WHY DATABASE SECURITY IS IMPORTANT TO YOU
Data is the most critical asset to any organization, whether it’s patient details, credit card information, or confidential operations information. Data is the core of any company and the one item that no amount of money can replace once it’s gone. The importance and private nature of data frequently make it a target for criminals and hackers who can leverage or sell this information for dubious purposes. These facts are not a surprise to anyone given the data breaches that have happened recently at many notable institutions. The real shock is the extent to which many businesses’ data remains unprotected and at risk of theft or corruption.
- 40% of DBAs admit they are not fully aware of where all sensitive data in their organizations is kept.
- Only 38% of organizations take measures to guard against direct database network attacks, relying only on perimeter controls.
- Only 32% of DBAs have implemented a regular, automated process to monitor databases.
- A sizable percentage of data breaches are committed using SQL injection, stolen credentials, or by insiders legitimately authorized to access the database and, by default, its data.
Preventing attacks and securing data requires enforcing database security policies and implementing solutions such as data encryption, data masking/redaction and well-defined user access rules. It’s also critical to have tools to monitor and report suspicious activity as well as provide an audit trail of all database activity.
CRITICAL COMPONENTS TO COMPREHENSIVE DATABASE SECURITY
EVALUATE SECURITY RISKS
- Sensitive Data Discovery – Knowing where your sensitive data resides is an important first step in deploying a comprehensive security model. Identifying sensitive databases based on the types of applications they support is a common method used to classify databases. However, it is also valuable to understand the level of sensitivity of the data under management in various applications.
- User Privilege Analysis – Over-privileged user accounts are a common vulnerability that hackers can seek to exploit. To prevent this, implementers should apply a least privilege model to all user accounts, providing users with only the rights they require to run their applications and get their jobs done.
- Security and Configuration Assessment – In order to provide a secure repository for data, databases must be deployed and configured appropriately. Database vulnerabilities can arise from misconfigured or inactive user accounts, unencrypted data, insufficient access controls, lack of audit policies and incorrect OS-level file permissions. The configuration assessment will identify information regarding user account privileges and roles, authorization controls, data encryption, fine-grained access control, auditing policy, database configuration, listener configuration, and OS file permissions.
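A sketch of the Sensitive Data Discovery step described above, added here as an illustration and not taken from any vendor tool: it classifies columns from sampled values and uses the Luhn checksum to separate card numbers from other long digit runs. The table and column names, the sample rows and the 50% threshold are constructed assumptions.

```python
import re

# Candidate patterns: 13-19 digit card numbers (spaces or dashes allowed), US SSNs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum: rejects most digit runs that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return 13 <= len(digits) <= 19 and total % 10 == 0

def classify_value(value) -> set:
    """Return the sensitive-data labels found in one sampled value."""
    text = "" if value is None else str(value)
    labels = set()
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        labels.add("card_number")
    if SSN_RE.search(text):
        labels.add("ssn")
    return labels

def discover(samples: dict, threshold: float = 0.5) -> dict:
    """samples maps 'table.column' to sampled values; report columns where at
    least `threshold` of the non-empty values carry a label."""
    report = {}
    for column, values in samples.items():
        non_empty = [v for v in values if v not in (None, "")]
        counts = {}
        for v in non_empty:
            for label in classify_value(v):
                counts[label] = counts.get(label, 0) + 1
        hits = {label: round(n / len(non_empty), 2)
                for label, n in counts.items() if n / len(non_empty) >= threshold}
        if hits:
            report[column] = hits
    return report

# Constructed sample rows (standard test card numbers, made-up identifiers).
SAMPLES = {
    "orders.payment_ref": ["4111 1111 1111 1111", "5555-5555-5555-4444", None],
    "orders.order_id": ["1234567890123456", "9876543210987654"],
    "hr.notes": ["SSN 123-45-6789 on file", "called back", "078-05-1120"],
    "hr.phone": ["727-555-0100"],
}
print(discover(SAMPLES))
```

The free-text column hr.notes is flagged even though it is not an obvious "SSN" field, which is the kind of location that classification by application type alone tends to miss.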
PREVENT UNAUTHORIZED ACCESS TO DATA
- Data Encryption safeguards sensitive data against unauthorized access from outside of the database environment by encrypting data in motion and at rest. It prevents privileged and unauthorized users from directly accessing sensitive information in database files. Encryption also protects against theft, loss, or improper decommissioning of database storage media and backups.
- Data Masking and Redaction minimizes exposure of sensitive data such as credit card or social security numbers by automatically replacing them with other values. This allows production data to be safely used for development, testing, or sharing with out-sourced or off-shore partners.
- Control User Access establishes security controls to help isolate and protect data from unauthorized access, and comply with privacy and regulatory requirements. Controls block privileged account access to application data and control sensitive operations inside the database. Security of existing applications can be increased through analysis of privileges and roles and tools to protect data from internal administrators.
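The Data Masking and Redaction item above, as an added example (not code from the original page or from any product): `mask_digits` performs deterministic masking for copies sent to development or test, and `redact` performs display-time redaction. The key, the domain labels and the sample values are constructed assumptions; masked card numbers are not Luhn-valid, and the masking key must stay outside the non-production environment.

```python
import hashlib
import hmac

def _digit_stream(key: bytes, canonical: str, domain: str):
    """Yield digits derived from HMAC-SHA256(key, domain|value|counter)."""
    counter = 0
    while True:
        msg = f"{domain}|{canonical}|{counter}".encode()
        for byte in hmac.new(key, msg, hashlib.sha256).digest():
            if byte < 250:      # drop 250-255 so byte % 10 is unbiased
                yield byte % 10
        counter += 1

def mask_digits(value: str, key: bytes, domain: str, keep_last: int = 0) -> str:
    """Replace digits with keyed pseudo-random digits, preserving length and
    separators. The same input always yields the same output, so joins between
    masked tables still line up. The last `keep_last` digits are kept."""
    canonical = "".join(c for c in value if c.isdigit())
    stream = _digit_stream(key, canonical, domain)
    to_mask = len(canonical) - keep_last
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append(str(next(stream)) if seen < to_mask else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)

def redact(value: str, keep_last: int = 4, fill: str = "X") -> str:
    """Display-time redaction: hide all but the last `keep_last` digits."""
    hide = sum(c.isdigit() for c in value) - keep_last
    out = []
    for c in value:
        if c.isdigit() and hide > 0:
            out.append(fill)
            hide -= 1
        else:
            out.append(c)
    return "".join(out)

# Constructed key and values, for illustration only.
KEY = b"constructed-masking-key-not-for-production"
print(mask_digits("4111 1111 1111 1111", KEY, "card", keep_last=4))
print(mask_digits("123-45-6789", KEY, "ssn"))
print(redact("123-45-6789"))    # XXX-XX-6789
```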
MONITOR AND DETECT ACCESS ATTEMPTS AND ABUSE
- Database Firewall is the network monitoring component outside the database that monitors the inbound SQL traffic and serves as the first line of defense against SQL injection threats and other unauthorized SQL statements. The database firewall monitors data access, enforces access policies, highlights anomalies and helps protect against network-based attacks originating from outside or inside the organization.
- Auditing and Reporting can be used to monitor a wide range of activities including privileged user activity on the database server, changes to database structures, and inbound SQL statements on the network. Reports can be based on consolidated audit information from databases, operating systems, and directories, providing a holistic picture of activities across the enterprise. Standard out-of-the-box audit assessment reports are categorized to help meet standard regulations such as Payment Card Industry Data Security Standard (PCI-DSS), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), and European Union Data Protection Act (DPA).
CONCLUSION AND NEXT STEPS
Database security consists of a family of interrelated components that work together to keep an irreplaceable asset, your data, safe, whether that means keeping it out of the hands of hackers or protecting it from an unfortunate error made by an employee. The first step is to evaluate your current environment to understand where you may have security weaknesses and use this information to plan and implement the right solution based on your security needs. Our expert DBAs have extensive knowledge of database security best practices and can help walk you through the process of evaluating your current risks and planning your best strategy for data security.
Michele Egerter is a senior project manager at Guardian Eagle located in St. Petersburg, Florida. Guardian Eagle is an Oracle Gold partner with a strong technical background in database and associated needs like Oracle Database Appliance, Advanced Security, Audit Vault, GoldenGate, cloud, and efficient, performance-oriented architecture.