
16 Do or Die Database Security Strategies

As solution providers ponder how they can help customers protect their sensitive information, one of their key targets should be the corporate database. Databases are where most organizations store the bulk of their information, and yet they remain woefully unprotected. According to the 2009 Data Breach Investigations Report from Verizon Business, database breaches comprised 30 percent of data breached in 2008 and accounted for 75 percent of all data breached last year. Here's a look at a few techniques for securing databases.

By Ericka Chickowski

2. Database Encryption

Native database encryption isn't enough; organizations also need to complement encryption with effective key management to make the effort meaningful.

Making a Case: In a 2008 survey conducted by UK-based Trust Catalyst, just under 40% of IT decision makers said they don't know where their database encryption keys are stored.

3. Controlling Configurations

Shoring up database configuration is the low-hanging fruit in database security. Stopping the use of default administrator passwords and eliminating test databases from production database servers are good first steps.

Making a Case: An Enterprise Strategy Group survey conducted in 2008 found that among IT decision-makers, 53% listed misconfigured databases as a top database risk.

4. Vulnerability and Patch Management

Employing vulnerability scanners and streamlining patch management can go a long way toward stopping outside attackers from exploiting well-known security holes in the database software.

Making a Case: According to a 2008 poll by the Independent Oracle Users Group, 11% of enterprises have never patched their databases and 26% take over six months to apply database patches.

5. Access Control and Identity Management

Best practices and automation surrounding user provisioning, role-based access control and account revocation are critical to ensuring users log into the database on an as-needed basis.

Making a Case: According to Gartner analyst Jeffrey Wheatman, "It really needs to start with good role-based access control. That definitely is a critical component because if you don't know who should be able to do what, then how do you actually figure out how to put controls around that?"

6. Database Monitoring

Employing automated database monitoring and policy enforcement tools helps tie together the previous strategies and gives the organization an auditable "big picture" of database activity.

Making a Case: Writes Rich Mogull, analyst for Securosis: "[Database Activity Monitoring tools] are particularly helpful in detecting and preventing data breaches for Web-facing databases and applications, or to protect sensitive internal databases through detection of unusual activity."

7. Secure Coding

The way an organization churns out code can have a profound effect on the security of sensitive database stores. Even otherwise secure databases can be exposed to risks posed by sloppily written Web applications.

Making a Case: According to researchers on the IBM ISS X-Force team, SQL injection attacks last year grew from 5,000 attacks per day to 450,000 attacks per day.
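To make the secure-coding point concrete, here is an added example (not from the original article) that writes the same customer lookup two ways against an in-memory SQLite database: the sloppy string-built query that lets input alter the query's structure, and the parameterized query that treats input strictly as a value. The table and rows are constructed for the demonstration.

```python
"""Added example: one database lookup written in a vulnerable form and a
hardened form, so the difference the Secure Coding slide describes can be
observed directly. All data below is constructed sample data."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "***-**-0001"),
         (2, "bob@example.com", "***-**-0002")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Sloppy form: user input is pasted into the SQL text, so the input can
    change the meaning of the query instead of only supplying a value."""
    sql = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: a parameterized query. The driver binds the input as a
    value, so it can only ever be compared literally against the column."""
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email: str) -> tuple:
    """Return (rows from the vulnerable form, rows from the hardened form)."""
    conn = build_db()
    return lookup_vulnerable(conn, email), lookup_hardened(conn, email)


if __name__ == "__main__":
    # A well-formed address: both forms return the single matching row.
    print(compare("alice@example.com"))
    # A tautology in place of an address: the vulnerable form returns every
    # customer, while the hardened form returns nothing, because no stored
    # email literally equals that string.
    print(compare("x' OR '1'='1"))
```

The second call is the behaviour a database activity monitoring tool would flag as unusual: a lookup that should return one row returning the whole table.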
