Breaches in database security have become rather commonplace in the news: that’s millions upon millions of credit card numbers, personal data and other forms of confidential information falling into the wrong hands month after month.
The victims of such breaches are not small organizations; we’ve seen big corporations with hundreds of employees in IT falling prey to data hackers. No one is completely safe, as it appears.
According to research by the Ponemon Institute, each breached record costs the company $188. You can Google the number of companies that have had to declare themselves bankrupt following a data breach. This brings us to the most important question of the day: what role do database administrators play in ensuring database security?
Many organizations may think information security falls solely in the docket of the network administrators: they are, after all, the people who deploy firewalls and other security tools for the protection of company information assets. However, DBAs are the first line of defense in securing organizational information, and we’ll learn why and how in the following paragraphs.
No matter how mature and advanced a database technology is, there is a part to be played by the individuals in charge of database access. Take SQL Servers, which have been on the market for over two decades, and have been subject to SQL injection risks in about as long a time. Now, while SQL Server technology has grown in leaps and bounds, securing the database against injection risks hasn’t followed a similar path. Consider this:
SQL injection remains a risk despite advancing server technologies because the perpetrators are also evolving: you’ve probably heard about inference, blind and compounded SQL injections, and how cybercriminals apply them alongside DNS and XSS hijacking.
Therefore, recognizing that no database is innately secure, every organization must be proactive in finding out how its DBA is managing the security procedures around its information assets. This must be backed up with adequate resource allocation towards the necessary manpower and infrastructure deployments, of course.
For database administrators, security within an organization starts and ends with a few simple but critical steps, which are listed as follows:
Enforcement of database authorization protocols demands elevated privileges and technical expertise in the enforcer, that is, the DBA. Database security encompasses many different system procedures, commands and utilities that must be implemented for the desired effect. In the organization, you have users that need to access multiple databases housed on multiple servers, which may sometimes be located in separate physical centers. This complicates database security for the DBA, who must repeat the same commands on every single database. In addition, in the absence of a single centralized data repository, the DBA must manually take charge of adding, deleting or modifying users’ security configurations within each of the multiple databases.
At the highest level, database security comes down to establishing the following:
Strong authentication protocols are at the heart of any database security deployment. It is impossible to track usage and control authorization without the basis of strong authentication. Before authorization can be given to access and use database resources, each user of the database management system (DBMS) must be assigned a login that establishes their identity. The login ID should have an associated password, which means that only the one(s) who know(s) the password will use that ID. There are DBMSs that use their operating system’s login ID and password as the same applicable for database login, while others require that a specific login ID and password be created for database security and access.
The type of login ID notwithstanding, user passwords must be changed regularly to stop surreptitious access to the DBMS by external parties. When a DBMS user no longer needs to access the database (e.g. when they leave or move to a different department), their login should be immediately deactivated. This, however, can be complicated in certain cases. For instance, there are systems that prevent deactivation of logins belonging to users that own any database objects. It is therefore recommended that only DBAs be allowed to create database objects, particularly within production environments.
Authorization within the database system is managed through the GRANT and REVOKE statements, which control the users who have access to specific commands and objects. Privileges may be granted to or revoked from logins to enable users to access system commands, database objects, programs, data, etc. Instead of granting access to database users individually, authorization controls may be assigned to PUBLIC, so that anyone who can log onto the DBMS has authority to carry out basic tasks. Granting privileges to PUBLIC is, however, poor security practice.
SQL injection is a form of web attack in which user-supplied input ends up being interpreted as part of a SQL statement, exposing data to the attacker. SQL injection attacks can be prevented by using the right coding practices and query language interpreters. In addition, you can use static SQL in place of dynamic SQL, enforce suitable limits to control buffer overruns, properly test and validate user input, and never concatenate user input into SQL.
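To make the last two recommendations concrete, here is an added example (not code from the original article) that places a dynamic, concatenated query next to its static, parameterized form and adds an input allowlist as a second layer. It uses an in-memory SQLite table with constructed sample rows; the table, column names and the `lookup_*` helpers are assumptions for illustration, not anything the article specifies.

```python
import sqlite3


def make_db():
    """Constructed sample data, not from the article: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, card_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Dynamic SQL built by concatenating user input: the anti-pattern the article warns about.

    Whatever the caller passes becomes part of the statement text, so a quote
    character in the input changes the query's structure instead of its data.
    """
    sql = "SELECT username, card_last4 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Static SQL with a bound parameter: the input is sent as data, never parsed as SQL."""
    sql = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username, max_len=32):
    """Defense in depth: allowlist the characters and bound the length before the query.

    This does not replace parameterization; it rejects obviously malformed
    input early and limits what reaches the database at all.
    """
    return 1 <= len(username) <= max_len and username.isalnum()


def lookup(conn, username):
    """The hardened path: validate, then query with a bound parameter."""
    if not is_valid_username(username):
        return []
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that breaks out of the quoted literal
    print("concatenated:", lookup_vulnerable(db, crafted))  # every row leaks
    print("parameterized:", lookup(db, crafted))  # no rows
```

The first call returns all three rows because the concatenated string turns the WHERE clause into a tautology; the parameterized call returns nothing because the same text is matched literally against the column.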
Lastly, database auditing requirements should be planned for and executed on schedule. This allows tracking of use of database privileges and resources, so that any unauthorized access can be noted and rectified before trouble ensues.
Sujain Thomas is a data IT professional who in addition to rendering DBA expert services runs a blog that is dedicated to sharing top quality open source resources for web designers and web developers.