Database management: The security checklist for every data-driven deployment

Security threats have become a ubiquitous problem for American companies, and a report from Cybersecurity Ventures found that damage related to cybercrime is projected to hit $6 trillion annually by 2021. According to Accenture, the most expensive component of a cyberattack is data loss, which represents 43 percent of cybercrime costs.

The first few months of 2019 have shown that the ever-growing threat of data breaches continues to trouble companies across industries, with vulnerabilities striking everywhere including dating apps, data analytics firms, hotel databases and medical records. Stolen data is now showing up for sale on the dark web, extending the life and reach of these violations. And it’s likely that the emergence of 5G will add to the complexity of data security, as companies prioritize first-to-market strategies rather than focusing on security.

Cybersecurity threats are very real but organizations can mitigate problems by adhering to a security ‘checklist’ to limit their chances of exposure. According to the Pew Research Center, 64 percent of Americans say they have personally experienced a major data breach and now lack trust in key institutions that hold sensitive information.

Despite the threat, some organizations neglect to take adequate steps to protect their databases. Sites that scan the internet for databases show deployments that do not take even the simplest security steps. There are four mandatory activities that every organization should be aware of when deploying a database to ensure data security and protect against a variety of common security threats, both malicious and accidental.

1. Secure the environment

The simplest step for environmental security is ensuring that your server has a firewall enabled to limit access to only the necessary ports and interfaces. If access from the whole internet is not needed, limit incoming connections to specific IP addresses, ranges or subnets, so that legitimate clients get in and everything else is kept out.

The servers hosting your database should have limited user access and should be kept up to date with all security patches for the operating system and database system you are running.

When data travels over the public internet, it is also beneficial to encrypt traffic between clusters through a secure tunnel, or to enable intra-cluster TLS encryption.

For databases collecting massive volumes of data, you may also want to encrypt the data at rest. Enabling this protection tends to have a minimal effect on throughput and can protect against certain attacks on a disk or server that is physically stolen. When considering file encryption, you may also want to encrypt backup files, as these are frequently moved to remote locations and may become a target for intruders.

2. Limit attack surface area

There are various ways companies can reduce their exposure to vulnerabilities and increase database security. One strategy is to use non-default ports to make port scanning harder. Changing a port from its default value is not a security control in itself, but it does reduce the exposure of servers to port scanners that cast a wide net looking for vulnerable services on well-known ports, by making those scanners work harder.

Companies should direct all database traffic to internal networks or encrypted tunnels rather than the public internet. Many servers have multiple network interfaces, which allows you to route different types of traffic over different networks. Select a database that allows you to bind its traffic to specific interfaces that sit on internal networks. With client applications, database replication and administrative functions all using an internal network, it becomes harder for outside attackers to gain access to your database through an open port.

Regardless of whether the interfaces are internal or external, the standard method for securing web traffic is Transport Layer Security (TLS/SSL). When protecting an internal interface, you can encrypt not only the data between clients and the database but also the data exchanged between the individual nodes of the cluster, that is, on the internal interfaces. Using TLS/SSL encryption on the internal interfaces of a database cluster can add latency, but if your database's internal interface is connected to a public network it is an important option to consider.

If your clients connect to the database via a public network, in addition to enabling security on the database itself, consider encrypting the communication between the clients and the database servers. You can do this as well with TLS/SSL.
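The following script turns the items in sections 1 and 2 (firewall allow-lists, binding to internal interfaces, TLS for clients and between nodes, encryption at rest and of backups) into an automated check over a deployment description. It is an added example, not code from the original article; the configuration field names, the two sample deployments and the set of "well-known" default ports are assumptions made for the example, not any particular database's configuration keys.

```python
import ipaddress

# Constructed deployment descriptions for illustration. The field names are
# assumptions for this example, not the configuration keys of a real database.
WEAK_DEPLOYMENT = {
    "bind_address": "0.0.0.0",        # listens on every interface
    "port": 5432,                     # a well-known default port
    "firewall_allow": ["0.0.0.0/0"],  # the whole internet may connect
    "tls_clients": False,
    "tls_intra_cluster": False,
    "encrypt_at_rest": False,
    "encrypt_backups": False,
}

HARDENED_DEPLOYMENT = {
    "bind_address": "10.0.1.20",      # internal interface only
    "port": 15432,                    # non-default port
    "firewall_allow": ["10.0.1.0/24", "10.0.2.0/24"],  # app and admin subnets
    "tls_clients": True,
    "tls_intra_cluster": True,
    "encrypt_at_rest": True,
    "encrypt_backups": True,
}

# Ports that wide-net scanners routinely probe (assumed list for the example).
DEFAULT_PORTS = {5432, 3306, 27017, 6379}
# Allow-list entries wider than this many addresses are treated as "whole network".
MAX_ALLOWED_HOSTS = 1024
REQUIRED_FLAGS = ("tls_clients", "tls_intra_cluster", "encrypt_at_rest", "encrypt_backups")


def audit_deployment(cfg):
    """Return a list of checklist findings; an empty list means items 1 and 2 pass."""
    findings = []

    # Item 2: the database should only listen on an internal interface.
    bind = ipaddress.ip_address(cfg["bind_address"])
    if bind.is_unspecified:
        findings.append("bind-all-interfaces")
    elif not bind.is_private:
        findings.append("bind-public-address")

    # Item 1: firewall allow-lists should name specific hosts or subnets.
    for cidr in cfg["firewall_allow"]:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.num_addresses > MAX_ALLOWED_HOSTS:
            findings.append(f"firewall-allow-too-broad:{cidr}")

    # Item 2: a default port is not a vulnerability by itself, so only flag it as info.
    if cfg["port"] in DEFAULT_PORTS:
        findings.append("info:default-port")

    # Items 1 and 2: transport encryption and encryption at rest / of backups.
    for flag in REQUIRED_FLAGS:
        if not cfg[flag]:
            findings.append(f"{flag}-disabled")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(name, audit_deployment(cfg))
```

The weak deployment produces one finding per unmet checklist item; the hardened one produces none. In practice the deployment dictionary would be generated from the real server and firewall configuration, and the check run from CI or a periodic job so that a regression (for example, TLS switched off during an upgrade) is caught before it reaches production.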

3. Enable database authentication and access control

Enable database security options that require a username and password or some other authentication mechanism for access to data. Selecting a database that allows role-based access control (RBAC) is one of the most effective ways to increase security. RBAC refers to giving the right levels of access by assigning roles to users and applications that connect to the database. A role is a collection of permissions or privileges to objects or operations in the database.

Organizations should implement security using the principle of least privilege, limiting client applications and users to no more privileges than are absolutely necessary. In the event of a leak or theft of credentials, minimal privileges will limit the ability of attackers to get full access to sensitive systems and information. Access control can also be used to prevent database operators and administrators from accessing sensitive data records.

An attacker who obtains your database username and password can do a great deal of damage, so database deployments should use safe and secure methods for authentication. This can be a centralized and secure authentication technology, such as Kerberos, or username/password based security. Between client and server, passwords should never be sent in plaintext across the wire, and can be further protected when paired with TLS/SSL encryption.

4. Audit access and behavior

Lastly, after implementation, companies should consistently monitor for failed or unusual authentication attempts in their security logs to ensure that authentication attempts follow expected patterns. Organizations should also be sure to capture database configuration changes and administrative actions, especially those that attempt to modify security settings.

Unfortunately, even with best practices and all precautions in place, organizations are still at risk of breaches. With massive influxes of data promised to arrive with IoT and 5G, being confident in cybersecurity will make data operations far more manageable. With these four measures in place, organizations can feel increasingly confident in their day-to-day ability to handle data appropriately.
