Database security

Translate Request has too much data
Parameter name: request
Translate Request has too much data
Parameter name: request

Database Security is one of the broader topics that Securosis covers. Database servers are highly complex systems – storing, organizing, and managing data for a wide array of applications. Most mid-sized firms have dozens of them, some embedded in desktop applications, while others serve core systems such as web commerce, financials, manufacturing, and inventory management. A Fortune 100 company may have thousands. To address the wide range of offerings and uses, we will cover database security from two different angles. The first is the security of the application itself, and the second is the use and security of the data within the database.

Database Vulnerability Assessment (VA), access control & user management, and patch management are all areas where preventative security measures can be applied to a database system. For securing the data itself, we include such topics as Database Activity Monitoring (DAM), auditing, data obfuscation/masking, and database encryption. Technologies like database auditing can be used for either, but we include them in the later category because they provide a transactional view of database usage. We also include some of the database programming guidelines that can help protect databases from SQL injection and other attacks against application logic.

Papers and Posts

If you are just getting started, we recommend you read the following blog posts and papers in order. (In keeping with our Totally Transparent Research policy, for sponsored papers we also link to the original blog posts so you can see how the content was developed, and comments).

1. Database Activity Monitoring research paper remains a reader favorite and can be downloaded here: “Understanding and Selecting a Database Activity Monitoring Solution” white paper.
2. Understanding and Selecting a Database Assessment Solution is now available. We are very happy with this paper. We have even been told by database assessment vendors their product teams learned some tips from this paper, and we think you will too.
3. Our Understanding and Selecting a Database Encryption or Tokenization Solution paper is available.
4. Database Audit Events is a comprehensive list of database events available through native database auditing techniques.
5. Many supporting posts on Database Encryption: Application vs. Database Encryption and Database Encryption: Fact vs. Fiction, Format and Datatype Preserving Encryption, An Introduction to Database Encryption, Database Encryption Misconceptions, Media encryption options for databases,and threat vectors to consider when encrypting data.
6. The 5 laws of Data Masking.

Database Security Patch Coverage

1. Oracle Critical Patch Update, July 2009.

General Coverage

1. SQL Injection Prevention
2. Database Audit Performance in this Friday Summary introduction
3. Database Encryption Benchmarking
4. Three Database Roles: Programmer, DBA, Architect
5. Database Security: The Other First Steps
6. Sentrigo and MS SQL Server Vulnerability.
7. Amazon’s SimpleDB.
8. Information on Weak Database Password Checkers.
9. Database Connections and Trust, and databases are not typically set up to validate incoming connections against SQL injection and misused credentials, and this post on recommending Stored Procedures to address SQL Injection attacks
10. Separation of Duties and Functions through roles and programmatic elements, and putting some of the web application code back into the database.
11. Native database primary key generation to avoid data leakage and inference problems, and additional comments on Inference Attacks.
12. Your Top 5 Database Security Resolutions.
13. Posts on separation of duties: Who “Owns” Database Security, and the follow-up: DBAs should NOT own DAM & Database Security.
14. A look at general threats around using External Database Procedures and variants in relational databases.
15. Database Audit Events.
16. Database Security Mass-Market Update and Friday Summary - May 29, 2009
17. Database Patches, Ad Nauseum
18. Acquisitions and Strategy
19. Comments on Oracle’s Acquisition of Sun
20. Oracle CPU for April 2009
21. Netezza buys Tizor
22. More Configuration and Assessment Options. Discusses recent Oracle and Tenable advancements.
23. Policies and Security Products applies to database security as well as other product lines.
24. Oracle Security Update for January 2009.
25. Responding to the SQL Server Zero Day: Security Advisory 961040 includes some recommendations and workarounds.
26. Will Database Security Vendors Disappear? and Rich’s follow-on Database Security Market Challenges considerations for this market segment.
27. Behavioral Monitoring for database security.
28. NitroSecurity acquired RippleTech.
29. Database Monitoring is as big or bigger than DLP.

Presentations

• Rich’s presentation on Understanding and Selecting a Database Activity Monitoring Solution. (PDF)
• Oracle database Security in a Down Economy. (PDF)

Podcasts, Webcasts and Multimedia

None at this time

Vendors/Tools

The following is just an alphabetized and categorized list of vendors and products in this area (including any free tools we are aware of). It does not imply endorsement, and is meant to assist you should you start looking for tools. Please email info@securosis.com if you have any additions or corrections.

Database Activity Monitoring

• Application Security Inc. (DBProtect)
• Fortinet.
• GreenSQL.
• IBM (Guardium).
• Imperva (SecureSphere)
• McAfee (Sentrigo).
• nitrosecurity.
• Oracle (Secerno).

Database Vulnerability Assessment

• Application Security Inc.. (AppDetective, DBProtect)
• Fortinet. (IPLocks).
• IBM (Guardium).
• Imperva. (DAS, Scuba)
• McAfee. (Sentrigo)
• Oracle. (mValent, Config. Packs)
• Qualys.
• Tenable Network Security. (Nessus)
• Next Generation Security Software NGS. (Squirrel)

Database Encryption

• NetLib.
• Oracle. (TDE, API)
• Protegrity.
• Prime Factors.
• Relational Wizards.
• RSA. (Valyd)
• SafeNet. (Ingrian)
• Sybase.
• Thales. (aka nCipher)
• Trustwave. (Vericept)
• Voltage.

Note that some of the vendors listed provide transparent disk encryption or application layer encryption that can be applied to database files or content.

Database Auditing

• Oracle.
• SoftTree Technologies. (DB Audit Expert)
• Quest. (InTrust for DB)

Database Masking

• Axis Technology.
• Camouflage.
• dataguise.
• Embarcadero.
• Grid-Tools.
• GreenSQL.
• Hexaware/Akiva.
• IBM. (Optim/Princeton Softech)
• Informatica. (ETL + Applimation)
• MENTiS Software.
• Voltage. (ETL + Dynamic)

Note that there are several vendors who offer format preserving encryption and tokenization, such as NuBridges, Prime Factors, Protegrity and Voltage, which also provides some masking capabilities.

Database Vendors

• IBM.
• Oracle. (Oracle, MySQL)
• Sybase.
• Teradata.
• Apache. (Derby)
• PostgreSQL. (Postgres)
• Ingres. (Open Ingres)

There are dozens of vendors, both big and small, who offer databases – many with specific competitive advantages. We aren’t even attempting to comprehensive, and specifically ignored any without widespread mainstream adoption. There are also dozens more open source databases with small numbers of deployments, perhaps primarily embedded in applications or backending non-commercial web applications.

Related Post :