Databases are a treasure trove of data, often highly sensitive data, and not surprisingly are an important area
of emphasis for compliance programs. Almost all enterprise compliance regulations feature requirements concerning who can access what database and when, and managing these permissions can easily be a full-time job. In this tip, we’ll cover the basic database security requirements necessary for database compliance with major regulations such as PCI DSS and HIPAA, as well as best practices for managing database permissions and upkeep in order to maintain compliance with those regulations.
All five of the most common enterprise core database environments (1. Microsoft SQL Server; 2. IBM DB2; 3. MySQL; 4. Oracle; 5. Postgres) can be appropriately provisioned, hardened, secured and locked down at initial installation. The challenge is understanding which components actually need to be in place. It's not just the database itself; it's also the server and the operating system the database resides on.
PCI DSS currently requires the following explicit controls for databases:
- All users are to be authenticated prior to accessing any databases.
- All user access to any databases, user queries and user actions (such as move, copy and delete) are performed through programmatic methods only (such as stored procedures).
- Database and application configuration settings restrict direct user access or queries to database administrators (DBAs) only.
- For database applications and the related application IDs, application IDs can only be used by the applications, not by individual users or other processes.
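The four controls above map directly onto database privilege design. The following is an added example in PostgreSQL syntax, not code from the article: the application gets an identity that can only execute stored procedures, direct table access stays with a DBA group, and the application ID cannot be used interactively. The role names, the `cardholder` schema, the `transactions` table and the `record_transaction` function are all assumptions chosen for illustration.

```sql
-- Added example (PostgreSQL): the four PCI DSS database controls in practice.
-- All names below are assumptions for illustration, not from the article.

-- Control 1: everyone authenticates. Roles get passwords (in pg_hba.conf, no
-- "trust" entries); the privilege-container roles cannot log in at all.
CREATE ROLE dba NOLOGIN;
CREATE ROLE dba_alice LOGIN PASSWORD '<set-from-secret-store>' IN ROLE dba;
CREATE ROLE app_payments NOLOGIN;                              -- privilege container
CREATE ROLE svc_payments LOGIN PASSWORD '<set-from-secret-store>'
    IN ROLE app_payments;                                      -- the application ID

-- Controls 2 and 3: the application owns nothing and can touch no table
-- directly; objects belong to the DBA group, and PUBLIC loses its defaults.
CREATE SCHEMA cardholder AUTHORIZATION dba;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

CREATE TABLE cardholder.transactions (
    id          bigserial      PRIMARY KEY,
    account_ref text           NOT NULL,
    amount      numeric(12,2)  NOT NULL,
    created_at  timestamptz    NOT NULL DEFAULT now()
);
ALTER TABLE cardholder.transactions OWNER TO dba;
-- Deliberately no GRANT on the table to app_payments.

-- The only write path: a SECURITY DEFINER function runs with its owner's
-- (dba's) rights, so callers need EXECUTE and nothing else. Pinning
-- search_path stops a caller from substituting same-named objects.
CREATE FUNCTION cardholder.record_transaction(p_account text, p_amount numeric)
RETURNS bigint
LANGUAGE sql
SECURITY DEFINER
SET search_path = cardholder, pg_temp
AS $$
    INSERT INTO cardholder.transactions (account_ref, amount)
    VALUES (p_account, p_amount)
    RETURNING id;
$$;
ALTER FUNCTION cardholder.record_transaction(text, numeric) OWNER TO dba;
-- New functions are executable by PUBLIC by default; take that back first.
REVOKE ALL ON FUNCTION cardholder.record_transaction(text, numeric) FROM PUBLIC;

GRANT USAGE   ON SCHEMA cardholder TO app_payments;
GRANT EXECUTE ON FUNCTION cardholder.record_transaction(text, numeric) TO app_payments;

-- Control 4: the application ID serves the application only. Nobody is made
-- a member of svc_payments (DBAs use their own named accounts) and the
-- connection budget is sized for the application's pool, not for people.
ALTER ROLE svc_payments CONNECTION LIMIT 20;

-- Verification queries an assessor can run: the first is false for both
-- application roles, the second is true.
SELECT has_table_privilege('svc_payments', 'cardholder.transactions', 'SELECT');
SELECT has_function_privilege('svc_payments',
       'cardholder.record_transaction(text, numeric)', 'EXECUTE');
```

The two `has_*_privilege` checks follow role membership, so testing the login role `svc_payments` also covers what it inherits from `app_payments`; the same pair of queries, run for every application login, is a cheap recurring control for the "programmatic methods only" requirement.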
Regarding HIPAA, the above measures are not specifically stated as requirements for HIPAA compliance, but they should be regarded as best-of-breed security controls that complement, and ultimately help meet, the "security" provisions within HIPAA. Specifically, those provisions of HIPAA require covered entities to:
- Ensure the confidentiality, integrity, and availability of all e-PHI created, received, maintained or transmitted;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
Additionally, to complement regulatory compliance initiatives such as PCI DSS, the following are considered best practices for securing all of the database environments listed above.
Regarding the host operating system on the server that supports the database, the following best practices should be in place:
1. System administrators and other relevant IT personnel should have adequate knowledge, technical skill-sets and an understanding of all critical operating system security requirements.
2. Industry-leading configuration standards and supporting internal documentation should be utilized when deploying operating systems into the managed services environment.
3. Only necessary and secure services, protocols, daemons and other essential functions should be enabled on the operating systems.
4. All unnecessary functionality and all insecure services and protocols should be effectively disabled on the operating systems.
5. Root accounts should be appropriately secured with the selection of a unique password that is changed on a regular basis.
6. Root accounts should be restricted to the fewest number of personnel necessary.
7. Syslog should be configured to send a copy of syslog data to a central syslog server, where the log information is reviewed.
8. The principle of "least privilege," which states users are only given privileges that are required to efficiently and properly perform their job function, should be in place regarding operating system access rights.
9. All relevant and critical security patches should be applied to operating systems as warranted.
For the actual database itself, the following best practices are recommended:
1. A list of authorized users who have access to databases within the managed application services environment should be maintained and kept current by appropriate personnel.
2. System administrators and other relevant IT personnel should have adequate knowledge, technical skill-sets and an understanding of all critical database security requirements.
3. Industry-leading configuration standards and supporting internal documentation should be utilized when deploying databases into the managed services environment.
4. Default user accounts that are not necessary for database functionality should be locked and expired.
5. For all default accounts that remain in use, the passwords should be changed and made subject to strong password requirements.
6. Administrative accounts within the databases should have different passwords assigned to them, with no shared or group passwords being used for these accounts.
7. Measures should be in place for protecting the data dictionary and the supporting metadata that describes all objects in the database.
8. For any host-based authentication measures in place for accessing the database, appropriate procedures should be in place for ensuring the overall security of this type of access.
9. Database monitoring should be in place consisting of tools that alert appropriate personnel as needed.
10. All relevant and critical security patches should be applied to the databases as warranted.
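Items 1, 4, 5, 6, 8 and 9 of this list are the ones a DBA can implement and audit directly from the database. The following is an added example in PostgreSQL syntax, not code from the article or from any of the vendors named above: it produces the authorized-user inventory from the system catalog, locks and expires an unneeded default account, rotates a retained one with an expiry date, separates administrator identities, and turns on connection logging. The role names, the `legacy_reporting` stand-in account, the dates and the `pg_hba.conf` lines in comments are all assumptions.

```sql
-- Added example (PostgreSQL): account hygiene for the best-practice list.
-- Names and dates are assumptions; legacy_reporting stands in for a
-- vendor-installed or default account that is no longer needed, and is
-- created here only so the script runs stand-alone.
CREATE ROLE legacy_reporting LOGIN PASSWORD '<original-default>';
CREATE ROLE svc_reporting    LOGIN PASSWORD '<original-default>';

-- Item 1: the list of authorized users, generated from the catalog rather
-- than kept by hand. Every login role here must appear on the approved list.
SELECT rolname,
       rolsuper        AS is_superuser,
       rolcreaterole   AS can_create_roles,
       rolbypassrls    AS bypasses_row_security,
       rolvaliduntil   AS password_expires,
       rolconnlimit    AS connection_limit
FROM   pg_roles
WHERE  rolcanlogin
ORDER  BY rolsuper DESC, rolname;

-- Item 4: unneeded default accounts are both locked and expired, so that
-- re-enabling login by mistake still leaves an expired credential.
ALTER ROLE legacy_reporting NOLOGIN;
ALTER ROLE legacy_reporting VALID UNTIL '2000-01-01';

-- Item 5: a default account that must stay gets a new password and a
-- rotation deadline that the server enforces at login time.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';   -- no MD5 hashes
ALTER ROLE svc_reporting PASSWORD '<set-from-secret-store>'
    VALID UNTIL '2025-03-31';                              -- assumed rotation date

-- Item 6: administrators get personal accounts with their own passwords;
-- the group role carries the rights, no shared "admin" login exists.
CREATE ROLE dba NOLOGIN;
CREATE ROLE dba_alice LOGIN PASSWORD '<set-from-secret-store>' IN ROLE dba;
CREATE ROLE dba_bob   LOGIN PASSWORD '<set-from-secret-store>' IN ROLE dba;
-- Audit: any superuser login that is not a named individual is a finding.
SELECT rolname FROM pg_roles WHERE rolsuper AND rolcanlogin;

-- Item 8: host-based authentication rules live in pg_hba.conf, evaluated
-- top to bottom. The intended policy, as assumed config lines:
--   local    all  all                peer
--   hostssl  all  all  10.0.0.0/8    scram-sha-256
--   host     all  all  0.0.0.0/0     reject
-- No "trust" entries, TLS required off-host, everything else rejected.

-- Item 9 (and OS item 7): connection events go to the server log, which
-- syslog forwards to the central collector that is actually reviewed.
ALTER SYSTEM SET log_connections    = on;
ALTER SYSTEM SET log_disconnections = on;
ALTER SYSTEM SET log_statement      = 'ddl';
SELECT pg_reload_conf();
```

Run the script as a superuser from `psql` with autocommit on, since `ALTER SYSTEM` cannot execute inside a transaction block. The two `SELECT` queries are the recurring part: the inventory query is the evidence for item 1, and the superuser-login query should return only the personal accounts of people who are allowed to be superusers.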
Thus, companies should first and foremost have an IT staff that is well-trained, knowledgeable in database security, and has the necessary provisioning guidelines and hardening documents for implementing effective database security. For all existing database platforms in place and for future database installs, a highly structured and standardized approach needs to be in place for effectively provisioning, hardening, securing and locking down the database environment. Follow these best practices and with any luck your enterprise database compliance efforts will pay off handsomely when your next assessment rolls around.
About the author:
Charles Denyer is a member of NDB Accountants & Consultants, a nationally recognized boutique CPA and advisory firm specializing in Regulation AB, SAS 70, SSAE 16, ISAE 3402, FISMA, NIST, HIPAA, ISO and PCI DSS compliance, along with other regulatory compliance initiatives. Mr. Denyer is actively involved in numerous professional associations and organizations for a wide range of industries and business sectors. He is also an advanced social media expert, having spent years working in the field of search engine optimization (SEO) and various forms of online marketing and social media.
Mr. Denyer holds numerous accounting and technology certifications along with a Masters in Information and Telecommunication Systems from the Johns Hopkins University and a Masters in Nuclear Engineering. He is also currently an MBA candidate for the Johnson School of Business at Cornell University.