Time to Tighten up

In today’s fast-moving business environment, databases are critical assets. They store client details, financial information, company secrets and other data necessary for a successful business. The need for database security is important, but the issues associated with it have grown exponentially over the past few years. Strengthened network defenses have made attackers concentrate on exploiting applications and databases directly. Attackers are much more likely to be cyber criminals who are financially motivated, thus it is more difficult to deter them with a minimal amount of security.

The issue of database security is a challenging one. The database must be accessible for operational purposes but also be protected without interfering with business operations. Database security is about improving access and authorization controls, data protection, integrity, and audit. IDC believes the most effective way to secure database management systems (DBMS) is to incorporate security functions and features at the DBMS level and not just exclusively slap on security to the exterior of the application or network.

Basic database security

The techniques to achieve basic security vary widely within database management systems. Although basic database security tools typically cover the who, what, when, and where of data usage, it has been difficult to consistently get full coverage with traditional database security systems. Most security is provided by third party applications that are kludged together with the database. Typically, these solutions provide basic security functions, or what can be called check-box security. Check-box security allows companies to tell auditors that they are performing the requirements of security regulations and best practices, but the security features do not provide the robust security. Check-box security is not comprehensive enough to deal with sophisticated attackers or to adequately address the insider threat. Or, they are unwieldy, thus making it less likely that the system will be properly utilized.

Advanced database security strategy

Organizations now must go beyond basic database security to be truly protected. They must realize that due to the nature of today’s information currency business environment, increasingly dangerous attackers, and an increasingly complex regulatory environment, they can no longer continue adding multiple loosely integrated point security solutions that are not designed to work together. Organizations need to demand better security because it is key to their business success. There are a number of building blocks for an advanced database security strategy, these include securing the application, identity and access management (IAM), encryption, policy and audit.

Securing the application

Establishing advanced overall database security begins with securing the application. This is done in many ways, the first is to ensure that the application code has no inadvertent vulnerabilities and this is done by testing custom software looking for security vulnerabilities. The second aspect of securing the application is to reduce the attack surface – the larger and more complex the DBMS is, the more likely there will be considerable avenues of attack. Reducing the attack vectors require the eliminating of features or components that are not in use, or are not required. Although it requires more work to set up, it is better to only enable features needed and to avoid installing unnecessary options – those that are required are only activated by a privileged administrator. The next level of application protection is to perform periodic vulnerability assessments of production DBMS to ensure they remain secure. In this way any deviations can be corrected. This will require that patches are kept up-to-date. Lastly security consistency checks should be performed before and after a database upgrade or migration.

IAM: least privilege principle

A key cog for any security mechanism is IAM. The IAM system within a DBMS can provide for provisioning, password management, privileged password management, digital signatures, secure single sign-on, audit and reporting, and multifactor authentication mechanisms. These basic controls identify who can get access to the DBMS, to what data they are permitted to see, and what they can do with the data. The IAM system can also provide permission or limits on from where the data can go (i.e. remote access).

IAM mechanisms can perform these duties but if you just use the IAM system at a bare minimum you will not have full security. There are generic accounts in most DBMS that do not identify the user, or that convey super user privileges. To be truly useful, the DBMS IAM schema must enforce the least privilege principle. Least privilege requires that users (and even applications) have the minimal privileges required to function properly. In a database environment this might mean that someone can have read the data out of a database but is not authorized to modify that data. In this way it is possible to greatly improve the security of a system because there will normally be considerably less people who can perform the functions attackers crave to penetrate the system.

Encryption

Encryption is often the first thing that comes to mind when thinking of securing data. When done properly it is the best way to prevent unauthorized access to data. In recent insider data loss incidents, the culprits only accessed and downloaded plain text data. When they discovered an encrypted file, it would be left alone. The key differentiator in this technology is key management. How easy is it to produce, retrieve, archive, change, and destroy encryption keys? Those are all functions the key management systems should do well. Without robust encryption key management the underlying encryption is either going to be ineffective (easy to guess or access keys) or so complicated that the encryption is unusable. With the proper encryption and key management capabilities, database encryption can be a very valuable component of a comprehensive database security strategy. Nevertheless encryption is just one tool, it isn’t the magic bullet for database security.

Policy and audit

Security policy, both at a strategic and tactical level, must be clear and well defined. There can be hundreds of components of a security policy, so it is difficult to delineate what is right for any given environment. Policies are best when they are created for individual needs and requirements. However, the policy must provide the proper guidance to secure the DBMS and it must be enforceable. The most effective security policies are those that can be set and enforced directly within the DBMS. This helps remove user error and also reduces barriers associated with strong security.

Conclusion

It is clear that check-box security is not sufficient in today’s enterprise global business environments. Enterprises carry high value information, within their IT systems in general and in their databases in particular. Given the high risks of not being in compliance with applicable regulations, while being exposed to deliberate and/or accidental security breaches, it is imperative that enterprise management demand the highest levels of information security for their information systems, not just do enough to check that security is in place.

Organized and financially motivated attackers are not going to be thwarted by check-box security. It does nothing for an organization to just go through the motions to meet regulatory requirements. Instead they need to use the impetuous of compliance to deploy the most effective security controls available. When developers and database administrators enterprise senior management will not have to be concern about the potential risks of having check-box security protecting their valuable corporate information assets.

If an enterprise consistently adheres to best security practices in the current business and threat environment, it is highly likely they will gain a competitive advantage against their competitors and others who are not making security a high priority. Strong security allows you to expand the exchange of critical business information for greater business opportunity.

Business basics

Databases must be capable of providing three basic security requirements:

Confidentiality: the system must prevent unauthorized access to protected and proprietary information by anyone without a valid technical or business requirement

Integrity: the system must prevent the malicious or accidental deletion or tampering of data
Availability: the system must allow authenticated and authorized users access to the data at their requests

About Charles Kolodgy

Charles is a Research Director for IDC’s Security Products service. In this role, he executes primary research projects, and analyzes markets for both vendors and user customers. His responsibilities include both hardware and software security products, firewalls, intrusion detection and prevention, vulnerability assessment and management, hardware authentication (tokens and smartcards) and encryption. Research areas that cut across product markets include product certification, website security and security policy.