1 / 15

Database Security and Data Protection

Database Security and Data Protection. Suseel Pachalla, CISSP. Outline. Why is Database Security Critical? Database Environment Database Security Threats Database Hardening Database Activity Monitoring/Auditing Database Encryption Risk Reduction Business / Solution Challenges

adora
Download Presentation

Database Security and Data Protection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Database Security and Data Protection Suseel Pachalla, CISSP

  2. Outline • Why is Database Security Critical? • Database Environment • Database Security Threats • Database Hardening • Database Activity Monitoring/Auditing • Database Encryption • Risk Reduction • Business / Solution Challenges • Solution requirements • Recommendations • Q&A

  3. Why is Database Security Critical ? • Protect Data from Internal/External Threats-Intellectual, Business Confidential Information, Customer and Consumer Data, Employee data etc • Separation of Duties • Data Integrity • Regulatory Requirements-GLBA, HIPAA etc… • Of course, to protect sensitive Data

  4. Database Environment • Network Environment-Internal/External • Hardware- Server, Desktop etc • SHARED Environment- Co-Existence of different Applications • Off Shore Environment • Environment-Specific to OS/Database

  5. Database Security Threats • Insider Threat • Authentication, Authorization and Access Control-(AAA) • Privilege Abuse-Legitimate/Excessive/Elevation • SQL Injection • Weak Audit Trail • DB Platform Vulnerabilities • DB Communication Protocol Vulnerabilities • DOS Attacks

  6. Database Hardening • Least Privilege • Secured Infrastructure • Access Control • Disable/Rename unwanted accounts • Password Management • Patch Management • Securing Ports

  7. Database Activity Monitoring/Auditing • Monitoring is a Detective control, not preventive. • Access Policies-Well Defined to Monitor • Impact on application and Network Performance-Monitoring • Auditing • Audit what is required • Disk Space Issues • Audit as per Regulatory Requirements

  8. Database Encryption - Strategies • Encryption of Data within or outside the database Encryption within DB Encryption outside DB Client Application Server Client Application Server Key management server Database Database

  9. Database Encryption - Methods • Generic Encryption Methods: • Symmetric Encryption – uses same key to encrypt and decrypt, usage of Block Cipher or Stream Cipher, Algorithm usage such as 3DES, AES with a key length of at least 128-bits. • Asymmetric Encryption- Uses a pair of keys, mainly used for data transmissions. • Kinds of DB Encryption: • DB File Level Encryption • DB Column Level Encryption

  10. Symmetric Database Encryption • Encryption Process SSN - 123 45 6789 Encryption Key + Encryption Algorithm Encrypted SSN – “4#@_&g_*9AS”

  11. Risk Reduction – Database Encryption • Risk is reduced, in case of • Theft of media • Abuse of DBMS privilege • Abuse of OS system level privilege • Theft of Privilege • Transaction record tampering

  12. Business / Solution Challenges • Business Challenges • Expensive • Need more resources to manage – security DBA • Need additional hardware and processing capabilities • Solution Challenges • Legacy application changes • Performance Issues • Application integration • Key Management-Encryption

  13. Solution requirements • Native DB Security Tools • Third party tools – Protegrity, Vormetric, Voltage etc.. • Additional Hardware • Resources- Security DBA, Hardware maintenance etc …

  14. Recommendations • Trade-off between security and performance • Apply appropriate security strategy keeping performance and data flow in mind • Separation of Environments • Encryption-Separate DB from Key storage location

  15. Questions

More Related