Open-Source Databases Pose Unique Security Challenges

Most open-source database platforms aren't supported by third-party database activity monitoring and security policy tools
As the growth in Web 2.0 applications spurs adoption of open-source databases within the enterprise, many organizations need to expand their security priorities to include these increasingly important data stores. While the security principles that drive proprietary database protection also apply to open-source databases, there are a few additional challenges to locking down such platforms, which include Postgres, Ingres, and MySQL.

"This is a difficult problem," says Adrian Lane, CTO and analyst at Securosis. "The reason is there is very little effort or research put into security policies for the open-source databases. Comparing Oracle to Postgres, as an example, is a little like comparing Microsoft Windows to Apple's OS: Windows may be the more secure platform now, but only a few people write exploit code for Snow Leopard. Since we don't hear about attacks that often, we assume it's more secure."

The market for open-source databases was at about $850 million in 2008, according to Forrester Research, which predicted that figure to increase to $1.2 billion by the end of this year. Gartner is more conservative in its prediction for the market, expecting open-source databases to be at $1 billion by 2013.

Several converging trends are likely to bear out analysts' expectations of this market growth, including the exponential growth of Web 2.0 and homegrown applications that open-source databases often support, economic trends that continue to spur enterprises to avoid database license costs for new projects, and increased feature sets offered by open-source platforms.

"Open-source databases, such as Ingres, MySQL, and PostgreSQL, continue to expand their features and functionality, providing viable alternatives that can support most small to moderately sized business applications," wrote Noel Yuhanna, an analyst with Forrester, last year.

Of course, as any good security expert will tell you, the viability of any given alternative can be seriously hampered if risks can't be addressed properly. And there are a few challenges unique to open-source databases that organizations need to consider.

One of the biggest is the issue of the security industry's support of these database platforms. True, the biggest open-source databases offer a similar spectrum of native security features that enterprises have come to expect of closed-source vendors. Take Ingres, for example, which Yuhanna said was the best open-source database and whose executives tout its security features.

"Ingres is deployed in many situations where securing data is crucial to national, public, and personal security; as such we include all of the security controls that one would expect to find in an enterprise class database solution," says Emma McGrattan, senior vice president of engineering at Ingres. "Security features, such as role separation, fine-grained security auditing, encryption, and security alarms, enable proactive and preventive security measures."

But Ingres and most other open-source databases aren't supported by third-party database activity monitoring and other security policy tools.

"MySQL is the only open-source database that is covered by database activity monitoring products. Imperva and Guardium both provide monitoring, but I am not sure if they support 100 percent of their capabilities. SIEM vendor Nitro also offers a flexible DAM solution that covers MySQL, as well," Securosis' Lane says. "Monitoring, assessment, and auditing policies for Postgres are not created by the security product vendors, and the open-source community does not feel compelled to create them either. MySQL is widely deployed -- especially backing Web applications -- so we see some security product coverage, but that pales to what we see for Oracle."

Lane suggests a few fill-in techniques to improve databases not covered by database activity monitoring, but reminds users they won't be as effective.

"For the other platforms, use of built-in auditing functions, select use of triggers, network monitoring, and even Syslog capture can help capture activity and provide visibility, but not the real-time analysis of events," he says.

Another consideration is that in combination with the types of applications that use the open-source databases, these platforms could be more prone to SQL injection.

"I would say another consideration about open-source databases is they tend to be used either with homegrown apps or with other open-source apps, and that means those apps are more likely to have SQL injection vulnerabilities," says Phil Neray, vice president of security strategy of Guardium, an IBM company.

In terms of hardening the open-source databases, though, all of the same rules apply as with proprietary databases, Neray says. This includes locking down privileges, managing passwords well, patching regularly, and so on.

Above all else, Lane says administrators should work on a secure configuration. "Don't leave the default settings," he says. "As with every commercial database, open-source databases are nowhere near being secure out of the box."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: