Database platforms continue to grow in size and complexity, particularly when it comes to security. Many platforms now feature role-based encryption and key management, user administration add-ons and more robust APIs for third-party product integration. These capabilities, coupled with new product vulnerabilities and emerging automated threats, present a challenging scenario for ensuring current and future database security.
Microsoft SQL Server, Oracle Database, IBM DB2 and MySQL are all to blame. More specifically, each has created a suite of features for their database offerings that easily permit system administrators to create and manage user and group accounts, backup data and implement patches when appropriate. Unfortunately, these features are product dependant.
Here are a few tips to not only help keep database security under control, but also save a few dollars in the process.
Cost-saving tip No. 1: Pick one platform and standardize.
The number of tools and administration features required to maintain and manage enterprise databases continues to grow. The database companies have started to build in additional value-added services and product add-ons with the goal of expanding to the midmarket. This business-driven motivation has spawned a number of technical ramifications. For instance, additional services and components have led to increased administration labor costs; the combination of multiple platforms only further complicates this issue. Standardizing on one platform will decrease the cost of labor, reduce potential training and would put you in a powerful position to receive more favorable prices from the vendor of choice. From what I have seen, these guys will cut at least 10% off if you tell them they are replacing the competition.
Microsoft and Oracle have augmented their platforms with updated encryption and virtual segmentation features. Oracle's Virtual Private Database (VPD) and Microsoft's user-defined data rules allow you to specify user access at the column-level within tables. The overarching encryption value proposition has always been "defense in-depth." If encrypted data ever falls into the wrong hands, then it is still safe. These vendors have taken a big first step in eliminating the need for external granular encryption products.
Cost-saving tip No. 2: Implement built-in encryption and data access features.
The big boys are as ruthless as they come and hate to lose the smallest niche in their markets. Given this and the fact that each keeps implementing new features at a rapid pace, it makes little sense to invest your monies in something that is already in the product or will be within a calendar year. The rule of thumb is that when you buy database innovation, make sure it's at least two years ahead of platform integration.
With this said, expect the "add-on" vendors to focus their efforts on multiplatform key management. Unless Oracle and Microsoft turn their business models upside down, this will always be at least one small selling advantage for the little guys.
Database security means different things to different people, yet all should agree that multiple levels of security are required for critical enterprise applications. Log management and intrusion detection/access monitoring are now included within several compliance regulations: the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX) and California's General Security Standard for Businesses, A.B. 1950. Such initiatives require that databases containing various types of sensitive information backup and save logs in certain formats. Additionally, regulations require that organizations monitor database access and or intrusions.
Cost-saving tip No. 3: Physically/virtually house databases in close proximity.
Storing your enterprise databases in close proximity greatly reduces network management and potential network-based security components. This alone could save tens of thousands of dollars in capital expenditures outside of the benefits in labor reduction. Put them all on a single, consolidated network, then implement a system to manage the single segment.
Ensuring that your database has the current vendor patches is only half of the battle. The majority of application and database intrusions exploit poor configurations and application-layer logic. Fortunately, the National Security Agency and Center for Internet Security publish materials to help get you moving in the right direction. The next step is to harden the actual database configuration. Setting up the proper group access controls, file restrictions, and use of encryption is no easy task. The pros even have difficulty balancing security and performance. Too many group restrictions could lead to increased development burdens whilst encryption could task the CPU an extra 30%.
Cost-saving tip No. 4: Use consultants for configuration testing, tools for vulnerabilities.
Creating a "gold standard" database platform build is something that should coincide with major software releases for a minimum of at least every two years. Since the frequency of creating these baselines is seldom, it's better to invest in one-time consulting -- someone who will hand you the deliverable versus buying additional software to sit on the shelf.
Vulnerability testing is mandatory. The frequency, depth and type are variable. Depending on the use of the database and its corresponding applications, it may be necessary to scan at three levels: network or infrastructure, platform and application. Weekly network and platform scanning along with application-layer scanning when applications change is considered industry best practice. Vulnerability testing across all databases should be accomplished on a frequent, recurring basis, while configuration testing should take place on major upgrades only.
Cost-saving tip No. 5: Do your homework on product roadmaps.
Last but certainly not least, it is extremely important to understand where the databases are heading. Having deep knowledge of your vendor's five-year plan is overkill, yet you should be familiar with the enhancements coming in the next two releases. That means research is key. The Web will probably only publish what's coming up next, versus changes that may be in the works for future releases. A quick call to your reseller or email to the vendor is a stride in the right direction. These steps will ensure that you reduce excess add-on purchases, in-house custom development and "band-aid" workarounds.
Cost will be a factor in any database solution as each option comes with a corresponding labor and technology component. A threat model identifying and weighing your risks combined a budgetary ROI perspective will quickly bring to light the defenses that you can afford.
About the author:
James C. Foster runs a software security practice for a private firm near Washington D.C. He has authored more than 20 books, including Buffer Overflow Attacks and Writing Security Tools and Exploits.
This was first published in December 2006