The importance of securing sensitive information cannot be denied. Fortunately, most organizations today have solid cybersecurity programs that use a diverse set of controls to achieve defense-in-depth security. Through these programs, corporate servers have been hardened, enterprise endpoints have been secured and monitoring tools have been implemented. Organizations have also been able to eradicate highly sensitive information from endpoint devices and consolidate the most crucial corporate data in enterprise systems and the databases that support them.
But just how strong are the controls around those central stores?
It is safer, without a doubt, to store information in a secure, centralized database rather than on laptops and file shares. However, if enterprises are not careful about database security, they may unwittingly be building a treasure trove of sensitive information that is ripe for the taking.
Many enterprise databases are prone to vulnerabilities caused by configuration errors or poor implementation. From poor password hygiene to SQL injection attacks to cross-site scripting vulnerabilities, these database-related threats must be addressed.
However, beyond these vulnerabilities, there are database security best practices every enterprise should follow -- and review on a regular basis -- to maintain the safety and security of their crown jewels: the confidential data housed in their databases. This is a tempting target for any attacker; securing them is of the utmost importance.
Here are four tasks enterprises should complete to improve the security of their databases and the data stored within them.
1. Enforce the principle of least privilege
The concept of limiting users' access to the smallest set of privileges necessary to carry out their job functions is usually covered in the first chapter of any cybersecurity book. How well that theoretical goal maps to the reality of our enterprise databases is an important question to ask. To assess this, enterprises should ask themselves several questions, including the following:
- Do developers have full access to production databases?
- Do system engineers have access to the databases on the systems under their care?
- Do database administrators have full access to all databases or just those that fall within their areas of responsibility?
Limiting access as much as possible is an important safeguard against the insider threat.
2. Conduct regular access reviews
It is no secret that privilege creep affects virtually every technology organization. As technical and nontechnical staff move between job roles and project assignments, they accumulate new and different permissions each time their responsibilities change. New permissions are quickly sought and approved because the lack of permissions gets in the way of work. However, old and unnecessary permissions may persist for months or years because they do not cause operational issues for the employee's everyday work. They do, however, expand the scope of an attack should that user become a malicious insider or fall victim to an account compromise.
Enterprises should conduct regular, scheduled reviews of database access to ensure the principle of least privilege still applies. Pay particular attention to users who have direct access to the database, as this access may bypass application-level security controls.
3. Monitor database activity
Database auditing used to be a tremendous performance burden, causing organizations to sacrifice logging for the sake of operational efficiency. Fortunately, those days are behind us since all the major database platform players now offer scalable monitoring and logging capabilities.
Enterprises should make sure they have enabled database monitoring on their systems and that the logs are sent to a secure repository. Also, be sure to implement behavior-based monitoring rules that watch for unusual user activity, particularly among users with administrative access.
4. Encrypt sensitive data
Encryption is a database security best practice no-brainer. Enterprises should use strong encryption to protect their databases in three ways:
- require all database connections use Transport Layer Security encryption to protect data in transit;
- encrypt the disks containing data stores to protect against their loss, theft or improper disposal; and
- use column-level encryption capabilities to protect your most sensitive fields against snooping.
Now is the time for enterprises to step up their database security game. Organizations that follow the database security best practices of enforcing least privilege -- conducting regular account reviews, monitoring database activity and encrypting sensitive data -- will find themselves more well positioned against modern, sophisticated threats than those that forget about database security and do not adhere to and review the aforementioned tasks on a regular cadence.