By Jack Dawson
A database protection solution must include all of these elements of database protection:
1. Compliance: Monitoring and auditing
Compliance is an important part of a database protection solution, because many of the regulations and statutes it covers address very real problems that enterprises face and that must receive due attention.
It is an essential part of implementing IT security, but it falls short in that many of the regulations focus more on monitoring procedures than on real-time prevention of threats to the database and system. As such, while essential, compliance is not nearly enough.
Database Activity Monitoring (DAM)
A major component of compliance is the implementation of Database Activity Monitoring (DAM). DAM identifies every activity in the database and generates reports and the necessary alerts about those activities.
Compliance for each organization involves adherence to the regulations of the relevant standards bodies, e.g. SOX, PCI-DSS or HIPAA, as well as any relevant international compliance standards, e.g. the ISO 27001 standard on Information Security Management Systems.
By applying DAM, you will be able to tell who is accessing the database (individual or entity) and why. Most standards bodies require a comprehensive reporting system outlining who or what did what, when and why.
Every database protection solution must therefore include tools that detect and alert the relevant admins about activities that deviate from the standard policies (organizational and otherwise) or are suspicious. Having alerts for suspicious behaviors will help you to manage such issues in real-time, even if you have a DB firewall.
Monitoring should also include sins of omission, i.e. what needs to be done but has not been. Examples include regular changing of passwords, or individuals who hold DB privileges that they have never used. Information on lack of activity shows you where excessive privileges have been granted, so that you can revoke them before they are misused.
2. Separation of tasks and access control
Access control primarily aims at preventing malicious attacks and potential threats from within the organization. While there are instances of deliberate malicious attacks from insiders, more often than not these result from theft of login credentials.
By separating duties and assigning functionality and privileges according to user requirements, you can limit the extent of damage in case of potential or actualized threats. For instance, a user responsible for creating backup files of the DB never needs to see the actual content in the DB. A tester will need access to the database, but not necessarily to the actual data stored therein.
In duty separation, you must give every user only the minimum access needed to carry out the job. By allowing every user to only carry out tasks under their jurisdiction you can largely protect your databases from inadvertent as well as deliberate breaches.
Every DB protection tool or solution must include functions for separation of tasks, with as large a range as possible of controls and privilege regulation. Apart from the inbuilt tools, the database firewall should be able to detect what users are in the system, allowing even greater control over their privileges and applications within the database.
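An added example (not from the original article) of the privilege review described here and under sins of omission in section 1: it compares constructed grants against a per-role baseline and a DAM audit export. The role, user and table names and the 90-day rotation limit are assumptions.

```python
from datetime import date

# Constructed sample data; role, user and table names are hypothetical.
ROLE_BASELINE = {  # minimum privileges each duty needs
    "backup_operator": {("BACKUP", "*")},
    "tester": {("SELECT", "orders_masked")},
    "billing_app": {("SELECT", "orders"), ("INSERT", "orders")},
}
USER_ROLE = {"svc_backup": "backup_operator", "tina": "tester", "billing": "billing_app"}
GRANTS = {  # what the database actually grants today
    ("svc_backup", "BACKUP", "*"),
    ("svc_backup", "SELECT", "customers"),
    ("tina", "SELECT", "orders_masked"),
    ("tina", "SELECT", "orders"),
    ("billing", "SELECT", "orders"),
    ("billing", "INSERT", "orders"),
}
AUDIT_LOG = [  # (user, privilege, object) rows exported from the DAM tool
    ("svc_backup", "BACKUP", "*"),
    ("billing", "SELECT", "orders"),
    ("billing", "INSERT", "orders"),
    ("tina", "SELECT", "orders"),
]
PASSWORD_CHANGED = {"svc_backup": date(2023, 1, 10), "tina": date(2024, 5, 2),
                    "billing": date(2024, 4, 20)}


def excess_grants(grants=GRANTS):
    """Grants that go beyond the baseline of the user's role."""
    return sorted(g for g in grants
                  if (g[1], g[2]) not in ROLE_BASELINE[USER_ROLE[g[0]]])


def unused_grants(grants=GRANTS, audit=AUDIT_LOG):
    """Grants with no matching activity in the audit log (never exercised)."""
    return sorted(set(grants) - set(audit))


def stale_passwords(today, max_age_days=90):
    """Accounts whose password is older than the assumed rotation limit."""
    return sorted(u for u, changed in PASSWORD_CHANGED.items()
                  if (today - changed).days > max_age_days)


if __name__ == "__main__":
    print("excess:", excess_grants())
    print("unused:", unused_grants())
    print("stale :", stale_passwords(date(2024, 6, 1)))
```

A grant that appears in both the excess and the unused list is the safest one to revoke first, since no job depends on it.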
3. SQLi and query protection and patching
Primarily, access to the database is through SQL commands, making protection against SQL injection (SQLi) attacks the most important form of protection to implement. Part of the DB protection tool is a firewall with an effective set of predetermined SQLi definitions, categorized into blacklists and whitelists. You should also be able to customize your own policies per your organizational needs.
In addition, you may implement DB firewalls that are capable of learning your organization’s needs and DB access behaviors, better defining their baseline and therefore identifying potential threats more accurately over time.
Some companies may opt to implement ‘Vulnerability patching’, which is essentially a mix of data masking and SQLi protection. When the database has been set up to be inaccessible, unpatched vulnerabilities will be more difficult to exploit. While this is very useful in deflecting many potential breaches, regular monitoring and updates of the software will help improve efficacy and expand the definitions of suspicious behavior.
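The sketch below is an added example, not code from any firewall product or from the original article. It shows the idea of a learned baseline combined with a blacklist: statements are reduced to a shape, shapes seen in known-good traffic are whitelisted, and anything else is blocked or raised as an alert. The patterns and sample queries are constructed assumptions.

```python
import re


def fingerprint(sql):
    """Reduce a statement to its shape: every literal becomes '?'."""
    s = sql.strip().rstrip(";").lower()
    s = re.sub(r"'(?:[^']|'')*'", "?", s)        # quoted strings
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)      # numbers
    return re.sub(r"\s+", " ", s)


# Blacklist: shapes that are rejected unless the baseline already contains them.
BLACKLIST = [re.compile(p) for p in (
    r"\bor\b\s*\?\s*=\s*\?",      # literal compared with literal
    r"\bunion\b.*\bselect\b",     # second result set appended to a query
    r";",                         # more than one statement in a single request
    r"--|/\*",                    # comment cutting off the rest of a query
)]


class QueryFirewall:
    def __init__(self):
        self.whitelist = set()

    def learn(self, statements):
        """Learning mode: record the shapes seen in known-good traffic."""
        self.whitelist.update(fingerprint(s) for s in statements)

    def check(self, sql):
        """Return 'allow', 'block' or 'alert' for one statement."""
        shape = fingerprint(sql)
        if shape in self.whitelist:
            return "allow"
        if any(p.search(shape) for p in BLACKLIST):
            return "block"
        return "alert"   # unknown but not blacklisted: send to an admin


# Constructed sample traffic from a hypothetical application.
BASELINE = [
    "SELECT id, name FROM customers WHERE id = 42",
    "SELECT * FROM orders WHERE customer = 'alice' AND total > 10.5",
]


def demo():
    fw = QueryFirewall()
    fw.learn(BASELINE)
    return [fw.check(q) for q in (
        "select id, name from customers where id = 7",
        "SELECT id, name FROM customers WHERE id = 42 OR 1=1",
        "SELECT email FROM customers WHERE id = 3",
    )]
```

Because matching is done on the shape rather than the raw text, a learned query stays allowed whatever values the application binds into it.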
4. Data masking
Database administrators may need to use certain information within the database in certain ways, but they should not be able to view it. For instance, while the DBA or Remote DBA must have access to the database in its entirety, there is no need for them to view such things as sensitive financial data, customer names, user passwords etc. The aim of masking data is to garble the data, making it unreadable when retrieved from the database.
For further testing and developmental purposes, implementation of masking is necessary for any system upgraders – usually developers and testers. They too need to access the entire database, but they do not need to see the actual data.
Dynamic data masking allows users to see the format of data storage on the DB, without reading the actual data. Static masking creates a duplication of the entire database with the actual data masked, which is what testers and developers would use in their improvement processes.
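The two modes side by side, as an added example that is not part of the original article. It uses Python's built-in sqlite3 module; the `customers` table, the sample rows and the `mask` function are constructed for illustration.

```python
import sqlite3


def mask(value, keep_last):
    """Hide characters but keep length, separators and the last keep_last chars."""
    text = str(value)
    cut = len(text) - keep_last
    return "".join(
        ch if i >= cut or not ch.isalnum() else ("0" if ch.isdigit() else "x")
        for i, ch in enumerate(text))


def connect():
    conn = sqlite3.connect(":memory:")
    conn.create_function("mask", 2, mask)   # expose mask() to SQL
    return conn


def build_production():
    """Constructed sample table standing in for the production database."""
    conn = connect()
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "Alice Smith", "4111-1111-1111-1234"),
        (2, "Bob Jones", "5500-0000-0000-5678"),
    ])
    conn.commit()
    return conn


def dynamic_read(conn):
    """Dynamic masking: stored rows stay intact, the reader gets masked output."""
    return conn.execute(
        "SELECT id, mask(name, 0), mask(card, 4) FROM customers ORDER BY id"
    ).fetchall()


def static_copy(prod):
    """Static masking: duplicate the database, then overwrite the copy in place."""
    copy = connect()
    prod.backup(copy)
    copy.execute("UPDATE customers SET name = mask(name, 0), card = mask(card, 4)")
    copy.commit()
    return copy


if __name__ == "__main__":
    prod = build_production()
    print(dynamic_read(prod))
    print(static_copy(prod).execute("SELECT * FROM customers").fetchall())
```

The static copy no longer contains the real values at all, which is why it is the one to hand to developers and testers.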
5. Data encryption
There are different levels of encryption implemented for different levels of the database. For starters, you may apply an encryption tool to encrypt the entire database. This would protect the data from misappropriation for example in instances where an unauthorized party gains access to the physical data location. Only users with the encryption keys would be able to read the data.
Another form might be to protect the database externally, i.e. to ensure that all data leaving the DB, in whatever format, is protected from malicious access. This is applied at the point of transport, by encrypting the transport channel, and is important for every item of information leaving the organization.
There is a wide range of tools available for protection of organizational databases. In your search for a database protection tool, your organization will be in great shape if you have at least four of the five aspects mentioned above. You may be able to find a single tool to provide all these aspects of database protection, but the more likely eventuality will be implementing a combination of the best solutions to provide all the protection you need.
Jack Dawson is a highly creative marketer who can always be trusted to come up with a new approach. He knows that the client’s business comes first, and he never tries to impose his ideas on others. His greatest expertise lies in the worlds of interactive SEO, Social Media, Brand Identity Design, Content Creation and Print Collateral.