Learn the complexities of database security and some of the practices, policies, and technologies that will protect the confidentiality, integrity, and availability of your data.
What is database security

Database security refers to the range of tools, controls, and measures designed to establish and preserve database confidentiality, integrity, and availability. This article will focus primarily on confidentiality since it’s the element that’s compromised in most data breaches. Database security must address and protect the following:
Database security is a complex and challenging endeavor that involves all aspects of information security technologies and practices. It’s also naturally at odds with database usability. The more accessible and usable the database, the more vulnerable it is to security threats; the more invulnerable the database is to threats, the more difficult it is to access and use. (This paradox is sometimes referred to as Anderson’s Rule.)

Why is it important

By definition, a data breach is a failure to maintain the confidentiality of data in a database. How much harm a data breach inflicts on your enterprise depends on a number of consequences or factors:
Common threats and challenges

Many software misconfigurations, vulnerabilities, or patterns of carelessness or misuse can result in breaches. The following are among the most common types of database security attacks and their causes.

Insider threats

An insider threat is a security threat from any one of three sources with privileged access to the database:
Insider threats are among the most common causes of database security breaches and are often the result of allowing too many employees to hold privileged user access credentials.

Human error

Accidents, weak passwords, password sharing, and other unwise or uninformed user behaviors continue to be the cause of nearly half (49%) of all reported data breaches.

Exploitation of database software vulnerabilities

Hackers make their living by finding and targeting vulnerabilities in all kinds of software, including database management software. All major commercial database software vendors and open source database management platforms issue regular security patches to address these vulnerabilities, but failure to apply these patches in a timely fashion can increase your exposure.

SQL/NoSQL injection attacks

A database-specific threat, these involve the insertion of arbitrary SQL or non-SQL attack strings into database queries served by web applications or HTTP headers. Organizations that don’t follow secure web application coding practices and perform regular vulnerability testing are open to these attacks.

Buffer overflow exploitations

Buffer overflow occurs when a process attempts to write more data to a fixed-length block of memory than it is allowed to hold. Attackers may use the excess data, stored in adjacent memory addresses, as a foundation from which to launch attacks.

Denial of service (DoS/DDoS) attacks

In a denial of service (DoS) attack, the attacker deluges the target server—in this case the database server—with so many requests that the server can no longer fulfill legitimate requests from actual users, and, in many cases, the server becomes unstable or crashes. In a distributed denial of service attack (DDoS), the deluge comes from multiple servers, making it more difficult to stop the attack.
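The secure coding practice that addresses the SQL injection threat described above is to keep user input out of the SQL text. The following is an added example, not code from the original article; the `accounts` table, its rows, and all function names are constructed for illustration, and SQLite stands in for whatever database the application uses.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 120), ("bob", 75), ("carol", 300)],
    )
    return conn

def lookup_concatenated(conn, owner):
    # Vulnerable pattern: the input becomes part of the SQL text,
    # so quote characters in it change the structure of the query.
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, owner):
    # Hardened pattern: the driver binds the value separately from the
    # statement, so it is only ever compared as data.
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()

# Identifiers such as column names cannot be bound as parameters,
# so they are checked against a fixed allowlist instead.
SORTABLE = {"owner", "balance"}

def list_sorted(conn, column):
    if column not in SORTABLE:
        raise ValueError("unsupported sort column: %r" % column)
    return conn.execute(
        "SELECT owner, balance FROM accounts ORDER BY " + column
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing a quote
    print(len(lookup_concatenated(db, crafted)))   # condition is always true
    print(len(lookup_parameterized(db, crafted)))  # treated as a literal name
    print(list_sorted(db, "balance"))
```

The allowlist in `list_sorted` covers the case that parameter binding cannot: values can be bound, but table and column names must be validated before they reach the statement.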
Malware

Malware is software written specifically to exploit vulnerabilities or otherwise cause damage to the database. Malware may arrive via any endpoint device connecting to the database’s network.

Attacks on backups

Organizations that fail to protect backup data with the same stringent controls used to protect the database itself can be vulnerable to attacks on backups. These threats are exacerbated by the following:
Best practices

Because databases are nearly always network-accessible, any security threat to any component within or portion of the network infrastructure is also a threat to the database, and any attack impacting a user’s device or workstation can threaten the database. Thus, database security must extend far beyond the confines of the database alone. When evaluating database security in your environment to decide on your team’s top priorities, consider each of the following areas:
Controls and policies

In addition to implementing layered security controls across your entire network environment, database security requires you to establish the correct controls and policies for access to the database itself. These include:
Database security policies should be integrated with and support your overall business goals, such as protection of critical intellectual property and your cybersecurity policies and cloud security policies. Ensure you have designated responsibility for maintaining and auditing security controls within your organization and that your policies complement those of your cloud provider in shared responsibility agreements. Security controls, security awareness training and education programs, and penetration testing and vulnerability assessment strategies should all be established in support of your formal security policies.

Data protection tools and platforms

Today, a wide array of vendors offer data protection tools and platforms. A full-scale solution should include all of the following capabilities:
Database security and IBM Cloud

IBM-managed cloud databases feature native security capabilities powered by IBM Cloud Security, including built-in identity and access management, visibility, intelligence, and data protection capabilities. With an IBM-managed cloud database, you can rest easy knowing that your database is hosted in an inherently secure environment, and your administrative burden will be much smaller. IBM also offers the IBM Security Guardium smarter data protection platform, which incorporates data discovery, monitoring, encryption and tokenization, and security optimization and risk analysis capabilities for all your databases, data warehouses, file shares, and big data platforms, whether they’re hosted on-premise, in the cloud, or in hybrid environments. In addition, IBM offers managed Data Security Services for Cloud, which includes data discovery and classification, data activity monitoring, and encryption and key management capabilities to protect your data against internal and external threats through a streamlined risk mitigation approach.

Which technique is used for data protection?

Encryption—alters data content according to an algorithm that can only be reversed with the right encryption key. Encryption protects your data from unauthorized access even if data is stolen by making it unreadable.

How many techniques are used to secure the database?

For securing a database there are three fundamental principles: confidentiality, integrity and availability. Along with classifying data, a complete method of securing a database requires: access control to the database and its contained objects, backup and restore plans, audits, and secured network connections.

How can we protect data in a database in a DBMS?

Encryption is a technique of encoding data, so that only authorized users can understand it. Encryption alone, however, is not sufficient to secure your data. Protecting data in the database includes access control, data integrity, encryption, and auditing.

Which method is used to protect the confidentiality of data?

Encryption is a process that renders data unreadable to anyone except those who have the appropriate password or key. By encrypting sensitive files (by using file passwords, for example), you can protect them from being read or used by those who are not entitled to do either.