Home > Uncategorized > Beating the Breach: 10 Best Practices for Database Security and Compliance

Beating the Breach: 10 Best Practices for Database Security and Compliance

Life for security professionals used to be simpler. You could stop outsiders from accessing your data by establishing perimeter defenses such as firewalls and anti-virus systems, and by having on-site security guards and identity checks at the entrance to your corporate data center.In today’s interconnected world, that’s no longer the case because the boundaries of our business infrastructure are constantly being extended by the emergence of cloud, mobility, Big Data and more.

To be useful, a company’s data must be continuously connected to its customers, partners and employees. That exposes sensitive data to more automated and targeted attacks than ever before. We’re now seeing numerous attacks that easily bypass traditional perimeter defenses by exploiting Web application vulnerabilities such as SQL injection, or by spear phishing key employees and then using stolen administrative credentials to compromise back-end databases.

Despite more attention being paid to secure coding practices, SQL injection continues to be the #1 high-volume signature tracked by IBM Managed Security Services and a favorite attack vector amongst malicious groups, according to the 2011 IBM X-Force Mid Year Trend & Risk Report.

Lowering compliance costs by streamlining processes is also an important driver for implementing database security technologies. Many organizations are now looking to replace their manual, siloed compliance processes with a single unified set of centralized, standardized and automated controls for all key applications, database platforms and compliance mandates.

Based on our engagements with Global 1000 organizations, the following best practices have emerged for strengthening database security and compliance in enterprise environments.

Discover: Data can’t be secured if you don’t know it exists in the first place. Discover all locations of sensitive data including rogue databases and legacy applications. Don’t forget about non-regulated data and corporate intellectual property (IP) such as strategic plans, product designs and proprietary algorithms. Execute automated discovery scans on a regular basis because sensitive data locations are constantly changing.

Assess vulnerabilities: Regularly assess database configurations to ensure they don’t have security holes or missing patches. Use standard checklists such as the CIS Database Server Benchmarks and the DISA Security Technical Implementation Guides (STIGs). Don’t forget to check OS-level parameters such as file privileges for database configuration files and database configuration options such as roles and permissions, or how many failed logins result in a locked account (these types of database-specific checks are typically not performed by network vulnerability assessment scanners).

Harden the database: The result of a vulnerability assessment is often a set of specific configuration recommendations to take as next steps. You should also remove all database functions and options that you don’t use.

Audit configuration changes: Once the hardened configuration is established, continually track it to ensure the “gold” configuration hasn’t changed. Use change auditing tools that compare configuration snapshots and immediately alert whenever a change is made that affects your security posture.

Deploy Database Activity Monitoring (DAM) and Database Auditing: Continuous, real-time monitoring is crucial for rapidly detecting suspicious or unauthorized activity – such as a customer service rep downloading hundreds of customer records in a single day. Monitoring privileged users — such as DBAs, developer and outsourced personnel — is also a requirement for most compliance regulations, as well as for detecting intrusions from outside attackers, since cyber attacks frequently result in the attacker gaining control of privileged accounts. DAM is also essential for finding “behavioral vulnerabilities” such as users sharing privileged credentials. Database auditing allows organizations to generate a secure, non-repudiable audit trail for all critical database activities — such as creation of new accounts and viewing or changing sensitive data — and it’s also important for forensic investigations.

Authenticate, control access and manage entitlements: Controlling access to sensitive data on a “least privilege” basis is essential to ensuring full accountability. You should also periodically review entitlement reports as part of a formal audit process.

Monitor the application layer: Well-designed DAM solutions associate specific database transactions performed by the application with specific end-user IDs, in order to deterministically identify individuals violating corporate policies. In addition, combining database auditing information with OS and network logs via a security information and event management (SIEM) system to see everything that a user has done can also provide critical information for forensic investigations.

Encrypt: Encryption renders sensitive data unreadable, so an attacker can’t gain unauthorized access to data from outside the database. File-level encryption at the OS layer, combined with granular real-time monitoring and access control at the database layer, is typically accepted as a practical alternative to column-level encryption and a compensating control for Requirement 3.3 of PCI-DSS.

Mask test data: Masking is a key database security technology that de-identifies live production data, replacing it with realistic but fictional data that can then be used for testing, training and development purposes, because it is contextually appropriate to the production data it has replaced.

Automate and standardize compliance processes: Most compliance regulations require implementation of data security measures to reduce risks to a reasonable and appropriate level. Achieving compliance is not only important because no one likes to fail an audit, but it also provides third-party validation that your organization has implemented the proper controls to ensure the confidentiality, integrity and availability of your data. Automating and standardizing compliance processes is essential for reducing compliance costs, minimizing last-minute audit fire drills and easily addressing ever-changing regulations.

Once these 10 steps have been taken, enterprises should feel confident that they have taken the necessary steps to mitigate the risk of a data breach.

 

Security | Guest Opinion | Phil Neray, Thursday, November 3, 2011
Advertisements
Categories: Uncategorized
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: