It might seem that database security is the responsibility of relational database management system (RDBMS) vendors. They know their own systems best and, in theory, ought to be the first-choice source for products that protect their databases. In practice, however, RDBMS vendors supply only a small part of the security picture.
Some essential security features are built into relational databases: access control, identity management and encryption of network communication are a few examples. But this leaves out a number of equally essential services, such as monitoring user activity, protecting against SQL injection and assessing vulnerabilities. In other cases the built-in capability exists but falls short. Audit trails, for instance, often lack the information needed to produce compliance reports, and native encryption is usually slow and difficult to integrate.
Furthermore, the database security gap widens when the needs of RDBMS customers are considered, because organizations usually need to secure more than one kind of database. Single-platform tools work poorly when an organization's sensitive information is spread across several database products. In fact, most companies run Oracle alongside Postgres, MySQL, DB2, Sybase and SQL Server, each serving its own distinct and essential purpose.
Equally problematic is the fact that enterprise security and compliance requirements usually focus on protecting the data rather than the infrastructure. Data security is more than protecting the database container: how data is used, and in what context, is not something the database or its role-based access controls address.
This is why database security tools play an important, perhaps the major, role in protecting corporate information in the data center. Let's look more closely at these tools and see how they fill the data security gap for the databases enterprises actually run.
Monitoring the activity of databases
The most important database security capability is activity monitoring, commonly referred to as database activity monitoring (DAM). DAM systems capture every SQL statement sent to the database, including administrative actions, and examine the statements for behavioral, contextual or security-related misuse. They can identify and alert on a wide array of threats. Many can also block specific statements, although very few organizations use the blocking feature.
Most organizations add DAM to their security arsenal not only to spot threats, but because it is the most effective way to keep a precise record of events for regulatory compliance reporting, and because it offers data and filters that are not available from the databases' built-in audit logs. Put simply: DAM is to databases what security information and event management (SIEM) and log management are to general IT security and reporting.
The drawbacks of DAM are that it takes time to deploy local agents, it can be expensive to buy, and its policies need regular tuning so that alerts are raised on inappropriate activity. In addition, companies often choose not to block database queries, since blocking can have unwanted side effects on application state and data integrity.
It's worth noting that a smaller segment of the DAM vendor market offers more protective platforms, often called database firewalls. They resemble a web application firewall (WAF) in that they act as proxies placed in front of the database rather than the application, and are designed to stop malicious traffic. Like WAFs, database firewalls analyze incoming traffic and filter it on the basis of specific security rules as well as blacklists and whitelists of queries.
When databases are exposed to direct external (i.e., Internet) threats, database firewalls prevent SQL injection attacks and block unwanted queries. They are beneficial when it is too expensive or time-consuming to fix the application itself. Proxy services are also available that mask or redact query results depending on the user's credentials. Referred to as data masking platforms, they alter the results returned to a user when the request is deemed untrustworthy or when the user is not entitled to see all of the data requested.
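A small illustration of the DAM and database-firewall logic described above, added here as an example and not code from the article or from any vendor's product: statements are reduced to fingerprints, compared against an allowlist of known query shapes (the firewall's whitelist), and checked for contextual misuse such as administrative statements at odd hours or from unexpected hosts. The users, hosts, tables and audit records are constructed.

```python
import re

# Constructed audit records: (user, client_host, hour_of_day, sql); not real data.
EVENTS = [
    ("app_svc", "10.0.1.20", 14, "SELECT name, email FROM customers WHERE id = 4711"),
    ("app_svc", "10.0.1.20", 14, "SELECT name, email FROM customers WHERE id = 9"),
    ("app_svc", "10.0.1.20", 15, "SELECT * FROM customers"),
    ("dba_jane", "10.0.1.20", 3, "GRANT ALL ON customers TO reporting"),
    ("dba_jane", "192.0.2.77", 11, "ALTER TABLE payments DROP COLUMN card_pan"),
]
SENSITIVE_TABLES = {"customers", "payments"}
ADMIN_HOSTS = {"10.0.1.20"}          # hypothetical DBA jump host
ADMIN_KEYWORDS = ("grant", "revoke", "alter", "drop", "create")
BUSINESS_HOURS = range(8, 18)

def fingerprint(sql):
    """Normalise a statement so only its shape remains: string and numeric
    literals become '?', case and whitespace are collapsed. This is the step a
    DAM or database firewall performs before matching against a whitelist."""
    s = re.sub(r"'[^']*'", "?", sql)
    s = re.sub(r"\b\d+\b", "?", s)
    return " ".join(s.lower().split())

# Whitelist of query shapes learned from the application during a baseline period.
ALLOWLIST = {fingerprint("SELECT name, email FROM customers WHERE id = 1")}

def analyse(events, allowlist=ALLOWLIST):
    """Return (event_index, reason) pairs. A monitoring deployment alerts on
    each; a firewall deployment would block the unknown shapes instead."""
    alerts = []
    for i, (_user, host, hour, sql) in enumerate(events):
        fp = fingerprint(sql)
        verb = fp.split(" ", 1)[0]
        tables = set(re.findall(r"\b(?:from|on|table|join)\s+(\w+)", fp))
        if fp not in allowlist:
            alerts.append((i, "query shape not in allowlist"))
        if verb == "select" and " where " not in fp and tables & SENSITIVE_TABLES:
            alerts.append((i, "unfiltered read of sensitive table"))
        if verb in ADMIN_KEYWORDS:
            if hour not in BUSINESS_HOURS:
                alerts.append((i, "admin statement outside business hours"))
            if host not in ADMIN_HOSTS:
                alerts.append((i, "admin statement from unapproved host"))
    return alerts
```

Running `analyse(EVENTS)` leaves the two routine application lookups silent and raises six alerts on the remaining three records.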
Assessment of databases
Database assessment tools, also called database vulnerability assessment tools, test database configuration and patch levels. Unlike general endpoint and server assessment tools, they examine settings specific to the database and configuration information stored inside the database, which server assessment tools cannot reach. Being purpose-built for databases, they include thousands of pre-built checks for specific misconfigurations and for the presence of commonly exploited weaknesses. They cover vendor-recommended database security best practices as well as industry-recommended security standards.
Some databases include basic security checks in their standard administrative tools. In reality, though, third-party assessment products are crucial, because they provide detail and data that most database vendors choose not to. A vendor may warn organizations about specific vulnerabilities in its databases and the related patches, but third-party vendors offer additional alternatives, reconfigurations and analysis that the database vendors do not. They may, for instance, recommend removing database options that pose security risks.
In addition, most third-party tools are designed with non-technical users in mind. They provide the separation of duties that security teams and DBA teams need: people who lack a deep understanding of database internals can still verify that the right policy is in place and being followed.
Encryption
Many databases have encryption features, typically to protect specific cells or columns. These built-in features are generally driven by the application: the application has to be modified to call the database's encryption libraries to encrypt or decrypt the data. This kind of encryption, known as application-layer encryption (even though the database provides it), has fallen out of use because of performance and integration problems.
Today most database customers use what is known as transparent database encryption, or TDE. TDE applies to all data and encrypts and decrypts information as it is written to or read from disk. Somewhat paradoxically, it is faster than application-layer encryption. Its major advantage is that it is invisible to the end user, to the application and even to the database itself, so encryption can be added without modifying application code or database queries. The result is that disk files and databases are protected from prying eyes.
TDE has two weaknesses. It needs a robust key management system to keep the data secure, and any authorized user or program receives decrypted data on demand. So while TDE addresses most data-at-rest security concerns, it needs help verifying access and use.
Masking and tokenization
If an organization doesn't trust an existing database, or cannot guarantee its integrity in the long run, how can it keep the data safe? It could delete the data, but then any application that relied on it would stop working. Two data-centric security tools have become popular for achieving Payment Card Industry Data Security Standard (PCI DSS) compliance and for managing test data: masking and tokenization.
Because these tools build compliance and security knowledge into pre-built policies and procedures, they ease the workload on operations and security teams, which don't have to write rules from scratch.
Tokenization replaces sensitive data with a substitute that looks and behaves like the original, much as arcade or subway tokens stand in for cash. Applications keep working as usual, but there is no risk of the real data being lost or stolen. Tokens have no value other than as a reference to the original value, which is kept in a separate, highly secured database known as the token vault, accessible only to a select group of users.
Tokens are great for substituting a single data element such as a credit card number, but what about an organization that stores large amounts of complex data used for analysis?
Data masking, also called static data masking, swaps sensitive data sets for masked copies while preserving the value of the database as a whole. A "mask" here is a way of hiding information: for example, altering the values in a salary column, replacing real names with names pulled at random from a phone book, or shifting a person's date of birth by a few days from the real date. The actual information is hidden, yet the masked copy remains similar enough to the original to produce useful results.
Both data masking and tokenization swap sensitive data for an equivalent, removing the sensitive data altogether, which may eliminate the need for security in those databases entirely.
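The two techniques just described, as an added example that is not code from the article or from any product: a tokenization routine backed by a vault that is the only place able to map a token back to the real card number, and a static masking routine that alters names, salaries and dates of birth while keeping the data useful for analysis. The card number, names and record are constructed sample data.

```python
import random
import secrets
from datetime import date, timedelta

class TokenVault:
    """Stands in for the separately secured token vault. Only code with access
    to the vault can turn a token back into the real value."""
    def __init__(self):
        self._tok_to_val, self._val_to_tok = {}, {}

    def tokenize_pan(self, pan):
        """Replace a card number with a same-length, digits-only token that keeps
        the last four digits, so receipts and lookups keep working. The same PAN
        always yields the same token; the token itself is random and unguessable."""
        if pan in self._val_to_tok:
            return self._val_to_tok[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in pan[:-4])
            token = body + pan[-4:]
            if token != pan and token not in self._tok_to_val:
                break
        self._tok_to_val[token] = pan
        self._val_to_tok[pan] = token
        return token

    def detokenize(self, token):
        """Vault-side lookup; restricted to the few users who may see real values."""
        return self._tok_to_val[token]

def mask_records(records, seed=None):
    """Static masking: return a copy of the dataset with realistic but fake values.
    Salary stays within its 10,000 band and the birth date moves by at most 30 days,
    so aggregate analysis on the masked copy still gives useful results."""
    rng = random.Random(seed)
    pool = ["Alex Morgan", "Priya Shah", "Tomas Novak", "Wei Chen"]  # constructed names
    masked = []
    for r in records:
        band = (r["salary"] // 10000) * 10000
        masked.append({
            "name": rng.choice(pool),
            "dob": r["dob"] + timedelta(days=rng.randint(-30, 30)),
            "salary": band + rng.randint(0, 9999),
        })
    return masked

# Constructed sample record and test card number, not a real person or card.
RECORDS = [{"name": "Jane Doe", "dob": date(1984, 5, 17), "salary": 72500}]
SAMPLE_PAN = "4111111111111111"
```

`TokenVault().tokenize_pan(SAMPLE_PAN)` returns a 16-digit value ending in 1111 that an application can store in place of the card number, while `mask_records(RECORDS)` produces a copy safe to hand to developers or analysts.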
Procurement
Database security tools are offered by database vendors and by third-party security vendors, and are also included in open source software distributions. With database security software, however, the old saying "you get what you pay for" applies. Log data scanners, vulnerability scanners and log mining tools are typically cheap, sometimes free, but they generally lack a full range of functionality and features, offer a poor user experience and do not allow the customization most firms need. Activity monitoring and encryption are highly complex security tasks that call for the best tools, built by third-party security specialists. Such tools offer better out-of-the-box capabilities, but at a substantial cost.
Support and training
Because these tools build security and compliance expertise into pre-designed policies and procedures, they reduce the load on security and operations teams, so organizations do not have to create rules from scratch. Still, every kind of database security software, whether a tool or a platform, is complex enough to implement and manage that some training is needed.
In all cases, third-party suppliers of these tools offer training, typically included in the purchase price. In most cases, two to five days of training is enough to get up to speed on a platform. While these platforms require regular maintenance and management, internal staff can easily handle that without hiring a dedicated support team.