Keeping their databases secure is one of the things that can keep a DBA up at night. There might be pressure to improve performance to satisfy restless users or maximize system resources to return unneeded disk space to the organization. But those concerns pale when compared to the specter of a data breach or discovering that unauthorized users have access to the company’s valuable information. Those are the kinds of issues that are more likely to lead to a member of the database team cleaning out their cubicle.
Instituting database security is not something that can be done effectively by adopting a reactive approach. It’s far too late to address security flaws once they have been exploited by a hacker or curious user who was not prevented from perusing sensitive data they were not authorized to view. Data breaches cannot be rolled back. Once a database has been compromised, it is too late. At that point, measures are required to minimize the damage that will be done to the enterprise and the individuals whose data was stolen.
Proactive Database Defense Begins with Security Policies
The goal of security in any aspect of an IT environment is to prevent unauthorized intrusion and the associated risk to an organization’s computing systems. Accomplishing this goal is best done through the use of security policies designed to mitigate or eliminate threats. A viable security policy is comprised of many interrelated elements. Some of the most critical to institute include:
- Data security accountability – Everyone in the organization needs to understand their responsibilities regarding sensitive or important data and their role in protecting it. A concept that is critical for implementing accountability is the classification of data into various categories that may require varying levels of protection. Data governance is a valuable practice that enables everyone in the enterprise to gain a better knowledge of the types of data in play and how it needs to be protected.
- Hardened network defenses – Keeping intruders away from your systems is vitally important. If hackers can’t get to your databases, they can’t hurt them. Mistakes in configuring remote access capabilities can leave systems vulnerable to attack. Incorporating robust network monitoring to immediately detect suspicious activity is mandatory when developing your security policy.
- Securing database servers – The servers on which your databases run present a distinct and fundamental component of their security. Locking down access to the database while permitting uncontrolled access to root operating system privileges will not adequately protect your data. A holistic approach that addresses access to databases and their associated servers is necessary to fully protect your databases.
- Vulnerability scanning and patching – Hackers are notorious for attempting to exploit vulnerabilities as soon as they are discovered by security professionals. To thwart their efforts, an enterprise needs to engage in a program of regularly scanning their systems and databases for security flaws and acting quickly to address them with the recommended updated and patches.
- An incident response plan – In the event that a data breach or related security incident occurs, an organization should have a plan in place to address it. Scrambling after the fact will only exacerbate the problem and may lead to further negative impacts on the enterprise’s reputation. The plan needs to include making the proper notifications if a data breach occurs as well as forensic techniques to resolve the issue and prevent its reoccurrence.
- Monitoring and controlling access – This may be the most important ongoing practice involved in developing a resilient security policy. Vigilant monitoring of database access and usage is required to alert the team of anomalies that may indicate that unwanted guests have arrived or are attempting to enter. The level of access enjoyed by company employees may change over time and also needs to be verified regularly. Changes in responsibilities need to be quickly reflected in database access as individuals move to different teams or leave the enterprise.
Tools for Implementing Security Policies
It’s impossible to enforce database security effectively without the right tools. You need applications that can be used to monitor the systems as well as those that can proactively and reactively address security gaps that are identified. IDERA’s DBArtisan is an administrative tool that offers many features to your database team. Among them is the ability to perform security management functions on a wide variety of database platforms.
DBArtisan supports many different databases including SQL Server, MySQL, and Oracle. The tool addresses security with intuitive wizards that assist in performing user, role and permission management from a unified interface. Logical and physical modeling can be performed on these aspects of security to gain a better understanding of what needs to be done to tighten control on access to sensitive data. Accounts can easily be migrated between different database platforms, gaining productivity for your DBAs. You can also classify data based on the level of security that it deserves.
DBArtisan can be a valuable addition to the tools your database team uses to enforce the security policy that protects their databases. Providing your team with the tools they need is the only way to ensure that enterprise security policies are implemented throughout your environment.