Database Management System Security Guidelines
Proprietary and corporate databases always contain sensitive information that must be protected from vulnerabilities and exploits. All companies need to work on a regular basis to identify existing and potential database security vulnerabilities and do everything possible to remediate them.
According to experts, almost 100% of breached data is stolen from database servers. In more than 50% of cases this is done through default or easily guessable credentials, and fewer than half of cases make use of stolen login credentials. Another major threat is that database administrators are usually too slow to install critical security patches for databases. The following are the top 10 threats related to databases:
- Default or weak passwords
- SQL injection
- Excessive user and group privileges
- Unnecessary DBMS features enabled
- Broken configuration management
- Buffer overflows
- Privilege escalation
- Denial of service
- Unpatched RDBMS
- Unencrypted data
These are the most important steps to ensuring database security:
- Isolate sensitive databases — an accurate inventory of all databases deployed across the enterprise should be kept. In addition, all sensitive data stored in those databases shall be identified.
- Eliminate vulnerabilities — all database vulnerabilities affecting its safety should be assessed, identified and remediated on a regular basis.
- Enforce least privileges — employees should have access only to the minimum information necessary to perform their duties.
- Monitor for deviations — appropriate database policies should be implemented and all activity that deviates from usual behavior should be monitored.
- Respond to suspicious behavior — in case of suspicious or abnormal database behavior the security team should be alerted immediately to minimize risk of attack.
Every modern company or organization should develop and implement a general database security policy. This policy and its guidelines shall be obligatory for all company employees. It should take into account all modern sensitive data protection regulations, such as GDPR. The policy should also provide for the following security components for any database management system:
- Firewall — a database security component placed between a database and its client applications, serving as the point where all database traffic is inspected and filtered. If a query looks suspicious, it may be blocked and the user disconnected from the database.
- Data Masking — a database security tool that can effectively prevent sensitive data from exposure. Data masking may be static or dynamic, each serving a specific goal in database management system security.
- Database activity monitoring — aids in reducing vulnerabilities by providing real-time visibility into all database activity. Such tools collect, aggregate and analyze data to look for activities that violate security policy or indicate that anomalies have occurred.
- Sensitive data discovery — as part of a database security policy, a company should understand what databases need protection, which can be done more efficiently through finding all sensitive data.