Database security

November 1, 2011

At the heart of almost every breach resulting in information leakage lays a database that was compromised - a compromise that usually goes unnoticed for weeks, months or years. Maybe someone forgets to encrypt sensitive data, maybe an application accessing the database is poorly written and exchanges an administrative credential in clear text, or maybe the database is exposed to injection attacks or other threats and vulnerabilities. 

Protecting assets that reside inside the database is one of the biggest challenges facing administrators and IT pros. In today's threat landscape, it's reasonable to assume that one's database may fall victim to unauthorized access or compromise - whether from an insider or an external threat. How can we lower our risk of a breach or the unauthorized use of our raw data? How do we ensure that we don't allow unnecessary access to people or systems that should not need to touch sensitive data? If we are compromised, how do we reduce the time to identify and remediate the threat?

We typically provide layers of security in an effort to reduce the risk of a breach. We may use technologies - like network- and host-based intrusion detection and prevention systems, data leakage, encryption, application and database assessment, application firewalls, logging and auditing, vulnerability assessment and code scanning. We may have a couple to several of these solutions deployed in our environments. 

For this month's review, we looked for offerings that provided an additional layer of security over what is provided by default in one's databases. By that definition, we were open to any and all solutions that provided layered database security. None of the technologies previously mentioned are new to the security space, and most pros have some level of these deployed. I was eager to see a creative offering that would bring the various point solutions together into a useful interface and, ultimately, provide some tools to evaluate all the data our multitude of products deliver and, more importantly, turn that information into actionable intelligence.

Our responsibility is to deploy sufficient layers of security to meet our risk tolerance. In doing so, we need to know if these solutions are indeed delivering on that goal. We need to be able to quickly identify and respond as risks change. As well, we need our information in a timely fashion, so we will want real-time alerting and tools for helping us make sense of the raw data. 

As we reviewed the solutions, the concentration was on how these offerings delivered not only on their intended use, but if and how they could combine multiple defense-in-depth components into a unified, easy-to-use interface with the goal of using the combined views of the data to either proactively prevent a breach or, at least, provide early alerting to help reduce the impact of a compromise. We did not test the products' performance or catch rates. Our focus was on the deployment and configuration effort necessary to provide integrated protections. 

We didn't see any new, game-changing products. We had adaptations and combinations of log parsers, application firewalls, IDS/IPS systems and user/rights management technologies. However, we were pleased to see that, with some work, we gained some great benefits from the integration, correlation of log data and centralized policy creation and management capabilities. When one brings these products in house, it will be necessary get the data needed to quickly react  to prevent serious impact to one's organization.

The pricing of the systems we examined in this Group Test varied greatly. Some were appliance-based, while others were delivered as software requiring one to add the cost of the server hardware to the overall cost. Some systems had multiple components. Users will spend some time getting any of these solutions deployed and tuned into the enterprise, but once there, these products will provide exceptional value and help protect the company's critical data.

prestitial ad