180 likes | 530 Views
Database Security and Data Protection. Suseel Pachalla, CISSP. Outline. Why is Database Security Critical? Database Environment Database Security Threats Database Hardening Database Activity Monitoring/Auditing Database Encryption Risk Reduction Business / Solution Challenges
E N D
Database Security and Data Protection Suseel Pachalla, CISSP
Outline • Why is Database Security Critical? • Database Environment • Database Security Threats • Database Hardening • Database Activity Monitoring/Auditing • Database Encryption • Risk Reduction • Business / Solution Challenges • Solution requirements • Recommendations • Q&A
Why is Database Security Critical ? • Protect Data from Internal/External Threats-Intellectual, Business Confidential Information, Customer and Consumer Data, Employee data etc • Separation of Duties • Data Integrity • Regulatory Requirements-GLBA, HIPAA etc… • Of course, to protect sensitive Data
Database Environment • Network Environment-Internal/External • Hardware- Server, Desktop etc • SHARED Environment- Co-Existence of different Applications • Off Shore Environment • Environment-Specific to OS/Database
Database Security Threats • Insider Threat • Authentication, Authorization and Access Control-(AAA) • Privilege Abuse-Legitimate/Excessive/Elevation • SQL Injection • Weak Audit Trail • DB Platform Vulnerabilities • DB Communication Protocol Vulnerabilities • DOS Attacks
Database Hardening • Least Privilege • Secured Infrastructure • Access Control • Disable/Rename unwanted accounts • Password Management • Patch Management • Securing Ports
Database Activity Monitoring/Auditing • Monitoring is a Detective control, not preventive. • Access Policies-Well Defined to Monitor • Impact on application and Network Performance-Monitoring • Auditing • Audit what is required • Disk Space Issues • Audit as per Regulatory Requirements
Database Encryption - Strategies • Encryption of Data within or outside the database Encryption within DB Encryption outside DB Client Application Server Client Application Server Key management server Database Database
Database Encryption - Methods • Generic Encryption Methods: • Symmetric Encryption – uses same key to encrypt and decrypt, usage of Block Cipher or Stream Cipher, Algorithm usage such as 3DES, AES with a key length of at least 128-bits. • Asymmetric Encryption- Uses a pair of keys, mainly used for data transmissions. • Kinds of DB Encryption: • DB File Level Encryption • DB Column Level Encryption
Symmetric Database Encryption • Encryption Process SSN - 123 45 6789 Encryption Key + Encryption Algorithm Encrypted SSN – “4#@_&g_*9AS”
Risk Reduction – Database Encryption • Risk is reduced, in case of • Theft of media • Abuse of DBMS privilege • Abuse of OS system level privilege • Theft of Privilege • Transaction record tampering
Business / Solution Challenges • Business Challenges • Expensive • Need more resources to manage – security DBA • Need additional hardware and processing capabilities • Solution Challenges • Legacy application changes • Performance Issues • Application integration • Key Management-Encryption
Solution requirements • Native DB Security Tools • Third party tools – Protegrity, Vormetric, Voltage etc.. • Additional Hardware • Resources- Security DBA, Hardware maintenance etc …
Recommendations • Trade-off between security and performance • Apply appropriate security strategy keeping performance and data flow in mind • Separation of Environments • Encryption-Separate DB from Key storage location