For database security following framework can be adapted by any organization to ensure database security system established within organization. This has been written by Prakash Sharma.
Database Security Framework
Quality Assurance will need to be performed for all the processes defined above
- Physical Access Control needs to be established
- Installation sites need to be secured
- Lock and expire all default database accounts
- Change default passwords
- Lock and expire all default user accounts
- Enforce password management
- Enable data dictionary protection
- Grant least privilege to maximum number of users
- Enforce access controls
- Restrict operating system access
- Restrict network access
- Apply security patches periodically
- Enable SSL to provide mechanism for data integrity and data encryption
- Set up certificate authentication for client and servers
- Restrict privileges to listener which acts as a database gateway to the network
- Restrict physical access to network
- Use Firewalls
- Never keep vulnerable ports open (example 1521)
- Prevent unauthorized administration of Listener
- Encrypt Network traffic
- Harden the Operating System by disabling unnecessary services
- Ensure Audit trails enabled where ever security threats foreseen
Data Base Security Terms and Definition
Data base Security
- Data base Security is a mechanism to protect database against intentional or accidental threats. Security controls are established to mitigate the risks emerging due to threats pertaining to critical assets in the organization. Database is a critical asset for any organization hence organizations need to invest budget for data base security requirements
What is a threat?
- Any intentional or accidental event that may adversely affect the system
- An unauthorized resource gets into an organization with a pen drive and copies organization data and moves out of premise. Someone intentionally decides to store database backup on a public storage system
- Any tampering to data and changing the content without authorization is a fraud
- Any data or data base if available for public purview leads to confidentiality compromise unless an an organization intentionally decides to publish data for public.
- Any personal information if available for public purview leads to privacy compromise unless an organization intentionally decides to publish data for public
- Any tampering to data and loss of data and its audit trail leads to integrity compromise
- Any data should be available to its intended user always and if the data base is not available or data base gets corrupted then it is an availability compromise
Examples of Threats
- Using another person’s log-in name to access data
- Unauthorized copying of data
- Illegal injections by hacker
- Data Alteration
- User-Access Policies needs to be defined for database access.
Authorization is a mechanism to grant privileges to enable user to access the system.
- Authentication is a mechanism to verify whether the right user logs in to the system. System Administrator is responsible for providing user rights to individual users who can access the system.
- Whenever there is a need to perform queries on multiple related tables, it is important for creating views and granting privileges to users to ensure user is not aware of existence of any columns or rows which are missing from the view.
Backup and Recovery
- The backup and recovery processes are vital for organization to ensure a copy of database and log file is stored on an offline storage media. It is important to test the tapes by recovering the data to ensure backup is performed successfully.
- Integrity of data base systems can be maintained by securing the database from virus and malicious code attacks and preventing data from becoming invalid.
- It is a concept to use special algorithms to render data unreadable by any program and you need to have decryption key to read the data. Performance degradation exists when there is a need to encrypt too many data columns
- RAID stands for Redundant Array of Independent Disks. RAID is implemented on a hardware system where the database is installed to ensure DBMS continue to function even if one of the hardware components fails.
- Privilege is a right given to user to access the database and its relevant data. Read, Write, Read-Write access given to the database or data base tables or rows or columns of a table.