Database Security Solutions

We don’t have to look too far back in history to see the damage of data loss in both private enterprise and the government sector. Data breaches at the government level, with news reports about WikiLeaks, Edward Snowden, and Bradley Manning, illustrate the risk posed by individuals both within and outside the firewall. One salient point that companies should know: although the bulk of their resources go toward protecting against network intrusions, breaches at the database layer would cause the greatest harm.

In terms of encryption techniques, an important approach to preventing data theft, more organizations are applying encryption to data in motion, but too few encrypt all their data at rest. In addition, privilege controls, which can limit or even prevent human error and internal hacking, are also not being deployed widely enough.

Most IT managers either are unaware of, or know that they have, no safeguards to prevent a database administrator or developer from accidentally deleting data or unintentionally harming critical applications. An aggressive stance with preventive security measures is critical, since it enables organizations to ward off breaches. Monitoring and audits, on the other hand, will only detect data loss after an event.

Things to consider when choosing an effective Database Activity Monitoring Solution.

Database monitoring, auditing and compliance

Compliance is essential, because most compliance regulations address real problems which all businesses must pay attention to. Compliance is a facet of IT security in an organization, but most of the current database security regulations relate to monitoring instead of real-time preventative measures. While essential, it is certainly not in itself sufficient.

A major element of compliance is Database Activity Monitoring (DAM), which is concerned with identifying all activities in the database and recording them via alerts and reports. Through DAM, organizations can precisely identify which entities and individuals gain access to the database and the reason for that access.

Compliance regulations are aimed at ensuring that businesses conform to the regulations and standards governing their activities, e.g. HIPAA, SOX, PCI-DSS and other international standards. For most of these standards, a comprehensive analysis of who does what, when and why is required.

Every database security system should include tools to detect and notify any activity which falls outside standard activity, or is otherwise suspicious. You should have alerts for all suspicious activities in order to be aware of them and attend to them in real time, even if they have been prevented by a firewall.

DAM should also cover things that should have been done but weren’t, such as people who have database access but don’t use it, or people who fail to change their passwords on schedule. You can use this information to revoke unnecessary privileges which may be wrongfully used, or to enforce policy.
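The two "things that should have been done" checks described above, run over a small set of constructed account records, as an added example (not code from the original article). The account records, the 90-day policy thresholds and the `review_accounts` / `revoke_statements` helper names are assumptions made for the example; the REVOKE text uses generic SQL grammar and would need adapting to a specific engine.

```python
from datetime import date

# Constructed sample records: the kind of per-account facts a DAM tool collects.
ACCOUNTS = [
    {"user": "alice", "privs": {"SELECT", "INSERT"},
     "last_login": date(2024, 5, 20), "pw_changed": date(2024, 4, 1)},
    {"user": "bob", "privs": {"SELECT", "DELETE"},
     "last_login": date(2023, 11, 2), "pw_changed": date(2024, 5, 1)},
    {"user": "svc_report", "privs": {"SELECT"},
     "last_login": None, "pw_changed": date(2023, 1, 15)},
]

# Assumed policy: an account unused for more than 90 days is dormant,
# and a password older than 90 days is overdue for rotation.
POLICY = {"max_idle_days": 90, "max_password_age_days": 90}


def review_accounts(accounts, today, policy=POLICY):
    """Return (user, finding, detail) tuples for accounts that violate the policy."""
    findings = []
    for acct in accounts:
        never_used = acct["last_login"] is None
        idle_days = None if never_used else (today - acct["last_login"]).days
        if never_used or idle_days > policy["max_idle_days"]:
            # Access granted but not exercised: candidate for privilege revocation.
            findings.append((acct["user"], "dormant", sorted(acct["privs"])))
        if (today - acct["pw_changed"]).days > policy["max_password_age_days"]:
            findings.append((acct["user"], "stale_password", None))
    return findings


def revoke_statements(findings):
    """Turn dormant-account findings into REVOKE statements for review before execution."""
    return ["REVOKE %s FROM %s" % (", ".join(privs), user)
            for user, kind, privs in findings if kind == "dormant"]


if __name__ == "__main__":
    found = review_accounts(ACCOUNTS, date(2024, 6, 1))
    for item in found:
        print(item)
    print(revoke_statements(found))
```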

Segregation of Duties

Access control, which is based on separation of duties, protects the database from insider attacks which may be deliberate or a result of identity theft. In access control, privileges are assigned to various users according to their requirements. Roles of employees are defined and they are granted the minimum level of access needed to carry out their jobs.

Separation of duties controls user behaviors and manages individual entities by only allowing entities to perform tasks that fall directly in the scope of their work, which protects the database from both direct and unintentional breaches. Every solution must have powerful tools for access control, including firewalls to detect who is on the system as well as row or column control in the database.

SQLi Protection

Databases are accessed primarily using SQL commands; therefore the most important form of protection is against SQL injection (SQLi). Database protection suites should include a set of robust, built-in controls, including SQLi whitelist and blacklist definitions. They should also include overflow protection and the option to further customize settings according to organizational policy.
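The SQLi risk described above, shown as an added example (not code from the original article): a lookup built by string concatenation beside its parameterized form, plus a whitelist check of the kind a database firewall applies before forwarding a query. The in-memory SQLite table, the sample rows and the function names are assumptions made for the example.

```python
import re
import sqlite3

# Whitelist for the organisation's account identifier format (assumed for the example).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def build_db():
    """Constructed in-memory sample table, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_vulnerable(conn, username):
    """Concatenates the input into the statement: the caller's text becomes SQL."""
    sql = "SELECT username FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Binds the input as a value: the SQL text is fixed and the input cannot alter it."""
    sql = "SELECT username FROM accounts WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def is_allowed(username):
    """Whitelist check: reject anything that is not a plain account identifier."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_guarded(conn, username):
    """Whitelist first, then the parameterized query; defence in depth."""
    if not is_allowed(username):
        raise ValueError("rejected by whitelist: %r" % username)
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    conn = build_db()
    crafted = "x' OR '1'='1"  # textbook payload used only to show the difference
    print(lookup_vulnerable(conn, "alice"))      # ['alice']
    print(lookup_vulnerable(conn, crafted))      # ['alice', 'bob']: every row leaks
    print(lookup_parameterized(conn, crafted))   # []: input treated as a literal
    print(is_allowed(crafted))                   # False
```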

Most firewalls include monitoring features which can collect data on organizational behavior, improving the baseline for normal activity and strengthening the firewall’s ability to detect normal and suspicious database activity.

Some organizations may opt for ‘Vulnerability Patching’, which usually offers data masking and SQLi protection. If the database’s default setup is inaccessible, any unpatched vulnerabilities will be difficult to exploit. Regular software updates are still necessary, but many potentially devastating breaches can be avoided.

Data masking

Usually, databases hold information that in-house or remote DBA expert teams need to work with but do not need to view. The admins should have access to the whole database, but data such as financial records and customer details should not be revealed to them. Data masking distorts the data such that, when extracted, the format is kept but the actual values cannot be interpreted.

Data masking can also be extended to testing and development activities. Testers and developers need access to the database to upgrade and test functionality, but they don’t need to see actual data. Dynamic data masking enables developers to work on data formats without seeing the real data. Static data masking creates a duplicate of the entire database which testers and developers can work on without viewing the actual data.
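Both masking modes described above, as an added example (not code from the original article): a format-preserving mask registered as a SQLite function, a view that applies it dynamically for developer queries, and a static masked copy of the table for testers. The customer table, its sample rows, the masking rule (letters keep case, digits become 0 except the last four of identifiers with at least eight digits) and the function names are assumptions made for the example.

```python
import sqlite3


def mask_value(value):
    """Format-preserving mask: separators and length survive, the content does not."""
    if value is None:
        return None
    text = str(value)
    total_digits = sum(ch.isdigit() for ch in text)
    keep_from = total_digits - 4 if total_digits >= 8 else total_digits + 1
    seen, out = 0, []
    for ch in text:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > keep_from else "0")   # keep last 4 of long numbers
        elif ch.isupper():
            out.append("X")
        elif ch.islower():
            out.append("x")
        else:
            out.append(ch)                                # keep '@', '-', '.', spaces
    return "".join(out)


def build_db():
    """Constructed in-memory customer table, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("mask", 1, mask_value)
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers (name, email, card) VALUES (?, ?, ?)",
                     [("Alice Smith", "alice@example.com", "4111-1111-1111-1111"),
                      ("Bob Jones", "bob@example.org", "5500-0000-0000-0004")])
    # Dynamic masking: developers are pointed at the view, only the DBA role reads the table.
    conn.execute("CREATE VIEW customers_masked AS SELECT id, mask(name) AS name, "
                 "mask(email) AS email, mask(card) AS card FROM customers")
    return conn


def read_as_developer(conn):
    return conn.execute("SELECT name, email, card FROM customers_masked ORDER BY id").fetchall()


def read_as_dba(conn):
    return conn.execute("SELECT name, email, card FROM customers ORDER BY id").fetchall()


def make_static_copy(conn):
    """Static masking: materialise the masked rows into a separate table for test environments."""
    conn.execute("CREATE TABLE customers_test AS SELECT * FROM customers_masked")
    return conn.execute("SELECT name, email, card FROM customers_test ORDER BY id").fetchall()
```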

Data encryption

This is an essential part of database security, and comes at different levels. For starters, your protection solution may include tools to encrypt the entire database, so that even if somebody accessed the physical database, they could not read the data without the encryption key.

The next level of encryption applies outside the database. All data exiting the database, in whatever format, should be encrypted to protect it in case of malicious access. Usually, this is implemented at the transport level, i.e. by encrypting the transport channel. Ensure that your sensitive data is properly encrypted before transmitting it outside the organization.

Database Access Auditing