There is a large body of knowledge on what is required to secure databases and to comply
with regulations and requirements. We've gathered the top 8 best practices for ensuring
database security.
Databases are arguably the most important and, unfortunately, also the most complex
components of our servers these days. SQL (and the various NoSQL query languages) is richer
than any other server command language. You can connect to a database through a great many
networking libraries and authentication methods. A typical enterprise database ships with
many thousands of packages and procedures, and often with an embedded Java virtual machine
and an HTTP server as well. You can call out from the database using external procedures or
various utility packages. All of this functionality is great for productivity and for
building applications, but from a security standpoint the more options and capabilities a
server has, the harder it is to secure and monitor it properly. Each such option is one more
avenue an attacker can use to gain unauthorized access or to misuse authorized access.
Protecting the database is imperative
There are checklists you can follow – at least for some of the mainstream databases. This is
good – it means you can adhere to a set of best practices and achieve security and
compliance. To get you started we’re highlighting the top best practices for ensuring general
Top Best Practices for Database Security
1. Discovery
You can't secure what you don't know you have. You need a good map of your assets: both
your database instances and the sensitive data they hold. You also need some method of
automated discovery, since your "asset map" changes as new workloads and systems are added.
2. Vulnerability and configuration assessment
You need to assess the configuration of your databases to ensure that they don't have
security holes in them. This verification covers both the way the database is installed on
the operating system and the configuration options within the database itself. You also need
to verify that you are not running versions of the database with known vulnerabilities.
3. Hardening
The result of an assessment is usually a set of recommendations. Acting on them is the first
step in hardening the database. Other elements of hardening involve removing all functions
and options that you do not use.
4. Change auditing
Once you have a hardened configuration you must continually track it to ensure that you
don't drift away from it. You do this with change auditing tools, which compare snapshots
of the configuration (at both the operating system level and the database level) and alert
you when a change is made that
database level) and alert you when a change is made that may affect the security of the
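The three steps above (assess the configuration, harden it, then watch for drift) can be reduced to a small amount of code. The following is an added example, not code from the original post or from Imperva: it parses a PostgreSQL-style `key = value` configuration (the sample files and the baseline checks are constructed for illustration and are not a complete hardening guide), reports every parameter that fails a check, and then diffs two snapshots to raise an alert only when a parameter that used to pass now fails.

```python
import re

# Constructed sample: a PostgreSQL-style configuration as it might look after a
# default install. It is not taken from any real system.
DEFAULT_CONF = """\
listen_addresses = '*'
port = 5432
ssl = off
password_encryption = md5
log_connections = off
log_disconnections = off
log_statement = 'none'
shared_preload_libraries = ''
"""

# The same file after an administrator applied the assessment findings.
HARDENED_CONF = """\
listen_addresses = '10.0.0.5'         # application subnet only
port = 5432
ssl = on
password_encryption = scram-sha-256
log_connections = on
log_disconnections = on
log_statement = 'ddl'
shared_preload_libraries = 'pgaudit'
"""

# Hypothetical baseline: parameter -> (predicate that accepts a safe value, reason).
CHECKS = {
    "ssl": (lambda v: v == "on",
            "TLS is off: credentials and data cross the network in clear text"),
    "password_encryption": (lambda v: v == "scram-sha-256",
            "md5 password hashing is cheap to crack offline"),
    "listen_addresses": (lambda v: v != "*",
            "server listens on every interface; restrict it to the application network"),
    "log_connections": (lambda v: v == "on",
            "connections are not logged, so there is no record of who connected"),
    "log_statement": (lambda v: v in {"ddl", "mod", "all"},
            "schema changes are not logged"),
}

_SETTING = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*([^#]*)")


def parse_conf(text):
    """Turn 'key = value  # comment' lines into a dict, stripping surrounding quotes."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        settings[key] = value
    return settings


def assess(settings):
    """Step 2: (parameter, current value, reason) for every failed check. An absent
    parameter is reported too, because the server default is then in force and the
    default is often the weak setting."""
    findings = []
    for key, (is_safe, reason) in CHECKS.items():
        value = settings.get(key)
        if value is None or not is_safe(value):
            findings.append((key, value, reason))
    return findings


def drift(old, new):
    """Step 4: every parameter that differs between two snapshots (None = absent)."""
    return [(k, old.get(k), new.get(k))
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)]


def regressions(old, new):
    """The subset of drift worth paging someone about: a checked parameter that
    passed in the old snapshot and fails in the new one."""
    alerts = []
    for key, before, after in drift(old, new):
        if key in CHECKS:
            is_safe, reason = CHECKS[key]
            was_safe = before is not None and is_safe(before)
            now_safe = after is not None and is_safe(after)
            if was_safe and not now_safe:
                alerts.append((key, before, after, reason))
    return alerts


if __name__ == "__main__":
    before, after = parse_conf(DEFAULT_CONF), parse_conf(HARDENED_CONF)
    for key, value, reason in assess(before):
        print(f"[assessment] {key} = {value!r}: {reason}")
    print("hardened config passes assessment:", assess(after) == [])
    # Someone later edits the hardened file back toward the defaults:
    for key, was, now, reason in regressions(after, before):
        print(f"[drift alert] {key}: {was!r} -> {now!r}: {reason}")
```

Note that `drift` reports every change while `regressions` reports only security-relevant ones; in practice you want both, the first as an audit record and the second as the thing that pages the on-call engineer.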
5. Database activity monitoring
While changes can and should be tracked using change auditing, database activity monitoring
also lets you alert on changes made through the SQL (or NoSQL) interface itself. Beyond that,
activity monitoring lets you detect intrusions and misuse, detect fraud, and discover problems
in real time, which limits your exposure considerably.
6. Auditing
Audit trails must be generated and maintained for all database activity that may have an
impact on security, on integrity, or on access to sensitive data.
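The two items above, activity monitoring and auditing, meet in the detection logic that runs over the audit trail. As an added example (not code from the original post or from Imperva), the following runs a handful of rules over a constructed statement log. The log layout (timestamp, database user, client address, statement) and the policy (which tables are sensitive, which accounts are DBAs, which networks each account may connect from) are assumptions for the example; real audit extensions emit their own formats.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample log, one statement per line:
#   <timestamp> <db user> <client address> <statement>
SAMPLE_LOG = """\
2024-03-02T14:05:12Z app_web 10.0.1.20 SELECT id, balance FROM accounts WHERE id = 4412
2024-03-02T14:05:13Z app_web 10.0.1.20 UPDATE accounts SET balance = balance - 50 WHERE id = 4412
2024-03-02T14:06:40Z app_web 10.0.1.20 SELECT ssn, name FROM customers
2024-03-02T14:07:02Z app_web 10.0.1.20 ALTER TABLE audit_log DISABLE TRIGGER ALL
2024-03-02T23:41:09Z dba_jane 203.0.113.9 SELECT * FROM customers
2024-03-02T23:42:30Z dba_jane 10.0.9.3 GRANT ALL ON customers TO app_web
2024-03-02T23:50:00Z dba_jane 10.0.9.3 CREATE INDEX customers_name_idx ON customers (name)
"""

# Hypothetical policy for this environment.
SENSITIVE_TABLES = {"customers"}
DBA_ACCOUNTS = {"dba_jane"}
ALLOWED_NETWORKS = {                      # where each account may connect from
    "app_web": ipaddress.ip_network("10.0.1.0/24"),
    "dba_jane": ipaddress.ip_network("10.0.9.0/24"),
}
DDL_VERBS = {"CREATE", "ALTER", "DROP", "TRUNCATE"}
PRIVILEGE_VERBS = {"GRANT", "REVOKE"}
ROLE_STATEMENTS = (["CREATE", "ROLE"], ["ALTER", "ROLE"], ["CREATE", "USER"], ["ALTER", "USER"])

Event = namedtuple("Event", "ts user client stmt")
Alert = namedtuple("Alert", "ts user rule stmt")


def parse_line(line):
    ts, user, client, stmt = line.split(maxsplit=3)
    return Event(ts, user, client, stmt)


def rule_unexpected_client(ev):
    # Connection from outside the network this account is expected to use.
    net = ALLOWED_NETWORKS.get(ev.user)
    return net is None or ipaddress.ip_address(ev.client) not in net


def rule_privilege_change(ev):
    # Any grant, revoke or role/user change is worth a human's attention.
    words = ev.stmt.upper().split()
    return words[0] in PRIVILEGE_VERBS or words[:2] in ROLE_STATEMENTS


def rule_ddl_from_non_dba(ev):
    # Schema and trigger changes belong to DBAs under change control,
    # never to an application account (disabling audit triggers, for instance).
    return ev.stmt.split()[0].upper() in DDL_VERBS and ev.user not in DBA_ACCOUNTS


def rule_bulk_sensitive_read(ev):
    # A SELECT on a sensitive table with no WHERE clause reads every row.
    m = re.match(r"SELECT\b.*?\bFROM\s+(\w+)", ev.stmt, re.I)
    return (bool(m) and m.group(1).lower() in SENSITIVE_TABLES
            and not re.search(r"\bWHERE\b", ev.stmt, re.I))


RULES = [
    ("unexpected_client", rule_unexpected_client),
    ("privilege_change", rule_privilege_change),
    ("ddl_from_non_dba", rule_ddl_from_non_dba),
    ("bulk_sensitive_read", rule_bulk_sensitive_read),
]


def monitor(log_text):
    """Run every rule over every event; one Alert per (event, matching rule)."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for name, rule in RULES:
            if rule(ev):
                alerts.append(Alert(ev.ts, ev.user, name, ev.stmt))
    return alerts


if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG):
        print(f"{a.ts} {a.user:9} {a.rule:21} {a.stmt}")
```

On the sample log the first two statements and the DBA's own `CREATE INDEX` pass silently, while the application account's full read of `customers`, its attempt to disable the audit triggers, the DBA session from an unexpected address, and the `GRANT ALL` each produce an alert. The point of the last two rules is that an audit trail is only useful if something reads it; the point of the trigger-disable rule is that the audit trail itself is a target.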
7. Authentication, access control and entitlement management
Not all data and not all users are created equal. You must authenticate users, you must
ensure full accountability per user, and you must manage privileges to limit access to data.
You need to enforce these privileges even for the most privileged database user. You also
need to review entitlement reports periodically as part of an audit process.
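An entitlement review is harder than reading the grant table, because privileges arrive through role membership, and roles nest. As an added example (not code from the original post or from Imperva), the following resolves effective privileges for each account through nested roles and flags the cases a reviewer would want to decide on. The grant list, role membership, account inventory and policy thresholds are constructed for the example.

```python
from collections import deque

# Hypothetical policy for the review.
SENSITIVE = {"customers"}
APPROVED_SUPERUSERS = {"dba_jane"}
DDL_PRIVS = {"CREATE", "ALTER", "DROP", "TRUNCATE"}
DORMANT_DAYS = 90

# Constructed entitlement report: (grantee, privilege, object). Grantees are
# roles or accounts; "*" means the whole instance.
GRANTS = [
    ("readers", "SELECT", "orders"),
    ("readers", "SELECT", "customers"),
    ("ops", "SELECT", "customers"),
    ("ops", "UPDATE", "customers"),
    ("ops", "DROP", "customers"),
    ("PUBLIC", "SELECT", "customers"),
    ("admins", "SUPERUSER", "*"),
]

# Role membership as it might be dumped from the catalog. The ops role was added
# to admins at some point, which is exactly the kind of thing a review should catch.
ROLE_MEMBERS = {
    "readers": {"analyst_bob", "intern_tim"},
    "ops": {"app_web"},
    "admins": {"dba_jane", "contractor_x", "ops"},
}

# Account inventory: (account type, days since last login).
ACCOUNTS = {
    "app_web": ("service", 0),
    "analyst_bob": ("person", 3),
    "intern_tim": ("person", 210),
    "dba_jane": ("person", 1),
    "contractor_x": ("person", 12),
}


def roles_of(user):
    """Every role the user holds, directly or through nested membership, mapped to
    the path by which it is inherited (e.g. 'app_web<ops<admins')."""
    paths = {user: user}
    queue = deque([user])
    while queue:
        current = queue.popleft()
        for role, members in ROLE_MEMBERS.items():
            if current in members and role not in paths:
                paths[role] = paths[current] + "<" + role
                queue.append(role)
    paths["PUBLIC"] = user + "<PUBLIC"   # every account is a member of PUBLIC
    return paths


def effective_grants(user):
    """The grants a user actually holds, each with its inheritance path."""
    paths = roles_of(user)
    return [(priv, obj, paths[grantee]) for grantee, priv, obj in GRANTS if grantee in paths]


def review():
    """(account, rule, detail) for every entitlement that needs a human decision."""
    findings = []
    for user, (kind, idle_days) in ACCOUNTS.items():
        grants = effective_grants(user)
        for priv, obj, path in grants:
            if priv == "SUPERUSER" and user not in APPROVED_SUPERUSERS:
                findings.append((user, "unapproved_superuser", path))
            if kind == "service" and priv in DDL_PRIVS:
                findings.append((user, "service_account_ddl", f"{priv} on {obj} via {path}"))
        sensitive = sorted({obj for _, obj, _ in grants if obj in SENSITIVE})
        if idle_days > DORMANT_DAYS and sensitive:
            findings.append((user, "dormant_with_sensitive_access", ", ".join(sensitive)))
    for grantee, priv, obj in GRANTS:
        if grantee == "PUBLIC" and obj in SENSITIVE:
            findings.append(("PUBLIC", "public_grant_on_sensitive", f"{priv} on {obj}"))
    return findings


if __name__ == "__main__":
    for account, rule, detail in review():
        print(f"{account:12} {rule:30} {detail}")
```

The finding that matters most here is the one that is invisible in the raw grant table: the application account `app_web` is a superuser via `app_web<ops<admins`, so the path is printed with every finding to make the fix (remove `ops` from `admins`) obvious to the reviewer.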
8. Encryption
Use encryption to render sensitive data unreadable to anyone who gets hold of it outside the
database's own access controls. This includes encryption of data in transit, so that an
attacker cannot eavesdrop at the network layer and read data as it travels between the
database and its clients, and encryption of data at rest, so that an attacker who obtains the
storage media or the data files cannot extract the data from them.
*** This is a Security Bloggers Network syndicated post from the Imperva blog, authored by Ron Bennatan. Read the original post at: https://www.imperva.com/blog/top-8-database-security-best-practices/