When we talk about database security, we usually begin by talking about mammoth databases maintained by large enterprises. But it can be argued that the biggest database challenges of all are those faced by small and midsize companies struggling just to get basic security in place.
In SMBs, the database administrators bear much of the responsibility for security. Most wear at least three hats: administrator, architect and security expert. Security is woven into the normal operational cycles, and it competes with all other requirements.
The good news is that many security and automation tools are available to help DBAs get their jobs done. The bad news is that these products and services often cost more than smaller companies' budgets will allow for. Indeed, for SMB DBAs, there is always too much to do and not enough money to do it with, so these folks must be creative when looking for solutions.
Under these resource-constricted conditions, how do you approach database security? With small databases dotting your company landscape, which take priority? When you can't afford the latest and greatest tools, where do you focus your efforts? SMBs and workgroups need database security strategies and tools that don't require big budgets or skilled, dedicated security staff.
SMBs looking to tightly secure the data in their care will need to spend a good amount of time planning how they will allocate scarce resources. This means using everything at their disposal, including the security tools included with the products they already own, as well as whatever they can draw from the community at large. Once a plan is in place, these organizations should look at automating as much as possible.
Your goal is to get the basic security systems installed and self-sufficient so you can spend your time on more time-sensitive and critical matters. Your security program will include a number of defensive security measures for the database (such as vulnerability assessment, configuration management and patching systems), controls over data access (including identity management and encryption systems) and -- resources permitting -- detective controls (such as auditing and monitoring systems).
The first step in any security program is to do an inventory of what you need to secure, including a list of the servers, databases and sensitive data under your control. You'll need to understand where these resources are deployed on your network and how users access them to do their jobs. This can be tricky for companies that have databases -- including small databases -- distributed across many locations, but this understanding is critical.
Now that you know what systems need to be secured, and what requirements you are responsible for, how will you secure these databases? It's at this phase of the process that we need to assess risks and requirements and figure out how to address them. Some issues are (relatively) simple, such as patching and reconfiguring a database when a vulnerability has been discovered. Some issues are more complex, such as HIPAA compliance and validating use of information.
The most critical factor in securing your network on a budget is successfully using what you have. Most DBAs are not even fully aware of the tools that come bundled with their databases. Some are not aware that other groups, or even their predecessors, may have acquired tools but never put them into production. Shelfware does not help you get secure, so take an inventory of what you have and put it to use.
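The three steps above (inventory what you have, assess where the risk is, and start with the tools already on hand) can be automated with nothing more than a scripting language most DBAs already have installed. The script below is an added example written for this page, not code from the original article: it pulls database assets out of application connection strings, joins them with a few facts you would keep in your own records (which columns a database holds, whether it is internet-facing, days since its last patch, whether native auditing is on), and ranks the list so the scarce hours go to the riskiest systems first. The connection strings, hostnames, credentials, column names and the scoring weights are all constructed for the example and are assumptions, not a standard.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample input: connection strings as they might appear in application
# config files. Hostnames, users and passwords here are made up for the example.
SAMPLE_CONFIG_LINES = [
    "DATABASE_URL=postgresql://app_user:S3cret@db-hr.internal:5432/hr_payroll",
    "DATABASE_URL=mysql://reports:@db-reports.internal:3306/sales_reporting",
    "DATABASE_URL=postgresql://web@db-public.example.com:5432/website_cms",
    "DATABASE_URL=mssql://sa:Password1@db-legacy.internal:1433/customer_orders",
]

# Constructed facts you would normally keep in your own records, keyed by database name.
SAMPLE_FACTS = {
    "hr_payroll": dict(columns=["employee_id", "salary", "ssn"],
                       internet_exposed=False, days_since_patch=30, auditing_enabled=True),
    "sales_reporting": dict(columns=["region", "quarter", "total"],
                            internet_exposed=False, days_since_patch=120, auditing_enabled=True),
    "website_cms": dict(columns=["post_id", "author", "body"],
                        internet_exposed=True, days_since_patch=10, auditing_enabled=False),
    "customer_orders": dict(columns=["order_id", "card_number", "cardholder"],
                            internet_exposed=False, days_since_patch=400, auditing_enabled=False),
}

# Column-name fragments that usually indicate regulated or sensitive data (an assumption;
# extend the list to match the data your own business handles).
SENSITIVE = re.compile(r"ssn|salary|payroll|card|dob|diagnosis|password", re.IGNORECASE)


@dataclass
class DbAsset:
    host: str
    port: Optional[int]
    database: str
    user: Optional[str]
    password: Optional[str]   # None means no password appeared in the config line
    columns: List[str]
    internet_exposed: bool
    days_since_patch: int
    auditing_enabled: bool


def parse_connection_line(line):
    """Turn a KEY=url config line into (host, port, database, user, password)."""
    url = line.split("=", 1)[-1].strip()
    u = urlparse(url)
    return u.hostname, u.port, u.path.lstrip("/"), u.username, u.password


def build_inventory(config_lines, facts):
    """Step one: enumerate every database the applications actually connect to."""
    assets = []
    for line in config_lines:
        host, port, db, user, pw = parse_connection_line(line)
        assets.append(DbAsset(host, port, db, user, pw, **facts[db]))
    return assets


def score_asset(asset):
    """Step two: rate one asset. Returns (score, reasons); weights are this example's choice."""
    score, reasons = 0, []
    if any(SENSITIVE.search(col) for col in asset.columns):
        score += 4; reasons.append("holds sensitive columns")
    if asset.internet_exposed:
        score += 3; reasons.append("reachable from the internet")
    if asset.password == "":
        score += 3; reasons.append(f"account '{asset.user}' has an empty password")
    elif asset.password is not None:
        score += 2; reasons.append("password stored in plaintext config")
    if asset.days_since_patch > 90:
        score += 2; reasons.append(f"unpatched for {asset.days_since_patch} days")
    if not asset.auditing_enabled:
        score += 1; reasons.append("native auditing switched off")
    return score, reasons


def prioritize(assets):
    """Step three: order the work so the highest-risk database is handled first."""
    return sorted(assets, key=lambda a: score_asset(a)[0], reverse=True)


if __name__ == "__main__":
    for asset in prioritize(build_inventory(SAMPLE_CONFIG_LINES, SAMPLE_FACTS)):
        score, reasons = score_asset(asset)
        print(f"{score:2d}  {asset.host}:{asset.port}/{asset.database}  ({'; '.join(reasons)})")
```

Run against the constructed input, the legacy order database lands at the top of the list (card data, stale patches, a plaintext password, no auditing), which is exactly the kind of system that gets overlooked when a DBA is juggling three hats. Feeding the script your real config files and patch records is a one-afternoon job and gives you the written inventory the article calls for.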
For a detailed description of these initial steps -- and for an in-depth description of five additional steps toward securing small databases -- download the free database security report.