This article is aimed at beginner to mediocre database admins who are always confused about the database best practices for optimizing one of the key objectives of an enterprise database, security. By definition, databases contain data that may include the most confidential information, like personal demographics and credit card information. The criminal hackers always want to steal. So, databases always remained the most appealing target of hackers, and this is why database security is considered as the most critical element in database administration.
Here, we cover the most fundamental best database security practices, which will help keep your database protected from hackers or intruders. An overview of these database best practices is as below:
- Ensure the security of the physical database.
- Using appropriate web application and firewalls
- Hardening the database to the maximum extent
- Data encryption
- Minimizing the database values
- Tightly managing the database access
- Monitoring and auditing database activities
Let us look into these points more in detail.
Physical database security
At the baseline database administration approach, ensuring physical DB security means placing your DB server securely in a monitored environment by ensuring all access controls. It should also be ensured that the database is kept in a standalone physical machine, which is isolated from the other machines running in the application or other web servers.
In usual cases, a web server is more likely to be the target of attacks as these tend to be in a DMZ and made accessible publicly. If a web server gets compromised and another DBMS server runs on the same machine, the hackers will have easy access to it as a root user and instantly get all the data in it.
Use the web application and firewalls
All database servers may be protected from known security threats with the help of a firewall, which will deny access to any unauthorized traffic. The only traffic authentic firewalls may allow is those who come through the specific application or the web servers which need to access the database. The firewall may also protect the databases from initiating any other outbound connections unless if it is specified so.
Along with protecting databases using firewalls, you also need to deploy another web application firewall. There is a high chance that the SQL injection type of attacks can be redirected as a web application can be easily used to delete or exfiltrate the database data. Database firewalls may not always prevent this approach if such an SQL injection attack comes from an authorized web application. However, a good web application firewall will cover this too.
Hardening the database to the fullest extent
It is also important to make sure that the databases you use are still well supported by the vendors, or there are open source projects which are responsibly supported. Also, ensure that you are running on the most recent database version with all security patches being updated and protection against all security vulnerabilities are there in place.
However, just doing this is not sufficient to ensure security. Adding to it, this is also crucial to disable or uninstall the features and services you do not need and ensure that you change default account passwords. It is a better approach to delete all the default accounts you do not need in real-time.
Ultimately, it is vital to ensure that every security control provided by the database vendors like RemoteDBA is enabled unless there is any justifiable reason to disable. Once all these had been done, you should also audit the set hardened configuration, which can be done using an automated tool for change auditing. There are plenty of such tools available, and you may be immediately aware of it if any such changes to this hardened configuration are made, which may end up compromising the database security.
Encryption of data
In most organizations, it is a default standard to encrypt the data stored in the DB. Along with this, it is also crucial to make sure that the backup data also gets encrypted and separately stored from the decryption keys. Considering the encrypting data, which is at rest, it is also very critical to ensure that all the confidential data gets encrypted over the network to protect it from any potential DB security threats.
Minimizing the database value
The attackers may usually try to put their hands on the data already stored in the databases, so it is essential to make sure that you don’t store any confidential info, which need not be stored there. You may always actively manage the data to add or delete any info you do not need out there. Data that has to be retained for compliance reasons or other vital purposes may have to be moved to another secured storage, preferably offline, which may be less susceptible to any data security risks.
Similarly, ensure that you always delete any historical files like the MySQL history files written by default by the servers during the installation procedure. Even though these files play a role in analyzing any installation failures, if you find the installation successful, then there is no point in keeping all these files, which may put your database more susceptible to the hackers to keep an eye on.
Managing the database accesses tightly
On handling enterprise databases, the DBAs should focus on making the individual’s access to the database as minimum as possible. Various admins even need to have bare minimum privileges to do their jobs right and only during the specified periods when they need such accesses. For the smaller organizations, this will not be so practical, but the permissions can still be custom managed by using the access groups and roles to allow it.
You may have to consider automation of the access management process by using any good access management applications. This will ensure only authorized users getting access with only needed privileges requires the time of access to manipulate the database. As an add-on layer of protection, access management systems will also log all the activities carried out by someone at particular periods, which are also reversible.
Along with all these, it also essential to follow the standard account security procedures as strong passwords, storing the password hashes in encrypted form, keeping the accounts locked after a certain number of failed logins, timely auditing, and continuous database monitoring, etc.