WP Top 8 Database Security Best Practices | Imperva

Top 8 Database Security Best Practices


There is a large body of knowledge on what activities are required to secure databases and to comply with regulations and requirements. We’ve gathered the top 8 best practices for ensuring database security.

Databases are arguably the most important and, unfortunately, also the most complex part of our servers these days. The SQL (or NoSQL) language is richer than any other server command language. You can connect to databases using a great many networking libraries and authentication methods. There are many thousands of packages and procedures in any database, and often even an embedded Java virtual machine and an HTTP server. You can call out from the database using external procedures or various utility packages. All of this functionality is great when you look at productivity and building applications, but from a security standpoint, the more options and capabilities a server has, the harder it is to secure and monitor properly. Each such option can be used by an attacker to gain unauthorized access or to misuse authorized access.

Protecting the database is imperative

There are checklists you can follow – at least for some of the mainstream databases. This is good – it means you can adhere to a set of best practices and achieve security and compliance. To get you started we’re highlighting the top best practices for ensuring general database security.

Top Best Practices for Database Security

1. Discovery

You can’t secure that which you don’t know. You need to have a good mapping of your assets – both of your instances and sensitive data. Plus, you need to have some method of automated discovery since the state of your “asset map” will change as new workloads and systems are added.

2. Vulnerability and configuration assessment

You need to assess the configuration of your databases to ensure that they don’t have security holes in them. This verification includes both the way the database is installed on the operating system and the configuration options within a database itself. You need to verify that you are not running versions of the database with known vulnerabilities.

3. Hardening

The result of an assessment is often a set of recommendations; acting on them is the first step in hardening the database. Other elements of hardening involve removing all functions and options that you do not use.

4. Change auditing

Once you have a hardened configuration you must continually track it to ensure that you don’t drift from it. You do this using change auditing tools, which compare snapshots of the configurations (at both the operating system level and the database level) and alert you when a change is made that may affect the security of the database.
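As an added illustration of the snapshot comparison described above (example code written for this page, not Imperva's or any product's), the following script parses two constructed snapshots of a PostgreSQL-style configuration file and reports every changed setting, rating the change high severity when a setting on an assumed hardening list no longer holds its expected value:

```python
import re
# Constructed sample snapshots of a PostgreSQL-style postgresql.conf: the
# baseline taken right after hardening, and a later one from a scheduled job.
BASELINE_SNAPSHOT = """
listen_addresses = 'localhost'   # accept only local connections
ssl = on
password_encryption = scram-sha-256
log_connections = on
shared_buffers = 128MB
"""
CURRENT_SNAPSHOT = """
listen_addresses = '*'           # now reachable from any interface
ssl = off
password_encryption = scram-sha-256
shared_buffers = 256MB
"""
# Settings whose drift affects security posture, with their expected hardened
# value. This list is an assumption for the example, not a vendor benchmark.
HARDENED = {
    "listen_addresses": "localhost",
    "ssl": "on",
    "password_encryption": "scram-sha-256",
    "log_connections": "on",
}
_SETTING = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*('[^']*'|\S+)")

def parse_snapshot(text):
    """Parse `key = value  # comment` lines into a dict, dropping quotes."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'")
    return settings

def diff_snapshots(baseline, current):
    """Return (key, old, new, severity) for each changed setting: high when a
    hardened setting lost its expected value or was removed, medium when it
    changed but still holds that value, info for any other change."""
    alerts = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        if key not in HARDENED:
            severity = "info"
        else:
            severity = "high" if new != HARDENED[key] else "medium"
        alerts.append((key, old, new, severity))
    return alerts
```

Running `diff_snapshots(parse_snapshot(BASELINE_SNAPSHOT), parse_snapshot(CURRENT_SNAPSHOT))` reports the opened listener, the disabled TLS and the removed connection logging as high-severity drift, and the buffer-size change as informational.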

5. Database activity monitoring

While changes can and should be tracked using change auditing, you can also use database activity monitoring to alert on changes made through a SQL (or NoSQL) interface. Additionally, database activity monitoring lets you detect intrusions and misuse, detect fraud, and discover problems in real time, limiting your exposure considerably.

6. Auditing

Audit trails must be generated and maintained for database activity that may have an impact on security, integrity or on access to sensitive data.

7. Authentication, access control and entitlement management

Not all data and not all users are created equal. You must authenticate users, you must ensure full accountability per user, and you must manage privileges to limit access to data. You need to enforce these privileges even for the most privileged database user. You also need to review entitlement reports periodically as part of an audit process.

8. Encryption

Use encryption to render sensitive data unreadable, so that an attacker cannot gain access to it by bypassing the database. This includes both encryption of data in transit, so that an attacker cannot eavesdrop at the network layer and read the data as it is sent to the database client, and encryption of data at rest, so that an attacker cannot read the data directly from the storage media or data files.