Cybercriminals keep getting more sophisticated, and database protection methods need to do the same to keep up with them. The good news is that database vendors have taken notice and added more robust security features to their products to help address the situation.
In recent years, cyberattacks have expanded beyond distributed denial-of-service attacks and the theft of credit card numbers to include breaches aimed at extracting massive amounts of personal data for comprehensive identity theft. Attackers are also increasingly targeting critical intellectual property and unstructured content, such as emails and documents.
In the first half of 2017, nearly 800 data breaches were reported in the U.S., according to the Identity Theft Resource Center and security services provider CyberScout; that was a record high for the period, and a 29% increase over the 2016 level. The numbers clearly show that the risks of data exposure aren't diminishing -- quite the contrary.
At the same time, growing public concern about breaches and inappropriate data usage are spurring increased regulatory attention. Most notably, in May 2018, the European Union will implement the General Data Protection Regulation (GDPR), a new law that greatly increases security and privacy protections on the personal data of EU residents. The GDPR will affect not only companies that operate within the EU, but also ones doing business with organizations that handle the data covered by the law.
Steps to take to secure your databases
At a high level, efforts to improve database security should focus on determining which data assets contain sensitive information, what types of policies need to be put in place and how those policies can be operationalized. In practice, that encompasses four primary steps:
- inventorying and cataloging available data assets;
- finding data sets that include personally identifiable information, protected health information or other at-risk data;
- defining data protection policies; and
- enforcing those policies once they're in place.
A number of database protection methods and tools are now available to support such security initiatives. Currently, the most widespread method is probably role-based access control. RBAC enables an organization to define different roles for its employees, and then to tailor data access privileges and limits to the various roles. Depending on the vendor, the access controls can be set at the database, table, record or even data attribute level.
A more recent addition is sensitive data discovery software, which scans through a collection of data sets to find those that might require increased scrutiny for security and privacy. These tools use predefined templates to check data sets against known formats of sensitive data, such as Social Security numbers, healthcare identifiers, names, addresses, credit card numbers, bank routing numbers, and financial or medical diagnostic codes.
Once a pattern is recognized, different actions can be initiated, ranging from investigating the flagged data set more closely to automatically designating it as sensitive and assigning a level of sensitivity to it. Database security policies can then be defined based on how sensitive the data is. The policies should address not only who in an organization is allowed to view the data, but also ways to prevent unauthorized individuals or systems from accessing and exfiltrating the data.
Protecting data from prying eyes
Two other database protection methods that are gaining in popularity are data encryption and data masking.
Encryption isn't a new technology, but it wasn't directly integrated into databases until relatively recently. As a result of that integration, data can be encrypted while it's at rest in a database, adding to separate capabilities for encrypting data that's in transit between systems and in use.
In a database, encryption tools convert data into a form that makes it unreadable until it's accessed by an authorized user. Some database vendors support a technology called transparent data encryption, which automatically encrypts data as it's written to a database. Alternatively, encryption can be done manually. Data can also be encrypted at various levels of a database, from tablespaces or filegroups (depending on the particular database being used) down to individual columns and cells within columns.
Data masking is another technique that uses substitute characters to avoid exposing the actual data values in a database. An example is replacing the numerals in a Social Security or credit card number with the letter X when it's displayed on a computer screen. Some database security tools now enable sensitive data to be automatically masked.
Diffferent database protection methods can be combined based on the data policies that an organization defines. For example, a database administrator can implement role-based data masking that obfuscates data values from an end user who isn't authorized to view them. The masking can also be applied based on location -- if, say, someone in the U.S. attempts to view protected data that's stored in a database server located in Europe.
It's also important to recognize that not all data breaches originate from outside an organization. There are numerous instances of insider breaches in which data is misappropriated by an employee. To address them, DBAs can use database activity monitoring tools to look for and analyze suspicious data access patterns. By reviewing who has accessed data, at what times and in what volumes, such tools can help identify situations that appear to involve unauthorized data access and movement.
While it's certainly true that organizations face increasing threats to their data, database security tools and techniques are rapidly being improved. Integrating the functionality they provide into your database systems can be a big step toward ensuring compliance with both internally defined and externally mandated data protection policies.
More on different types of database security tools and what they do
Running databases in the cloud raises additional security questions
Consultant Craig Mullins eyes the top databases and their features