Keys to Locking Down Storage Security on a Database

By Chris Preimesberger  |  Posted 2008-09-12 Print this article Print

Enterprises most often keep their most valued data in structured storage inside a database of some kind, and hackers know it. Security consultant Ted Julian of Application Security offers a detailed look in several steps at how he believes database security should be implemented, starting with data discovery and moving all the way through the implementation of intrusion detection.

All storage, structured or unstructured, requires security of some kind, even if it's simply flipping an on/off switch or pulling the USB plug on a direct-attached external disk.

Database storage security, the subject of this article, can be slightly more complicated than that.

I talked recently with Ted Julian, vice president of consultancy Application Security, about the often-thorny security issues surrounding structured content in databases. Julian drew up a detailed look, in several steps, at what he sees as important in database security, starting with data discovery and moving all the way through how to implement intrusion detection.

The Starting Point: Data Discovery

First of all, you need to know exactly what you are securing.

"This is perhaps one of the easiest, yet most critical, steps in getting started in protecting your data-knowing where it is," Julian said. "The point being that, if you are looking to shore up protection against attacks on your data, if you aren't sure where that data resides, chances are that it's not currently protected. Once you can establish where your databases are residing within your environment, you can get started on assessing your overall environment and taking an inventory of your data assets."

Julian said database administrators need to inventory all databases, identify the vulnerabilities that are present and create a baseline of current security assets for ongoing comparison.

The ability to track and monitor progress is an important component of most compliance initiatives. This process will help organizations identify common flaws, including unpatched systems, weak or default passwords, excessive privileges and a lack of system monitoring. The task can be streamlined by utilizing technological solutions to assist with discovery, to establish a security posture baseline and to generate fix scripts to speed along remediation.

A complete database security solution will also include policies to monitor for threats and vulnerabilities in real time, Julian said.

DBAs need to prioritize their most pressing issues up front.

"Comprehensive database security efforts are based on vulnerability and threat data, including vulnerability severity and the criticality of the database information," Julian said. "Once priorities are documented, an organization should to enact a formal security plan, report on progress and demonstrate ongoing improvement."

Chris Preimesberger Chris Preimesberger was named Editor-in-Chief of Features & Analysis at eWEEK in November 2011. Previously he served eWEEK as Senior Writer, covering a range of IT sectors that include data center systems, cloud computing, storage, virtualization, green IT, e-discovery and IT governance. His blog, Storage Station, is considered a go-to information source. Chris won a national Folio Award for magazine writing in November 2011 for a cover story on and CEO-founder Marc Benioff, and he has served as a judge for the SIIA Codie Awards since 2005. In previous IT journalism, Chris was a founding editor of both IT Manager's Journal and and was managing editor of Software Development magazine. His diverse resume also includes: sportswriter for the Los Angeles Daily News, covering NCAA and NBA basketball, television critic for the Palo Alto Times Tribune, and Sports Information Director at Stanford University. He has served as a correspondent for The Associated Press, covering Stanford and NCAA tournament basketball, since 1983. He has covered a number of major events, including the 1984 Democratic National Convention, a Presidential press conference at the White House in 1993, the Emmy Awards (three times), two Rose Bowls, the Fiesta Bowl, several NCAA men's and women's basketball tournaments, a Formula One Grand Prix auto race, a heavyweight boxing championship bout (Ali vs. Spinks, 1978), and the 1985 Super Bowl. A 1975 graduate of Pepperdine University in Malibu, Calif., Chris has won more than a dozen regional and national awards for his work. He and his wife, Rebecca, have four children and reside in Redwood City, Calif.Follow on Twitter: editingwhiz

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel