Scope of the ProblemA recent study from Forrester Research highlighted the hurdles enterprises have to face when it comes to securing their databases. Eighty percent of the businesses surveyed said they did not have a database security plan, which should contain information such as the business’ approach to migration, patching schedules, what databases should be encrypted and other relevant information.
Choose a Hardening ListThere are a number of checklists out there that can help you decide how best to configure your database securely. There is no need to reinvent the wheel. Resources like the Defense Information Systems Agency have detailed guidance on how to properly configure SQL Server and Oracle, as well as generic guidelines for other databases, said Josh Shaul, vice president of product management at Application Security.
Things to Consider for Your List Some database vulnerability tools can be used to automate the process of determining whether your databases meet the requirements of the list. “Pick one or two of the highest risk issues (such as default passwords and/or missing patches) and attack those first,” Shaul said. “Layer on additional checks and tests as you see progress. This approach will have a dramatic impact on security in the shortest possible timeframe.”
Password Strength Protects the Door to DataAs Imperva’s recent analysis of the 32 million RockYou passwords showed, many people are still using weak passwords to access their accounts. When it comes to enterprise databases, the cost of having a guessable password can be high. Businesses should consider forcing password changes every so often.
Controlling PrivilegesA top concern in most environments is what the super users are doing, said Phil Neray, vice president of security strategy at Guardium. Keeping track of super users routinely rates as a top security challenge for enterprises in the annual survey by the Independent Oracle Users Group, and can be solved with database activity monitoring tools, though they can present challenges in terms of performance. Maintaining role separation also is a key part of controlling privileges.
Virtual Patching Offers Temporary Protection Virtual patching is another feature of security tools from Sentrigo, Guardium and other database security vendors. It works by detecting and blocking new exploits whether an actual patch is available for the vulnerability. It also offers a degree of protection while database patches are being tested prior to deployment.