It is easy to believe that database security is solely the responsibility of relational database management system (RDBMS) vendors. They are the experts on their platforms and could, in theory, be the first-choice source for products that protect their databases. In reality, though, RDBMS vendors provide only part of the security picture.
Some essential security capabilities are built into relational databases: access control, identity management and encryption of communications are a few examples. But this leaves out several essential functions, such as auditing user activity, protecting against SQL injection and assessing vulnerabilities. In other cases the built-in capability exists but is not sufficient. For instance, native audit trails typically don't contain the information needed to prepare compliance reports, and the built-in encryption is usually slow and difficult to integrate.
The gap grows further once the requirements of RDBMS customers are considered, because organizations typically need to protect more than one kind of database. Single-platform solutions do not work well when an organization holds sensitive data across several databases, and in practice most companies run Oracle alongside Postgres, MySQL, DB2, Sybase and SQL Server, each platform serving its own distinct and essential tasks.
Equally problematic is that enterprise compliance and security requirements usually focus on the security of the data rather than of the infrastructure. Securing data requires more than securing the database container: how the data is used, and under what circumstances, is a question that neither the database nor its role-based access control system addresses.
For these reasons, database security tools play an important, if not the primary, role in protecting company data within the data center. Let's look at these tools and the ways they fill the gaps in the database security features available to the enterprise.
Monitoring database activity
The most important element of database security is activity monitoring, delivered by what are usually called database activity monitoring (DAM) systems. They record every SQL statement executed against the database, including administrative actions, and examine those statements to determine whether they represent behavioral, contextual or security-related misuse. These tools can detect and alert on a range of threats. They are also capable of blocking specific statements, although few organizations use the blocking feature.
The main reason most companies add DAM to their security arsenal is not only to spot threats but because it is the most effective way to gather a complete record of events for regulatory reporting, and to offer data and filtering options that the databases' integrated audit logs don't provide. Put simply, DAM is to databases what security information and event management (SIEM) and log management are to IT security data and reporting in general.
The disadvantage of DAM is that deploying local agents takes time, the tools can be expensive to buy and maintain, and policies need periodic adjustment to ensure that inappropriate activity actually generates alerts. Furthermore, businesses often decide not to block database queries, since blocking could have undesirable side effects on application state or data quality.
It's worth noting that a small segment of the DAM market offers more security-focused products, commonly known as database firewalls. They resemble a web application firewall (WAF) in that they act as proxy servers placed in front of the database rather than in front of the application, and they are designed to block malicious activity. Like WAFs, database firewalls inspect incoming traffic and filter it according to security rules as well as blacklists and whitelists of queries.
Where databases are directly exposed to external (i.e., Internet) threats, database firewalls can stop SQL injection attacks and filter out unwanted queries. They are especially useful when modifying the application would be expensive or time-consuming. There are also proxy products that mask or redact query results based on the user's privileges; these are referred to as data masking services. They alter the results returned to a user when the request is deemed untrustworthy or when the user does not have the permissions to see all the information requested.
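As an added example (not code from the original article), here is the kind of rule engine that sits behind a DAM system or database firewall as described above: it normalizes each logged statement into a template, allows statements on a learned whitelist, and otherwise alerts (log and report) or blocks based on privilege, client context and injection patterns. The audit records, whitelist entries and account names are constructed for the example.

```python
import re

# Constructed sample audit records, not from any real system: (db_user, client_app, sql)
SAMPLE_EVENTS = [
    ("app_svc", "webshop", "SELECT name, email FROM customers WHERE id = 42"),
    ("app_svc", "webshop", "SELECT name, email FROM customers WHERE id = 42 OR 1=1"),
    ("app_svc", "webshop", "SELECT * FROM customers"),
    ("dba_jane", "sqlplus", "GRANT DBA TO app_svc"),
    ("app_svc", "webshop", "DROP TABLE orders"),
    ("app_svc", "sqlplus", "SELECT name, email FROM customers WHERE id = 7"),
]

# Hypothetical whitelist of statement templates the application is known to issue;
# a real database firewall builds this during a learning phase.
ALLOWED_TEMPLATES = {
    "select name, email from customers where id = ?",
}
PRIVILEGED_KEYWORDS = ("grant ", "alter user", "drop ", "truncate ")
DBA_ACCOUNTS = {"dba_jane"}
APP_ACCOUNTS = {"app_svc": "webshop"}   # service account -> the only client expected to use it

def normalize(sql):
    """Replace literals and collapse whitespace so equivalent statements share one template."""
    s = sql.strip().lower()
    s = re.sub(r"'(?:[^']|'')*'", "?", s)      # string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)   # numeric literals
    s = re.sub(r"\s*=\s*", " = ", s)           # uniform spacing around '='
    return re.sub(r"\s+", " ", s)

def assess(user, app, sql):
    """Return (decision, reason): 'allow', 'alert' (log and report) or 'block'."""
    fp = normalize(sql)
    if user in APP_ACCOUNTS and app != APP_ACCOUNTS[user]:
        return "alert", "application credentials used from an unexpected client"
    if fp in ALLOWED_TEMPLATES:
        return "allow", "known application query"
    if any(k in fp for k in PRIVILEGED_KEYWORDS):
        if user in DBA_ACCOUNTS:
            return "alert", "privileged action by a DBA, recorded for compliance reporting"
        return "block", "privileged action from a non-DBA account"
    if re.search(r"\bor \? = \?", fp):
        return "block", "tautology in WHERE clause, an injection pattern"
    if fp.startswith("select *") and " where " not in fp:
        return "alert", "unbounded read of a whole table"
    return "alert", "statement outside the learned whitelist"

def review(events=SAMPLE_EVENTS):
    """Run every audit record through the rules, as a DAM system would."""
    return [(assess(u, a, s)[0], s) for u, a, s in events]
```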
Database assessment
Database assessment tools, also called database vulnerability assessment tools, test database configuration and patch levels. Unlike standard endpoint and server assessment tools, they examine the settings and configuration data stored inside the database itself, which server assessment tools cannot see. These tools are built specifically for databases, carry thousands of pre-built checks for specific configuration errors and for signs of common attacks, and cover not only the database vendors' recommended security best practices but industry-recommended security standards as well.
Some databases include basic security checks as part of their standard administration capabilities. The fact of the matter, though, is that third-party assessment tools are essential, because they contain details that most database vendors do not bother to address. While database vendors warn organizations about specific vulnerabilities and the related patches, third-party vendors also provide solutions, reconfigurations and analyses that the database vendors do not. They may, for instance, suggest removing database options known to pose security risks.
In addition, most third-party tools are designed with non-technical stakeholders in mind. So, while they provide the necessary separation of duties between the security and DBA teams, people who are not well versed in the technical details of databases can still make sure that the proper policies are in place and enforced.
Encryption
Most databases provide encryption features, typically to protect particular cells or columns within the database. These built-in capabilities are usually driven by the application: it is the application that has to be modified to call the database's encryption libraries to encrypt and decrypt information. This kind of encryption, known as application-layer encryption (despite being supplied by the database), has fallen out of use because of performance and integration problems.
Today most database customers use transparent database encryption, or TDE for short. TDE works on all of the data, encrypting it as it is written to disk and decrypting it as it is read back. Contrary to popular belief, it is also faster than application-layer encryption. The major advantage of TDE, however, is that it is invisible to the end user, to the application and even to the database itself, so encryption can be added without any changes to application code or database queries. The result is that the disk files and the database are protected from prying eyes.
TDE has two drawbacks. It needs a robust key management system to guarantee that the data stays secure, and any authenticated user or application receives the decrypted data on request. So while TDE solves the majority of security issues, it needs help to verify access and use.
Masking and tokenization
If an organization isn't confident in an existing database, or cannot guarantee the database's security in the long run, how can it keep the data safe? It could delete the data, but then any program that relied on it would stop working. Instead, two database security tools have gained a lot of attention in the areas of Payment Card Industry Data Security Standard (PCI DSS) compliance and test data management.
Those two are masking and tokenization.
Tokenization replaces sensitive information with a substitute that looks and behaves like the original, in the same way that an arcade or subway token stands in for cash. Applications keep running as usual, but there is no risk if the data goes missing or is stolen, because a token's only worth is as a reference to the original value. That value is stored in a separate, highly secure database, referred to as the token vault, which is accessible only to a select group of users.
Tokens can substitute for a single data element, such as a credit card number, but what happens when an enterprise has a large and complex data set that it uses for analysis?
Data masking, also called static data masking, is a method of replacing a sensitive data set with a masked copy while preserving the overall usefulness of the database. A mask is an effective way to obscure data, for example by shifting values within a salary column, replacing real names with names pulled at random from a phone book, or altering a person's date of birth by a few days from the actual value. In this way the true data is hidden, but the masked copy keeps the same characteristics as the original and still yields useful results.
Data masking and tokenization substitute sensitive data with an alternative, removing the sensitive data entirely, which may eliminate the need for database security measures altogether.
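An added example, not from the original article, that puts the two techniques described above side by side: tokenization swaps card numbers for format-preserving tokens whose real values live only in a vault that a named role can read, and static masking produces a copy of the rows that keeps the shape and distribution of the data (salaries moved within the column, names replaced, dates of birth shifted by a few days). The sample rows, stand-in names and role names are constructed for the example.

```python
import random
import secrets
from datetime import date, timedelta

# Constructed sample rows; the card numbers are made-up test values, not real PANs.
SAMPLE_ROWS = [
    {"name": "Jane Doe", "salary": 70000, "dob": date(1985, 3, 14), "card": "4111 1111 1111 1111"},
    {"name": "John Roe", "salary": 52000, "dob": date(1990, 7, 1), "card": "5500 0000 0000 0004"},
]

# Token vault: in the article this is a separate, locked-down database; here an
# in-memory dict stands in for it. Only the listed roles may look tokens up.
_vault = {}
VAULT_READERS = {"settlement_service"}   # hypothetical role allowed to detokenize

def tokenize(pan):
    """Swap a card number for a random token of the same shape, keeping the last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    while True:   # loop guards against the (tiny) chance of colliding with an existing token
        token = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4)) + digits[-4:]
        if token != digits and token not in _vault:
            _vault[token] = digits
            return token

def detokenize(token, role):
    """Only a vault reader can turn a token back into the real value."""
    if role not in VAULT_READERS:
        raise PermissionError(f"role {role!r} is not allowed to read the vault")
    return _vault[token]

FAKE_NAMES = ["Ada Lovelace", "Grace Hopper", "Alan Turing"]   # constructed stand-ins

def mask_rows(rows, seed=0):
    """Static masking: a copy whose columns keep their shape and statistics but not the real values."""
    rng = random.Random(seed)            # seeded only so the example is reproducible
    salaries = [r["salary"] for r in rows]
    rng.shuffle(salaries)                # move values within the column: same distribution, rows decoupled
    masked = []
    for row, salary in zip(rows, salaries):
        masked.append({
            "name": rng.choice(FAKE_NAMES),                          # real name replaced
            "salary": salary,
            "dob": row["dob"] + timedelta(days=rng.randint(-5, 5)),  # date shifted by a few days
            "card": tokenize(row["card"]),                           # real PAN never enters the copy
        })
    return masked
```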
Procurement
Database security tools are offered by the database vendors and by third-party security vendors, and some are included in open-source distributions. With database security software, though, the old adage "you get what you pay for" applies. Log mining tools and vulnerability scanners are usually affordable or free, but they typically lack the breadth of functionality and features, offer a poor user experience, and don't allow the customization most businesses need. Activity monitoring is an extremely complex security task that requires the most effective tools, developed by third-party security experts. Better tools with more out-of-the-box capabilities are available, but at a significant cost.
Support and training
Because these database security tools bake security and compliance knowledge into pre-built policies and procedures, they ease the burden on the security and operations teams, which means companies aren't writing rules from scratch. However, every kind of database security software, whether a single tool or a platform, is complex enough to deploy and manage that some training is necessary.
In all cases, the third-party providers of these tools offer training that is typically included in the purchase price. In most cases, two to five days of training is enough to become familiar with the platform. While these platforms require regular management and maintenance, that work can easily be handled by internal staff without the need for a dedicated, specialist support team.