Most common mistakes when
securing databases"> eWEEK.COM: What are the most common mistakes made when it comes to securing databases? DAVIDSON: The most common mistake overall is for anyone to assume that something "behind the firewall" will not be attacked, or alternatively, that their insiders are all upstanding citizens. I believe John Pescatore at Gartner has a quote that states, "Seventy percent of the attacks are from the Internet, but 70 percent of the damage is from insiders."Start with basic security (lock unused accounts, require strong passwords or strong authentication, ensure least privilege, audit regularly and maintain secure configurations). Next, think defensively: assume that someone gets past your firewall and the middle tier; now, how do you protect the database? Assume someone wants to get your data, not that "nobody would ever do that." If you expect that a burglar will try to break into your house, you are going to plan and act differently than if you think, "Well, I live in a nice neighborhood, so I dont need to worry about being robbed." Cyberspace is not a safe neighborhood. eWEEK.COM: What are, or can, vendors do to make their databases more secure/more easy to secure? For example, what is Oracle doing differently with 10g than it did with 9i? DAVIDSON: Making default configurations more secure out of the box is important, but surprisingly difficult because of the "dependency problem." For example, if I change one security setting (in the database) from "true" to "false," what happens to all the products that run on that database? Do they require the security setting to be "true?" Coming up with security settings is not difficult; it is making sure that changing those settings does not break anything else. We have built some security health checks into 10g that help automate best practices. Also, we are able to determine if customers have applied the latest security patches. Both of these enhancements make it easier for customers to secure their systems and maintain that security. Will locking the database down by default help secure this vital enterprise component? Can vendors do more to help? Tell me your thoughts at firstname.lastname@example.org. Database Center Editor Lisa Vaas has written about enterprise applications since 1997. Do you trust Oracle to inflict a more complex database on you without compromising your enterprises security? Chime in on the discussion at eWEEK forum.