All Articles

For database security following framework can be adapted by any organization to ensure database security system established within organization. This has been written by Prakash Sharma.

Database Security Framework

Quality Assurance will need to be performed for all the processes defined above

Best Practices

1. Physical Access Control needs to be established
2. Installation sites need to be secured
3. Lock and expire all default database accounts
4. Change default passwords
5. Lock and expire all default user accounts
6. Enforce password management
7. Enable data dictionary protection
8. Grant least privilege to maximum number of users
9. Enforce access controls
10. Restrict operating system access
11. Restrict network access
12. Apply security patches periodically
13. Enable SSL to provide mechanism for data integrity and data encryption
14. Set up certificate authentication for client and servers
15. Restrict privileges to listener which acts as a database gateway to the network
16. Restrict physical access to network
17. Use Firewalls
18. Never keep vulnerable ports open (example 1521)
19. Prevent unauthorized administration of Listener
20. Encrypt Network traffic
21. Harden the Operating System by disabling unnecessary services
22. Ensure Audit trails enabled where ever security threats foreseen

Data Base Security Terms and Definition

Data base Security

• Data base Security is a mechanism to protect database against intentional or accidental threats. Security controls are established to mitigate the risks emerging due to threats pertaining to critical assets in the organization.  Database is a critical asset for any organization hence organizations need to invest budget for data base security requirements

What is a threat?

• Any intentional or accidental event that may adversely affect the system

Database Threats

Theft

• An unauthorized resource gets into an organization with a pen drive and  copies organization data and moves out of premise. Someone intentionally decides to store database backup on a public storage system

Fraud

• Any tampering to data and changing the content without authorization is a fraud

Confidentiality compromise

• Any data or data base if available for public purview leads to confidentiality compromise unless an an organization intentionally decides to publish data for public.

Privacy compromise

• Any personal information if available for public purview leads to privacy compromise unless an organization intentionally decides to publish data for public

Integrity compromise

• Any tampering to data and loss of data and its audit trail leads to integrity compromise

Availability compromise

• Any data should be available to its intended user always and if the data base is not available or data base gets corrupted then it is an availability compromise

Examples of Threats

1. Using another person’s log-in name to access data
2. Unauthorized copying of data
3. Illegal injections by hacker
4. Viruses
5. Data Alteration

Security Controls

Authorization

• User-Access Policies needs to be defined for database access.

Authorization is a mechanism to grant privileges to enable user to access the system.

Authentication

• Authentication is a mechanism to verify whether the right user logs in to the system. System Administrator is responsible for providing user rights to individual users who can access the system.

Views

• Whenever there is a need to perform queries on multiple related tables, it is important for creating views and granting privileges to users to ensure user is not aware of existence of any columns or rows which are missing from the view.

Backup and Recovery

• The backup and recovery processes are vital for organization to ensure a copy of database and log file is stored on an offline storage media. It is important to test the tapes by recovering the data to ensure backup is performed successfully.

Integrity

• Integrity of data base systems can be maintained by securing the database from virus and malicious code attacks and preventing data from becoming invalid.

Encryption

• It is a concept to use special algorithms to render data unreadable by any program and you need to have decryption key to read the data. Performance degradation exists when there is a need to encrypt too many data columns

RAID Technology

• RAID stands for Redundant Array of Independent Disks. RAID is implemented on a hardware system where the database is installed to ensure DBMS continue to function even if one of the hardware components fails.

Privileges

• Privilege is a right given to user to access the database and its relevant data. Read, Write, Read-Write access given to the database or data base tables or rows or columns of a table.