The Database environment is the third level of concern in the Confidentiality, Integrity and Availability of the ITSE. Database data is arguably the most valuable asset of a business: it is the lifeblood of the organization, without which it cannot function. The variety of information that data can describe is practically limitless, and each variety is just as important as the next to the business it belongs to. Some examples of information that data may be used to describe include:

  • An Application Backend/Data store
  • Customer/Client Contact Details
  • Financial Information / Banking Systems / Credit Card Processing
  • Company Sales Figures
  • Order Inventory System
  • Website Content
  • Aircraft Reservation
  • Library / DVD / Car Rental
  • etc.

Database security mechanisms protect the confidentiality, integrity and availability of your organization’s most sensitive data. Some of our concerns for the ITSE – Database are detailed as follows:

  • Inference Attacks on Databases

    One of the main issues faced by database security professionals is preventing inference. Inference occurs when users are able to piece together information they are cleared to see at one security level to determine a fact that should be protected at a higher security level.

  • SQL Injection Attacks on Databases

    One common type of database attack, SQL injection, allows a malicious individual to execute arbitrary SQL code on your database server. It arises when untrusted input is concatenated into a query as text instead of being passed as a bound parameter.

  • Access Controls in SQL

    Security is paramount to database administrators seeking to protect gigabytes of vital business data from the prying eyes of unauthorized outsiders, and from insiders attempting to exceed their authority. All relational database management systems provide some sort of intrinsic security mechanism designed to minimize these threats. They range from the simple password protection offered by Microsoft Access to the complex user/role structure supported by advanced relational databases such as Oracle and Microsoft SQL Server.

  • HIPAA Compliance (Privacy and Security)

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) places a large regulatory burden on organizations that deal with certain types of health-related information. Now, if you’re about to stop reading this and say to yourself “I don’t work for a health-related organization,” stick with me for at least one more paragraph. As HIPAA deals with the security and privacy of health information, it is of direct importance to database administrators. There are a number of ways you may qualify as a “Covered Entity” that is required to comply with the terms of HIPAA. Some of these are obvious – health care providers come immediately to mind. However, some require a little more thought. If your organization qualifies as a “health plan,” you are considered a Covered Entity.
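An added example, not code from the original page, that demonstrates two of the concerns above on a small constructed SQLite table: the SQL injection defect beside its parameterized fix, and an inference by differencing two permitted aggregate sums, with a query-set-size control as an assumed mitigation. The table, names, salaries and the threshold K are all constructed for illustration.

```python
import sqlite3

# Constructed sample table (not real data): name, department, salary.
ROWS = [("alice", "finance", 90000), ("bob", "finance", 60000),
        ("carol", "finance", 65000), ("dave", "eng", 85000),
        ("erin", "eng", 80000), ("frank", "eng", 82000)]

def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE staff (name TEXT, dept TEXT, salary INTEGER)")
    con.executemany("INSERT INTO staff VALUES (?, ?, ?)", ROWS)
    return con

# --- SQL injection: query built by string concatenation versus bound parameter ---
def find_by_dept_vulnerable(con, dept):
    # The defect: untrusted input becomes part of the statement text, so a
    # value containing a quote character can change the query's logic.
    sql = "SELECT name FROM staff WHERE dept = '" + dept + "' ORDER BY name"
    return [r[0] for r in con.execute(sql)]

def find_by_dept_safe(con, dept):
    # The fix: the driver binds the value as data; it can never alter the query.
    sql = "SELECT name FROM staff WHERE dept = ? ORDER BY name"
    return [r[0] for r in con.execute(sql, (dept,))]

# --- Inference: aggregates alone can leak a protected individual value ---
def sum_excluding(con, name=None):
    if name is None:
        return con.execute("SELECT SUM(salary) FROM staff").fetchone()[0]
    return con.execute("SELECT SUM(salary) FROM staff WHERE name <> ?",
                       (name,)).fetchone()[0]

def infer_salary(con, name):
    # A user cleared only for SUM() recovers one row by differencing two sums.
    return sum_excluding(con) - sum_excluding(con, name)

# Mitigation (assumed policy, not from the page): query-set-size control.
# Refuse an aggregate whose row set has fewer than K rows or more than N-K,
# so neither a tiny set nor its near-complement can be used for differencing.
K = 3
def guarded_sum(con, dept=None, exclude=None):
    n_total = con.execute("SELECT COUNT(*) FROM staff").fetchone()[0]
    n, s = con.execute(
        "SELECT COUNT(*), SUM(salary) FROM staff "
        "WHERE (? IS NULL OR dept = ?) AND (? IS NULL OR name <> ?)",
        (dept, dept, exclude, exclude)).fetchone()
    if n < K or n > n_total - K:
        return None  # refused: the result would isolate individuals
    return s
```

The threshold K must be chosen relative to the table size; a set-size control by itself does not stop every differencing sequence on a large table, which is why it is usually combined with auditing of query history.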

The commonly recurring issues and problems that practitioners – even the most experienced database professionals – seem to systematically misunderstand are the following:

  • Unstructured data and complex data types
  • Business rules and integrity enforcement
  • Keys
  • Duplicates
  • Normalization and denormalization
  • Entity subtypes and supertypes
  • Data hierarchies and recursive queries
  • Redundancy
  • Quota queries
  • Missing information

It is important to compare the severe costs of mishandling the above to the practical benefits of implementing the correct solutions, with an emphasis on both principles and practice.

Before you can establish policies that protect data, you need to identify what types of information require protection, where it resides, how it is used, and who accesses it. Structured information, such as customer and financial data, is fairly straightforward to identify and protect. It is the more complex assets – designs, formulas, code, marketing and sales strategies – and other intellectual property essential to your success that can be difficult to identify and secure, because it is scattered throughout your company and moves among colleagues and partners and across countries and continents.

Doing business outside national borders is a necessary competitive tactic for many companies and one that requires broad sharing and storing of your most valuable assets—intellectual property (IP) and sensitive data. In a 2009 report on the risks of doing business globally, researchers report that $12 million of an average company’s sensitive information resides abroad. This data is premium currency for cyberthieves and financially desperate or laid-off employees. It is at risk because of a lack of security standards found in some countries as well as from inconsistent security policies found among your own employees and partners – McAfee.

The following points make a strong case for prioritizing data security as a key business driver – McAfee:

  • Valuable data is being moved and lost. In 2008, surveyed companies worldwide each lost an average of $4.6 million in intellectual property and spent approximately $600 million repairing damage from data breaches.
  • The current economic downturn may be the perfect storm for security breaches. Many companies cut security spending during challenging economic times, making themselves vulnerable to damaging information loss. Threats come from external cybercriminals as well as from corporate insiders.
  • Geopolitical perceptions have become a reality in information security policies. Differing legal, cultural, and economic factors in countries around the globe are emerging as threats to the security of sensitive data and intellectual property.
  • Intellectual property is a new currency for cybercriminals. A company’s most valuable asset and one that is difficult to secure—intellectual property—is a prime target for thieves. Thirty-nine percent of survey respondents cited attacks from data thieves as a chief threat to their organization.

GetAdvise approaches the above concerns with the following key distributed controls – isaca.org:

  • Perimeter controls (e.g., firewalls, intrusion protection, malware detection).
  • User identity and access management is the essence of deciding who is allowed to do what and then monitoring to ensure things are as they are supposed to be.
  • Application systems (particularly ERP systems) are a focal point for data access protection. And, if user identity and access management is complex, application systems can be more so. Applications administer remote (sometimes global) access by customers, remote and local employees, and often business partners.
  • Privileged users have access rights beyond those needed for routine business operations. Database technical and operational controls (such as backup/recovery, system upgrades, checkpoint/restart, maintaining pointer integrity, optimizing physical data storage and performance) take place outside of the access constraints of application systems and most of the identity and access management processes, but must also be closely coordinated with application and user requirements.

In addition, the Top Ten Database Security Threats reported by Imperva are as follows:

  1. Excessive Privilege Abuse
  2. Legitimate Privilege Abuse
  3. Privilege Elevation
  4. Database Platform Vulnerabilities
  5. SQL Injection
  6. Weak Audit Trail
  7. Denial of Service
  8. Database Communication Protocol Vulnerabilities
  9. Weak Authentication
  10. Backup Data Exposure

By addressing these top ten threats, organizations will meet the compliance and risk mitigation requirements of the most regulated industries in the world.

The above texts are a sample of the advisory research and analytical rigor we undertake in our pursuit to get you the right advice!