The use of database management systems to store data has been one of the major improvements in the technology sector. In the recent past, more organizations have moved from manual data storage, which involves too much paperwork, to computer storage. Moreover, current technology allows data and information storage to be centralized so that an organization can access all of its data from a central server. However, as these innovations were made, security issues have undermined the efforts; organizations should therefore understand that there are possible threats to the stored data and information, and they should find all possible means to prevent, control and avoid such threats.
A database is an organized collection of data, in the form of objects such as tables, queries, schemas and reports. Database Management Systems (DBMS), on the other hand, refers to the collection of interrelated data and the set of programs for storing and retrieving that data efficiently and easily. According to database systems principles, data is stored so that the storage space it requires is minimal, since database design strongly recommends the removal of redundant (duplicate) data (Bidgoli, 2006). For example, suppose a bank customer has two accounts (a savings account and a current account). If the bank stores the data for the two accounts separately, the person's details will be repeated many times. A database system allows the designer to develop a database that links the person's details to the two accounts, through a process called normalization, so that redundancy is minimized.
Database security was neglected for quite some time after monolithic mainframes were replaced by client-server systems that exposed the Structured Query Language (SQL) command line. As a network grows larger, the number of loopholes for attacks multiplies; there is therefore a need to reinforce the separation of data-layer security from application-layer security to improve security.
Most companies store sensitive information in databases. However, they sometimes do not give database security as much importance and thought as other areas of computer security. In recent years, hackers have been able to gain access to large databases in attempts to obtain sensitive personal information and bank credit card numbers. Because such risks exist, databases need to be secured against threats and vulnerabilities. This paper discusses database security, the issues, threats and technology trends that affect it, and the appropriate measures to combat them.
Some basic key concepts include data, database security and database assurance. Data refers to raw and unprocessed information. For example, data relating to a student includes name, age, height and telephone number. This data is sometimes very sensitive. For example, if the student's details are connected to his or her bank account details, an attacker gains a chance to manipulate the student into giving up his or her bank details, if there is cash in the account. Database security can be defined as the process or system of protecting the Confidentiality, Integrity, and Availability of the database. Loss of confidentiality means unauthorized access to database resources; loss of integrity means unauthorized alteration of database data; and loss of availability means lack of access to the database. If any of the three is lost, database security is heavily affected. Database assurance is another factor that should be addressed when examining database security. Database assurance relates to the trust that users have in the company database. For example, if a company's web application for selling products online faces a cross-site scripting threat, the trust that customers have in the company's information will decrease (Bidgoli, 2006). Such loss of trust or assurance in the company's data may lead to business losses.
Threats and Vulnerabilities, and Possible Remedies
This guideline covers the identification of threats and vulnerabilities to database security. A threat can be defined as any event that compromises the Confidentiality, Integrity and Availability (CIA) of the DBMS. There have been many attacks on databases in recent years; one possible reason is that the growth in network size has increased the number of vulnerabilities and attack points. On the other hand, users play a part by failing to protect their data, such as login credentials, from attackers when they use simple passwords.
Even as technologists invent measures to combat such threats and system vulnerabilities, attackers learn new ways into those systems. Several trends have emerged in database security. Firstly, malicious activity has become web-based. Secondly, attackers have shifted their target from computing devices to end users. Also, the subversive economy is uniting and developing. Finally, attackers and their activities are rapidly adapting to new technological changes in database systems.
There are several threats and vulnerabilities to database security. The impact of these threats differs: some have a minor effect while others greatly affect database security. One of the major vulnerabilities exists within the operating system (such as Linux and Windows) and related services. When attackers access the system without authorization, they may interfere with system services, leading to a Denial of Service (DoS) attack. Recently, attackers have been using database rootkits to gain access to database data.
Rootkits are procedures or programs hidden within the database that provide administrative privileges for accessing the database data. Rootkits may turn off alerts triggered by Intrusion Prevention Systems (IPS). The opportunity to install rootkits arises after the operating system has been compromised. In some cases, if users employ weak authentication techniques, attackers can easily obtain login details through strategies such as brute force and social engineering and eventually access the system (IFIP TC11 Working Conference on Database Security et al., 1997).
A popular attack on databases is SQL injection, whereby the attacker alters the input submitted through a user form so that unauthorized commands pass through. SQL injections are easily identified by application firewalls such as Heroes, Sanctum, and NetContinuum, which identify such abnormal behavior and block attacks on databases.
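The difference between input that becomes part of the command and input that stays data can be seen in a short added example (not from the original essay), using Python's built-in sqlite3 module. The table, the function names and the sample input are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, kind TEXT, balance INTEGER)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "savings", 1200), ("alice", "current", 300),
         ("bob", "savings", 9000)],
    )
    return db

def lookup_vulnerable(db, owner):
    # Weak form: the form value is pasted into the SQL text, so quote
    # characters in the input become part of the command itself.
    sql = "SELECT owner, kind, balance FROM accounts WHERE owner = '%s'" % owner
    return db.execute(sql).fetchall()

def lookup_parameterized(db, owner):
    # Hardened form: the statement is fixed and the value is bound
    # separately, so the input is only ever compared as data.
    sql = "SELECT owner, kind, balance FROM accounts WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()

def looks_tampered(owner):
    # Simplified stand-in for an application firewall rule (an assumption of
    # this example): an owner name is expected to be letters and digits only.
    return not owner.isalnum()

if __name__ == "__main__":
    db = make_db()
    crafted = "alice' OR '1'='1"  # constructed form input
    for name in ("alice", crafted):
        print(repr(name), "tampered:", looks_tampered(name))
        print("  vulnerable    ->", len(lookup_vulnerable(db, name)), "rows")
        print("  parameterized ->", len(lookup_parameterized(db, name)), "rows")
```

With the altered input, the concatenated query returns every customer's rows, while the parameterized query returns none because no owner has that literal name.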
Finally, a fragile logging system in a database server is a serious risk to a business, especially in retail, finance, medical care, and other sectors with strict regulatory compliance requirements. Regulations such as Payment Card Industry (PCI), Sarbanes-Oxley (SOX), and the Health Insurance Portability and Accountability Act (HIPAA) require extensive records of actions so that an event can be reconstructed at a later time if an incident occurs. Vulnerable or unusual transactions occurring in a database should be recorded automatically so that events can be resolved. Audit traces act as the final line of database protection (IFIP TC11 Working Conference on Database Security et al., 1997). To protect the database from threats, the following rudimentary measures should be performed.
The first line of defense is to put access controls and authorization procedures in place. It should be noted that database authentication and domain authentication are two different things. This area warrants scrutiny to ensure that accounts are properly designed and that the database system is properly deployed. The longer a database operates, the more access rights drift away from the secure baseline. The following steps are recommended. First, default user passwords should be changed when the database is installed. Inactive accounts and public accounts should be locked, since attackers can easily exploit them. Policies should also be set to enforce the use of strong passwords. For example, the system should be programmed so that users cannot choose easily guessed passwords when signing up or changing passwords. Security analysts should also decide on one authentication model (either domain or database authentication, but not a mixture of both). More importantly, user roles should be easy to examine. Users' permissions, roles and group memberships should be listed and reviewed. Administrative rights in particular should be protected. The roles, functions and stored procedures meant for administrators should be reserved for administrators and not delegated to other users. Finally, database administrative tasks should be divided among administrators who operate under different administrative accounts.
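The review steps above can be run as a repeatable check over an exported account list. The following is an added example, not part of the original essay; the inventory format, the field names, the 90-day idle threshold and the approved-administrator list are all assumptions made for illustration.

```python
from datetime import date

# Constructed account inventory; field names are assumptions for this example.
ACCOUNTS = [
    {"name": "sa", "auth": "database", "roles": {"admin"}, "locked": False,
     "default_password": True, "last_login": date(2024, 5, 30)},
    {"name": "guest", "auth": "database", "roles": {"public"}, "locked": False,
     "default_password": False, "last_login": date(2023, 1, 10)},
    {"name": "CORP\\dba_anna", "auth": "domain", "roles": {"admin"}, "locked": False,
     "default_password": False, "last_login": date(2024, 6, 1)},
    {"name": "report_app", "auth": "database", "roles": {"reader", "admin"},
     "locked": False, "default_password": False, "last_login": date(2024, 6, 2)},
    {"name": "old_batch", "auth": "database", "roles": {"writer"}, "locked": True,
     "default_password": False, "last_login": date(2022, 11, 3)},
]

def review_accounts(accounts, today, approved_admins, max_idle_days=90):
    """Return sorted (account, finding) pairs for the checks listed above."""
    findings = []
    for a in accounts:
        idle = (today - a["last_login"]).days
        if a["default_password"]:
            findings.append((a["name"], "default password not changed"))
        if not a["locked"] and idle > max_idle_days:
            findings.append((a["name"], "inactive account not locked"))
        if not a["locked"] and "public" in a["roles"]:
            findings.append((a["name"], "public account not locked"))
        if "admin" in a["roles"] and a["name"] not in approved_admins:
            findings.append((a["name"], "admin role outside approved list"))
    # One authentication model should be in use, not a mixture of both.
    models = {a["auth"] for a in accounts if not a["locked"]}
    if len(models) > 1:
        findings.append(("*", "mixed authentication models: " + ", ".join(sorted(models))))
    return sorted(findings)

if __name__ == "__main__":
    approved = {"sa", "CORP\\dba_anna"}
    for name, finding in review_accounts(ACCOUNTS, date(2024, 6, 10), approved):
        print(f"{name}: {finding}")
```

Running the same check on a schedule and comparing the findings between runs shows where access rights have drifted from the baseline.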
The next important measure, which determines both security and operational integrity, is the database configuration assessment. In this technique, the database configuration is analyzed through database queries, analysis of configuration files, or the available assessment tools. Modules and services that are not needed are then removed, because their presence may open the way for attackers. The approved configuration baselines are then documented. Finally, the use of scanning tools to discover available databases is very important (Lunt et al., 1992).
Database communications are a very important area where security is concerned. To keep communications private, the first step is to encrypt the sessions between applications and the database, especially for web application connections. Database encryption exists in two forms: transparent encryption, which covers the whole database and needs no changes to business activities, and user encryption, which is applied only to specific objects in the database and requires changes to the application code. Transparent encryption is designed to protect information on storage media, such as drives and tapes, from being accessed outside the database. User encryption can be used to protect both media and data. The port number of the database should be set to a non-default value. This makes it harder for an attacker to get information through automation. Blocking ad hoc connections from unknown locations, at a given time or via unknown applications, is very important. Such connections can be detected and rejected by login triggers, firewalls, and access control systems.
Media protection, as well as log and event review, is also very important. Protection of backup media is important because it contains almost all of the company's data. If a backup is lost, it becomes a cause of a data breach. Logging of events involves keeping an inventory of all the events that occur in a transaction. By creating a log retention policy, you can determine and filter out the events you no longer need. You should continuously review the database and system logs and log settings, while focusing on the failures of functions of systems that logins were showing system survey.
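One way to keep the inventory of events described here, and the audit traces discussed earlier, is to let the database record changes itself. The following is an added example, not part of the original essay: it uses SQLite triggers through Python's sqlite3 module, and the table and trigger names are constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);
CREATE TABLE audit_log (
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    at TEXT DEFAULT CURRENT_TIMESTAMP,
    action TEXT, account_id INTEGER, old_balance INTEGER, new_balance INTEGER
);
-- Every balance change is recorded by the database itself, so the trail
-- does not depend on each application remembering to log.
CREATE TRIGGER audit_balance AFTER UPDATE OF balance ON accounts
BEGIN
    INSERT INTO audit_log (action, account_id, old_balance, new_balance)
    VALUES ('UPDATE', OLD.id, OLD.balance, NEW.balance);
END;
CREATE TRIGGER audit_delete AFTER DELETE ON accounts
BEGIN
    INSERT INTO audit_log (action, account_id, old_balance, new_balance)
    VALUES ('DELETE', OLD.id, OLD.balance, NULL);
END;
-- The trail is append-only: attempts to rewrite or erase it are refused.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

def open_audited_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO accounts VALUES (1, 'alice', 1200)")  # constructed row
    return db

def trail(db):
    """Return the audit trail in order, without the timestamp column."""
    return db.execute("SELECT action, account_id, old_balance, new_balance "
                      "FROM audit_log ORDER BY seq").fetchall()

def try_tamper(db):
    """Return True if the database refused an attempt to erase the trail."""
    try:
        db.execute("DELETE FROM audit_log")
        return False
    except sqlite3.DatabaseError:
        return True
```

Triggers like these do not stop an account that is allowed to drop them, which is why the division of administrative tasks among separate accounts still matters.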
It is highly recommended to update the database regularly by installing certified patches, depending on the database vendor. The major goal of database updating and patching is to draw on the database vendor's skills and capability to spot and tackle security challenges. Firstly, you should set up an environment in which to run reasonable functional assessments on the database before production deployment. Only install verified and certified patches from vendors. To know that the patches are genuine, you can synchronize your patch cycles with the vendor's patch releases. Web and database firewalls are important applications in the verification of patches (Lunt et al., 1992).
Technology is ever-changing, and as networks and databases grow bigger, there is a need to develop measures for controlling and preventing the issues facing database security. Data is very important both to users and to organizations. To ensure that database data is secure, all users must be involved, from the administrator to the end user who knows nothing about the conceptual structure of the system. Database security is a communal role managed by all the parties involved, since the attacker does not distinguish between users; his or her intention is simply to get away with the benefits.
Bidgoli, H. (2006). Handbook of Information Security Volume 3. Hoboken: John Wiley & Sons.
IFIP TC11 Working Conference on Database Security, Samarati, P., Sandhu, R. S., & International Federation for Information Processing. (1997). Database security: Proceedings of the tenth annual IFIP TC11 Working Conference on Database Security, July 1996. London: Chapman & Hall on behalf of the International Federation for Information Processing (IFIP).
Lunt, T. F., & Rome Air Development Center. (1992). Research directions in database security. New York: Springer-Verlag.