Most common mistakes when securing databases

By Lisa Vaas  |  Posted 2003-12-08

eWEEK.COM: What are the most common mistakes made when it comes to securing databases?

DAVIDSON: The most common mistake overall is for anyone to assume that something "behind the firewall" will not be attacked, or alternatively, that their insiders are all upstanding citizens. I believe John Pescatore at Gartner has a quote that states, "Seventy percent of the attacks are from the Internet, but 70 percent of the damage is from insiders."

Start with basic security (lock unused accounts, require strong passwords or strong authentication, ensure least privilege, audit regularly and maintain secure configurations). Next, think defensively: assume that someone gets past your firewall and the middle tier; now, how do you protect the database? Assume someone wants to get your data, not that "nobody would ever do that." If you expect that a burglar will try to break into your house, you are going to plan and act differently than if you think, "Well, I live in a nice neighborhood, so I don't need to worry about being robbed." Cyberspace is not a safe neighborhood.

eWEEK.COM: What are vendors doing, or what can they do, to make their databases more secure or easier to secure? For example, what is Oracle doing differently with 10g than it did with 9i?

DAVIDSON: Making default configurations more secure out of the box is important, but surprisingly difficult because of the "dependency problem." For example, if I change one security setting (in the database) from "true" to "false," what happens to all the products that run on that database? Do they require the security setting to be "true"? Coming up with security settings is not difficult; it is making sure that changing those settings does not break anything else. We have built some security health checks into 10g that help automate best practices. Also, we are able to determine if customers have applied the latest security patches. Both of these enhancements make it easier for customers to secure their systems and maintain that security.

Will locking the database down by default help secure this vital enterprise component? Can vendors do more to help? Database Center Editor Lisa Vaas has written about enterprise applications since 1997.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
