Leveraging database security investments

There's more than one way to receive Threat Monitor Listen to this database security tip on your computer or MP3 player.

Microsoft SQL Server, Oracle Database, IBM DB2 and MySQL are all to blame. More specifically, each has created a suite of features for their database offerings that easily permit system administrators to create and manage user and group accounts, backup data and implement patches when appropriate. Unfortunately, these features are product dependant.

Here are a few tips to not only help keep database security under control, but also save a few dollars in the process.

Cost-saving tip No. 1: Pick one platform and standardize.

The number of tools and administration features required to maintain and manage enterprise databases continues to grow. The database companies have started to build in additional value-added services and product add-ons with the goal of expanding to the midmarket. This business-driven motivation has spawned a number of technical ramifications. For instance, additional services and components have led to increased administration labor costs; the combination of multiple platforms only further complicates this issue. Standardizing on one platform will decrease the cost of labor, reduce potential training and would put you in a powerful position to receive more favorable prices from the vendor of choice. From what I have seen, these guys will cut at least 10% off if you tell them they are replacing the competition.

Microsoft and Oracle have augmented their platforms with updated encryption and virtual segmentation features. Oracle's Virtual Private Database (VPD) and Microsoft's user-defined data rules allow you to specify user access at the column-level within tables. The overarching encryption value proposition has always been "defense in-depth." If encrypted data ever falls into the wrong hands, then it is still safe. These vendors have taken a big first step in eliminating the need for external granular encryption products.

Cost-saving tip No. 2: Implement built-in encryption and data access features.

The big boys are as ruthless as they come and hate to lose the smallest niche in their markets. Given this and the fact that each keeps implementing new features at a rapid pace, it makes little sense to invest your monies in something that is already in the product or will be within a calendar year. The rule of thumb is that when you buy database innovation, make sure it's at least two years ahead of platform integration.

With this said, expect the "add-on" vendors to focus their efforts on multiplatform key management. Unless Oracle and Microsoft turn their business models upside down, this will always be at least one small selling advantage for the little guys.

More information on database security Read this tip before leaping into database encryption. Learn the simple steps for secure database management.

Database security means different things to different people, yet all should agree that multiple levels of security are required for critical enterprise applications. Log management and intrusion detection/access monitoring are now included within several compliance regulations: the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX) and California's General Security Standard for Businesses, A.B. 1950. Such initiatives require that databases containing various types of sensitive information backup and save logs in certain formats. Additionally, regulations require that organizations monitor database access and or intrusions.

Cost-saving tip No. 3: Physically/virtually house databases in close proximity.

Storing your enterprise databases in close proximity greatly reduces network management and potential network-based security components. This alone could save tens of thousands of dollars in capital expenditures outside of the benefits in labor reduction. Put them all on a single, consolidated network, then implement a system to manage the single segment.

Ensuring that your database has the current vendor patches is only half of the battle. The majority of application and database intrusions exploit poor configurations and application-layer logic. Fortunately, the National Security Agency and Center for Internet Security publish materials to help get you moving in the right direction. The next step is to harden the actual database configuration. Setting up the proper group access controls, file restrictions, and use of encryption is no easy task. The pros even have difficulty balancing security and performance. Too many group restrictions could lead to increased development burdens whilst encryption could task the CPU an extra 30%.

Cost-saving tip No. 4: Use consultants for configuration testing, tools for vulnerabilities.

Creating a "gold standard" database platform build is something that should coincide with major software releases for a minimum of at least every two years. Since the frequency of creating these baselines is seldom, it's better to invest in one-time consulting -- someone who will hand you the deliverable versus buying additional software to sit on the shelf.

Vulnerability testing is mandatory. The frequency, depth and type are variable. Depending on the use of the database and its corresponding applications, it may be necessary to scan at three levels: network or infrastructure, platform and application. Weekly network and platform scanning along with application-layer scanning when applications change is considered industry best practice. Vulnerability testing across all databases should be accomplished on a frequent, recurring basis, while configuration testing should take place on major upgrades only.

Cost-saving tip No. 5: Do your homework on product roadmaps.

Last but certainly not least, it is extremely important to understand where the databases are heading. Having deep knowledge of your vendor's five-year plan is overkill, yet you should be familiar with the enhancements coming in the next two releases. That means research is key. The Web will probably only publish what's coming up next, versus changes that may be in the works for future releases. A quick call to your reseller or email to the vendor is a stride in the right direction. These steps will ensure that you reduce excess add-on purchases, in-house custom development and "band-aid" workarounds.

Cost will be a factor in any database solution as each option comes with a corresponding labor and technology component. A threat model identifying and weighing your risks combined a budgetary ROI perspective will quickly bring to light the defenses that you can afford.

About the author:
James C. Foster runs a software security practice for a private firm near Washington D.C. He has authored more than 20 books, including Buffer Overflow Attacks and Writing Security Tools and Exploits.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Protecting exposed servers from Google hacks (and Google 'dorks') Countermeasures against targeted attacks in the enterprise Windows registry forensics guide: Investigating hacker activities More built-in Windows commands for system analysis Tracing malware's steps with RE:Trace Worst practices: Learning from bad security tips Worst practices: Encryption conniptions Stopping malware in its tracks Built-in Windows commands to determine if a system has been hacked Exploit research: Keeping tabs on the hacker underground Database Security Fortinet acquires database vulnerability scanner from IPLocks Information security book excerpts and reviews Product review: Symantec Database Security 3.1 New SQL injection technique threatens Oracle databases Oracle fixes 41 flaws in April CPU The ins and outs of database encryption Product Review: Imperva's SecureSphere Database Gateway Product review: Application Security Inc.'s DbProtect Oracle patches serious holes with latest CPU Survey finds thousands of database servers open to attack Database Security Research Disk Encryption and File Encryption Websense, Reconnex top Forrester ranking of DLP vendors Embedded Security Safeguards Laptops Should whole disk encryption products be used with data backup software? Does FTPS encrypt data packets at the hardware or software level? Should disks be encrypted at the hardware level? Is Triple DES a more secure encryption scheme than DUKPT? Windows BitLocker: Enabling disk encryption for data protection NAC, disk encryption gaining attention, survey shows Symantec fills gap with whole disk storage encryption Case Study: Company Deploys Full-Disk Encryption on All Laptops RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.