10/9/2009
03:50 PM

Six Steps Toward Better Database Security Compliance

Discovery, assessment, and monitoring play key roles in compliance efforts, experts say

4. Monitoring Risky Behaviors And Users

Unfortunately there is a built-in segregation of duties violation in every database -- and it's one you can't get rid of, Shaul says. It's called a database administrator.

"Databases in general don't give you the ability to take DBAs' data access away from them," Shaul says. "And that's what auditors are coming in and flagging folks for, saying, 'First and foremost, you've got this easy-to-find segregation of duties violation. Your DBA can touch your data, modify your data, and take it out of the building.'"

This exposure is one reason why database activity monitoring is so critical to enterprises seeking to satisfy regulatory requirements: if the DBA's access cannot be removed, the compensating control is a record of what that access was used for. Unfortunately, all too many organizations fail to log, track, or monitor database activity because they worry that such monitoring may affect database performance.

"Typically, database logging is not turned on because it can generate a lot of log activity," Laliberte says. "And not having those elements turned on can make it difficult to monitor for inappropriate access."

DBAs and other database stakeholders should know that today's third-party monitoring tools are far less of a burden on database performance than they were in years past, experts say. Organizations can also keep the overhead manageable by prioritizing what they monitor according to risk.

"Typically, what I advise my clients is to look at it from a risk-based approach," Laliberte says. "You really want to structure the audit and logging settings appropriate to the risk factors that would be affecting the resources that you're trying to protect."

Among other metrics, enterprises should track failed login attempts, changes to privileged user access (new grants, revoked rights, role changes), and changes to highly sensitive data, experts say.

5. Reporting On Compensating Controls

In those instances where organizations have appropriate compensating controls in place, auditors want proof that these controls actually exist, Laliberte says.

"In some instances they may have mitigating controls or compensating controls in place, but they may not have them very well-documented," he says.

For example, you may tell an auditor that you're conducting a biweekly review to ensure access controls are appropriate. But if you can't produce evidence that the review is taking place according to schedule, the auditor will likely flag you, Laliberte says.

"And by the way, usually when you can't produce evidence that a control exists, that tends to break down over time and somebody forgets to do it each week," Laliberte says. "Unless it's formally tracked and reported upon, the control will typically fail at some point."

While automating these tasks certainly improves the odds that a control keeps working over time, automation isn't always necessary. For example, Laliberte notes that if a company is conducting biweekly reviews, all it may need is a ticketing system that reminds the responsible party to do the manual review every two weeks. That person then enters the results of the review and closes the ticket once the job is complete. This creates a paper trail that's available when the auditors come knocking.

6. Following Defense-In-Depth Strategies

Finally, it is important to remember to keep a little perspective on the matter of database security and compliance.

"This is really just a piece of what has to be a pretty large security program that's going to allow you to meet these regulations," says Mike Rothman, senior vice president of strategy for eIQnetworks, a security information and event management company. "There's no silver bullet."

Most security experts warn organizations that they need layered "defense in depth" strategies, so that an attacker cannot simply go around the database's own defenses and leave the organization both noncompliant and insecure.

Take out-of-band access to databases, for instance. Phil Lieberman, president of Lieberman Software, a password management company, believes this is one of the biggest database risks of all. "They're accessing the database using secondary methods," he says.

For example, Lieberman notes, many organizations leave themselves at risk when they fail to encrypt database backup tapes. The data may be well protected on the server, but if someone with ill intent gets hold of an unencrypted tape, it is compromised all the same. Similarly, out-of-band access through the application's own connection accounts -- a person using those credentials with a tool other than the application -- must also be addressed, he says.

"People getting into the database using development tools rather than getting into it via the application itself is a big risk," Lieberman says. "It depends on how strong the connection paths are. A lot of companies will implement the application and the database in a DMZ, in which case there is no direct access to the database; you can only get to the application."
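The following script is an added example, not code from the article or from any of the vendors quoted in it. It applies the metrics listed under step 4 (failed logins, privileged-access changes, changes to sensitive data) and the out-of-band access risk described here to a constructed database audit log, and ranks the results by risk tier in the spirit of Laliberte's risk-based approach. The pipe-delimited log format, the table and host names, the client program names, the user names and the thresholds are all assumptions made for illustration; a real deployment would feed the same rules from the database's native audit trail or a monitoring agent.

```python
# Added example: risk-tiered database activity monitoring over audit events.
# Not code from the article or from any vendor it quotes; every field, table,
# host, program name and threshold here is an assumption made for illustration.
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Assumed risk inventory and the sanctioned application path to the database.
SENSITIVE_TABLES = {"customers", "card_tokens", "payroll"}
APP_HOSTS = {"10.0.2.10", "10.0.2.11"}
APP_PROGRAMS = {"orders-api"}
APP_USERS = {"orders_app"}
WRITE_ACTIONS = {"INSERT", "UPDATE", "DELETE"}
PRIV_ACTIONS = {"GRANT", "REVOKE", "ALTER_ROLE"}
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
# Risk tier per rule: the noisy brute-force rule ranks below the others.
SEVERITY = {"failed_login_burst": "medium", "privilege_change": "high",
            "sensitive_access": "high", "out_of_band": "high"}

# One audit event; action is one of LOGIN_OK, LOGIN_FAILED, GRANT, REVOKE,
# ALTER_ROLE, SELECT, INSERT, UPDATE, DELETE; obj is the table or role touched.
AuditEvent = namedtuple("AuditEvent", "ts user client_host program action obj statement")
Alert = namedtuple("Alert", "rule user ts detail")

def load(text):
    """Parse the constructed format ts|user|host|program|action|object|statement."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, user, host, program, action, obj, stmt = line.split("|", 6)
        events.append(AuditEvent(datetime.fromisoformat(ts), user, host, program, action, obj, stmt))
    return events

def failed_login_bursts(events):
    """Rule 1: threshold-many LOGIN_FAILED for one user inside a sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e.action == "LOGIN_FAILED":
            by_user[e.user].append(e.ts)
    alerts = []
    for user, times in by_user.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > FAILED_LOGIN_WINDOW:
                lo += 1
            if hi - lo + 1 >= FAILED_LOGIN_THRESHOLD:
                alerts.append(Alert("failed_login_burst", user, t, f"{hi - lo + 1} failures"))
                break  # one alert per user per batch
    return alerts

def privilege_changes(events):
    """Rule 2: every change to privileged access, whoever made it; the DBA's own
    GRANTs are exactly what the auditor wants to see on record."""
    return [Alert("privilege_change", e.user, e.ts, e.statement)
            for e in events if e.action in PRIV_ACTIONS]

def sensitive_data_access(events):
    """Rule 3: any write to a sensitive table, and any read of one by a user other
    than the application role (the 'take it out of the building' case)."""
    return [Alert("sensitive_access", e.user, e.ts, f"{e.action} {e.obj}")
            for e in events if e.obj in SENSITIVE_TABLES
            and (e.action in WRITE_ACTIONS
                 or (e.action == "SELECT" and e.user not in APP_USERS))]

def out_of_band_access(events):
    """Rule 4: a session that bypassed the application tier (wrong client host,
    or a developer tool rather than the application as the client program)."""
    return [Alert("out_of_band", e.user, e.ts, f"{e.program}@{e.client_host}")
            for e in events if e.action == "LOGIN_OK"
            and (e.client_host not in APP_HOSTS or e.program not in APP_PROGRAMS)]

def evaluate(text):
    """Run every rule; return alerts with the high-risk tier first, then by time."""
    events = load(text)
    alerts = (failed_login_bursts(events) + privilege_changes(events)
              + sensitive_data_access(events) + out_of_band_access(events))
    return sorted(alerts, key=lambda a: (SEVERITY[a.rule] != "high", a.ts))

# Constructed sample log (not real data): an application session, a password-
# guessing run against 'jsmith', and a DBA reading card data from a desktop tool.
SAMPLE_AUDIT_LOG = """\
2009-10-09T14:00:01|orders_app|10.0.2.10|orders-api|LOGIN_OK||
2009-10-09T14:00:02|orders_app|10.0.2.10|orders-api|SELECT|orders|SELECT * FROM orders WHERE id = ?
2009-10-09T14:00:40|orders_app|10.0.2.11|orders-api|LOGIN_FAILED||
2009-10-09T14:01:10|jsmith|192.168.5.23|sqlplus|LOGIN_FAILED||
2009-10-09T14:01:15|jsmith|192.168.5.23|sqlplus|LOGIN_FAILED||
2009-10-09T14:01:21|jsmith|192.168.5.23|sqlplus|LOGIN_FAILED||
2009-10-09T14:01:30|jsmith|192.168.5.23|sqlplus|LOGIN_FAILED||
2009-10-09T14:01:44|jsmith|192.168.5.23|sqlplus|LOGIN_FAILED||
2009-10-09T14:02:00|dba_admin|10.0.9.5|toad|LOGIN_OK||
2009-10-09T14:02:30|dba_admin|10.0.9.5|toad|GRANT|reports_ro|GRANT SELECT ON card_tokens TO reports_ro
2009-10-09T14:03:00|dba_admin|10.0.9.5|toad|SELECT|card_tokens|SELECT * FROM card_tokens
2009-10-09T14:03:30|orders_app|10.0.2.11|orders-api|UPDATE|customers|UPDATE customers SET email = ? WHERE id = ?
"""

if __name__ == "__main__":
    for a in evaluate(SAMPLE_AUDIT_LOG):
        print(f"{SEVERITY[a.rule]:6} {a.rule:18} {a.user:10} {a.ts.time()} {a.detail}")
```

On the sample log the DBA session trips three rules at once: the login came from a desktop tool rather than the application tier, it granted a new right on a sensitive table, and it read that table directly. Those are the records that answer the auditor's segregation-of-duties finding, since the DBA's access cannot be removed but its use is now evidenced. The single failed login by the application account stays below the burst threshold and produces nothing, which is the point of setting thresholds by risk rather than alerting on every event.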

Above and beyond these access concerns, Rothman believes companies need to be able to correlate database security events with the rest of their security data, both to satisfy regulations and to pinpoint attacks in real time.

"There is a lot of stuff that you have to do programmatically -- and then you have to have the technology in place and the infrastructure and processes working to be able to analyze all of this stuff that you're looking at in order to really be compliant," he says. "Your goal should be to be doing all of that stuff to secure your environment -- from there, the compliance [issue] works itself out."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Page 2 of 2