Guardians of the Crown Jewels


This article can also be found in the Premium Editorial Download "Information Security magazine: What are botnets and how can you prepare for them?."
DB Vendors Beef Up Security
With all of these new products and one-stop database security shops, it may be easy to forget about the current features within the actual databases. It's far better to write cleaner code, initially configure systems securely, conduct periodic code reviews, create accurate threat models and continually break down applications than to bolt on protections for inherently insecure applications. The good news is that Oracle has baked improvements into its 10g release (with more to come), and Microsoft's next SQL Server release promises extensive security improvements.

Oracle already got a security jump on Microsoft with its 10g release, in which it implemented a series of advanced encryption and decryption technologies--including role-based access control management and an expansion of supported algorithms--to complement its upcoming full-featured, role-based encryption access control. Additionally, Oracle 10g features improved documentation and scripts, and easier security configuration.

The much-anticipated SQL Server 2005, due for release this summer, will reflect Microsoft's "security by default" mantra. It comes with minimal running services, user accounts, and exploitable temporary files and scripts. In essence, a DBA must change the configuration to become insecure. A top feature is its advanced cryptography, with the ability to implement multiple RSA, SSL, Kerberos and other symmetric algorithms for user-to-database communication streams. These algorithms will now be easily accessible for DBAs and developers. SQL Server 2005 also boasts improved file system encryption capabilities through OS-kernel upgrades.

SQL Server 2005 also includes strong password policy enforcement for user accounts and granular access control. This is made possible by Microsoft's ability to separate database users from system objects, which can be integrated easily with either Microsoft Visual Basic .NET or C#. The execution of stored SQL statements can also be controlled with the use of appropriate SQL statement access control lists. Database mirroring will be simplified; in addition to allowing admins to leverage the new fail-over clustering, it will sharply reduce the near-prohibitive effort required to create a mirror, making it a more viable option for testing than a live database.
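As an added example (not from the article and not Microsoft's own code), the T-SQL below exercises the SQL Server 2005 features described above: a login subject to the Windows password policy, user/schema separation, and access to data only through a stored procedure. The database, schema, login, role and table names are hypothetical.

```sql
-- Added example: SQL Server 2005 hardening. All names are hypothetical.

-- 1. SQL login checked against the Windows password policy (complexity,
--    lockout) and subject to expiration; the user must change it at first use.
CREATE LOGIN app_user
    WITH PASSWORD = N'<strong initial password>' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO

USE AppDb;
GO

-- 2. Schema owned by dbo, not by the user: dropping the user later does not
--    require re-homing every object it happened to create.
CREATE SCHEMA sales AUTHORIZATION dbo;
GO
CREATE TABLE sales.Orders (
    OrderId int IDENTITY PRIMARY KEY,
    Amount  money NOT NULL
);
GO

-- 3. Database user mapped to the login and placed in a role; only the role
--    receives permissions, so grants are managed in one place.
CREATE USER app_user FOR LOGIN app_user WITH DEFAULT_SCHEMA = sales;
CREATE ROLE app_role AUTHORIZATION dbo;
EXEC sp_addrolemember 'app_role', 'app_user';
GO

-- 4. The only supported path to the table: a procedure that validates input.
--    Procedure and table share an owner (dbo), so ownership chaining lets the
--    procedure touch the table even though the role has no table rights.
CREATE PROCEDURE sales.AddOrder @Amount money
AS
BEGIN
    SET NOCOUNT ON;
    IF @Amount <= 0
        RAISERROR('Amount must be positive', 16, 1);
    ELSE
        INSERT INTO sales.Orders (Amount) VALUES (@Amount);
END;
GO

-- 5. Grant EXECUTE on the procedure only; deny direct DML on the schema so
--    ad-hoc SELECT/INSERT from the application account fails.
GRANT EXECUTE ON OBJECT::sales.AddOrder TO app_role;
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::sales TO app_role;
GO
```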

With Microsoft's new slew of security features, the real question isn't whether Oracle is "unbreakable," but whether it will be able to keep up with Microsoft.

IBM faces a tough challenge to keep up with Oracle and Microsoft database security, but DB2 8.2 adds several key authentication and user management features that improve security and ease administration. Changes include Kerberos authentication, Windows Local System Administrator (LSA) accounts and support for two-part user names.

--James Foster

It supports Oracle, SQL Server, DB2, Lotus Domino, MySQL and MiniSql.

These tools will find most common vulnerabilities and configuration problems, and are cheap enough to be cost-effective. But they're still limited. Professional penetration testing services are more thorough, using powerful tools and manual techniques to dig into databases, rooting out both obvious and hidden holes; however, these services are expensive and invasive.

Auditing and Intrusion Detection
Scanners and pen tests give you a good snapshot of your database security posture, but there are no guarantees that change won't creep in and attackers won't try to exploit new or previously undetected vulnerabilities.

Several database IDS and auditing products can maintain a continuous vigil on databases, logging and alerting on attacks, suspicious activities and all changes that violate security policies. Their comprehensive logging and reporting capabilities are designed to meet both auditing and regulatory requirements.

Guardium's SQL Guard monitors and analyzes potentially unsafe and malicious traffic for Oracle, SQL Server, Sybase and DB2. It monitors and logs all user activity. Its unique hierarchy-based, three-tiered approach--audit, health and policy--allows you to passively audit your environment against about a dozen categories of tests.

SQL Guard's standout feature is its user activity logging and drill-down capabilities. From the management interface, you can select any of your database users and click through a tree of activities. Audit features include SQL account creation details, administrator-level queries and newly created stored procedures. SQL Guard is also a valuable tool for incident response and data collection, allowing you to search activity based on users, commands and time of day.
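As an added example (not SQL Guard's code or the article's), the SQL Server 2005 DDL triggers below record two of the audit categories just described, new logins and newly created stored procedures, with the login name and time so the log can be searched by user and time of day. The AuditDb/AppDb databases, the table and the trigger names are hypothetical.

```sql
-- Added example: native DDL-trigger auditing. All names are hypothetical.
USE AuditDb;
GO
CREATE TABLE dbo.DdlAudit (
    AuditId     int IDENTITY PRIMARY KEY,
    EventTime   datetime      NOT NULL DEFAULT GETDATE(),
    EventType   sysname       NOT NULL,
    LoginName   sysname       NOT NULL,   -- who issued the DDL
    ObjectName  sysname       NULL,       -- login or procedure created
    CommandText nvarchar(max) NULL
);
GO

-- Server-scoped trigger: fires for CREATE LOGIN anywhere on the instance.
CREATE TRIGGER trg_audit_login ON ALL SERVER
FOR CREATE_LOGIN
AS
BEGIN
    DECLARE @e xml; SET @e = EVENTDATA();
    -- The statement text is deliberately not stored here: a CREATE LOGIN
    -- statement can carry a password, which must not land in the audit table.
    INSERT INTO AuditDb.dbo.DdlAudit (EventType, LoginName, ObjectName)
    VALUES (@e.value('(/EVENT_INSTANCE/EventType)[1]',  'sysname'),
            @e.value('(/EVENT_INSTANCE/LoginName)[1]',  'sysname'),
            @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'sysname'));
END;
GO

-- Database-scoped trigger: fires when a stored procedure is created in AppDb.
USE AppDb;
GO
CREATE TRIGGER trg_audit_proc ON DATABASE
FOR CREATE_PROCEDURE
AS
BEGIN
    DECLARE @e xml; SET @e = EVENTDATA();
    INSERT INTO AuditDb.dbo.DdlAudit (EventType, LoginName, ObjectName, CommandText)
    VALUES (@e.value('(/EVENT_INSTANCE/EventType)[1]',  'sysname'),
            @e.value('(/EVENT_INSTANCE/LoginName)[1]',  'sysname'),
            @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'sysname'),
            @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'));
END;
GO

-- Drill-down for incident response: what did one login create after hours?
SELECT EventTime, EventType, ObjectName, CommandText
FROM   AuditDb.dbo.DdlAudit
WHERE  LoginName = N'app_admin'            -- hypothetical login under review
  AND  EventTime >= '2005-03-01T18:00:00'  -- constructed cut-off time
ORDER BY EventTime;
```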

IPLocks offers comprehensive security monitoring for Oracle, SQL Server, DB2, Sybase, Teradata Database and Hitachi's HiRDB. It flags configuration vulnerabilities, and issues alerts, detailed reports and trend analyses. It monitors user activity and flags suspicious behavior and changes to access privileges, roles and schemas/tables/elements.

Lumigent Technologies' Entegra monitoring and auditing tool is available for SQL Server and Oracle. Entegra records all data accessed, enabling you to track user activity and database changes. The Web-based GUI allows you to drill down on specific database activities.

Application Security's AppRadar is an intrusion detection product that identifies complex application-layer attacks against SQL Server. Application Security says version 2.0, scheduled for release this month, adds support for Oracle, granular activity monitoring and built-in HIPAA and Sarbanes-Oxley policies.

Multifront Defense
Some may say that the obvious answer to database security is encryption. But encryption doesn't obviate the need for secure configuration, diligent testing and continuous monitoring.

Encrypting and decrypting data to meet real-time business/transaction needs requires serious hardware: multiprocessor systems and accelerators that require gobs of memory, either in purpose-built appliances or software products on high-end servers. Key management can be a major headache and may be a full-time job. What's more, Microsoft and Oracle are building stronger native encryption capabilities that will put the squeeze on encryption vendors (see "DB Vendors Beef Up Security").

Vulnerabilities, poor system and application configurations, industry regulations and day-to-day security challenges aren't going away. Technological advances aside, your best bet is to formulate strong operating policies, purchase technology that has the highest ROI, create internal response teams that consistently work together on a range of daily security operations--including database compromises, and secure and standard configurations--and conduct semiannual user account reviews.

The majority of database security risks can be remedied through proper configuration, perimeter protections (that you most likely have already implemented) and DBA training. That may make it hard to justify the additional spending for most bolt-on database-specific security products, especially given the promises of Oracle and Microsoft's embedded security features.

Nevertheless, if publicly available databases are your company's lifeblood, these tools will add an extra layer of defense that offers real value.

This was first published in March 2005