Welcome Guest. | Log In| Register | Membership Benefits
  • Email this page E-mail this page
  • |  Print Print this page
  • |   Bookmark and Share

Six Steps Toward Better Database Security Compliance

Discovery, assessment, and monitoring play key roles in compliance efforts, experts say

Oct 09, 2009 | 03:50 PM | 

By Ericka Chickowski

In a sea of compliance initiatives, database security is often overlooked. But experts say no matter what the regulations say, securing the database is a critical part of any compliance effort.

"What I've found in my experience is that the database is often the forgotten layer, even though it's the layer where the crown jewels -- the data -- usually resides," says Scott Laliberte, global leader of information security assessment services for Protiviti, which conducts third-party audit assessments for enterprises.

But improving the security of the database as part of a larger compliance initiative is doable, experts say. The trick is to follow six steps toward database compliance. Let's take a look.

1. Database Discovery And Risk Assessment Before organizations can start their database compliance efforts, they must first find the databases -- and where the regulated data resides in them.

"That's a big challenge for a lot of folks. They know where their mainframes are, and they know where a lot of their systems are but...they don't really know which database systems they have on their network," says Josh Shaul, vice president of product management for Application Security, a database security company. "And even the systems they know about, they're not entirely sure which ones contain the sensitive data."

2. Vulnerability And Configuration Management Once an inventory has been developed, organizations need to look at the databases themselves. Before moving forward, they must ensure each database is securely configured and hardened to attack.

"Basic configuration and vulnerability assessment of databases is a key starting point for enterprises," Shaul says.

3. Access Management and Segregation of Duties Figuring out who has access to regulated data, what kind of access they are given, and whether that access is appropriate for their jobs is at the heart of complying with regulatory mandates.

The act of managing database accounts and entitlements can range from the simple to the incredibly complex. Laliberte recommends enterprises start with the simpler tasks, which are still ignored in many organizations.

"Sometimes it's as simple as account management, password controls, and removing default accounts," Laliberte says. "Those types of things we typically see not as well controlled at the database level as they are at the operating system or application level."

More complicated is the issue of segregation of duties and entitling permissions based on roles. "It's segregation of duties violations that get organizations every single time [when they're audited]," Shaul says. "Segregation of duties in the end is a cornerstone of the regulations that folks are trying to deal with."

The task of segregating users based on roles means understanding each user's duties, experts say. And it can't be a one-time task. Organizations need to be vigilant to constantly review roles and entitlements to prevent toxic combinations of privileges.

Take, for example, a payments clerk who gets a promotion to run the accounts payable department. In the new position, that person "owns" the AP system and has the ability to modify and delete checks that have been written. If his ability to write new checks hasn't been revoked, that person now has the ability to commit fraud.

1 |  2 |  Next Page » 



Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dark Reading encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dark Reading moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Dark Reading further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS



Database Security Reports

report Ensuring Secure Database Access
Role-based access control based on least user privilege is one of the most effective ways to prevent the compromise of corporate data. But proper provisioning is a growing challenging, due to the proliferation of "big data," NoSQLdatabases, and cloud-based data storage.

report Stop SQL Injection: Don't Let Thieves in Through Your Web Apps
Think your corporate website isn't vulnerable to a SQL injection attack? Start rethinking. SQL injection is among the most prevalent -- and most dangerous -- techniques for exploiting Web applications and attacking back-end databases that house critical business information at companies of every size. And it persists despite relatively simple and effective countermeasures. Here, we explain how SQL injection works, and how to secure your Web apps and databases against it.

report Database Breaches: Lessons Learned From Real-World Attacks
Recently, there's been a rash of major database breaches, including those at Gawker.com, McDonald's and Walgreens. All the companies had solid resources at their disposal, so what went wrong? In this Tech Center report, we profile five database breaches?and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk.

Other reports from the Database Security Tech Center:

Related Content

Data security and privacy: A holistic approach
This paper examines the complex data security and privacy threat landscape; compliance and regulatory requirements; and, the IBM InfoSphere portfolio of integrated solutions designed to help you stay focused on meeting your organization's business goals, achieving compliance and reducing risk. IBM InfoSphere solutions for data security and privacy support a holistic approach ensuring the protection and integrity of your data.

Ten Database Activities Enterprises Need to Monitor
Enterprises are paying too little attention to security risks associated with their databases. Auditors, security/risk professionals and data owners need to watch for behaviors that may indicate database security problems. Learn the 10 critical database activities & behaviors enterprises should audit now.

The Forrester Wave: Database Auditing And Real-Time Protection
Database auditing has become critical as enterprises deal with regulatory compliance and security requirements. Learn why Forrester Research named IBM InfoSphere Guardium a Leader with #1 scores in all 3 top-level categories: Current Offering, Strategy and Market Presence.

Look Beyond Native Database Auditing to Improve Database Security
This Forrester Consulting study provides real-world findings from in-depth interviews with enterprises that have implemented database auditing and real-time protection solutions to ensure comprehensive auditing, real-time monitoring and protection of critical database and enterprise applications from internal and external attacks.

HOWTO Safeguard Against the Latest Cyber-Threats
2010 saw 27% rise in new vulnerabilities with the largest category being Web Application vulnerabilities. Tom Cross discusses these security events from the "IBM X-Force 10 Trend and Risk Report." Learn more about APTs, virtualization and cloud security threats.