Information Security

Defending the digital infrastructure



Guardians of the Crown Jewels

Database security products promise an extra measure of security for your most valuable assets. Are they worth the price?


The crown jewels are at risk: intellectual property, customer ID information and financial records encased in corporate databases. If they're vulnerable, so are your company's finances and reputation. And regulatory compliance failure, triggered by a serious breach or audit that reveals lax database security, can bring heavy fines and/or jail time.

Perimeter defenses alone, such as firewalls, IPSes and Web app shields, can't ensure security in the face of Web-based attacks that exploit myriad database configuration vulnerabilities and insecure front-end Web code.

Your best strategy against these attacks is to harden their target: Properly configured databases will stand strong against most attacks. Moreover, the landscape is changing. Industry database leaders Oracle and Microsoft are beefing up security in new versions of 10.g and SQL Server, respectively, which are better configured out of the box than their predecessors and have much easier native encryption options.

But database security doesn't end with your initial configuration. Ongoing vigilance is required because even good DBAs make mistakes and malicious or ill-informed users alter configurations. Regular vulnerability scanning and testing, and continuous monitoring for unauthorized change will help keep your databases hardened against attacks. There are a number of scanning and IDS/monitoring tools that address these needs.

Database Vulnerability Scanning
If you're in charge of security, chances are you don't have direct, high-privilege access to the database; you need to secure it from the outside. As with network VA, you have two general options: scanners and penetration testing.

Network scanners, like open-source Nessus and eEye Digital Security's Retina Network Security Scanner, may tell you if your database patches are up to date, but they won't find database-specific vulnerabilities, such as sloppy configurations that leave you open to deep SQL manipulation, injection or directory traversal attacks.

To do that, you'll have to turn to one of the handful of database VA scanners, or to professional pen testers who specialize in attacking databases.

Database-specific vulnerability assessment tools take a much more granular look at the database's configuration and the vulnerabilities associated with poor configurations than network VA scanners.

U.K.-based Next Generation Security Software's flagship database scanner, NGSSquirrel, has database-specific versions for SQL Server, Oracle and DB2, as well as DominoScan II for Lotus Domino. Each includes specific checks that target insecure configurations, patch levels, default user accounts, underlying platform vulnerabilities and even some Web-based interface vulnerabilities.

Application Security's AppDetective includes modules for Oracle, SQL Server, DB2, Sybase, Lotus Domino and MySQL. AppDetective performs application discovery, tests that identify database-specific vulnerabilities and configuration-related audits. Application Security also offers a console product, AppSecIncConsole, to manage its suite of security products.

Safety-Lab's Shadow Database Scanner is an open-source, ActiveX-based tool that allows programmers direct access to modify its functionality. As an open-source product, its advantage over commercial products is that it enables security consultants and admins alike to easily customize the tool for target environments. The downside is the lack of technical support.

DB Vendors Beef Up Security
With all of these new products and one-stop database security shops, it may be easy to forget about the current features within the actual databases. It's far better to write cleaner code, initially configure systems securely, conduct periodic code reviews, create accurate threat models and continually break down applications than to bolt on protections for inherently insecure applications. The good news is that Oracle has baked improvements into its 10.g release (with more to come), and Microsoft's next SQL Server release promises extensive security improvements.

Oracle already got a security jump on Microsoft with its 10.g release, in which it implemented a series of advanced encryption and decryption technologies--including role-based access control management and an expansion of supported algorithms--to complement its upcoming full-featured, role-based encryption access control. Additionally, Oracle 10.g features improved documentation and scripts, and easier security configuration.

The much-anticipated SQL Server 2005, due for release this summer, will reflect Microsoft's "security by default" mantra. It comes with minimal running services, user accounts, and exploitable temporary files and scripts. In essence, a DBA must change the configuration to become insecure. A top feature is its advanced cryptography, with the ability to implement multiple RSA, SSL, Kerberos and other symmetric algorithms for user-to-database communication streams. These algorithms will now be easily accessible for DBAs and developers. SQL Server 2005 also boasts improved file system encryption capabilities through OS-kernel upgrades.

SQL Server 2005 also includes strong password policy enforcement for user accounts and granular access control. This is made possible by Microsoft's ability to separate database users from system objects, which can be integrated easily with either Microsoft Visual Basic .NET or C#. The execution of stored SQL statements can also be controlled with the use of appropriate SQL statement access control lists. Database mirroring will be simplified; in addition to allowing admins to leverage the new fail-over clustering, it will sharply reduce the near-prohibitive effort required to create a mirror, making it a more viable option for testing than a live database.

With Microsoft's new slew of security features, the real question isn't whether Oracle is "unbreakable," but whether it will be able to keep up with Microsoft.

IBM faces a tough challenge to keep up with Oracle and Microsoft database security, but DB2 8.2 adds several key authentication and user management features that improve security and ease administration. Changes include Kerberos authentication, Windows Local System Administrator (LSA) accounts and support for two-part user names.

--James Foster

Shadow Database Scanner supports Oracle, SQL Server, DB2, Lotus Domino, MySQL and MiniSql.

These tools will find most common vulnerabilities and configuration problems, and are cheap enough to be cost-effective. But they're still limited. Professional penetration testing services are more thorough, using powerful tools and manual techniques to dig into databases, rooting out both obvious and hidden holes; however, these services are expensive and invasive.

Auditing and Intrusion Detection
Scanners and pen tests give you a good snapshot of your database security posture, but there are no guarantees that change won't creep in and attackers won't try to exploit new or previously undetected vulnerabilities.

Several database IDS and auditing products can maintain a continuous vigil on databases, logging and alerting on attacks, suspicious activities and all changes that violate security policies. Their comprehensive logging and reporting capabilities are designed to meet both auditing and regulatory requirements.

Guardium's SQL Guard monitors and analyzes potentially unsafe and malicious traffic for Oracle, SQL Server, Sybase and DB2. It monitors and logs all user activity. Its unique hierarchy-based, three-tiered approach--audit, health and policy--allows you to passively audit your environment against about a dozen categories of tests.

SQL Guard's standout feature is its user activity logging and drill-down capabilities. From the management interface, you can select any of your database users and click through a tree of activities. Audit features include SQL account creation details, administrator-level queries and newly created stored procedures. SQL Guard is also a valuable tool for incident response and data collection, allowing you to search activity based on users, commands and time of day.
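To make the audit categories above concrete, here is an added example (not code from the article or from any product it reviews) that classifies statements in a database audit trail and filters them by user and time of day. The sample trail, user names, rule patterns and the 08:00-18:00 business-hours window are all constructed assumptions.

```python
import re
from datetime import datetime, time

# Constructed sample audit trail: (timestamp, database user, SQL text).
AUDIT_TRAIL = [
    ("2005-03-01 10:15:02", "app_web", "SELECT name FROM customers WHERE id = 42"),
    ("2005-03-01 14:02:37", "dba_kim", "GRANT SELECT ON orders TO reporting"),
    ("2005-03-01 23:41:10", "jsmith", "create login tmp_admin with password = 'x'"),
    ("2005-03-01 23:42:55", "jsmith",
     "/* cleanup */ CREATE PROCEDURE export_accounts AS SELECT * FROM accounts"),
    ("2005-03-02 09:30:00", "dba_kim",
     "CREATE OR REPLACE PROCEDURE nightly_rollup AS BEGIN NULL; END;"),
]

# Categories follow the audit features named in the article.
RULES = [
    ("account_created", re.compile(r"^CREATE\s+(USER|LOGIN)\b", re.I)),
    ("privilege_change", re.compile(r"^(GRANT|REVOKE)\b", re.I)),
    ("procedure_created", re.compile(r"^CREATE\s+(OR\s+REPLACE\s+)?PROC(EDURE)?\b", re.I)),
]
COMMENTS = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
WORK_START, WORK_END = time(8, 0), time(18, 0)  # assumed business hours


def classify(sql):
    """Return the audit category for a statement, or None if it is routine."""
    # Strip comments first so a leading comment cannot hide the keyword.
    text = COMMENTS.sub(" ", sql).strip()
    for category, pattern in RULES:
        if pattern.search(text):
            return category
    return None


def audit(trail, user=None, after_hours_only=False):
    """Return security-relevant events, optionally filtered by user and time of day."""
    events = []
    for stamp, who, sql in trail:
        category = classify(sql)
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        after_hours = not (WORK_START <= when.time() < WORK_END)
        if category is None or (user and who != user):
            continue
        if after_hours_only and not after_hours:
            continue
        events.append((stamp, who, category, after_hours))
    return events


if __name__ == "__main__":
    for event in audit(AUDIT_TRAIL, after_hours_only=True):
        print(event)
```

Keyword matching on the leading statement is only a first-pass triage; it does not see changes made inside dynamic SQL or through vendor-specific system procedures.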

IPLocks offers comprehensive security monitoring for Oracle, SQL Server, DB2, Sybase, Teradata Database and Hitachi's HiRDB. It flags configuration vulnerabilities, and issues alerts, detailed reports and trend analyses. It monitors user activity and flags suspicious behavior and changes to access privileges, roles and schemas/tables/elements.

Lumigent Technologies' Entegra monitoring and auditing tool is available for SQL Server and Oracle. Entegra records all data accessed, enabling you to track user activity and database changes. The Web-based GUI allows you to drill down on specific database activities.

Application Security's AppRadar is an intrusion detection product that identifies complex application-layer attacks against SQL Server. Application Security says version 2.0, scheduled for release this month, adds support for Oracle, granular activity monitoring and built-in HIPAA and Sarbanes-Oxley policies.

Multifront Defense
Some may say that the obvious answer to database security is encryption. But encryption doesn't obviate the need for secure configuration, diligent testing and continuous monitoring.

Encrypting and decrypting data to meet real-time business/transaction needs requires serious hardware: multiprocessor systems and accelerators that require gobs of memory, either in purpose-built appliances or software products on high-end servers. Key management can be a major headache and may be a full-time job. What's more, Microsoft and Oracle are building stronger native encryption capabilities that will put the squeeze on encryption vendors (see "DB Vendors Beef Up Security").

Vulnerabilities, poor system and application configurations, industry regulations and day-to-day security challenges aren't going away. Technological advances aside, your best bet is to formulate strong operating policies, purchase technology that has the highest ROI, create internal response teams that consistently work together on a range of daily security operations--including database compromises, and secure and standard configurations--and conduct semiannual user account reviews.

The majority of database security risks can be remedied through proper configuration, perimeter protections (that you most likely have already implemented) and DBA training. That may make it hard to justify the additional spending for most bolt-on database-specific security products, especially given the promises of Oracle and Microsoft's embedded security features.

Nevertheless, if publicly available databases are your company's lifeblood, these tools will add an extra layer of defense that offers real value.
