Published on July 9th, 2019
Database management: The security checklist for every data-driven deployment
Security threats have become a ubiquitous problem for American companies, and reports find that damage related to cybercrime is projected to hit $6 trillion annually by 2021. According to Accenture, the most expensive component of a cyber attack is data loss, which represents 43 percent of cybercrime.
The first few months of 2019 have shown that the ever-growing threat of data breaches continues to trouble companies across industries, with vulnerabilities striking everywhere, including dating apps, data analytics firms, hotel databases and medical records. Stolen data is now showing up for sale on the dark web, extending the life and reach of these violations. And it’s likely that the emergence of 5G will add to the complexity of data security, as companies prioritize first-to-market strategies rather than focusing on security.
Cybersecurity threats are very real, but organizations can mitigate problems by adhering to a security ‘checklist’ to limit their chances of exposure. According to the Pew Research Center, 64 percent of Americans say they have personally experienced a major data breach and now lack trust in key institutions that hold sensitive information.
Despite the threat, some organizations neglect to take adequate steps to protect their databases. Sites that scan the internet for databases show deployments that do not take even the simplest security steps. There are four mandatory activities that every organization should be aware of when deploying a database to ensure data security and protect against a variety of common security threats, both malicious and accidental.
Secure the environment
The simplest step for environmental security is ensuring that your server has a firewall enabled to limit access to only the necessary ports and interfaces. If whole-internet access is not needed, limiting incoming connections to specific IPs, ranges or subnets protects the good and keeps out the bad.
The servers hosting your database should have limited user access and should be kept up to date with all security patches for the operating system and database system you are running.
It is also beneficial to use encryption between clusters over a secure tunnel or intra-cluster TLS encryption when sending data over the public internet.
For databases collecting massive volumes of data, you may also want to encrypt the data at rest. Enabling this protection tends to have a minimal effect on throughput and can protect from certain attacks on a disk or server that is physically stolen. When considering file encryption, you may also want to encrypt backup files as these are frequently moved to remote locations and may become a target for intruders.
Limit attack surface area
There are various ways companies can reduce their exposure to vulnerabilities and increase database security. One strategy is using non-default ports to make port scanning harder. While changing the ports from their default values does not make the server itself any more secure, it does reduce the server's exposure by making port scanners that cast a wide net looking for exposed, vulnerable servers work harder.
Companies should direct all database traffic to internal networks or encrypted tunnels, rather than the public internet. Many servers have multiple network interfaces, which allows you to route different types of traffic on different networks. Select a database that allows you to route traffic on specific interfaces that are on internal networks. By having client applications, database replication and administrative functions use an internal network, it becomes harder for outside attackers to gain access to your database through an
Regardless of whether the interfaces are internal or external, the standard method for securing web traffic is Transport Layer Security (TLS/SSL). When protecting an internal interface, not only can you encrypt the data between clients and the database, you can also encrypt data between the individual nodes of the cluster, that is, on the internal interfaces. Though using TLS/SSL encryption on the internal interfaces of a database cluster can impact latency, if your database’s internal interface is connected to a public network, it’s an important option to consider.
If your clients connect to the database via a public network, in addition to enabling security on the database itself, consider encrypting the communication between the clients and the database servers. You can do this as well with TLS/SSL.
Enable database authentication and access control
Enable database security options that require a username and password or some other authentication mechanism for access to data. Selecting a database that allows role-based access control (RBAC) is one of the most effective ways to increase security. RBAC refers to giving the right levels of access by assigning roles to users and applications that connect to the database. A role is a collection of permissions or privileges to objects or operations in the database.
Organizations should implement security using the principle of least privilege, limiting the access of client applications and users so that they hold no more privileges than are absolutely necessary. In the event of a leak or theft of credentials, minimal privileges will limit the ability of attackers to get full access to sensitive systems and information. Access control can also be used to prevent access to sensitive data records by database operators and administrators.
Being on the receiving end of hackers who obtain your database username and password can be a nightmare. Database deployments should use safe and secure methods for authentication. This can be a centralized and secure authentication technology, such as Kerberos, or username/password based security. Between client and server, passwords should never cross the wire in plaintext, and they are further protected when paired with TLS/SSL encryption.
Audit access and behavior
Lastly, after implementation, companies should consistently monitor for failed or unusual authentication attempts in their security logs to ensure that authentication attempts follow expected patterns. Organizations should also be sure to capture database configuration changes and administrative actions, especially those that attempt to modify security settings.
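As an added example, not from the original article: a small Python script that applies the three checks just described (bursts of failed authentication, successful logins from networks an account does not normally use, and configuration changes to security settings) to a constructed audit log. The log line format, the per-account network baseline and the setting-name prefixes are assumptions, not any particular product's conventions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit-log lines in a hypothetical generic format (adapt LINE_RE to your product).
SAMPLE_LOG = """\
2019-07-09T10:00:01Z AUTH_OK user=app_reader src=10.0.1.5
2019-07-09T10:00:03Z AUTH_FAIL user=admin src=203.0.113.7
2019-07-09T10:00:04Z AUTH_FAIL user=admin src=203.0.113.7
2019-07-09T10:00:05Z AUTH_FAIL user=root src=203.0.113.7
2019-07-09T10:00:06Z AUTH_FAIL user=admin src=203.0.113.7
2019-07-09T10:00:07Z AUTH_FAIL user=admin src=203.0.113.7
2019-07-09T10:02:11Z AUTH_OK user=admin src=198.51.100.9
2019-07-09T10:02:30Z CONFIG_CHANGE user=admin src=198.51.100.9 setting=security.authorization value=disabled
"""
LINE_RE = re.compile(r"^(\S+) (\w+) user=(\S+) src=(\S+)(?: (.*))?$")
EXPECTED_SOURCES = {"app_reader": ["10.0.1.0/24"], "admin": ["10.0.2.0/24"]}  # assumed baseline
SECURITY_PREFIXES = ("security.", "net.tls.", "auth.")  # assumed setting-name prefixes

def parse_log(text):
    """Parse lines into dicts (ts, kind, user, src, plus key=value extras), oldest first."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, kind, user, src, rest = m.groups()
        extra = dict(kv.split("=", 1) for kv in (rest or "").split())
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "kind": kind, "user": user, "src": src, **extra})
    return sorted(events, key=lambda e: e["ts"])

def failed_auth_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Source IPs with at least `threshold` AUTH_FAIL events inside one `window`."""
    by_src = {}
    for e in events:  # events are chronological, so each list is already sorted
        if e["kind"] == "AUTH_FAIL":
            by_src.setdefault(e["src"], []).append(e["ts"])
    return {src: len(t) for src, t in by_src.items()
            if any(t[i + threshold - 1] - t[i] <= window
                   for i in range(len(t) - threshold + 1))}

def unexpected_logins(events, expected=EXPECTED_SOURCES):
    """Successful logins from outside the networks the account normally uses."""
    return [(e["user"], e["src"]) for e in events if e["kind"] == "AUTH_OK"
            and not any(ip_address(e["src"]) in ip_network(n)
                        for n in expected.get(e["user"], []))]

def security_setting_changes(events):
    """Configuration changes that touch authentication, authorization or TLS."""
    return [(e["user"], e["setting"], e.get("value")) for e in events
            if e["kind"] == "CONFIG_CHANGE"
            and e.get("setting", "").startswith(SECURITY_PREFIXES)]
```

On the sample log, the burst check flags 203.0.113.7, the baseline check flags the admin login from 198.51.100.9, and the setting check surfaces the authorization change made from that same session.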
Unfortunately, even with best practices and all precautions taken, organizations are still at risk of breaches. With massive influxes of data promised to arrive with IoT and 5G, being confident in cybersecurity will make data operations far more manageable. With these four measures in place, organizations can feel increasingly confident in their day-to-day ability to handle the data appropriately.