Five tips for database security
19 December 2019
In a business environment in which customer experience is everything, trust is a huge issue. At the top of the customers’ minds is data security. A single breach can cause debilitating damage to a brand not only on the legal, regulatory and financial fronts, but also to the image of the brand the business has carefully nurtured.
So how does an IT manager ensure their customer data is safely stored? What are the secrets to successful database security when security threats are a constant reality in business?
In SCU’s online Master of IT Management, students develop a powerful understanding of how a business can be prepared for the future of IT, including ensuring rock-solid security.
Here are five top tips from our security experts.
#1 Hack your own systems
We’re not talking about implementing a full-scale attack on your company’s systems (although this can be a good process for organisations such as banks and other security-dependent businesses), but rather searching for the cracks which could open up space for breaches and attacks to occur.
It involves the development of a system-wide chart that clearly indicates where every database in the organisation sits.
Before the current IT security system was put in place, and potentially since it was implemented, simple database applications such as SQL Server Express may have been downloaded to local machines. Utilise automated tools, such as SQLPing3, to search your networks for particular types of databases and bring them all into a common, secure server area which, of course, is kept separate from the web server and behind a firewall.
Just like implementing an organisation-wide process for the use of strong passwords on laptops, tablets and smartphones, this is a relatively simple and immediate way to increase data security across the business.
#2 Ditch the shared server
There is a lot to be said for the use of shared web servers in terms of simplicity and cost. As data transfer speeds have increased and hosting businesses have become more mainstream, the field of shared hosting has boomed.
This solution is fine for low-traffic and low-security purposes, but even then it’s important to speak with the hosting business about their own security set-up and policies, and what process can be expected should a security event occur.
As soon as sensitive information is involved, however, it’s time to bring the information in-house, into an environment that can be controlled by your own organisation. There is rarely an excuse to place the security of your customers’ data into the hands of another business, unless that business is clearly more proficient in the field of security.
#3 Encrypt everything, including backups
The idea of encryption of sensitive data is not new, but too often it is reserved for data in a specific environment, such as data that is being transferred. Once that data is in storage behind a firewall and on the ‘secure’ database server, it is believed to be safer and therefore does not require encryption.
An excellent habit is to consider all data to be vulnerable. Whether it’s being transferred across systems or online, stored behind a firewall or in an offline backup system, all data deserves to be protected.
Why encrypt backups? According to a 2019 report from Egress, 60 per cent of data breaches that occurred in the first half of 2019 and were reported to the British Information Commissioner’s Office were due to human error.
The company’s Insider Data Breach Survey 2019 said, “79 per cent of IT leaders believed that employees have put company data at risk accidentally in the last 12 months, whilst 61 per cent believe employees have done so maliciously”.
Businesses that only focus on external threats are potentially turning a blind eye to a greater data security threat coming from inside their organisation.
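As an added example that is not part of the original article, the following Go program shows what "encrypt the backup" means in practice: the backup bytes are sealed with AES-256-GCM, and the backup's label (file name and date) is bound as associated data, so a backup that has been tampered with, or swapped for a different one made under the same key, fails to decrypt instead of being silently restored. The function names, the demo key handling and the sample backup contents are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD, refusing any key that is not 32 bytes
// (a 16-byte key would otherwise silently give AES-128).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals a backup as nonce || ciphertext || tag. The label is
// bound as associated data so blobs cannot be swapped for one another.
func EncryptBackup(key []byte, label string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh random nonce per backup; never reuse one under the same key
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// DecryptBackup verifies the GCM tag (and therefore the label) before returning
// anything: one flipped bit anywhere in the blob yields an error, not bad data.
func DecryptBackup(key []byte, label string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or blob too short to hold a nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(label))
}

func main() {
	key := make([]byte, 32) // demo key only; a real one lives in a KMS/HSM, never beside the backups
	rand.Read(key)
	blob, _ := EncryptBackup(key, "customers-2019-12-19.bak", []byte("constructed sample backup"))
	_, err := DecryptBackup(key, "customers-2019-12-19.bak", blob)
	fmt.Println("decrypt ok:", err == nil) // prints "decrypt ok: true"
}
```

The key must be stored and rotated separately from the backups themselves; an encrypted backup kept next to its key protects nothing.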
#4 Update and secure all applications and plug-ins
Some database discovery applications such as the aforementioned SQLPing3 also contain password cracking programs that can be used to automatically identify parts of your system that are not password protected, or that are protected by a weak password. Other password-specific software, such as Distributed Password Recovery and Cain & Abel, can be employed to do a similar job.
After making sure all databases have security controls switched on and are well password protected, it’s also important to apply all patches, and not only for database software. In an environment that is rich with applications, widgets and other third-party components, as is the case with many corporate websites and internal systems, there can be hundreds of plug-ins, any of which can become a way in for those attempting to access sensitive data.
Keeping patches updated across all of these can be challenging, but it only requires one door to be opened for sensitive data to be compromised. The best-practice process is to:
- Reduce as much as possible the number of third-party applications that draw data from an internal database, keeping only the ones that are absolutely necessary. Those that are kept should be confirmed to have been created by a developer or vendor that has processes in place to keep their code secure.
- Compile and maintain a thorough list of all applications and plug-ins being used within the business.
- Use this list to develop a regular and rigorous process that involves an administrator being responsible for systematically updating all patches, whilst constantly reducing the number of third-party applications being used.
- For greater protection and Payment Card Industry compliance, put a web application firewall in place, which controls access to the database utilised by a web application.
#5 Protect cloud data
As providers profit from the massive migration to cloud that has taken place over the last decade, many have developed reputations for having strong security policies and processes. But even the very best can experience difficulties, so the final responsibility for the safety of data still remains with the owners of that data.
Many processes and protections can be put in place to ensure greater data security in the cloud environment. These include encryption at all levels including transfer and storage, user access control systems including permissions and a log of all who have accessed the data, web application firewalls and checking on physical security around the servers themselves. Cloud servers should always receive the same security treatment as corporate networks.
By studying a Master of IT Management with SCU Online, you will develop a comprehensive understanding of all aspects of information security including policies, practices and risk assessment, as well as enterprise security from a management perspective.