It seems every week there is another data breach in the news, which translates to millions and millions of personal records, credit card numbers, and other pieces of confidential information stolen each month. The victims of these breaches include important companies with professional IT staff. Thus, obviously, everyone is vulnerable.
What’s more, the cost of a breach is $188 per record compromised, according to the Ponemon Institute. The number of stories about companies declaring bankruptcy after a data breach is scary. Google it. This brings up an important question: What is the role of the DBA in securing data?
Now, you may be thinking: “Shouldn’t the network guys be responsible for security? After all, they’re in charge of the firewalls and the other security tools we employ.” I wish it were that easy. The reality is that DBAs must play a critical role in data security.
Databases Are Secure, Right?
Data is almost always a company’s most valuable asset, spanning customer lists, financial data, personal information, credit cards, and beyond. And, almost always, this information is stored in a database—a SQL database, in fact.
So, you may also be thinking, “SQL databases are mature technology, they’ve got to be quite secure by now. I mean, come on, SQL injection attacks started almost 20 years ago. We’ve figured out how to defend against them over the course of the last 2 decades, right?”
Well, let’s consider the facts:
- IBM detected an average of 1,500 SQL injection attacks per month in 2015.
- SQL injection was one of the top web application vulnerabilities in 2007.
- SQL injection was rated the No. 1 attack by OWASP as recently as 2013.
- SQL injection attacks continue to evolve—have you heard about compounded, blind, or inference SQL injection attacks or how they are being used together with XSS and DNS hijacking?
With the understanding that your databases are not inherently secure, the question becomes: How do you make sure you are doing everything a DBA should to protect your company’s data?
Data Security Essentials for DBAs
- Protect against SQL injection attacks by using parameterized statements, validating input in forms, and deploying log management security tools that can detect common attack patterns.
- Maintain a record of which databases and tables contain personally identifiable information and other particularly sensitive data. Review privileges and access logs regularly.
- Identify which workloads and datasets require meeting compliance standards and understand the specific technical requirements, processes, and reporting obligations.
- Review your encryption (and key management) policy and practices for data at rest and in transit, especially for any databases outside your network, such as those in the cloud, colocation facilities, offsite backups, etc.
- Monitor database performance and unusual spikes in database activity to identify potential unauthorized activity. When activity increases beyond historical baselines, investigate the applications, user accounts, and IP addresses causing the spike.
- Use a security tool to analyze and correlate database and web server logs in real time to identify suspicious activity, such as failed login attempts, logins from malicious IP addresses, changes to user rights, and log deletion.
- Improve situational awareness: when there is a failed database login, identify any other activity related to the same account and database.
- Patch management is important. Automate the process of updating and patching your database software with the latest updates.
- Ensure there is clear communication to end users, and processes in place, to prevent copies of databases from residing on personal computers.
- Monitor large extractions of data and protect against downloads to USB drives on workstations.
- Review your disaster recovery plan and test it regularly with dry runs.
- Establish a process for anyone in IT to “blow the whistle” when something suspicious is found, a process for investigating such an event, and a plan for what you will do if a breach is detected.
- Conduct penetration testing regularly, ideally having it done by a third party, including testing for defense against social engineering tactics.
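The first item in the list, parameterized statements plus form-side validation, is easiest to see side by side. The following Python example is added here and is not code from the article; it assumes an in-memory SQLite table with constructed rows, and the `users` table, the username format rule, and the function names are all assumptions made for the demonstration. It shows the same hostile input handled three ways: concatenated into the query text (every row leaks), bound as a parameter (no rows), and rejected at the form boundary before the query runs.

```python
import re
import sqlite3

# Allowlist for a username field: letters, digits, and a few punctuation marks (assumed rule).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    """Constructed in-memory users table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """The pattern to avoid: the form value becomes part of the SQL text."""
    query = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterized statement: the value is bound by the driver, never parsed as SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def valid_username(value):
    """Form-side validation: accept only the characters a username may contain."""
    return USERNAME_RE.fullmatch(value) is not None


def lookup(conn, username):
    """What the application layer should do: validate first, then query with parameters."""
    if not valid_username(username):
        # Reject at the boundary; a real application would also log the rejected value
        # so the log management tooling can spot repeated attack patterns.
        return None
    return find_user_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, hostile))  # both rows leak
    print("parameterized:", find_user_safe(db, hostile))  # no rows
    print("validated:", lookup(db, hostile))  # None, rejected before querying
    print("normal:", lookup(db, "alice"))  # [(1, 'alice')]
```

Validation is a second layer, not a replacement for parameters: the parameterized query is what makes the hostile value harmless, while the allowlist keeps junk out of the database and gives the detection tooling something to count.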
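The log correlation and situational awareness items in the list are the kind of thing a log management tool does for you, but the logic is small enough to show directly. The following Python example is added here and is not code from the article or from any particular product; the log line format, the sample lines, the burst threshold, the list of high-risk events, and the denylisted IP address are all constructed for the demonstration. It flags accounts with a burst of failed logins, then pulls every other event for the same account and database so the high-risk follow-up actions (a privilege grant, deletion of the audit log) appear in the same finding, and separately flags any login from a denylisted address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article); the format is an assumption.
SAMPLE_LOG = """\
2016-03-01T10:00:01Z db=orders user=appsvc src=10.0.0.5 event=LOGIN_OK
2016-03-01T10:01:10Z db=orders user=dba_joe src=198.51.100.7 event=LOGIN_FAILED
2016-03-01T10:01:12Z db=orders user=dba_joe src=198.51.100.7 event=LOGIN_FAILED
2016-03-01T10:01:15Z db=orders user=dba_joe src=198.51.100.7 event=LOGIN_FAILED
2016-03-01T10:01:20Z db=orders user=dba_joe src=198.51.100.7 event=LOGIN_OK
2016-03-01T10:02:00Z db=orders user=dba_joe src=198.51.100.7 event=GRANT target=reporting_ro
2016-03-01T10:03:00Z db=orders user=dba_joe src=198.51.100.7 event=DELETE_AUDIT_LOG
2016-03-01T10:05:00Z db=hr user=payroll src=10.0.0.9 event=LOGIN_OK
2016-03-01T11:30:00Z db=hr user=payroll src=10.0.0.9 event=LOGIN_FAILED
2016-03-01T12:00:00Z db=orders user=appsvc src=203.0.113.66 event=LOGIN_OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+)(?: target=(?P<target>\S+))?$"
)

# Events that change user rights or remove evidence (assumed names for this log format).
HIGH_RISK_EVENTS = {"GRANT", "REVOKE", "ALTER_USER", "DELETE_AUDIT_LOG"}
# Constructed denylist standing in for a threat-intelligence feed.
KNOWN_BAD_IPS = {"203.0.113.66"}


def parse(text):
    """Turn the raw log text into a list of dicts with parsed timestamps; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return the (user, db) pairs with at least `threshold` LOGIN_FAILED events inside any window."""
    per_key = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAILED":
            per_key[(e["user"], e["db"])].append(e["ts"])
    flagged = set()
    for key, times in per_key.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(key)
                break
    return flagged


def related_activity(events, user, db):
    """Situational awareness: everything else the same account did on the same database."""
    return [e for e in events if e["user"] == user and e["db"] == db and e["event"] != "LOGIN_FAILED"]


def analyze(text):
    """Correlate the log into a list of findings an analyst can act on."""
    events = parse(text)
    findings = []
    for user, db in sorted(failed_login_bursts(events)):
        related = related_activity(events, user, db)
        findings.append({
            "user": user,
            "db": db,
            "related_events": [e["event"] for e in related],
            "high_risk": [e["event"] for e in related if e["event"] in HIGH_RISK_EVENTS],
        })
    for e in events:
        if e["src"] in KNOWN_BAD_IPS:
            findings.append({"user": e["user"], "db": e["db"], "bad_ip": e["src"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed log the payroll account's single failure stays below the threshold, while dba_joe's three failures in five seconds, followed by a successful login, a GRANT, and an audit log deletion, come out as one finding rather than four unrelated log lines. That grouping is the situational awareness the list asks for; in practice the same correlation runs continuously over the database and web server logs rather than over a string in memory.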
Remember, security is not a technology or a quick fix. It requires well-defined processes, the right tools, and an investment in time. It’s not “someone else’s job,” nor is it something you work on if or when you have free time, which, by the way, will end up being never. Security management must be a priority for you as a database administrator. It might be the most important part of your job.