Database Security For Managers
Essay by 24 • November 21, 2010 • 1,170 Words (5 Pages) • 1,518 Views
Executive Summary
What do recent well-publicized data breaches have in common? With the exception of lost laptops, purloined handheld devices, dumpster divers, or someone physically nicking a PC from the office, all breaches involve a common entity: the database. (Schwartz) Virtually every corporation maintains a database that contains critical business information, from customer contact or account data to order tracking information and human resource records. Today, enterprises must comply with industry and government regulations that charge businesses with ensuring the security of this sensitive information. At the same time, databases are increasingly subject to attack by internal and external attackers who no longer seek notoriety but want financial rewards. By compromising the security of databases and obtaining customers' personal data, committing fraud, or blackmailing the targeted company, attackers can jeopardize the reputation, financial standing, and customer trust of a business. Consequently, database security has become a serious concern for an increasing number of corporations. Security vendors are responding by designing technologies that complement and extend traditional database solutions. This paper will examine some techniques currently available that protect database information and provide some tips that managers can use to improve data security and integrity.
Principle Reference
Schwartz, Matthew (January 14th, 2008) "10 Database Security Tips for Smaller Businesses" [Electronic Version] , bmighty.com, Retrieved January 22, 2008 from http://www.bmighty.com/security/showArticle.jhtml?articleID=205604358
Database Security
A variety of techniques exist for managers to examine that can be used to combat database attacks. Most databases can generate an audit log of operations performed on the database. Auditing records malicious activities on the database, such as failed logins or attempts to abuse access privileges, but it does not highlight internal attacks, such as someone with valid permissions taking data for purposes other than the intended use. Also, it takes time to review audit logs, and malicious activity may not be obvious to the untrained eye. The main reason many companies do not keep extensive audit trails, is because maintaining an audit log requires significant processing power, which has a negative impact on the database server. In fact, auditing can sometimes cause a 30 percent or greater degradation in overall database performance, a hit that many
organizations cannot afford to take.
The traditional approach to database security is access control. With this approach, database tables are configured with access controls to ensure that only authorized users with specific roles are issuing database queries. Access controls provide a necessary level of database protection; however they are typically looser than desirable to accommodate the needs of the client application. This discrepancy is the outcome of a disparity between the way applications and databases are engineered. An enterprise application must serve thousands or potentially millions of different users simultaneously, accessing the database rapidly to perform various actions requiring varying permissions. The application front end accepts requests (in the form of HTTP or SOAP) from users, and its business logic processes those requests, sending appropriate queries to the back-end database to retrieve or update information. Today, most enterprise applications are designed to access the database via a single master account with high-level access to the database. This freewheeling access to the database enables the application to process virtually any request on behalf of any user without a concern about security. Leaving access controls looser than necessary on the database results in weaker security. If an attacker compromises the application, he or she can cause it to issue other commands to the database with the near root-level access granted to the application. SQL injection is one type of attack that exploits this weakness in the typical application-database system. The attacker enters specially crafted characters into an application field, which are not detected by the application and are sent directly to the database. This allows the attacker to issue commands directly to the database through the application. Since the application has near root-level access to the database, the command likely will not violate any access control rules enforced by the database, enabling the attacker to leverage the full capabilities of the application.
In-database field encryption is the process of encrypting high-valued fields, such as credit card or national identity numbers, directly in the database. Such encryption safeguards the database in the event that an attacker steals the hard drive of the database server or the entire database
...
...