What is Database Security?
Database security refers to all of the measures taken to prevent breaches into database management systems (DBMS), and all associated software. Databases are often full of sensitive and confidential information, so protecting database contents is a critical cybersecurity objective. The following are best practices for protecting DBMS:
Control database access. Follow the principle of lease privilege (PoLP), an information security concept which asserts that a user or entity should only have access to the specific data, resources, and applications that they need to complete a required task. Also consider enforcing strong passwords, encrypting and salting password hashes, locking accounts after multiple failed login attempts, deactivating accounts from inactive users, and/or using access management software.
Firewalls. Use web application and database firewalls to protect your database servers from security threats and to protect your web applications from SQL injection cyberattacks that could be used to exfiltrate or delete data from the database.
Inventory and categorize sensitive data. Know what data you have in your database, and ensure that you maintain appropriate security controls for the given types of data.
Separate web and database servers. If you are maintaining physical database servers, be sure to keep them in a locked environment and on a separate physical machine from those that are running applications or web servers. Web servers are more likely to be compromised and, if the database servers are on the same machine, a cyberattacker will have access to those servers in a successful cyberattack.
Encryption. Encrypt data that is in motion and data that is at rest. Backup your database regularly, and ensure that the backups are encrypted and stored separately from decryption keys.
Monitor database activity. Audit and continuously monitor database activity to monitor logins, monitor attempted logins, and to detect unusual database activity. Alerts can be created that notify selected users about potentially malicious activity, shared accounts, and unauthorized account creation.
Regularly update. Regularly updating your operating system and database software with all recommended security patches ensures that you have protection against known security threats and vulnerabilities. Confirm that all database security controls are enabled, ensuring that databases connected to third-party applications are receiving timely updates; those security patches often come through the vendor and may need to be applied manually. Consider decommissioning legacy database systems that no longer receive security updates from the developers, as these systems are particularly vulnerable to cyberattacks.
Testing. Consider hiring a third-party service that offers penetration testing which will give your insight into the robustness of your database security infrastructure.