
Getting Started with Database Security

As a database administrator (DBA), you need a solid grasp of database security basics to manage your systems confidently. Having strong database security knowledge will allow you to protect your organization’s sensitive and business-critical information by following best practices and ensuring adherence to security protocols.

What Is Database Security?

When we use the phrase “database security”, we’re referring to all of the tools designed to establish and preserve database integrity, availability and confidentiality. Ensuring that the data stored in databases is secure at all times is one of the most important responsibilities for any DBA.

Database security covers:

  • Datastores in databases
  • Database management systems (DBMS)
  • Applications that access database data
  • Hardware servers
  • Virtual database servers, including cloud-based servers
  • Network access points

Maintaining database security requires a delicate hand. While you need to prioritize data security, data must be accessible to provide value to the business. The more access you allow to the data stored in a database, the more vulnerable that data becomes, but a watertight database is neither functional nor practical. This paradox is sometimes called “Anderson’s Rule.”

The best way to strike the right balance between security and accessibility is to establish thoughtful security protocols, assign tiered levels of data access, and invest in a solid security and database activity monitoring platform.

Why Is Database Security Important?

It is not an exaggeration to say that an organization’s reputation, financial future, legal compliance and overall functionality are all dependent on its ability to safely store, move and manage the data that it collects. Insecure databases were at the heart of several prominent breaches in 2019, resulting in stolen passwords and credit card information for millions of users, the exposure of massive amounts of sensitive information, and huge fines.

Unfortunately, database breaches are not limited to big companies with deep pockets and a team of PR pros who can help to clean up the publicity mess. Companies of all sizes are at risk. Even a mid-size company that suffers a breach can end up spending millions of dollars for legal fees, fines, data recovery efforts, user notifications and downtime. Moreover, a breach can impact future revenue, since customers and partners are less likely to want to deal with companies they view as untrustworthy or technologically behind.

The consequences can be even worse if your intellectual property is compromised. If your trade secrets, inventions, and information about how your company operates internally fall into the wrong hands, the very existence of your company could be at stake.

Common Types of Database Security Threats and Challenges

Many issues can leave your database vulnerable to security breaches. Here are the most common security threats you should be prepared for.

Insider Threats

The most obvious kind of insider threat is a malicious user who intends harm. However, this term also includes users who have the power to make mistakes that leave a database open to attack. Indeed, nearly half of all data breaches reported in 2018 were due to human errors such as choosing weak email or database passwords, sharing passwords, and careless storage of database credentials. There’s a third type of insider threat as well: an external attacker who obtains valid user credentials through tactics such as phishing.

Lax database administration, especially allowing too many employees to have high-level access to databases, increases the risk posed by insider threats.

Database Software Vulnerabilities

Hackers work tirelessly to locate and target security vulnerabilities in platforms and software, including database management software. Failure to promptly apply security patches when they are released increases your exposure.

SQL/NoSQL Injection Attacks

Attackers can target a SQL or NoSQL database by inserting crafted strings into the database queries that web applications build from user-supplied input, including HTTP headers.
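The SQL case described above, as an added example that is not part of the original article: the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite database. The table, function names and input values are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def lookup_concatenated(conn, username):
    # Vulnerable: the input becomes part of the SQL text, so a quote in it
    # can change the structure of the WHERE clause.
    sql = "SELECT username, email FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # Hardened: the value is bound separately from the SQL text and is only
    # ever compared as data.
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

CRAFTED = "nobody' OR '1'='1"  # constructed input for the demonstration

if __name__ == "__main__":
    conn = make_db()
    for name in ("alice", CRAFTED):
        print(repr(name))
        print("  concatenated :", lookup_concatenated(conn, name))
        print("  parameterized:", lookup_parameterized(conn, name))
```

With the crafted value, the concatenated query returns every row in the table, while the parameterized query returns none because no account has that literal username.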

Buffer Overflow Exploitations

Attackers can use excess data from buffer overflows as a foundation for launching attacks. A buffer overflow happens when a process attempts to write more data to a fixed-length block of memory than it can hold.

Denial of Service Attacks

When an attacker floods the target service with too many requests, the server is unable to keep up with requests generated by legitimate users. These denial of service (DoS) attacks can cause website instability or a total crash.

Distributed denial of service attacks (DDoS) are the result of the flooding of multiple web servers. These attacks are especially difficult to stop once they start, so prevention measures are critical.

Malware

Malware attacks often begin on endpoint devices but they can easily extend to databases. Internet of things (IoT) devices are especially vulnerable to malware because they are often not updated with security patches as frequently as primary hardware located in the office.

Backup Attacks

Backup data that isn’t secured properly is vulnerable to attacks. This includes older backups stored on physical drives, but also extends to cloud-based backups, which have become more common over the past few years.

Changing Corporate Environments and Resources

Several less tangible threats can increase database vulnerability:

  • Companies are saving and processing more data than ever, leading to a more complex database structure.
  • Networks have more access points, including access to and from cloud environments.

Database Security Controls

Database administrators should be aware of the various types of database security controls that can help mitigate database breaches. These controls also help to ensure database integrity by preventing data from being altered in transit and while being stored.

Restricted Access

Access controls should be granted based on the least-privilege principle, which requires restricting system privileges for user accounts and computing processes to only those permissions required to perform the assigned functions.

Database Auditing

Routine database auditing can reveal database vulnerabilities and suspicious activity, as well as help you prove your database security measures are compliant with database security standards and regulations. Ideally, these solutions should be agentless so the auditing process doesn’t degrade database performance.
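One way to look for suspicious activity in an audit trail, as an added example that is not part of the original article or any product's code. The log line format, the approved-admin list, the thresholds and the sample events are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit line format: "<ISO timestamp> user=<u> src=<ip> action=<A>"
LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)")
ADMINS = {"dba_maria"}                        # assumed approved-admin list
PRIV_ACTIONS = {"GRANT", "REVOKE", "ALTER_ROLE"}
MAX_FAILS, WINDOW = 3, timedelta(seconds=60)  # assumed thresholds

# Constructed sample events, including one malformed line.
SAMPLE_LOG = """\
2024-03-01T02:14:01 user=app_ro src=10.0.0.8 action=LOGIN_FAILED
2024-03-01T02:14:09 user=app_ro src=10.0.0.8 action=LOGIN_FAILED
2024-03-01T02:14:20 user=app_ro src=10.0.0.8 action=LOGIN_FAILED
2024-03-01T02:15:02 user=app_ro src=10.0.0.8 action=LOGIN_OK
2024-03-01T02:16:40 user=app_ro src=10.0.0.8 action=GRANT
2024-03-01T09:00:12 user=dba_maria src=10.0.0.5 action=GRANT
2024-03-01T09:30:00 user=bob src=10.0.0.9 action=LOGIN_FAILED
not an audit line
"""

def review(log_text):
    """Return a list of (timestamp, user, reason) findings."""
    findings, fails = [], defaultdict(deque)
    for line in log_text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the review
        ts = datetime.fromisoformat(m["ts"])
        user, src, action = m["user"], m["src"], m["action"]
        if action == "LOGIN_FAILED":
            recent = fails[(user, src)]
            recent.append(ts)
            while ts - recent[0] > WINDOW:   # drop failures outside the window
                recent.popleft()
            if len(recent) == MAX_FAILS:     # report once when the limit is hit
                findings.append((m["ts"], user, "repeated failed logins"))
        elif action in PRIV_ACTIONS and user not in ADMINS:
            findings.append((m["ts"], user, "privilege change by non-admin"))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```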

Authentication

Authentication verifies the identity of users and accounts to prevent unauthorized users from accessing data or systems. Network security protocols should include authentication measures across your company’s entire network.

Securing Outside Applications

Database security also requires securing all applications that have access to the database. Default settings are designed to facilitate a seamless installation experience but are insecure because they are known to would-be attackers. Your job is to make sure your application security is set at the highest level possible that still enables the business to operate properly. The same tenet holds for securing your underlying operating systems. For example, SQL databases rely on Windows Server, so Windows Server must be kept secure to maintain database security.

Other Security Measures

Data encryption makes it more difficult for hackers to use data they manage to steal. Storing backups offline reduces the chances that hackers can gain access to them. And a comprehensive (and regularly tested) disaster recovery plan can help you quickly restore your databases after a breach or catastrophe.

Critical Database Security Best Practices

Some data security best practices relate to directly managing the database, while others focus on rules related to database access. Specific best practices to consider include:

  • Hardening your database. This can include establishing firewalls across all applications and systems with database access, as well as physical security measures like keeping servers in a secure, locked room.
  • Encrypting your data everywhere it lives, including in your databases.
  • Controlling database access by enforcing the least-privilege principle and conducting regular permissions reviews to account for changes to the workforce or access needs.
  • Auditing and monitoring database activity for suspicious changes and access attempts.
  • Minimizing the value of your database by storing only the data that must be kept accessible. Less valuable databases are less attractive to bad actors, and breaches will cause less damage.
  • Enforcing general best practices for protecting systems and data, such as requiring strong passwords and providing training on phishing attacks.
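A sketch of the permissions review mentioned above and of the least-privilege principle from the Restricted Access section, added here as an example that is not part of the original article. The role baseline, workforce list and grant records are constructed; in practice they would come from your DBMS catalog and HR or identity system.

```python
# Privileges each role is allowed to hold (constructed baseline).
ROLE_BASELINE = {
    "analyst": {"SELECT"},
    "app": {"SELECT", "INSERT", "UPDATE"},
    "dba": {"SELECT", "INSERT", "UPDATE", "DELETE", "ALTER", "GRANT"},
}
# Current accounts and their roles (constructed).
WORKFORCE = {"alice": "analyst", "orders_svc": "app", "maria": "dba"}
# Grants as exported from the database: (account, object, privilege).
GRANTS = [
    ("alice", "sales.orders", "SELECT"),
    ("alice", "sales.orders", "DELETE"),      # more than an analyst needs
    ("orders_svc", "sales.orders", "INSERT"),
    ("maria", "sales.orders", "ALTER"),
    ("tom", "hr.salaries", "SELECT"),         # account no longer in workforce
]

def review_grants(grants, workforce, baseline):
    """Return sorted (account, object, privilege, reason) findings."""
    findings = []
    for account, obj, priv in grants:
        role = workforce.get(account)
        if role is None:
            findings.append((account, obj, priv, "account not in current workforce"))
        elif priv not in baseline.get(role, set()):
            findings.append((account, obj, priv, f"exceeds '{role}' baseline"))
    return sorted(findings)

def draft_revokes(findings):
    """Draft REVOKE statements for a human to review before running."""
    return [f"REVOKE {priv} ON {obj} FROM {account};"
            for account, obj, priv, _reason in findings]

if __name__ == "__main__":
    found = review_grants(GRANTS, WORKFORCE, ROLE_BASELINE)
    for row in found:
        print(row)
    print("\n".join(draft_revokes(found)))
```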

Consider the Needs of Your Company

As you start planning how to protect your databases, be sure to consider the unique needs of your company. Collect intelligence about the specific ways staff and third parties need to access data, and the amount of data being stored, accessed and transmitted. Be sure your cybersecurity measures are scalable and flexible enough to keep up with anticipated growth and adoption of new technologies.

Product Evangelist at Netwrix Corporation, writer, and presenter. Ryan specializes in evangelizing cybersecurity and promoting the importance of visibility into IT changes and data access. As an author, Ryan focuses on IT security trends, surveys, and industry insights.