Principles of Database Security Planning

As the volume of digital information being produced across industries grows at record rates, databases are becoming more integral to organizations than ever before. These data stores contain the lifeblood of an organization and the sensitive information within them must be protected from improper access and breaches, which continue to rise in frequency. In 2017, there were more than 1,500 data breaches reported in the U.S. alone—nearly a 45% increase year-over-year—and according to the Ponemon Institute, the average cost of a data breach rose to $3.86 million.

Cybercriminals will use every tool in their bag to try to gain access to an organization’s sensitive data. This might include leveraging social engineering, phishing emails, malware, security exploits, compromised endpoints and user credentials, or unpatched vulnerabilities, to name a few. Yet, even as threats increase, at many organizations, database security is given less importance than perimeter defenses. Organizations often reinforce their network perimeters through firewalls and other security measures, but overlook the databases themselves.

To reduce the risk of compromise and maintain compliance with numerous data security regulations, organizations must extend data protection measures down to the database level and implement a robust, database-specific security plan. An effective database security program requires commitment and discipline across the organization. Policies must be established, standard configurations must be reviewed, and databases must be continuously monitored for compliance. Most importantly, an operational methodology consisting of technology, people, and processes must be documented and institutionalized.

The following are some best practices for creating your database security program.

Begin with a Thorough Assessment

The first step in establishing a strong database security program is to assess the current state of operations and ensure you have an accurate database inventory. Determine who owns the rogue databases that will likely be uncovered during the assessment and classify databases that are mission-critical to the organization. The assessment should also cover policy management, vulnerability management, and access management in order to identify any issues or areas that need immediate remediation. The assessment phase is necessary for establishing a baseline of known database configurations and user privileges. Prioritize and fix the most critical issues first, then after working through the list, retest to document remediation progress.

A common misstep and a sure path to spending more than necessary on a database security program is bypassing the assessment phase and installing database activity monitoring (DAM) without first understanding how critical elements integrate. Deploying DAM before conducting due diligence will often result in a solution that monitors and collects everything, generating overwhelming reports, logs of indeterminate data, and a flurry of false positive/negative alerts, which then lead to resource drain and frustration.   

Define Security Standards and Compliance Policies

Policy management is a continuous process. Without defined polices and standards to conform to, an organization cannot measure compliance or progress against benchmarks. In many instances, organizations develop robust corporate policies for protecting data as it traverses the network but fail to map those policies back to the databases themselves. When security weaknesses are remediated, it is usually a reaction to an incident rather than a proactive response to a standard or policy. A good rule of thumb is to review and update your policies after patching vulnerabilities or installing new versions of software, to ensure they account for the latest security configurations and settings. 

When defining standards and policies, make sure to have answers for the following:

  • What is the frequency of policy updates?
  • Who is the person (or persons) responsible for updating policies?
  • What are the triggers for policy change?
  • What is the approval process for a policy change?

Conduct Vulnerability and Configuration Audits

Regardless of the industry in which they operate, most organizations need to demonstrate compliance with more than one set of business, security, or regulatory policies. Because databases are often an organization’s largest repository of sensitive data, they typically fall within the scope of regulatory compliance checks and the inevitable IT audit. IT security and compliance teams will often partner with DBAs to ensure database security configurations meet the requirements of any number of industry standards and regulations, such as: Sarbanes-Oxley, the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act (FISMA), the EU’s General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA).

To demonstrate effective controls surrounding sensitive data, organizations will need to run a baseline audit and establish a practice of continuous assessment to ensure issues are remediated in a timely manner and progress is tracked against the organization’s standards. An exemplary model to follow is the Continuous Diagnostics and Mitigation (CDM) mandate developed by the Department of Homeland Security (DHS) for ensuring database vulnerability compliancy.

DBAs should also ensure they stay current on database versions and patches as soon as they become available or, at the very least, prioritize patches based on criticality. Leverage the built-in security protocols and controls of your database, unless there is a valid reason to keep them off. Delete or disable any unnecessary or unused features or services but be sure to document all exceptions before the auditor shows up. Misconfigured database configurations and security controls can inadvertently lead to system compromise, so test and retest to be sure you have a handle on everything, especially after applying a patch.     

Identify Users with Excessive Privileges 

One particularly challenging question for many organizations is, “Who has access to my sensitive data?” Overprivileged user accounts can be leveraged to gain unauthorized data or systems access, and even to erase evidence along the way. Many database scanning technologies can not only identify vulnerabilities and misconfigurations, but also users, roles, and privileges. The only way to establish meaningful controls that track how users interact with data, or to capture an audit trail for use in a breach investigation, is to know who has access to what data, and why, when, and how they’ve been granted that access.

Frequently review not only who has administrative access, but also that database users have appropriate and minimum privileges necessary to perform their work (the Principle of Least Privilege). While enforcing segregation of duties in the database may seem to be a daunting and manually intensive job, automating rights review assessments can save upward of 80 man-hours per database instance.

Detect, Alert, and Respond to Policy Violations in Real Time

After conducting a thorough discovery and assessment of databases and implementing best practices in access control, organizations may want to consider implementing a real-time DAM solution to keep the database security plan in line. Monitoring gives security teams the needed up-to-the-second intelligence to take prompt action such as terminating user sessions or locking down accounts when violations occur or threats are perceived. Further, monitoring privileged user activity helps ensure that authorized activities are securely tracked, unauthorized behavior is not occurring, and ongoing monitoring of the database helps identify new avenues of attack.

Keep in mind that you don’t need to monitor everything, or you will find yourself constantly searching for the needle in the haystack. Instead, determine what is most important for your business to monitor—such as critical databases, sensitive database objects, highly privileged accounts, policy violations, access during off-hours from unauthorized hosts, or from services accounts reserved for recurring tasks or system maintenance jobs, etc. Be prescriptive in your monitoring policy.

Parting Advice

By following these steps, you will be well on your way to establishing a strong database security program. There are, however, a few remaining best practices that can help take your program to the next level. Consider encrypting data at rest, in use, and in motion. Seek out guidance and use security checklists and frameworks from government agencies and industry standards bodies such as the Center for Internet Security (CIS), the Defense Information Systems Agency’s Security Technical Implementation Guide (DISA-STIG), and others.

Finally, hack yourself. It is the only way to know what the auditor—or an attacker—will find, before they show up. If you don’t have the skills or time to do this yourself, consider working with a security company that offers managed database scanning. After implementing the above advice, “rinse and repeat” to ensure your database security program is repeatable and measurable. Make sure your reporting and analytics produce a clear and accurate picture of your database security posture, as well as the progress made since your last report. 

Establishing or operationalizing a database security program can be daunting and resource-intensive. If your organization is just getting started, or if it doesn’t have the necessary in-house expertise, consider bringing in experts to help establish a plan and build a program suited to your goals, and integrate that plan with your existing security solutions and teams. By incorporating database security planning into your larger IT security strategy, you will help your organization better protect its most valuable data assets and seal a serious gap that is far too often exploited by cybercriminals.

For more articles like this, check out the Cyber Security Sourcebook here.