Securing Your Most Valuable Asset
By Dale Cover
When developing a security plan, securing a company's data should be a key focal point. However, this is often overlooked because evaluating security threats is very complex, given the increasing number of interconnected systems and network paths.
As new applications are introduced in an organization, the potential for unauthorized access to critical data increases. A new application may expose new pathways to data, not intentionally but inherently. With a growing number of web-based, networked applications in an organization, the number of potential threat cases grows. Furthermore, the increased demand for rapid time to market and accelerated development time can result in insecure code, which leads to insecure applications, which in turn lead to insecure systems. The result: a system that has security holes impossible to completely patch.
With this in mind, there is one very effective way to mitigate potential threats: tightly secure the underlying database management system against them. If an intrusion does occur, the result will be the capability to call for help and to hold off attackers until help arrives. When help does arrive, the cause of the threat can be identified. Once it is identified, it is possible to devise a solution and eliminate this specific threat case. This process is accomplished by implementing the proper user account and security settings to prevent unrestricted access, implementing alerts and notifications to warn of an intrusion, and implementing a comprehensive auditing system that makes it possible to trace the origin of the specific threat case.
User account and security settings
One of the most common pitfalls in database security is weak user account settings. Database management systems typically do not have the rich security account management tools commonly found in operating systems. Moreover, the default settings usually are not disabled or changed, which makes penetration easier. Another problem is that most database security is performed in the client application. This is an excellent idea. However, remember that a database is a server. That means it is possible to access it directly and completely bypass any security provisions in the application. In that case, all client application security is nullified. It is wise to take advantage of the security features available in the particular database server. Together, application-level and database-level security can be very powerful.
Alerts
Alerts are yet another powerful and often unused feature of most database management systems. Configuring alerts allows the database to notify a system, or better yet, a security administrator, of any breaches in security policies. For example, Microsoft SQL Server can send an email notification when a user attempts to password grind.
Auditing
Auditing makes it possible to view the history of particular events in order to determine where, when, and what a particular user was attempting. Auditing techniques can allow the administrator to pinpoint the cause of the security threat. Once a cause is identified, it is possible to devise a solution that eliminates the particular security hole, thereby rendering the system that much more secure.
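The alerting and auditing steps described above, combined in an added example that is not code from the original article: it scans failed-login audit records for password grinding and returns, per client, when the alert fired and which logins were tried. The log lines are constructed in the style of SQL Server error-log entries; the function name, threshold and time window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data in the style of SQL Server error-log entries
# (failed-login auditing must be enabled for such records to exist).
SAMPLE_LOG = """\
2024-05-01 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:00:03.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:00:05.77 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2024-05-01 10:00:08.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:00:11.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:02:00.00 Logon       Login failed for user 'jsmith'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]
2024-05-01 10:14:30.00 Logon       Login failed for user 'jsmith'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")

def find_password_grinding(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per client with `threshold` failed logins inside `window`.

    Assumes the records are in chronological order, as in an append-only log.
    """
    recent = defaultdict(deque)  # client -> failure timestamps still in the window
    tried = defaultdict(set)     # client -> every login name it has failed on
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # not a failed-login record
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        client, failures = m["client"], recent[m["client"]]
        tried[client].add(m["user"])
        failures.append(ts)
        while ts - failures[0] > window:
            failures.popleft()   # drop failures older than the window
        if len(failures) >= threshold and client not in alerts:
            alerts[client] = {"client": client, "first_seen": failures[0],
                              "alerted_at": ts, "logins": sorted(tried[client])}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_password_grinding(SAMPLE_LOG):
        print(alert)
```

The returned record is what a notification would carry, and its timestamps and client address are the starting point for the audit trail.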
Using these three steps together (securing, alerting, and auditing) can increase the level of security of your company's most valuable asset: its data.
Contact us
For any questions you may have, contact us at 1-401-454-3939. Our Polar Cove representative will answer and assist you with your specific needs.