Database security: things a good compliance officer ought to know
When I started this article, I assumed most readers were already familiar with database development and the details of how a database is organized. In the process I realized that people who deal with data protection are often not well informed about many of the things they need to know. When it comes to databases, not every developer knows the aspects of database security, and security-related issues can easily slip past them. Moreover, some databases are literally full of rather sensitive information.
So why do companies throw away huge sums of money on keeping their desktops and perimeters secure while the databases get little attention? Here are the main reasons, and the practices that address them:
1. “I don’t see so I don’t care”. A database usually gets no attention until it slows down or breaks.
2. “Cat in a box”. Most compliance officers have no idea what actually happens inside the database beyond getting the information they need out of it.
3. “Welcome if you get access”. DBAs tend to treat the database as secure as long as access works, and concentrate on tuning its performance.
4. “Enforce the password”. Some users are exempted from the enforced password policy because they fear being locked out, but every exemption lowers the security level.
5. “Never share your account”. Users sometimes share one account to provide 24/7 support. When that happens, activity in the database can never be attributed to a specific person.
6. “Logging the access”. Advances in database development allow logging to run alongside normal operation without hurting performance, so you can keep a record of every transaction and improve database application security.
7. “Don’t forget to scan the database”. The newest tools can scan a database and check it for vulnerabilities such as SQL injection, web flaws, etc.
8. “Update the privileged users’ list”. Every user should have exactly the level of access that is necessary and nothing more. Review the list of privileges and correct it where necessary.
9. “Delete the unneeded accounts”. Clean up after a user has abandoned an account: disable it or simply remove it.
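Points 5, 6 and 9 above (shared accounts, access logging, unneeded accounts) are the kind of thing an access log makes checkable. The script below is an added example, not code from the original article or from any database vendor: it reads a constructed connection log in a made-up `key=value` format (the format and the hosts, accounts and timestamps in it are assumptions for illustration) and reports accounts that logged in from several client hosts within a short window, which is a strong sign the account is shared, and accounts on the review list that nobody has used within the idle period, which are candidates to disable.

```python
"""Review a database connection log for shared accounts and stale accounts.

Added example. The log format below is constructed for illustration and is
not any particular database's audit format; adapt parse_log() to your own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<date> <time> user=<account> host=<client ip> event=login"
SAMPLE_LOG = """\
2024-03-01 08:02:11 user=alice host=10.0.1.15 event=login
2024-03-01 08:05:40 user=support host=10.0.1.20 event=login
2024-03-01 08:06:02 user=support host=10.0.1.31 event=login
2024-03-01 08:09:55 user=support host=10.0.1.42 event=login
2024-03-01 13:30:00 user=bob host=10.0.1.16 event=login
2024-03-02 09:00:00 user=alice host=10.0.1.15 event=login
2023-11-10 10:00:00 user=oldcontractor host=10.0.2.7 event=login
"""

# Constructed list of accounts that exist in the database (the review list).
KNOWN_ACCOUNTS = ["alice", "bob", "support", "oldcontractor", "reporting_svc"]


def parse_log(text):
    """Return a list of (timestamp, user, host) tuples for login events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("event") != "login":
            continue  # only logins matter for this review
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, kv["user"], kv["host"]))
    return events


def shared_accounts(events, window=timedelta(minutes=10), min_hosts=2):
    """Accounts that logged in from at least `min_hosts` distinct hosts
    within any span of length `window`.  One person rarely does that;
    a team sharing a single login does it all day."""
    by_user = defaultdict(list)
    for ts, user, host in events:
        by_user[user].append((ts, host))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            hosts = {h for t, h in logins[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def stale_accounts(events, known_accounts, now, max_idle=timedelta(days=90)):
    """Accounts on the review list with no login within `max_idle` of `now`,
    including accounts that never appear in the log at all."""
    last_seen = {}
    for ts, user, _ in events:
        last_seen[user] = max(last_seen.get(user, ts), ts)
    return sorted(u for u in known_accounts
                  if u not in last_seen or now - last_seen[u] > max_idle)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("possibly shared:", shared_accounts(evts))
    print("stale, consider disabling:",
          stale_accounts(evts, KNOWN_ACCOUNTS, now=datetime(2024, 3, 15)))
```

The two thresholds (a 10-minute window and a 90-day idle period) are deliberately conservative defaults; tighten them to match your own password and access-review policy, and feed the stale list into the account clean-up described in point 9 rather than deleting anything automatically.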