Why Database Security?
In today's world of pervasive digitization and automation, almost every one of your business operations needs to access and/or process business data that is stored in your databases.
No business operation can be completed efficiently unless the corresponding database is available for accessing and processing data. Hence, databases are an essential, and arguably the most important, component of your business, and maintaining the performance efficiency and security of your databases is vital to it. The main reasons why database security should be a focus of organizations are listed below:
Though awareness of database security has been increasing in the past few years, we still see many organizations struggling to implement it with the required rigor. Let us have a look at the commonly faced challenges.
Challenges for “Database Techies” (mostly Database Administrators — DBAs)
• Database Administrators like to create a locked-down “gold” configuration
• Database Administrators are reluctant to add security software on the machine for fear of performance degradation
• Database Administrators have no idea about the data contained in a database
• Lack of communication between Data Architects, back-end developer team and Database Administrators
• Database Techies not “educated” on compliance and regulatory requirements
• The DBMS vendor has not yet released a patch, or the Database Administrator does not have time to apply it because of the performance testing required before applying a patch to production databases
Challenges for Information Security (IS) Personnel
• Multiple DBMS vendors
• IS Personnel not aware of database aspects such as:
  • Where the data serving a specific business operation is located
  • How securely the corresponding databases are configured
  • What the patching status is
• Auditors demand certain log generation or specific configurations, while Database Techies refuse to implement them for fear of performance degradation
Result of these problems
Databases are mostly left at the mercy of the protections on other system components like applications, networks, firewalls etc. However, the rampant incidents of data breaches clearly indicate that security implemented at those other components is not sufficient, and that robust security controls at the database layer are essential.
Solution
Additional layer of comprehensive security on the database itself
Since database security is of such critical importance to organizations, let us have a look at the top 10 database threats:
Top 10 Database Threats
- Excessive Privilege Abuse
- Legitimate Privilege Abuse
- Privilege Elevation
- Exploitation of vulnerable, mis-configured databases
- SQL Injection
- Weak Audit Trail
- Denial of Service
- Database Communication Protocol Vulnerabilities
- Unauthorized copies of sensitive data
- Backup Data Exposure
The above list indicates that different aspects of a database lead to different vulnerabilities. E.g. the top 3 threats clearly correspond to the database's authorization mechanism and the privileges allocated on business data, while numbers 4 and 6 indicate insufficient security configuration. Threat number 5 corresponds to a lack of appropriate validation of user inputs, numbers 7 and 8 relate more to the network-side configuration of the database, while 9 and 10 indicate insufficient access control.
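To make threat number 5 concrete, here is an added example (not from the original article) showing why "lack of validation of user inputs" lets an attacker-controlled string change the meaning of a query, and how a bind variable (parameterized query) prevents it. It uses Python's built-in sqlite3 module with a constructed in-memory table; the table, the `lookup_*` function names and the sample rows are all assumptions made for the illustration.

```python
import re
import sqlite3


def make_db():
    """Create a constructed in-memory customers table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("Bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable form: user input is concatenated into the SQL text, so the
    database parses whatever the caller typed as part of the statement."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value travels as a bind variable and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


def is_valid_name(name):
    """Complementary input validation: allow only the characters a customer
    name is expected to contain (an assumed policy for this example)."""
    return re.fullmatch(r"[A-Za-z][A-Za-z .'-]{0,63}", name) is not None


def demo():
    conn = make_db()
    injected = "x' OR '1'='1"  # classic tautology that matches every row
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "Alice"),
        "vulnerable_injected": lookup_vulnerable(conn, injected),
        "parameterized_injected": lookup_parameterized(conn, injected),
        "validation_rejects_injected": not is_valid_name(injected),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable lookup returns every customer when given the tautology, while the parameterized lookup returns nothing because no customer is literally named `x' OR '1'='1`. Input validation is a second, independent layer: it rejects the string before it ever reaches the database, which is the "defense in depth" idea discussed later in the article.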
Database Security Journey: Steps
• Get your Database Techies (Database Administrators, Data Architects and back-end developer and tester teams) trained on your security audit requirements and importance of database security implementation.
• From the database vendor and technical security benchmarks for your database technologies, understand the vulnerabilities and recommended security configurations.
• Get your Information Security Personnel educated on the DBMS products you are using, their known vulnerabilities and the security configuration methodologies for them.
• Prepare Customized Technical Security Checklist for your databases as a combined effort of your database technical teams and your information security team.
• Categorize the security level for your databases as per their business criticality and security compliance norms applicable. Prepare secure configuration templates for each category and database product you are using. Incorporate database operational procedures to ensure that the applicable secure configuration templates are always used while creating/migrating/upgrading your databases.
• Devise or purchase tools to conduct a Security Health Check of your databases as per your custom checklist. Formulate database operational procedures to conduct such security checks on a regular basis and to act on their results. It is recommended to conduct such checks at least once every 6 months.
• Decide on the Database Security Products and / or In-built Database Security Features that best suit your database security implementation requirements as per the customized checklists prepared.
• Work out a detailed plan for implementation of the required security features. Note that the implementation can’t be the sole responsibility of your DBAs. Successful and efficient database security implementations require cooperation and contribution from everyone: the DBAs, data owners, developers and architects, as well as your information security team.
• Work out and implement a plan for continual evaluation and maintenance of your database security implementations and database secure configuration templates.
Database Security Controls
Now, let us familiarize ourselves with some of the terms used by your information security requirements / auditors.
A security control is a means of achieving security in the database. It may be a configuration or feature provided by the database software, a database add-on, or an external tool or product.
To be able to decide on the required security implementations for your databases, first you need to understand the different types of security controls associated with databases, as described by the information security auditors. So, let us have a quick review of the different types of security controls. There are three main categories of security controls.
1. Detective Control
2. Preventive Control
3. Administrative Control
Detective Control — A detective control is a configuration, feature, tool or product used for monitoring database operations in order to 1) keep a record of what is happening in the database, maintaining accountability and non-repudiation, and 2) identify any irregular or illegitimate operations so that they can be stopped early and the impact of undesired operations reduced. A detective control is reactive in nature, i.e. it takes action (record, send an alert, generate a report etc.) after an operation of the specified pattern takes place in the database.
Since the purpose of a detective control is to monitor your database, the most suitable detective control is one that is external to your database, so that it can monitor the database independently and reliably, including the operations carried out by DBAs and other power users, because it is not under the control of the DBAs and is not affected by database availability.
Most standard database software products provide native auditing capabilities for this purpose. However, an additional tool may be necessary to analyze the audit records generated by the database and identify irregularities in near real time. Also, the native audit mechanisms may put an additional load on the database, reducing its performance efficiency for your business operations, so you may not be able to enable all the auditing that your monitoring requirements call for. Thus, it may be necessary to have an additional tool capable of monitoring and recording database operations without depending on the native database auditing.
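The "additional tool to analyze the audit records" mentioned above is, at its core, a set of rules run over the audit trail. The following added example (not from the original article, and not the output of any real DBMS or DAM product) shows that kind of analysis over a small constructed audit extract. The column names, the user and object names, the business-hours window and the thresholds are all assumptions chosen for the illustration; a real deployment would feed the parser from the native audit trail (for Oracle, the unified audit trail) or from a network-level capture.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample audit records. The columns resemble what a native audit
# trail typically records, but these rows are invented for this example.
SAMPLE_AUDIT = """\
event_time,db_user,os_user,client_host,action,object_name,rows_affected,status
2024-03-04 09:15:02,APP_USER,websvc,app01,SELECT,CUSTOMERS,12,SUCCESS
2024-03-04 09:16:40,APP_USER,websvc,app01,UPDATE,ORDERS,1,SUCCESS
2024-03-04 10:02:11,DBA_JOE,joe,ws-17,ALTER,ORDERS,0,SUCCESS
2024-03-04 11:30:05,REPORT_USER,rpt,rpt01,SELECT,SALARIES,40,SUCCESS
2024-03-04 23:41:19,REPORT_USER,rpt,ws-42,SELECT,SALARIES,18250,SUCCESS
2024-03-04 23:42:03,APP_USER,websvc,ws-42,DROP,AUDIT_ARCHIVE,0,SUCCESS
2024-03-05 02:10:00,SCOTT,x,203.0.113.9,LOGON,,0,FAILED
2024-03-05 02:10:03,SCOTT,x,203.0.113.9,LOGON,,0,FAILED
2024-03-05 02:10:07,SCOTT,x,203.0.113.9,LOGON,,0,FAILED
"""

# Assumed policy for this example: which objects are sensitive, who is a DBA,
# what counts as DDL, and what "bulk" and "business hours" mean.
SENSITIVE_OBJECTS = {"SALARIES", "CARD_DATA"}
DBA_USERS = {"DBA_JOE"}
DDL_ACTIONS = {"DROP", "TRUNCATE", "ALTER", "GRANT"}
BULK_ROW_THRESHOLD = 10_000
BUSINESS_HOURS = range(8, 18)
FAILED_LOGON_LIMIT = 3


def parse_audit(text):
    """Parse the CSV extract into dicts with typed time and row counts."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["event_time"] = datetime.strptime(r["event_time"], "%Y-%m-%d %H:%M:%S")
        r["rows_affected"] = int(r["rows_affected"])
    return rows


def analyze(records):
    """Run detection rules over audit records and return a list of alerts.

    Each alert is a tuple whose first element names the rule that fired.
    """
    alerts = []
    failed_logons = {}
    for r in records:
        hour = r["event_time"].hour
        obj = r["object_name"]
        # Schema changes by anyone who is not a DBA (privilege abuse / elevation).
        if r["action"] in DDL_ACTIONS and r["db_user"] not in DBA_USERS:
            alerts.append(("DDL_BY_NON_DBA", r["db_user"], r["action"], obj))
        # Sensitive data touched outside business hours.
        if obj in SENSITIVE_OBJECTS and hour not in BUSINESS_HOURS:
            alerts.append(("SENSITIVE_ACCESS_OFF_HOURS", r["db_user"], r["action"], obj))
        # Bulk read of a sensitive table (possible unauthorized copy).
        if obj in SENSITIVE_OBJECTS and r["rows_affected"] >= BULK_ROW_THRESHOLD:
            alerts.append(("BULK_SENSITIVE_READ", r["db_user"], r["action"], obj))
        # Repeated failed logons from one host for one account.
        if r["action"] == "LOGON" and r["status"] == "FAILED":
            key = (r["db_user"], r["client_host"])
            failed_logons[key] = failed_logons.get(key, 0) + 1
            if failed_logons[key] == FAILED_LOGON_LIMIT:
                alerts.append(("REPEATED_FAILED_LOGON", r["db_user"], r["client_host"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_audit(SAMPLE_AUDIT)):
        print(alert)
```

On the sample extract the DBA's `ALTER` and the daytime report query pass quietly, while the late-night bulk read of `SALARIES`, the `DROP` issued by the application account and the burst of failed logons each produce an alert. In practice the same rules would run continuously against the live audit feed rather than against a batch file, which is what makes the control "near real time".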
Preventive Control — A preventive control is a configuration, feature, tool or product used for preventing an external or internal threat, such as illegitimate or erroneous operations in the database. A preventive control is proactive by nature, i.e. it tries to stop undesirable operations from happening in the database at all.
Since the purpose of a preventive control is to stop undesirable operations in your database, the most suitable preventive control is one that is part of the database itself, so that it can’t be bypassed by an attacker who reaches the database through some path other than your application.
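An added example (not from the original article) of a preventive control that lives inside the database: two triggers that make an audit table append-only, so that neither the application nor a client connecting directly with the same account can alter or erase audit history (threat number 6, weak audit trail). It uses sqlite3 for portability; the table, trigger names and sample rows are assumptions for the illustration, and in a production DBMS the same idea is expressed with that product's trigger or immutable-table features.

```python
import sqlite3

# Assumed schema for the example: an audit table plus BEFORE triggers that
# abort any UPDATE or DELETE, enforced by the database engine itself.
APPEND_ONLY_SQL = """
CREATE TABLE audit_log (
    id         INTEGER PRIMARY KEY,
    event_time TEXT NOT NULL,
    actor      TEXT NOT NULL,
    action     TEXT NOT NULL
);
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
"""

INSERT_SQL = "INSERT INTO audit_log (event_time, actor, action) VALUES (?, ?, ?)"


def make_db():
    """Create the constructed in-memory database with one sample audit row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(APPEND_ONLY_SQL)
    conn.execute(INSERT_SQL, ("2024-03-04 09:15:02", "APP_USER", "UPDATE ORDERS"))
    conn.commit()
    return conn


def try_statement(conn, sql, params=()):
    """Execute a statement and report whether the database allowed it.

    A RAISE(ABORT) inside a trigger surfaces as a sqlite3.DatabaseError
    (specifically IntegrityError); the transaction is rolled back.
    """
    try:
        conn.execute(sql, params)
        conn.commit()
        return True
    except sqlite3.DatabaseError:
        conn.rollback()
        return False


def demo():
    """Show that appends succeed while updates and deletes are refused."""
    conn = make_db()
    inserted = try_statement(
        conn, INSERT_SQL, ("2024-03-04 09:16:40", "APP_USER", "DELETE CUSTOMERS")
    )
    updated = try_statement(conn, "UPDATE audit_log SET actor = 'nobody'")
    deleted = try_statement(conn, "DELETE FROM audit_log")
    rows = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    return {
        "insert_allowed": inserted,
        "update_blocked": not updated,
        "delete_blocked": not deleted,
        "rows": rows,
    }


if __name__ == "__main__":
    print(demo())
```

Because the rule is enforced by the engine rather than by application code, it holds for every connection. The caveat a practitioner should note is that an account with enough privilege to drop the trigger can still remove the control, which is why the article goes on to recommend layering controls: an external detective control that records the `DROP TRIGGER` complements this preventive one.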
Administrative Control — An administrative control is a feature, tool or product used for carrying out administrative operations in the database in a secure manner, e.g. carrying out database configuration, monitoring and ensuring database availability, checking for and correcting data corruption, monitoring and maintaining database performance etc. A typical administrative control may act in both a proactive and a reactive manner.
A suitable administrative control may be part of the database or external to the database depending on the operations it is managing.
Each type of control listed above serves its own purpose. Thus, you can’t rely on only one type of control and need to use a combination of all three types to achieve comprehensive security for your databases. Also, you may need to use more than one control of each type to achieve the required security level for your database. E.g. you may need to use native database auditing as well as an external Database Activity Monitoring (DAM) tool as your detective controls. This approach of layering multiple security controls is called “Defense in Depth” and is the recommended approach for security implementations.
As Oracle is the most widely used software for the most critical and largest databases, I am giving below a possible defense-in-depth security architecture for Oracle Database.
I will talk about each type of control in my subsequent articles. In the next article, we will consider detective controls for databases:
https://meenalkin.medium.com/database-security-series-part-2-5ee40f6e1edd