What must one do to protect the company’s biggest asset – its data? That’s a frequently asked question today, and it has no single right or wrong answer! The solution depends on a number of variables, such as which database vendor you use, what the database is for, whether it stores credit card information, who manages it, and others.
Obviously, there is no single approach to securing your database. However, these are the general best practices used in the industry to protect a database system.
Be proactive in staying up to date on all current vulnerabilities related to the database type you are using, whether it’s an Oracle database or open-source PostgreSQL. Usually when vendors announce vulnerabilities, a set of patches is published as well to address them. If your database system is affected, make sure a patch is applied immediately, as the number of potential hackers increases exponentially once these vulnerabilities become public.
Protect the Perimeter
Protecting the database at the perimeter of your network will always remain one of the best practices, as you never want to allow connections to the database from outside your network. It is common to have another set of firewalls right in front of the database, to make sure that only your application servers are allowed to connect to the database on a given port, and no other servers within your cluster. Corporations whose database systems store credit cards and customer information will almost always have these firewalls in place. Not only are you protecting inbound access, but also outbound access from your database to the outside, in case someone tries to install or download software onto the database server.
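As an added example (not part of the original post), here is the perimeter rule above expressed as a host firewall for the database server itself, using nftables: only the application servers may reach the database port, administration is limited to a jump host, and the database host cannot open outbound connections except to an internal package mirror and resolver. Every address, port and host in it is an assumed value chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: an nftables ruleset for a
# database server that only accepts the database port from the application
# tier and denies outbound connections except to an internal package mirror.
# All addresses and ports below are assumed values for illustration.

DB_PORT=${DB_PORT:-5432}                          # PostgreSQL default port
APP_SERVERS=${APP_SERVERS:-"10.0.1.10 10.0.1.11"} # only hosts allowed to reach DB_PORT
ADMIN_HOST=${ADMIN_HOST:-10.0.0.5}                # jump host allowed to SSH in
MIRROR_HOST=${MIRROR_HOST:-10.0.0.20}             # internal package mirror for patching
RESOLVER=${RESOLVER:-10.0.0.2}                    # internal DNS resolver

# build_db_ruleset: print an nftables ruleset to stdout.
# Apply on the database host with:  build_db_ruleset | nft -f -
build_db_ruleset() {
    # turn "a b" into "a, b" for an nftables set literal
    app_set=$(printf '%s' "$APP_SERVERS" | sed 's/ /, /g')
    cat <<EOF
flush ruleset
table inet dbhost {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # only the application tier may reach the database port;
        # other hosts in the same cluster are dropped like everything else
        ip saddr { $app_set } tcp dport $DB_PORT accept
        # administration only from the jump host
        ip saddr $ADMIN_HOST tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # patching goes through the internal mirror; no direct downloads
        ip daddr $MIRROR_HOST tcp dport { 80, 443 } accept
        ip daddr $RESOLVER udp dport 53 accept
    }
}
EOF
}

# Stand-alone run: show the ruleset that would be applied
build_db_ruleset
```

Both chains default to drop, so anything not listed (other cluster members on the inbound side, arbitrary downloads on the outbound side) is denied; the established/related rule lets replies to the application servers' connections flow without opening the output chain.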
Follow Least User Access Principle
Be super religious about user access and permissions. This is what most often gets overlooked, as people tend to think no one within the organization is actually a threat. While they might not be a direct threat, these are the people who can misconfigure the database and leave it in a state vulnerable to future external attacks. The least-user-access principle is always a good practice to apply to any production system.
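One way to put the least-user-access principle into practice, as an added example that is not from the original post: a shell function that emits the SQL for a PostgreSQL application role which can log in and work with a few named tables but cannot create objects, roles or databases, and which strips the default privileges that PostgreSQL grants to every role through PUBLIC. The database, schema, role and table names are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: emit the SQL for a
# least-privilege PostgreSQL application role so it can be reviewed, piped
# into psql, or checked by a test. Names used below are assumed.

# least_privilege_sql DBNAME SCHEMA ROLE "TABLE TABLE ..."
least_privilege_sql() {
    db=$1; schema=$2; role=$3; tables=$4
    cat <<EOF
-- The application role can log in but is not a superuser and cannot
-- create databases, roles, or other objects; the connection limit keeps a
-- misbehaving or leaked credential from exhausting the server.
CREATE ROLE $role LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT CONNECTION LIMIT 20;
-- Remove the defaults that let every role connect to the database and
-- create objects in the "public" schema.
REVOKE ALL ON DATABASE $db FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
-- Grant only what the application actually needs: no DELETE, no DDL.
GRANT CONNECT ON DATABASE $db TO $role;
GRANT USAGE ON SCHEMA $schema TO $role;
EOF
    for t in $tables; do
        echo "GRANT SELECT, INSERT, UPDATE ON $schema.$t TO $role;"
    done
    cat <<EOF
-- Tables created later in this schema by the role running this script get
-- the same narrow grants, so nobody has to remember to re-run it.
ALTER DEFAULT PRIVILEGES IN SCHEMA $schema GRANT SELECT, INSERT, UPDATE ON TABLES TO $role;
EOF
}

# Stand-alone run: print the script for an assumed shop database.
# To apply it, review the output and run it as the database owner, e.g.
#   least_privilege_sql shopdb app shop_app "orders customers" | psql -d shopdb
least_privilege_sql shopdb app shop_app "orders customers"
```

The point of generating the statements rather than typing them ad hoc is that the grants become a reviewable artifact: a reviewer can see at a glance that the role has no DELETE, no ownership and no superuser bit before anything touches production.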
Conduct Regular Security Audits
Regular security auditing is another step towards protecting your database, similar to your regular physical checkup with your doctor. By doing this you validate that there are no abnormal conditions or activities on the database. A port scan is part of this check, to make sure the server is listening only on database-specific ports, some management-related ports, and nothing else.
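An added example (not from the original post) of the listening-port check mentioned above: a small shell audit that reads the output of `ss -ltn` and reports any listening TCP port that is not on an allowlist. The allowed ports and the sample `ss` output below are constructed for illustration; on a real host the same functions are fed from `ss` directly.

```shell
#!/bin/sh
# Added example, not from the original post: flag listening TCP ports on a
# database host that are outside an allowlist, as a regular audit would.
# Assumed allowlist: SSH (22), PostgreSQL (5432) and a metrics exporter (9100).

ALLOWED_PORTS="22 5432 9100"

# Constructed sample of `ss -ltn` output standing in for a real host. The
# 8080 listener bound to all interfaces is what the check should report.
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       244     0.0.0.0:5432         0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    127.0.0.1:9100       0.0.0.0:*
LISTEN  0       511     *:8080               *:*
LISTEN  0       244     [::]:5432            [::]:*'

# port_is_allowed PORT -> exit 0 if PORT is in ALLOWED_PORTS, 1 otherwise
port_is_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# unexpected_listeners < ss-output
# Prints "ADDRESS:PORT" for every LISTEN socket whose port is not allowed,
# one per line; prints nothing when the host is clean.
unexpected_listeners() {
    awk 'NR > 1 && $1 == "LISTEN" { print $4 }' | while read -r addr; do
        port=${addr##*:}           # strip everything up to the last colon
        port_is_allowed "$port" || echo "$addr"
    done
}

# audit_ports < ss-output -> exit 0 when clean, 1 when anything unexpected
audit_ports() {
    findings=$(unexpected_listeners)
    if [ -n "$findings" ]; then
        echo "unexpected listening ports:"
        echo "$findings"
        return 1
    fi
    echo "listening ports match the allowlist"
    return 0
}

# Stand-alone run against the constructed sample; on a real host use:
#   ss -ltn | audit_ports
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_ports || echo "audit exit status: $?"
```

Because the address is kept in the finding, the report distinguishes a service bound only to loopback from one exposed on every interface, which is usually the first question when an unexpected port turns up.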
Using encryption when communicating with your database is another way to keep data secure. However, be aware that this usually adds latency to database requests and extra load on the server. I haven’t seen this used frequently in real production systems, and this measure should be used with caution.
Establish Security Policy
Last but not least, an organization must have a clear database security policy that everyone within the organization must comply with.
These are the main general guidelines to follow when securing your database. Remember – taking baby steps to protect your data today may save you from a colossal meltdown tomorrow!