Leveraging database security investments

There's more than one way to receive Threat Monitor Listen to this database security tip on your computer or MP3 player.

Microsoft SQL Server, Oracle Database, IBM DB2 and MySQL are all to blame. More specifically, each has created a suite of features for their database offerings that easily permit system administrators to create and manage user and group accounts, backup data and implement patches when appropriate. Unfortunately, these features are product dependant.

Here are a few tips to not only help keep database security under control, but also save a few dollars in the process.

Cost-saving tip No. 1: Pick one platform and standardize.

The number of tools and administration features required to maintain and manage enterprise databases continues to grow. The database companies have started to build in additional value-added services and product add-ons with the goal of expanding to the midmarket. This business-driven motivation has spawned a number of technical ramifications. For instance, additional services and components have led to increased administration labor costs; the combination of multiple platforms only further complicates this issue. Standardizing on one platform will decrease the cost of labor, reduce potential training and would put you in a powerful position to receive more favorable prices from the vendor of choice. From what I have seen, these guys will cut at least 10% off if you tell them they are replacing the competition.

Microsoft and Oracle have augmented their platforms with updated encryption and virtual segmentation features. Oracle's Virtual Private Database (VPD) and Microsoft's user-defined data rules allow you to specify user access at the column-level within tables. The overarching encryption value proposition has always been "defense in-depth." If encrypted data ever falls into the wrong hands, then it is still safe. These vendors have taken a big first step in eliminating the need for external granular encryption products.

Cost-saving tip No. 2: Implement built-in encryption and data access features.

The big boys are as ruthless as they come and hate to lose the smallest niche in their markets. Given this and the fact that each keeps implementing new features at a rapid pace, it makes little sense to invest your monies in something that is already in the product or will be within a calendar year. The rule of thumb is that when you buy database innovation, make sure it's at least two years ahead of platform integration.

With this said, expect the "add-on" vendors to focus their efforts on multiplatform key management. Unless Oracle and Microsoft turn their business models upside down, this will always be at least one small selling advantage for the little guys.

More information on database security Read this tip before leaping into database encryption. Learn the simple steps for secure database management.

Database security means different things to different people, yet all should agree that multiple levels of security are required for critical enterprise applications. Log management and intrusion detection/access monitoring are now included within several compliance regulations: the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX) and California's General Security Standard for Businesses, A.B. 1950. Such initiatives require that databases containing various types of sensitive information backup and save logs in certain formats. Additionally, regulations require that organizations monitor database access and or intrusions.

Cost-saving tip No. 3: Physically/virtually house databases in close proximity.

Storing your enterprise databases in close proximity greatly reduces network management and potential network-based security components. This alone could save tens of thousands of dollars in capital expenditures outside of the benefits in labor reduction. Put them all on a single, consolidated network, then implement a system to manage the single segment.

Ensuring that your database has the current vendor patches is only half of the battle. The majority of application and database intrusions exploit poor configurations and application-layer logic. Fortunately, the National Security Agency and Center for Internet Security publish materials to help get you moving in the right direction. The next step is to harden the actual database configuration. Setting up the proper group access controls, file restrictions, and use of encryption is no easy task. The pros even have difficulty balancing security and performance. Too many group restrictions could lead to increased development burdens whilst encryption could task the CPU an extra 30%.

Cost-saving tip No. 4: Use consultants for configuration testing, tools for vulnerabilities.

Creating a "gold standard" database platform build is something that should coincide with major software releases for a minimum of at least every two years. Since the frequency of creating these baselines is seldom, it's better to invest in one-time consulting -- someone who will hand you the deliverable versus buying additional software to sit on the shelf.

Vulnerability testing is mandatory. The frequency, depth and type are variable. Depending on the use of the database and its corresponding applications, it may be necessary to scan at three levels: network or infrastructure, platform and application. Weekly network and platform scanning along with application-layer scanning when applications change is considered industry best practice. Vulnerability testing across all databases should be accomplished on a frequent, recurring basis, while configuration testing should take place on major upgrades only.

Cost-saving tip No. 5: Do your homework on product roadmaps.

Last but certainly not least, it is extremely important to understand where the databases are heading. Having deep knowledge of your vendor's five-year plan is overkill, yet you should be familiar with the enhancements coming in the next two releases. That means research is key. The Web will probably only publish what's coming up next, versus changes that may be in the works for future releases. A quick call to your reseller or email to the vendor is a stride in the right direction. These steps will ensure that you reduce excess add-on purchases, in-house custom development and "band-aid" workarounds.

Cost will be a factor in any database solution as each option comes with a corresponding labor and technology component. A threat model identifying and weighing your risks combined a budgetary ROI perspective will quickly bring to light the defenses that you can afford.

About the author:
James C. Foster runs a software security practice for a private firm near Washington D.C. He has authored more than 20 books, including Buffer Overflow Attacks and Writing Security Tools and Exploits.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Threat Monitor,   Application and Platform Security,   Database Security Management,   Enterprise Data Protection,   Disk Encryption and File Encryption,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Cut down on calls to help desk with cybersecurity awareness training How to detect software tampering How to prevent phishing attacks with social engineering tests An enterprise strategy for Web application security threats How SSL-encrypted Web connections are intercepted How a corporate Twitter policy can combat social network threats Cyberwarfare and the enterprise: Is the threat real? Software security threats and employee awareness training Newest malware threats How to defend against rogue DHCP server malware Database Security Management What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Information security book excerpts and reviews Database Security Management Research Disk Encryption and File Encryption Health Net healthcare data breach affects1.5 million Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Should developers create libraries of common cryptographic algorithms? What is an encryption collision? Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection Voltage, RSA spar over tokenization, data protection Truth, lies and fiction about encryption What are new and commonly used public-key cryptography algorithms? RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.