Database Security Controls - Literature review Example

DATA SECURITY CONTROLS
Database Security

Introduction

A database is a collection of data that is stored on large disks and storage units and can be accessed easily with the help of software. It is also known as an electronic filing system. A database is an important requirement for organizations all around the world. It helps organizations manage, access and update their data in the best way possible, with easy access, because the data is saved as a systematic record. As new database software arrives with innovative technology, securing the data against malicious sources is also a prime concern of the administration and the IT department of any organization (Natan, 2005; Loch & Carr, 1992).

Databases are a new way to save information and to store large quantities of data in specific units around the world. “A database is a data structure that stores organized information” (Rabasa, 2013). However, with all the changes and innovations, the risk to the security of databases is a new challenge and a constant concern for everybody in our time. Keeping in mind the recent attacks on different companies and government entities, this paper will help to identify the controls that administrators and IT professionals need to take into consideration to secure all databases. The paper also provides a perspective on how companies keep their diverse data secure and on the steps and policies that companies need to consider in the new era of cybercrime. We will see how IT professionals and the administration can help to secure the company's database, discuss in detail the different risks a database faces and the importance the database holds for the success of the company, and outline the damage that a breach of database security can cause.

Existing Work

The aim of this research is to analyze current attacks and to assess the security of corporate databases and the related issues, which are becoming increasingly significant as enterprises grow and as the data they store grows with them. In the last couple of months, news reports said that the databases of different stores and organizations were attacked by different groups of hackers, who stole sensitive information. There is a high alert for the public and for companies, but no one yet knows how great the damage is, owing to the lack of controls or the minimal security controls on each specific database (Elmasri, 2007).

Database Security Controls

The database of an organization is of high importance, as it may contain confidential information about the clients and about the policies and procedures of the company. As Rabasa, Brebbia & Bia (2013) state: “a database is a data structure that stores organized information”. According to Rouse (2014), “a database is a collection of information that is organized so that it can easily be assessed, managed and updated. In this a scenario, databases can be classified according to types of content, bibliographic, full text, numeric or images”. This collection of data is of great importance, as it is the personal information of the organization. The security of the database is equally important and is a corporate responsibility of the organization. Outlined below are the steps IT professionals and administrators can take to secure the database, and how they can work together on a much stronger protection program to guard against the risks of hackers and viruses.

Control Policies by Administrative staff to secure database

Special care is taken to confirm that no external access path is available for reaching the sensitive information in the database. These control policies are designed by the administrator specifically to safeguard the database from outside security threats.
Hence special authentication procedures are established for validating users' identities, limiting their logon attempts and administering data properly. The administrative staff can implement the following control policies to provide maximum security to the database of the company (Gertz & Jajodia, 2007; Turban, Leidner, McLean, & Wetherbe, 2005).

Database User Management

The administrator is responsible for maintaining database security. First of all, the special privilege to add database users should be in the hands of trusted staff members. In many organizations it is the sole responsibility of the administrator to manage the database users. It is important for the administrator to develop a proper security policy for the databases, as it also protects the database infrastructure from accidental damage or destruction. The administrator is the one who is responsible for implementing and maintaining the security policy related to databases. If the database is large, a dedicated person is required to manage the database security procedures (Rabasa, Brebbia, & Bia, 2013).

User Authentication

Database users can be verified with passwords, Secure Sockets Layer or a thumb impression. Managing users in a database requires critical administrative functions that are specific to each user. A basic security requirement for any database is to know each and every user present in the database's network. External authentication of users connecting to the database requires defining the users in such a way that authentication is performed by the operating system. The middle-tier server authenticates the user and takes responsibility for assuming the identity of the user, which allows it to enable specific roles for that user (Shulman, 2011).

Operating System Security

The administrator should also have the responsibility of deleting and creating files.
Normal users should not have this privilege, as it may harm the operating system if an important file is deleted by mistake. The administrator is required to include the common types of security procedures, such as breach of confidentiality, availability, integrity and theft of service. The operating system security procedures must also cover denial of service attacks and one of the latest attack techniques, which is known as man in the middle (Jajodia, 1999).

Password Security

Password security should be managed by requiring every member of the office staff to change their password every month. Passwords must be defined in a unique style and manner, and they must be unique and distinct. If any outside person tries to enter the database, the system will try to hold the attacker. The password security techniques which can be applied here are brute force, social engineering and direct credential theft. If the attacker repeatedly tries to enter username and password combinations, this involves systematic enumeration of possible username and password combinations (Shulman, 2011).

End-User Security

The administrator must define end-user security. Many privileges should be assigned to roles instead of individuals. For example, the role of manager can hold privileges, and the role can then be assigned to the individuals who are managers. End-user security is also concerned with users and their access to the server, which involves client applications and the access to read and write in the database (Rouse, 2014).

Control Policies by IT professional to secure the database

The security of a database on a well-secured server can only be achieved with the help of a diligent IT department. The staff of the IT department have to work cooperatively to make sure that the database is protected, as it contains confidential information. The IT department and the administrative staff should also join hands for the security of the database.
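
The logon-attempt limiting mentioned under the administrative control policies and under Password Security can be sketched as follows. This is an added example, not part of the original paper; the thresholds, the event format and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; the paper does not prescribe numbers.
MAX_FAILURES = 5                     # failures tolerated inside WINDOW
WINDOW = timedelta(minutes=10)       # period over which failures are counted
LOCK_TIME = timedelta(minutes=15)    # how long a locked account stays locked
MAX_ACCOUNTS_PER_SOURCE = 3          # distinct accounts one source may fail against


class LogonLimiter:
    """Counts failed logons per account and locks the account temporarily."""

    def __init__(self):
        self._failures = defaultdict(deque)   # account -> recent failure times
        self._locked_until = {}               # account -> time the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record(self, account, success, now):
        """Process one logon attempt and return 'ok', 'failed' or 'locked'."""
        if self.is_locked(account, now):
            # A locked account is refused even when the password is correct.
            return "locked"
        if success:
            self._failures.pop(account, None)
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > WINDOW:
            recent.popleft()                  # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCK_TIME
            recent.clear()
            return "locked"
        return "failed"


def enumerating_sources(events):
    """Sources whose failed logons are spread over many different accounts."""
    targets = defaultdict(set)
    for _when, source, account, success in events:
        if not success:
            targets[source].add(account)
    return sorted(s for s, accounts in targets.items()
                  if len(accounts) >= MAX_ACCOUNTS_PER_SOURCE)


def at(minute, second=0):
    return datetime(2024, 1, 1, 9, minute, second)


# Constructed sample events: (time, source address, account, success)
SAMPLE_EVENTS = (
    [(at(0, i * 10), "10.0.0.5", "dbadmin", False) for i in range(5)]
    + [(at(1), "10.0.0.5", "dbadmin", True)]          # correct password while locked
    + [(at(2), "10.0.0.9", "alice", False),           # one typing mistake
       (at(3), "10.0.0.9", "alice", True)]
    + [(at(4, i), "10.0.0.7", name, False)            # one source, many accounts
       for i, name in enumerate(["bob", "carol", "dave"])]
    + [(at(20), "10.0.0.5", "dbadmin", True)]         # after the lock has expired
)


def replay(events):
    """Run the events through a fresh limiter and return each outcome."""
    limiter = LogonLimiter()
    return [limiter.record(account, success, when)
            for when, _source, account, success in events]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event[0].time(), event[1], event[2], outcome)
    print("sources trying many accounts:", enumerating_sources(SAMPLE_EVENTS))
```

The per-account lock stops repeated guessing against one user, while the per-source count catches attempts spread thinly across many users that never reach the per-account threshold.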
A security professional responsible for a database server in an organization should make sure that the developers follow the basic rules of secure coding. It is also important to ensure that the secure coding policy is fully implemented and followed. A single failure to do so can cause a breach in the security system of the database. A security professional must consider the views and the feedback about a given situation concerning database security. Reports should contain answers to queries as feedback, and not the usual tables that convey incomplete information (Jajodia, 1999; Hoffer, Prescott, & McFadden, 2007; Guimaraes, Murray, & Austin, 2007).

Collaboration of a Database Administrator and Security Professional

A database administrator works to organize and manage the data, whereas the security professional uses controls to restrict access by external sources. In many organizations, it has been observed that the database administrator and the security professional do not work as a team. As the database contains the sensitive information of the enterprise and has a strong chance of being attacked by hackers, collaboration between the database administrator and the security professional can lead to better control policies for safeguarding the data. The collaboration of the two professionals can make the company more resilient. In this regard, the database administrator should be informed about the security risks that the security professional has to face. This complete knowledge will help in creating a database environment that is not only functional but also highly secure. This is possible by appreciating the work of each department and providing assistance at different levels to increase security (Lane, 2013).

The importance of Database Security

Database security is of paramount importance.
The corporate database contains information on financial activities, personal files, client information and bank account details. If this information gets into the wrong hands, it can harm the business and the reputation of the organization. It is important for every organization to assess the risk to its database and to devise a strategy for implementing a system that will protect the data from theft. The areas of vulnerability should be assessed and the security policy should be implemented accordingly. Proper backups should be available to secure the data in case of a system crash, theft of laptops, or a natural cause such as an earthquake or flood that can erase the database of a corporation (Spamlaws.com, 2014). As the threats and risks to databases have increased, there has been an increase in the use of security policies and security equipment to ensure that the database is fully protected from risks that may harm the company. Although the majority of companies store their sensitive data in a database, they sometimes ignore the importance of securing the data from hackers. The basic facets of database security are assurance, confidentiality, integrity and availability. According to the US Department of Defense, “database security should provide controlled, protected access to the contents of a database as well as preserve the integrity, consistency, and overall quality of the data”. These should be followed when a security policy is assigned to a database (Anuramn, 2011; Goodrich & Tamassia, 2011).

Security Risks to a Database

A database is believed to be the heart of any organization, as it contains the most important information of the organization, which is the complete record of its clients. As these clients bring business to the organization, their personal information is critical for other organizations. If hackers or malicious insiders gain access to the database of a company, they can retrieve information or harm the operational capacity of the organization.
Some of the major threats to a database are as follows (Shulman, 2006):

Excessive and unused Privileges

When an employee gets extra privileges which are not in accordance with their job requirements, a breach of confidentiality may occur, as the user may obtain information which he is not authorized to know. This happens when the mechanism of privilege control is not properly implemented in the organization. In such scenarios, specialized database security and privilege control mechanisms must be defined which allow database administrators to double-check for database security threats. If an individual is granted a high level of database privilege, that person must also be evaluated using certain system checks in order to assure that no privileges are being abused. It is also the responsibility of the database administrator to remove the access rights of employees who have left the organization, so that they cannot use their old privileges to steal company credentials and secrets (Imperva, 2011).

Privilege Abuse

Users can abuse the power of the privileges that are given to them. They can retrieve the personal information of clients and may forward it to other companies in return for financial reward. It is the responsibility of the administrator to properly manage the access of the users and to perform the required actions which the management has outlined in the database security plan. Privilege abuse can take two forms: it can be either “legitimate privilege” or “excessive privilege” abuse. Legitimate privilege abuse happens if a malicious user misuses their database access rights and intentionally misuses the information stored in the database for malicious purposes. If an attacker is looking for excessive privilege abuse, the individual will access the database functionalities and will try to destroy critical information, which becomes more difficult to stop (Kayarkar, 2012).

Input Injection

There are two types of injection attacks.
One is the SQL injection attack and the other is the NoSQL injection attack. The SQL injection attack targets traditional database systems, whereas the NoSQL attack targets Big Data platforms. SQL injection is the injection of a malicious statement into the input field of a web application, whereas a NoSQL attack is the insertion of a malicious statement into big data components (Ray, 2009).

Malware

Cyber criminals and state spies use different tactics to abuse the database of a company. Email and malware are used to retrieve sensitive information about the organization. The problem with this threat is that the company is mostly unaware that malware has infected the system. All desktops and laptops need to have the latest, up-to-date anti-spyware, antivirus and anti-malware software installed on them, and additional firewall software needs to be active on them at all times. By following these simple steps, database security administrators can bring down the security threats and attacks that we are currently faced with (Shulman, 2006; Hoffer, Prescott, & McFadden, 2007).

Weak Audit Trail

Automated recording of database activity should be common practice in the database system of the company. If the system malfunctions, the company is exposed to many risks. Government regulation requires that the company have a proper database audit mechanism. If the company fails to do so, it can have many harmful effects. Many organizations turn to local audit systems or manual systems to keep track of their database. These systems are easy for hackers and cyber criminals to compromise. It is important for organizations to use state-of-the-art database systems for managing their data (Shulman, 2006; Hoffer, Prescott, & McFadden, 2007).

Storage Media Exposure

Backup media is totally vulnerable to risks. That's why it is unprotected from attacks.
Data backup disks and tapes are a source of security breaches in databases. Virtual storage packs are risky, and information stored in them has a very acute chance of getting lost or stolen. If implemented insecurely, these virtual tools are a well-laid buffet dinner for cyber attackers. Given even a small window to enter, hackers have an opportunity to access an extremely confidential information source of the company, and they can make use of the information to carry out bigger crimes (Gertz & Jajodia, 2007).

Exploitation of Vulnerabilities and Misconfigured databases

In many organizations, it is common to have vulnerable and unpatched databases, or databases with old default accounts and configuration parameters. Attackers are quite experienced in exploiting such vulnerabilities to initiate an attack. Missing patches in a database make the data vulnerable, which hackers take advantage of. It mostly takes months for organizations to patch the database, and during that time the database of the company is susceptible to attack by hackers (Natan, 2005).

Unmanaged sensitive data

Sometimes companies are unable to properly manage data which is sensitive in nature. This causes the database to be breached. Companies may forget their old data once it is replaced by new data. This old data may be accessed by hackers. The database administrator should ensure that the old data is properly backed up and maintained in log files, and this data must also be kept secure and safe so that it does not get into the hands of attackers who are in search of the company's private and confidential information (Natan, 2005).

Limited Security Expertise and Education

Security breaches are a big problem for organizations where expertise in database security is taken lightly and not much financial attention is given to it.
The company may be controlling costs by investing less in the database system, but in the long run it may suffer the most if security is breached and the database information is stolen. In some cases the system is the most modern, with the latest technology, but the operating staff are not well equipped to handle it (Shulman, 2006; Hoffer, Prescott, & McFadden, 2007).

Programs required against database threats

By addressing the top ten threats, the company can meet global compliance requirements and the industry's best practices related to data protection. Many of the threats can be eliminated by using a DAP (Database Audit and Protection) platform (Imperva, 2014). DAM (database activity monitoring) is an additional security requirement. This program helps in monitoring which user accesses which part of the data. It also produces reports in specific privacy-law-compliant formats (IRI, 2014; Goodrich & Tamassia, 2011).

Superior Technology for database

The need for superior technology for database protection is met by superior database applications that adhere to the needs and demands of consumers. The personal information of clients is made available 24 hours a day, as it can be needed by the client at any time. This makes the vulnerability of the database high, and more improved programs and security systems are needed so that hackers do not attack and the information is protected. Companies need to be vigilant about protecting the personal information of their clients and the company's procedures. If it reaches the hands of attackers, it can bring distrust from clients and a bad reputation. Databases have become an integral part of the functioning of organizations. With global markets, the clientele of massive companies is getting bigger and requires a database for better management of the personal information of the clients (Kayarkar, 2012).
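
The SQL injection threat described under Input Injection, and the secure coding that the IT professional is asked to enforce, can be seen side by side in the following added example (not part of the original paper). The table, the client rows and the function names are constructed for illustration, and SQLite stands in for the corporate database.

```python
import sqlite3

# Constructed sample data; names and account numbers are invented.
CLIENTS = [("Alice", "ACC-001"), ("Bob", "ACC-002"),
           ("Carol", "ACC-003"), ("O'Brien", "ACC-004")]

SORTABLE_COLUMNS = {"name", "account_no"}   # identifiers callers may sort by


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients ("
                 "id INTEGER PRIMARY KEY, name TEXT, account_no TEXT)")
    conn.executemany("INSERT INTO clients (name, account_no) VALUES (?, ?)",
                     CLIENTS)
    return conn


def find_client_unsafe(conn, name):
    """'Before' version: the input field is pasted into the statement text,
    so quote characters in the input change the statement itself."""
    sql = "SELECT name, account_no FROM clients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_client_safe(conn, name):
    """'After' version: the input is bound as a parameter and is only ever
    compared as a value, whatever characters it contains."""
    sql = "SELECT name, account_no FROM clients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def list_clients_sorted(conn, column):
    """Column names cannot be bound as parameters, so a caller-chosen
    identifier is checked against a fixed allow-list instead."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError("sorting by %r is not allowed" % (column,))
    sql = "SELECT name FROM clients ORDER BY " + column
    return [row[0] for row in conn.execute(sql)]


def compare(conn, text):
    """Row counts returned by the unsafe and safe lookups for one input;
    None means the unsafe statement failed to parse."""
    try:
        unsafe = len(find_client_unsafe(conn, text))
    except sqlite3.OperationalError:
        unsafe = None
    return unsafe, len(find_client_safe(conn, text))


if __name__ == "__main__":
    db = make_db()
    for text in ["Alice", "O'Brien", "x' OR '1'='1"]:
        print(repr(text), "unsafe/safe row counts:", compare(db, text))
```

The concatenated query returns every client for the third input and fails outright on a legitimate name containing an apostrophe; the parameterized query returns exactly the matching rows in all three cases.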
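
The review called for under Excessive and unused Privileges, using the kind of "which user accesses which data" record that database activity monitoring produces, can be sketched as below. This is an added example, not part of the original paper; the grant list, staff list, activity records and the 90-day idle limit are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data: (user, privilege, object)
GRANTS = [
    ("alice", "SELECT", "clients"),
    ("alice", "UPDATE", "clients"),
    ("bob", "SELECT", "clients"),
    ("bob", "DELETE", "clients"),
    ("bob", "SELECT", "payroll"),
    ("carol", "SELECT", "payroll"),
]

# Constructed staff list: carol has left the organization.
ACTIVE_STAFF = {"alice", "bob"}

# Constructed activity records: (day, user, privilege, object)
ACTIVITY = [
    (date(2024, 1, 10), "bob", "DELETE", "clients"),
    (date(2024, 6, 20), "alice", "SELECT", "clients"),
    (date(2024, 6, 21), "alice", "UPDATE", "clients"),
    (date(2024, 6, 25), "bob", "SELECT", "clients"),
    (date(2024, 6, 28), "carol", "SELECT", "payroll"),
    (date(2024, 6, 29), "alice", "SELECT", "payroll"),
]


def review_privileges(grants, active_staff, activity, today, max_idle_days=90):
    """Compare granted privileges with staff status and recorded activity.

    Returns three sorted lists of (user, privilege, object):
      revoke_departed    - grants held by people no longer on the staff list
      unused             - grants of current staff not exercised within
                           max_idle_days (or never exercised at all)
      ungranted_activity - recorded actions with no matching grant, which
                           points at access obtained some other way
    """
    cutoff = today - timedelta(days=max_idle_days)

    # Most recent use of each (user, privilege, object) combination.
    last_used = {}
    for day, user, privilege, obj in activity:
        key = (user, privilege, obj)
        if key not in last_used or day > last_used[key]:
            last_used[key] = day

    granted = set(grants)
    revoke_departed = sorted(g for g in granted if g[0] not in active_staff)
    unused = sorted(g for g in granted
                    if g[0] in active_staff
                    and last_used.get(g, date.min) < cutoff)
    ungranted_activity = sorted(k for k in last_used if k not in granted)

    return {
        "revoke_departed": revoke_departed,
        "unused": unused,
        "ungranted_activity": ungranted_activity,
    }


if __name__ == "__main__":
    report = review_privileges(GRANTS, ACTIVE_STAFF, ACTIVITY,
                               today=date(2024, 6, 30))
    for finding, rows in report.items():
        print(finding)
        for user, privilege, obj in rows:
            print("   ", user, privilege, "on", obj)
```

A review like this is only as good as the activity records behind it, which is why the weak audit trail listed among the threats undermines privilege control as well.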

Conclusion

Database security and data breaches are now so common that they have become a dominant area of research. During the past year, it is estimated that more than 50% of consumers have been bitten by the snake of data breach. Moreover, there are a number of threats that target the network structure of today's organizations. Firewalls are vulnerable to potential attacks, which seem to be on the rise according to recent analysis. The reputation and the efficiency of an organization are key aspects by which the organization is rated. If mere irresponsibility on the part of the employees or the management is left unnoticed, there is a very rare danger of enduring even bigger damage to money as well as to social wealth. Therefore, it is highly appropriate to make systems secure enough to avoid trouble such as a data breach, and to save your organization from lawsuits and a huge loss of customer loyalty and clients.

References

Anuramn. (2011). Database security. brighthub.com.
Elmasri, R. (2007). Fundamentals of Database Systems. Pearson Education India.
Gertz, M., & Jajodia, S. (2007). Handbook of Database Security: Applications and Trends. Springer Science & Business Media.
Goodrich, M. T., & Tamassia, R. (2011). Introduction to Computer Security. New York: Pearson Education.
Guimaraes, M., Murray, M., & Austin, R. (2007). Incorporating database security courseware into a database security class. Proceedings of the 4th annual conference on Information security curriculum development. Kennesaw, Georgia: ACM New York, USA.
Hoffer, J. A., Prescott, M. B., & McFadden, F. R. (2007). Modern Database Management, Eighth Edition. Pearson Education, Inc.
Imperva. (2011). Top Ten Database Security Threats. Retrieved from Worldwide Security Products 2011–2014: http://www.imperva.com/docs/WP_TopTen_Database_Threats.pdf
impervacom. (2014). Top ten database threats.
IRI, 2014. (n.d.). IRI: THE CO SORT COMPANY. IRI.com.
Jajodia, S. (1999). Database Security XII: Status and Prospects. Springer Science & Business Media.
Lane, A. (2013). What every database administrator should know about security. Retrieved from darkreading.com.
Loch, K. D., & Carr, H. H. (1992). Threats to Information Systems: Today's Reality, Yesterday's Understanding. MIS Quarterly, 6(2), 173-186.
Mirkovic, J. (2005). Internet Denial of Service: Attack and Defense Mechanisms. Prentice Hall Professional Technical Reference.
Natan, R. B. (2005). Implementing Database Security and Auditing. Digital Press.
Oracle.com. (2013). Security Policies. Oracle database security guide.
Ponemon, L. (2007). Database Security 2007: Threats and Priorities within IT Database Infrastructure. Independently Conducted by Ponemon Institute LLC.
Rabasa, A., Brebbia, C. A., & Bia, A. (2013). Data management and security. WIT Press.
Ray, C. (2009). Distributed Database Systems. Pearson Education India.
Rouse, M. (2014). Database. TechTarget.com.
Shulman, A. (2006). Top Ten Database Security Threats. Imperva, Inc.
Shulman, A. (2011). Top Ten Database Security Threats How to Mitigate the Most Significant Database. Imperva, Inc.
Spamlaws. (2014). Why data security is of paramount importance. Journal of Data Security.
Turban, E., Leidner, D., McLean, E., & Wetherbe, J. (2005). Information Technology for Management: Transforming Organizations in the Digital Economy. New York: Wiley.
Database Security Controls Research Paper Example | Topics and Well Written Essays - 3000 words. https://studentshare.org/information-technology/1847707-database-security-controls