Keys to Locking Down Storage Security on a Database

Enterprises most often keep their most valued data in structured storage inside a database of some kind, and hackers know it. Security consultant Ted Julian of Application Security offers a detailed look in several steps at how he believes database security should be implemented, starting with data discovery and moving all the way through the implementation of intrusion detection.

All storage, structured or unstructured, requires security of some kind, even if it's simply flipping an on/off switch or pulling the USB plug on a direct-attached external disk.

Database storage security, the subject of this article, can be slightly more complicated than that.

I talked recently with Ted Julian, vice president of consultancy Application Security, about the often-thorny security issues surrounding structured content in databases. Julian drew up a detailed look, in several steps, at what he sees as important in database security, starting with data discovery and moving all the way through how to implement intrusion detection.

The Starting Point: Data Discovery

First of all, you need to know exactly what you are securing.

"This is perhaps one of the easiest, yet most critical, steps in getting started in protecting your data—knowing where it is," Julian said. "The point being that, if you are looking to shore up protection against attacks on your data, if you aren't sure where that data resides, chances are that it's not currently protected. Once you can establish where your databases are residing within your environment, you can get started on assessing your overall environment and taking an inventory of your data assets."

Julian said database administrators need to inventory all databases, identify the vulnerabilities that are present and create a baseline of current security assets for ongoing comparison.

The ability to track and monitor progress is an important component of most compliance initiatives. This process will help organizations identify common flaws, including unpatched systems, weak or default passwords, excessive privileges and a lack of system monitoring. The task can be streamlined by utilizing technological solutions to assist with discovery, to establish a security posture baseline and to generate fix scripts to speed along remediation.

A complete database security solution will also include policies to monitor for threats and vulnerabilities in real time, Julian said.

DBAs need to prioritize their most pressing issues up front.

"Comprehensive database security efforts are based on vulnerability and threat data, including vulnerability severity and the criticality of the database information," Julian said. "Once priorities are documented, an organization should to enact a formal security plan, report on progress and demonstrate ongoing improvement."