
Six Steps Toward Better Database Security Compliance

Discovery, assessment, and monitoring play key roles in compliance efforts, experts say

4. Monitoring Risky Behaviors And Users

Unfortunately there is a built-in segregation of duties violation in every database -- and it's one you can't get rid of, Shaul says. It's called a database administrator.

"Databases in general don't give you the ability to take DBAs' data access away from them," Shaul says. "And that's what auditors are coming in and flagging folks for, saying, 'First and foremost, you've got this easy-to-find segregation of duties violation. Your DBA can touch your data, modify your data, and take it out of the building.'"

This exposure is one reason why database activity monitoring is so critical to enterprises seeking to satisfy regulatory requirements. Unfortunately, all too many organizations fail to log, track, or monitor database activity because they worry that such monitoring may affect database performance.

"Typically, database logging is not turned on because it can generate a lot of log activity," Laliberte says. "And not having those elements turned on can make it difficult to monitor for inappropriate access."

DBAs and other database stakeholders should know that today's third-party monitoring tools aren't nearly as burdensome to database performance as in years past, experts say. Organizations can also balance their monitoring activity by prioritizing it based on risk.

"Typically, what I advise my clients is to look at it from a risk-based approach," Laliberte says. "You really want to structure the audit and logging settings appropriate to the risk factors that would be affecting the resources that you're trying to protect."

Among other indicators, enterprises should track failed login attempts, changes to privileged user access, and changes to highly sensitive data, experts say.
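The three checks above, run over database audit records, as an added example that is not code from the article or from any vendor quoted in it. The audit line format (timestamp|user|client_addr|event|detail), the sample records, the list of sensitive tables, the application service account and the five-failures-in-ten-minutes threshold are all constructed assumptions; a real deployment would read the native audit log of its database and tune the thresholds to its own risk assessment, as Laliberte advises. The sample deliberately includes a DBA deleting rows from a sensitive table outside the application, which is the segregation-of-duties exposure Shaul describes, so that the review shows what that looks like when logging is actually on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed assumptions: tables the risk assessment flagged as highly sensitive,
# and the only account expected to change rows in them (the application itself).
SENSITIVE_TABLES = {"customers", "card_data"}
APP_ACCOUNTS = {"app_svc"}

# Constructed threshold: this many failed logins from one user inside the window.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# Statements that change privileged access (PostgreSQL-style role DDL).
PRIV_PATTERN = re.compile(
    r"^\s*(GRANT|REVOKE|ALTER\s+ROLE|CREATE\s+ROLE|DROP\s+ROLE|ALTER\s+USER|CREATE\s+USER)\b",
    re.I,
)
# Data-changing statements; group 1 is the target table.
DML_PATTERN = re.compile(r"^\s*(?:UPDATE|INSERT\s+INTO|DELETE\s+FROM)\s+([A-Za-z_][\w.]*)", re.I)

# Constructed sample audit records: timestamp|user|client_addr|event|detail
SAMPLE_LOG = """\
2017-05-08T09:00:01|app_svc|10.0.1.10|LOGIN_OK|
2017-05-08T09:02:10|jdoe|10.0.7.42|LOGIN_FAIL|password authentication failed
2017-05-08T09:02:40|jdoe|10.0.7.42|LOGIN_FAIL|password authentication failed
2017-05-08T09:03:15|jdoe|10.0.7.42|LOGIN_FAIL|password authentication failed
2017-05-08T09:04:02|jdoe|10.0.7.42|LOGIN_FAIL|password authentication failed
2017-05-08T09:05:48|jdoe|10.0.7.42|LOGIN_FAIL|password authentication failed
2017-05-08T09:06:30|jdoe|10.0.7.42|LOGIN_OK|
2017-05-08T09:10:00|dba_admin|10.0.9.5|DDL|ALTER ROLE jdoe SUPERUSER
2017-05-08T09:11:30|jdoe|10.0.7.42|DML|UPDATE customers SET email='x@example.org' WHERE id=7
2017-05-08T09:12:00|app_svc|10.0.1.10|DML|UPDATE customers SET last_login=now() WHERE id=7
2017-05-08T09:15:00|dba_admin|10.0.9.5|DML|DELETE FROM card_data WHERE id=99
2017-05-08T09:20:00|rsmith|10.0.7.50|LOGIN_FAIL|password authentication failed
"""


def parse_record(line):
    """Split one audit line into a dict; detail may be empty."""
    ts, user, addr, event, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "addr": addr,
            "event": event, "detail": detail}


def failed_login_bursts(records):
    """Users with >= FAILED_LOGIN_THRESHOLD failures inside a sliding window.

    Returns (user, count) for the first window that crosses the threshold."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            by_user[r["user"]].append(r["ts"])
    bursts = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILED_LOGIN_WINDOW:
                start += 1
            if end - start + 1 >= FAILED_LOGIN_THRESHOLD:
                bursts.append((user, end - start + 1))
                break
    return bursts


def privilege_changes(records):
    """Every DDL statement that grants, revokes or alters a role or user."""
    return [(r["user"], r["detail"]) for r in records
            if r["event"] == "DDL" and PRIV_PATTERN.match(r["detail"])]


def sensitive_data_changes(records):
    """Writes to sensitive tables by any account other than the application's."""
    hits = []
    for r in records:
        if r["event"] != "DML":
            continue
        m = DML_PATTERN.match(r["detail"])
        if not m:
            continue
        table = m.group(1).split(".")[-1].lower()   # drop any schema prefix
        if table in SENSITIVE_TABLES and r["user"] not in APP_ACCOUNTS:
            hits.append((r["user"], table))
    return hits


def review(lines):
    """Run the three risk-based checks over raw audit lines."""
    records = [parse_record(l) for l in lines if l.strip()]
    return {
        "failed_login_bursts": failed_login_bursts(records),
        "privilege_changes": privilege_changes(records),
        "sensitive_data_changes": sensitive_data_changes(records),
    }


if __name__ == "__main__":
    for category, hits in review(SAMPLE_LOG.splitlines()).items():
        print(category)
        for hit in hits:
            print("   ", hit)
```

On the sample, the review reports one login burst (jdoe, five failures in under four minutes), one privilege change (dba_admin making jdoe a superuser) and two writes to sensitive tables from outside the application (jdoe on customers, dba_admin on card_data). The single failure from rsmith stays below the threshold, which is the point of the window: a risk-based setting reports the pattern, not every event.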

5. Reporting On Compensating Controls

In those instances where organizations have appropriate compensating controls in place, auditors want proof that these controls actually exist, Laliberte says.

"In some instances they may have mitigating controls or compensating controls in place, but they may not have them very well-documented," he says.

For example, you may tell an auditor that you're conducting a biweekly review to ensure access controls are appropriate. But if you can't produce evidence that the review is taking place according to schedule, the auditor will likely flag you, Laliberte says.

"And by the way, usually when you can't produce evidence that a control exists, that tends to break down over time and somebody forgets to do it each week," Laliberte says. "Unless it's formally tracked and reported upon, the control will typically fail at some point."

While automation of these tasks certainly can increase the potential success of controls over time, it isn't always necessary. For example, Laliberte notes that if the company was conducting biweekly reviews, all they may need to do is implement a ticketing system that reminds the responsible party to do the manual review every two weeks. That person then can enter results of the review and close out the ticket once the job is complete. This creates a paper trail that's available when the auditors come knocking.

6. Following Defense-In-Depth Strategies

Finally, it is important to remember to keep a little perspective on the matter of database security and compliance.

"This is really just a piece of what has to be a pretty large security program that's going to allow you to meet these regulations," says Mike Rothman, senior vice president of strategy for eIQnetworks, a security information and event management company. "There's no silver bullet."

Most security experts warn that organizations need to maintain layered "defense in depth" strategies; otherwise an attacker can make an end run around the database's own defenses, leaving the organization both noncompliant and insecure.

Take out-of-band access to databases, for instance. Phil Lieberman, president of Lieberman Software, a password management company, believes this is one of the biggest database risks of all. "They're accessing the database using secondary methods," he says.

For example, Lieberman notes, many organizations leave themselves at risk when they fail to encrypt database backup tapes. The data may be secure on the server, but if someone with ill intent gets hold of the unencrypted tape, then it will be compromised all the same. Similarly, out-of-band access via application connection accounts must also be addressed, he says.

"People getting into the database using development tools rather than getting into it via the application itself is a big risk," Lieberman says. "It depends on how strong the connection paths are. A lot of companies will implement the application and the database in a DMZ, in which case there is no direct access to the database; you can only get to the application."
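One way to enforce "no direct access to the database" at the database server itself, as an added example that is not from the article or from any of the vendors it quotes: a PostgreSQL pg_hba.conf fragment showing the permissive rule many installations carry beside a restricted replacement. The database name, role names and addresses are assumptions; the mechanism (first matching rule wins, hostssl requires TLS, scram-sha-256 replaces md5, reject closes everything else) is standard PostgreSQL behaviour.

```text
# pg_hba.conf -- PostgreSQL client authentication. Rules are matched first to
# last; the first line whose type, database, user and address match decides.

# Weak: any host on any network may reach any database with a password over a
# connection that need not be encrypted. A developer's desktop tool connects
# exactly as easily as the application does.
# TYPE    DATABASE  USER        ADDRESS          METHOD
host      all       all         0.0.0.0/0        md5

# Corrected (assumed names and addresses): only the two application servers may
# reach the application database, over TLS, with SCRAM; DBA sessions come only
# from an assumed jump host so they are attributable in the audit log; every
# other network path is rejected explicitly (IPv4 and IPv6).
# TYPE    DATABASE  USER        ADDRESS          METHOD
local     all       postgres                     peer
hostssl   appdb     app_svc     10.0.1.10/32     scram-sha-256
hostssl   appdb     app_svc     10.0.1.11/32     scram-sha-256
hostssl   all       dba_admin   10.0.9.5/32      scram-sha-256
host      all       all         0.0.0.0/0        reject
host      all       all         ::/0             reject
```

Two caveats a practitioner would check: hostssl lines only take effect when ssl = on in postgresql.conf, and the reject lines must stay last or they shadow the rules above them. This narrows the network path only; it does nothing for the backup-tape and DBA segregation-of-duties exposures discussed earlier, which is why it is one layer and not the whole answer.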

Above and beyond these access concerns, Rothman believes companies need to be able to integrate database security information with the other security data to satisfy regulations and pinpoint attacks in real time.

"There is a lot of stuff that you have to do programmatically -- and then you have to have the technology in place and the infrastructure and processes working to be able to analyze all of this stuff that you're looking at in order to really be compliant," he says. "Your goal should be to be doing all of that stuff to secure your environment -- from there, the compliance [issue] works itself out."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.