardware and software
licenses to maintain previous performance levels. This is because full logging of all activity can degrade server
performance by approximately 30 - 50%. The table below compares the infrastructure costs incurred by using
native logging tools versus deploying the SecureSphere Data Security Suite.
Cost Item | Without SecureSphere | With SecureSphere
Additional Database and File Server Hardware | $50,000.00 | $0.00
Additional Database and File Server Software | $200,000.00 | $0.00
SecureSphere Data Security Suite and MX Management Server | $0.00 | $73,600.00
Annual Support and Maintenance Fees | $40,000.00 | $14,720.00
Hardware and Software Administration Costs | $20,000.00 | $20,000.00
Total | $310,000.00 | $108,320.00
Total Return on Security Investment
Because security and compliance must be addressed holistically, the following table compares the total
hardware, software, and management costs of the SecureSphere Data Security Suite to native logging and
manual compliance processes. In addition, a Return on Security Investment (ROSI) calculation must factor in
the cost and risk of a data security breach. The following table combines the data from the above tables to
provide the return on investment of the SecureSphere Data Security Suite versus no dedicated Web application,
database, or file security.
Without SecureSphere Year 1 Year 2 Year 3 Year 4 Year 5
Vulnerability Remediation Costs $182,500 $182,500 $182,500 $182,500 $182,500
Auditing and Compliance Costs $687,500 $412,500 $412,500 $412,500 $412,500
Hardware and Software Costs $310,000 $60,000 $60,000 $60,000 $60,000
Data Breach Cost = Probability x Impact $337,500 $337,500 $337,500 $337,500 $337,500
Total Cost without SecureSphere $1,517,500 $992,500 $992,500 $992,500 $992,500
SecureSphere Costs and Risk Posture Year 1 Year 2 Year 3 Year 4 Year 5
Vulnerability Remediation Costs $50,450 $50,450 $50,450 $50,450 $50,450
Auditing and Compliance Costs $137,500 $67,100 $67,100 $67,100 $67,100
Hardware and Software Costs $108,320 $34,720 $34,720 $34,720 $34,720
Data Breach Cost = Probability x Impact $112,500 $112,500 $112,500 $112,500 $112,500
Total Costs with SecureSphere $408,770 $264,770 $264,770 $264,770 $264,770
Cost Savings with SecureSphere $4,019,650
ROSI with SecureSphere 274%
Investment Based Discount Rate 10%
NPV (Net Present Value) $3,654,227
The total infrastructure, labor, and data breach costs of the SecureSphere Data Security Suite over five years
totaled $1.47 million, compared to $5.49 million for native logging, manual compliance processes and
no proactive Web, database or file security protection. Note that the projected data breach cost savings
for SecureSphere were conservative, assuming only the cost savings associated with monitoring traffic
and pinpointing individual breached records. With 98% of breached records originating from servers, the
SecureSphere Data Security Suite, with an integrated Web Application Firewall, should be able to prevent most
data breaches from ever occurring.
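The five-year ROSI comparison above as a worked calculation (an added example, not the paper's own code): the cost lines come from the tables, expected breach cost is probability x impact as the tables state, the "with SecureSphere" breach impact applies the paper's stated two-thirds reduction, and ROSI is savings divided by total spend on the solution, which reproduces the 274% figure. The npv function applies conventional end-of-year discounting at the 10% rate; the paper does not show how its own NPV line was derived, so that one figure is not reproduced.

```python
"""Return on Security Investment (ROSI) model for a multi-year comparison.

Added example, not code from the white paper: it re-computes the paper's
five-year table from the per-line figures it gives. Expected breach cost
follows the annualized-loss model the paper names, probability x impact.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CostProfile:
    """Annual cost lines for one option. Year-1 figures differ from later
    years because of one-time setup and purchase costs."""
    name: str
    remediation: float         # vulnerability remediation labor, every year
    compliance_y1: float       # auditing and compliance, year 1 (initial setup)
    compliance_ongoing: float  # auditing and compliance, years 2..n
    infra_y1: float            # hardware and software, year 1
    infra_ongoing: float       # hardware and software, years 2..n
    breach_impact: float       # cost of one breach (single-loss expectancy)


def expected_breach_cost(probability: float, impact: float) -> float:
    """Annualized loss expectancy: probability of a breach in a year x its impact."""
    return probability * impact


def annual_costs(p: CostProfile, probability: float, years: int) -> list[float]:
    """Total cost for each year (list index 0 is year 1)."""
    ale = expected_breach_cost(probability, p.breach_impact)
    totals = []
    for year in range(1, years + 1):
        first = year == 1
        compliance = p.compliance_y1 if first else p.compliance_ongoing
        infra = p.infra_y1 if first else p.infra_ongoing
        totals.append(p.remediation + compliance + infra + ale)
    return totals


def rosi(baseline: CostProfile, solution: CostProfile,
         probability: float, years: int) -> dict:
    """Savings of the solution over the baseline, and ROSI as savings
    divided by the total spent on the solution (the ratio the paper reports)."""
    base = annual_costs(baseline, probability, years)
    sol = annual_costs(solution, probability, years)
    savings = sum(base) - sum(sol)
    return {
        "baseline_total": sum(base),
        "solution_total": sum(sol),
        "savings": savings,
        "rosi": savings / sum(sol),
        "annual_savings": [b - s for b, s in zip(base, sol)],
    }


def npv(cash_flows: list[float], rate: float) -> float:
    """Conventional net present value: each year's flow discounted by
    (1 + rate) ** t, with t = 1 for the first year."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows, start=1))


# Inputs taken from the paper's tables (USD). The "with SecureSphere" breach
# impact applies the paper's stated assumption that activity monitoring cuts
# the extent of a breach by two thirds, i.e. one third of the $6.75M incident.
BREACH_PROBABILITY = 0.05
WITHOUT = CostProfile("Native logging and manual processes",
                      182_500, 687_500, 412_500, 310_000, 60_000, 6_750_000)
WITH = CostProfile("SecureSphere Data Security Suite",
                   50_450, 137_500, 67_100, 108_320, 34_720, 6_750_000 / 3)


def paper_model(years: int = 5) -> dict:
    """The paper's five-year comparison, computed from the inputs above."""
    return rosi(WITHOUT, WITH, BREACH_PROBABILITY, years)


if __name__ == "__main__":
    r = paper_model()
    print(f"5-year cost, baseline : ${r['baseline_total']:>12,.0f}")
    print(f"5-year cost, solution : ${r['solution_total']:>12,.0f}")
    print(f"Savings               : ${r['savings']:>12,.0f}")
    print(f"ROSI                  : {r['rosi']:.0%}")
    print(f"NPV of savings @10%   : ${npv(r['annual_savings'], 0.10):>12,.0f}")
```

Changing BREACH_PROBABILITY or the breach_impact fields shows how sensitive the 274% figure is to the 5% breach probability and the two-thirds reduction, the two inputs the paper itself flags as estimates.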