In today’s cyber security landscape database holds that most important asset of an organization. Having installed and configured firewalls, IDS and end point security, one should not expect that the database is secure and there is no way anyone can breach data. Most of the major data breach incidents of the last few years indicates that despite having installed the state of the art firewalls and other security appliances, the database got breached.
In application driven business, data can be at rest or can be in motion. So, both the data at rest and data in motion need to be secured. Another important issue is key management and users privileged management.
What are the targets in a database security?
User accounts, emails, payment card information, sensitive business data, health care data etc.
How do you know that your data has been breached?
You need to enable and configure the triggers in your database, which can help you determine if there is any data breach in your system.
How data can be reached?
Spearheading, SQL injection, malwares etc.
What are the threat actors that can access database?
Hackers, OS admins, DBA, application test and development team, support staffs.
Here comes the list of types of database security controls
Evaluate and analysis
- You need to know what to protect, the location of your sensitive data, ways to protect them, classify the level of sensitive data, knowledge of your critical data.
- Is your database system configured properly? Every database vendor publishes the recommended security best practices in their websites. Do you follow those best practices and apply the new settings as soon as they are published in the vendor’s website.
- Is there any policy in place to secure database? If not, create one and review your policy at least once a year to keep it viable to tackle the latest threats.
- Do you scan database regularly for misconfiguration. How do you check if there are any changes made in the database?
- How do you manage privileged users of your database? Who has full access to your databases and to what extent? Why do they need full access?
- Do you encrypt data in rest and data in motion? Does your DBA need access to your data? What if DBA account gets hacked?
- Do you use data redaction, which means to make only a portion of the data visible to the support staff? For example, a call centre agent may need to verify only the last 3 digit of a user social security number and the rest of the number should not be visible to them.
- Do you have a development or test server? How do you manage security of the test and development server? When application move from the test environment to the production environment, do you change the application admin’s username and password.
- Do you regularly patch your database, applications and the OS? Make sure you apply all the latest security patches as soon as they become available.
- Where and how to take backup of your data. Are your data getting backed up in encrypted format?
- How do you monitor and detect the effectiveness of security controls. The existing controls may fails and may not detect the breaches. Make sure the database generate logs during the startup and shutdown of the database, Logon and logoff from users, Privileged access and the creation, altering, and dropping of schema objects. Can your database trigger events when row level access of sensitive data? If not, make sure your database is set to trigger when changes occurs at the column and row level.
- Do you use database firewall to block unauthorised SQL traffic and can protect against buffer overflow attack?
- Do you regularly monitor and analyse database event logs? Make sure the events logs are protected so that no one can accidentally or intentionally delete or modify the logs.
Focus on Data driven security.
- Do you block the highly privileged application users from accessing sensitive data? What data can they see? Do you apply row and column level security to tables? You may need a cell level security to define who need cell level access to the data.
- Which technique do you use to address authorization mistakes in the database?
- How can you minimize the mistakes made by DBA? Are there any controls or procedures are in place that is effective in minimizing human generated errors?
- If you have to move data from your server to another server, do you transfer data in encrypted format via IPSec tunnel.
- Try to encrypt all important data by default.
- Do you have any encryption key management system? How do you manage encryption keys?
- Have a database audit plan that can effectively review the system logs, Database Access, changes to the Database, Use of System Privileges, Failed Log-on Attempts, Check for Users Sharing Database Accounts, check for integrity controls, authorization rules, User-Defined Procedures, encryption and other well-known database security vulnerabilities.
The aim of this post was to address a few important questions that a database security professional need to pay attention to while developing a strategy to protect database against breaches. A comprehensive data breach prevention strategy can only mitigate the damage done by the intruders, but in no way it can completely eliminate the risk of data breach. So, after developing the strategy and implanting it, you need to have skilled team to monitor and detect any suspicious event.