Universities, banks, SMBs and large brands alike are waking up to the fact that their databases are no longer safe inside their perimeter firewalls, intrusion prevention systems and other edge protections.
“One of the main concerns we hear from our clients is security of their databases,” says Steven King, CTO of Data Intensity, a Bedford, Mass.-based managed IT services provider that manages databases, including enterprise resource programs (ERP), and other sensitive database applications. “At the end of the day, our clients know that the database is where their crown jewels are.”
Database security awareness has reached the point where some sort of database logging and auditing now occurs at 83 percent of organizations, based on a survey of 260 IT professionals sponsored by encryption vendor Vormetric and released in October.
The question is, how and what are they logging and auditing? And how are they handling the remaining security areas — access controls and assessment — particularly in light of what Noel Yuhanna, principal analyst at Forrester, calls a “security gap” in current database technologies.
“Right now, database topologies are not flexible enough to differentiate between a user and an attacker,” Yuhanna says. “If there's a suspicious activity around user queries — say, they're querying sensitive data a hundred times — the database doesn't care, so long as the user has a valid name and password. All database vendors have the same gap.”
Third-party providers, including Imperva, Guardium, Tizor and others, are first on the scene to fill this gap. These companies represent a $180 million market, which Yuhanna says is likely to double over the next three years.
Meanwhile, database vendors themselves are making improvements. Oracle and IBM, in particular, have advanced security features, Yuhanna continues. And, according to the Vormetric survey, native database encryption is being used more than third-party products. Of the 46 percent that used encryption, 79 percent used database vendor encryption, according to the survey.
Where it is going
It may take years to get there, but bringing security to data at its source — inside the database — is exactly what needs to be done, says Chris Clifton, associate professor of computer science at Purdue University, who is involved in research around this topic.
In particular, the database needs to support fine-grained access controls internally to prevent a compromised application – through SQL injections and other methods – from getting to all the data within that application. With the right access controls inside the database, the only thing a successful intruder (or authorized user) could see is the data sets assigned to that individual user.
“If we're really going to protect what's in the database, we should be doing it within the database,” Clifton notes. “You need to be able to write rule sets like, ‘Certain voter records are viewable, but not writable,’ or, ‘Only people from the voter registration office can change a record.’”
Structuring issues with database queries and tables, along with complications with views and updates (among other limitations), have so far inhibited administrators from enforcing policy inside the database, where it should be, says Clifton.
The next stage in database security, he contends, is to come up with a simple database language that allows for strong access controls within the database without making administration a nightmare. These systems, he says, should be built to take advantage of up-and-coming federated identity networks because of their ability to tie fine-grained controls to attributes at the user level (instead of an application or groups, which is how most access controls are currently handled).
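What enforcing a rule set like Clifton's inside the engine itself looks like, as an added example that is not code from the article or from any vendor it mentions: it uses SQLite's authorizer hook (exposed through Python's sqlite3 module), which the engine consults while compiling every statement, so the policy applies regardless of how a statement reached the database, including through an injected query. The voter-record table, the two principals and their "office" attribute are constructed for the example; the attribute stands in for the user-level identity attribute the article says fine-grained controls should key on.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows; not data from the article.
VOTER_ROWS = [
    ("Ada Lovelace", "P-01", "1 Analytical Way"),
    ("Alan Turing", "P-02", "2 Enigma Road"),
]

# Hypothetical principals carrying the user-level attribute the policy keys on.
# In a federated-identity setup this attribute would arrive with the session.
PRINCIPALS = {
    "web_app": {"office": "public_portal"},
    "clerk": {"office": "voter_registration"},
}

WRITE_ACTIONS = (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE)


def make_authorizer(office):
    """Build the per-session policy callback that SQLite invokes while compiling a statement.

    Rules, following the article's examples:
      * voter records are viewable by everyone, but the address column is only
        viewable by the voter registration office (everyone else reads NULL);
      * only the voter registration office may insert, update or delete records.
    """
    def authorize(action, arg1, arg2, db_name, trigger_or_view):
        # For READ and the write actions, arg1 is the table and arg2 the column.
        if action == sqlite3.SQLITE_READ and arg1 == "voter_records":
            if arg2 == "address" and office != "voter_registration":
                return sqlite3.SQLITE_IGNORE   # engine substitutes NULL for the column
            return sqlite3.SQLITE_OK
        if action in WRITE_ACTIONS and arg1 == "voter_records":
            return sqlite3.SQLITE_OK if office == "voter_registration" else sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK               # everything else is allowed in this example
    return authorize


def build_database(path):
    """Create and seed the table as the schema owner, with no policy attached."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE voter_records ("
        "id INTEGER PRIMARY KEY, name TEXT, precinct TEXT, address TEXT)"
    )
    con.executemany(
        "INSERT INTO voter_records (name, precinct, address) VALUES (?, ?, ?)", VOTER_ROWS
    )
    con.commit()
    con.close()


def open_session(path, principal):
    """Open a connection for one principal, installing its policy before any statement runs."""
    con = sqlite3.connect(path)
    con.set_authorizer(make_authorizer(PRINCIPALS[principal]["office"]))
    return con


def run_scenario():
    """Exercise the policy from an application session and from a registration-office session."""
    path = os.path.join(tempfile.mkdtemp(), "voters.db")
    build_database(path)
    results = {}

    app = open_session(path, "web_app")
    results["app_read"] = app.execute(
        "SELECT name, precinct, address FROM voter_records ORDER BY id").fetchall()
    try:
        # A write arriving through the application session, however it got there,
        # is compiled under the same policy and refused by the engine.
        app.execute("UPDATE voter_records SET precinct = 'P-99' WHERE id = 1")
        results["app_update"] = "allowed"
    except sqlite3.DatabaseError as exc:
        results["app_update"] = f"denied ({exc})"
    app.close()

    clerk = open_session(path, "clerk")
    clerk.execute("UPDATE voter_records SET precinct = 'P-03' WHERE id = 1")
    clerk.commit()
    results["clerk_read"] = clerk.execute(
        "SELECT name, precinct, address FROM voter_records ORDER BY id").fetchall()
    clerk.close()
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The application session sees names and precincts but NULL addresses and cannot update; the registration-office session can both read addresses and change records. The policy lives in the engine rather than in application code, which is the property Clifton argues for; a production system would express the same rules with the database's own roles and row- or column-level policies rather than a per-connection callback.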
In terms of database improvements, Oracle's Database Vault, akin to a firewall that sits inside the database kernel, can be used to set access control rules based on time of day, location of user, and data being requested.
“There is inherent benefit in doing security from inside the database server, particularly in the areas of performance and management,” says Vipin Samar, vice president of database security products at Oracle. “Encryption at the column or the entire application level, changing access rules — all of that can be conducted within the database and natively managed within the database application.”
However, Oracle's Database Vault is virtual, meaning it is more a layer on top of the database than an actual change to the database structure. It is also an Oracle-centric solution, and most networks run various flavors and types of databases that need monitoring, says King, whose company uses Guardium to monitor its client databases.
Washington Metropolitan Area Transit Authority (WMATA) in Washington, DC, also uses Guardium to monitor, audit and manage vulnerabilities and changes on its critical database systems. With more than 11,000 employees, WMATA conducts more than seven million financial transactions a year, which makes it subject to a Level 1 merchant audit under the PCI DSS.
“It used to be that all we could see was what application, such as PeopleSoft, was accessing the database. Now, with Guardium, we can see who's accessing the database through the application,” says Victor Iwugo, director of IT security at WMATA.
Combined with its database vulnerability assessment features, Guardium has helped his organization enforce separation of duties (administrators cannot access the critical data itself), catch and block attempted SQL injections and other attacks, repair systems, and fine-tune access control policy.
Guardium also sits close to the database without being inside it: it resides in the database server's underlying operating system, which avoids the performance impact of monitoring from within the database itself.
In yet another approach, appliance-based IPS-like devices are being stood up in front of databases. This approach works well for a web-front-end business, such as Intuition Systems, a Jacksonville, Fla.-based national payment processing firm for government agencies and utilities.
“We originally wanted to see what traffic is happening from our website, but also began to use it to protect against insider threat,” says system manager Kevin Alwood, whose organization uses Imperva to watch the database and web server connections.
On the database side, his team can monitor which user IDs are connected, the queries they are running and the tables they are accessing, and compare that against their permissions, he says. On the web application side, they can see attempted scans and intrusions, which can be blocked based on location and other rules.
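The two checks Alwood describes (which tables each user ID touched, compared against its permissions) and the gap Yuhanna raised earlier (a valid account that queries sensitive data a hundred times and is never questioned) can both be run over the activity records a monitoring product emits. The following is an added example, not code from the article or from Imperva, Guardium or any other vendor named in it; the audit-line format, the entitlement table, the sensitive-table list and the five-minute, 100-query threshold are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical entitlement export: database user -> tables it is permitted to touch.
PERMISSIONS = {
    "web_app": {"customers", "orders"},
    "payroll_app": {"employees", "pay_runs"},
    "dba_jones": {"customers", "orders", "employees", "pay_runs", "card_numbers"},
}
SENSITIVE_TABLES = {"employees", "card_numbers"}   # assumed classification
WINDOW = timedelta(minutes=5)                      # assumed sliding window
THRESHOLD = 100                                    # assumed alert level within one window


def constructed_log():
    """Constructed audit lines in an assumed 'timestamp user=.. op=.. table=..' format."""
    base = datetime(2024, 3, 1, 9, 0, 0)

    def line(offset, user, table):
        ts = (base + timedelta(seconds=offset)).isoformat()
        return f"{ts} user={user} op=SELECT table={table}"

    lines = [line(i, "web_app", "orders") for i in range(3)]
    lines += [line(i, "payroll_app", "employees") for i in range(5)]
    # An application account reaching a table outside its entitlement.
    lines.append(line(10, "web_app", "card_numbers"))
    # An entitled account bulk-reading card data: valid credentials, abnormal volume.
    lines += [line(60 + i, "dba_jones", "card_numbers") for i in range(120)]
    return lines


def parse(line):
    """Turn one audit line into a record with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    return rec


def find_unauthorized(records, permissions=PERMISSIONS):
    """Accesses to tables the user is not entitled to (the permissions comparison)."""
    return [r for r in records if r["table"] not in permissions.get(r["user"], set())]


def find_high_volume(records, sensitive=SENSITIVE_TABLES, window=WINDOW, threshold=THRESHOLD):
    """Users whose sensitive-table accesses reach `threshold` inside any `window`.

    This is the case the database itself does not flag: the credentials are valid
    and each query is individually permitted, only the volume is abnormal.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent sensitive-table accesses
    alerts = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["table"] not in sensitive:
            continue
        q = recent[rec["user"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["user"] not in alerts:
            alerts[rec["user"]] = {"table": rec["table"], "count": len(q), "at": rec["ts"]}
    return alerts


def analyse(lines):
    """Run both checks over raw audit lines and return the findings."""
    records = [parse(ln) for ln in lines]
    return {
        "unauthorized": [(r["user"], r["table"], r["ts"].isoformat())
                         for r in find_unauthorized(records)],
        "high_volume": find_high_volume(records),
    }


if __name__ == "__main__":
    print(analyse(constructed_log()))
```

On the constructed log the first check flags the web application account touching card data it has no entitlement to, and the second flags the administrator account whose 120 reads of the same table in two minutes are each individually authorized. Both checks depend on capturing the real end user behind the application connection, which is the visibility Iwugo describes gaining.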
Ultimately, database security controls will need to tie into management infrastructures that support database monitoring, system hardening, and encryption and access control rules. Beyond that, they'll need to tie into larger overall data loss prevention and security information management frameworks.
This eventuality makes vendor-agnostic frameworks an appealing option. Novell's Sentinel offerings (identity and access management, threat and vulnerability management) answer this need.
“The issue is, how do you ensure that the databases themselves are fortresses in this complex, layered environment?” says Nick Nikols, vice president of identity and security products at Novell. “To do this, you need an understanding of identity-based events through your SIM.”
How to proceed depends on what's in your database and how you want to protect it, says Purdue's Clifton. “Unfortunately, to do it right, the database security configuration is more complex than the data itself,” he adds.