Connect with us

Hi, what are you looking for?



Database Security: It’s More Than Meets the Eye

Having a safe doesn’t do much good if it is left open. Yet the safe where organizations house their data is sometimes left just as unsecure.

Having a safe doesn’t do much good if it is left open. Yet the safe where organizations house their data is sometimes left just as unsecure.

Last year for example, it was revealed that a university system upgrade at the University of North Carolina-Charlotte exposed data on the university’s H: drive on the Internet between Nov. 9, 2011, and Jan. 31, 2012. The news got worse for the university when it was discovered that misconfigured access settings also exposed sensitive data from the school’s College of Engineering from 1997 to February 2012.

“DBAs [database administrators] don’t have time for security – they spend less than five percent of their time on it,” said Forrester Research analyst Noel Yuhanna. “Most enterprises are dealing with data explosion that’s creating performance issues and availability concerns, which is where most of their time an effort goes. In a survey we did last year, performance was the top concern.”

Protecting Databases ImageApproaching database security the right way is about more than just persistent data security – it also means properly defining database access policies, ensuring the database’s security controls are correctly configured, audited and enforced.

“Databases are strange beasts,” said Barry Shteiman, senior strategist at Imperva. “They have many different flavors, and so vendors implement similar ideas in different ways and name similar concepts differently. One of the biggest challenges in managing rights and permissions is the need for overarching policies that encompass all of these different types of databases. Consolidation in permission and privilege visibility is the key for success.”

On its list of top 10 database threats for 2013, Imperva ranked excessive and unused privileges and privileges abuse as the top two. Access controls should be checked as often as possible and reviewed against a baseline, Shteiman said.

“One needs to understand that a single database instance could have thousands of users, permission groups, derived rights, and access methods that keep changing, and are very difficult to control,” he explained. “However, organizations that go through a process of creating a baseline of wanted and required access control and implement tools, are able to check the actual access configuration against a baseline, making their lives easier and enabling them to control the privileges from a better visibility standpoint.”

“In regards to enforcement of audit and security rules and permissions, separation of duties and aggregation are recommended when possible,” he said. “Letting the cat guard the milk is known to be a bad security practice.”

Advertisement. Scroll to continue reading.

Most times, organizations of all sizes install the database servers on the same segment as the application servers, which can cause a major security issue, noted David Maman, CTO of database security firm GreenSQL.

“Separation between the segments should be firewalled,” he said. “With today’s firewall technology, a 2U firewall can support millions of concurrent sessions and close to 100GB per second traffic. There are no limitations to the traffic, and there’s no overhead for internal segmentation.”

Database administrators should also never have the option to get sensitive information from the database, just as application developers, quality assurance or IT teams should never have the ability to run any type of administrative commands on the database, he added.

“In recent reports we have seen how APT [advanced persistent threat] and generic malware is used to infiltrate organizations and steal their data,” said Shteiman. “Such risks need to be taken into account when companies build their database security plan. If a DBA’s computer is being compromised, it is very simple to get to the database itself using the DBA’s credentials, leaving the keys to the kingdom out in the open. Therefore controlling and auditing data access both in the malware infection scenario, and out of plain business logic – a DBA logs in at 2 a.m. and requests 1 million records from the database – is important.”

“The sad truth,” he added, “is that for many of the organizations, the last question asked is ‘so what data should we protect’ or ‘are we auditing a subset of our overall data or everything.’ When regulations and security policies mandate ‘protect your sensitive information’ they don’t define the sensitive data, because it is subject/company/business specific.”

“A key point in securing and auditing databases is understanding what should raise a red flag,” he said. “Classification of your assets is an important and sometimes overlooked step.”

Related Reading: Proving Compliance and the Case for Improving Database Security

Related Reading: SIEM, Database Security Top of Mind for IT Professionals

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...