Locking down database applications

Data Protection Security School

Andreas Antonopoulos
In this lesson, learn how to secure database apps by building roles and privileges and monitoring access to prevent insider abuse, plus satisfy regulators by properly segregating duties and limiting application access to sensitive database data.

Watch the video, listen to the podcast, read the tech tip, then take the quiz to see how much you have learned. Passing the quiz earns you one CPE credit from (ISC)².

About the author:
Andreas M. Antonopoulos is the former Senior Vice President of Nemertes Research.

In this part:

Video: Holistic security for database-centric applications

A database-backed application consists of dozens of loosely coupled components, each of which must be secured independently, so securing such an application requires a holistic approach. Security professionals must layer security controls to compensate for multiple points of attack (internal and external), multiple points of access (via the application, via SQL, via the underlying OS, via the storage system, via physical access) and multiple types of threat (deliberate theft of data, accidental disclosure, deliberate destruction, accidental loss, etc.). Furthermore, security is a constantly moving target: patches must be maintained, logs reviewed, accounts enabled and disabled. On top of all that, the application is likely to keep changing as development continues with new features and bug fixes, all of which make security harder. This video provides an executive overview of the security issues involved in securing database-centric applications and the key tactics essential to success.
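The lesson summary above talks about building roles and privileges, segregating duties and limiting what the application itself can reach in the database. The following PostgreSQL script is an added illustration of that design, not material from the lesson or its author; every role, schema, table and database name in it (shop, shopdb, app_rw, app_payments and so on) is hypothetical. It separates three duties (schema changes, application runtime access, and read-only reporting) into group roles, keeps the card-data table out of the general application role's reach entirely, and turns on per-role statement logging for the two roles whose activity is most worth reviewing.

```sql
-- Added example: least-privilege role design for a database-backed application
-- (PostgreSQL syntax). All names below are hypothetical; run as a superuser.

-- 1. Group roles that describe a duty, not a person or a process. None can log in.
CREATE ROLE app_migrate  NOLOGIN;  -- owns the schema; only deployments use it
CREATE ROLE app_rw       NOLOGIN;  -- the application's everyday DML access
CREATE ROLE app_payments NOLOGIN;  -- the one component allowed near card data
CREATE ROLE app_readonly NOLOGIN;  -- reporting and audit, SELECT only

-- 2. Close the defaults that let any role reach the database by accident.
REVOKE CONNECT ON DATABASE shopdb FROM PUBLIC;
REVOKE CREATE  ON SCHEMA public  FROM PUBLIC;
GRANT  CONNECT ON DATABASE shopdb TO app_migrate, app_rw, app_payments, app_readonly;

-- 3. The migration role owns every object; the application never owns anything,
--    so it cannot ALTER or DROP what it uses.
CREATE SCHEMA shop AUTHORIZATION app_migrate;
SET ROLE app_migrate;
CREATE TABLE shop.customers (
    id         bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    email      text   NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);
CREATE TABLE shop.orders (
    id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    customer_id bigint NOT NULL REFERENCES shop.customers(id),
    total_cents bigint NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);
-- Sensitive data lives in its own table so it can be granted separately.
CREATE TABLE shop.payment_cards (
    id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    customer_id bigint NOT NULL REFERENCES shop.customers(id),
    pan_token   text   NOT NULL   -- token from the payment provider, not a PAN
);
RESET ROLE;

-- 4. Object-level grants: each duty gets exactly the verbs and tables it needs.
GRANT USAGE ON SCHEMA shop TO app_rw, app_payments, app_readonly;

-- The application can read and write customers and orders, and nothing else.
GRANT SELECT, INSERT, UPDATE ON shop.customers, shop.orders TO app_rw;

-- Only the payments component touches card data; it may add rows, never edit them.
GRANT SELECT, INSERT ON shop.payment_cards TO app_payments;

-- Reporting sees orders in full but only non-identifying customer columns.
GRANT SELECT ON shop.orders TO app_readonly;
GRANT SELECT (id, created_at) ON shop.customers TO app_readonly;

-- 5. Login roles (services and people) inherit a duty; nobody logs in as the owner.
--    Passwords are placeholders: set real ones out of band or use client certificates.
CREATE ROLE svc_shop_app     LOGIN PASSWORD 'CHANGE_ME' CONNECTION LIMIT 20 IN ROLE app_rw;
CREATE ROLE svc_payments_app LOGIN PASSWORD 'CHANGE_ME' CONNECTION LIMIT 5  IN ROLE app_payments;
CREATE ROLE deploy_pipeline  LOGIN PASSWORD 'CHANGE_ME' CONNECTION LIMIT 1  IN ROLE app_migrate;
CREATE ROLE auditor_jdoe     LOGIN PASSWORD 'CHANGE_ME'                     IN ROLE app_readonly;

-- 6. Monitoring: log every statement from the payments service and every DDL
--    statement from the deployment role, so both can be reviewed afterwards.
ALTER ROLE svc_payments_app SET log_statement = 'all';
ALTER ROLE deploy_pipeline  SET log_statement = 'ddl';

-- 7. Verification query: confirm the intended separation actually took effect.
SELECT r.rolname,
       has_table_privilege(r.rolname, 'shop.payment_cards', 'SELECT') AS can_read_cards,
       has_table_privilege(r.rolname, 'shop.customers',     'UPDATE') AS can_edit_customers,
       has_schema_privilege(r.rolname, 'shop', 'CREATE')              AS can_change_schema
FROM pg_roles r
WHERE r.rolname IN ('app_migrate', 'app_rw', 'app_payments', 'app_readonly')
ORDER BY r.rolname;
```

The closing query is the check a reviewer would run after any deployment: the general application role should have no read access to the card table, only the migration role should be able to create objects in the schema, and the read-only role should be unable to update anything. Because the login roles only inherit from the group roles, rotating a service credential or off-boarding an auditor is a change to one login role and never touches the grants themselves.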

Tip: Database application security: Balancing encryption, access control

Database applications are often the epicenter of a company's sensitive data, so security is paramount, but maintaining a balance between security and business use can be tricky. In this tip, Andreas Antonopoulos discusses best practices for database application security when it comes to protecting sensitive data and establishing an encryption/access control balance.

Podcast: Database application security myths and misconceptions

"Our database application data is encrypted, so our data is locked down tight." "Only our secure application can access our sensitive data, so it's clearly safe." These are just a few of the misconceptions many enterprise information security teams have when it comes to application security. In reality, many successful attacks exploit insecure or misconfigured applications to gain access to mission-critical databases. In this "Fact or Fiction"-style podcast, we debunk several widely held misconceptions about database-centric applications, explain why they don't hold true, and detail what organizations must really do to ensure applications aren't the soft spot for attackers to gain access to key data.

Quiz: Database application security

How much do you know about database application security? Take this short quiz to determine what you've learned.
