Databases are an integral part of an application, and without database security an application would fail. A properly constructed and secured database helps produce a sound, efficient application (assuming the application itself is designed properly). The topic is also important because without database security anyone would have access to data that should be kept private, and nothing would necessarily be secure. Databases store large amounts of data in one location, which makes it easy to retrieve and change data.

This is a good thing in the sense that all of the data is easy to access, located in one spot, organized, etc. However, there is also a downside to all of these benefits: security. Because the data is all located in one spot (physically and logically), your data can be stolen or manipulated if that place is compromised. Databases are critical resources and they must be protected. Two basic ideas go into the security of a database: the physical security and the logical security mechanisms as they relate to database protection. Physical security of a database pertains to damage to equipment caused by physical problems such as natural disasters and failures, or to physical theft or unauthorized access. Logical security consists of protecting the data and implementing access controls.

An Overview of Database Security

Logical security can consist of simple things such as access controls, logically locating the data in a smart way (inside or outside of a DMZ, VLAN location, etc.), encrypting and authenticating database connections, and application security. Physical security may appear to be more common sense than logical security. With physical security you are concerned with backups of data in case of a disaster and with protecting the physical devices that store the data. You should always keep current backups based on a scheduled plan. This will ensure that you can retrieve and replace the data in case of an emergency or disaster. This applies to hardware as well: in addition to backups of data, you should have backup hardware devices that can make use of the data that has been backed up. Data without the hardware to utilize it is useless. You must also be concerned about natural disasters and other emergencies such as fire.

A disaster recovery plan must be in place to provide the steps for recovery and protection in case an emergency strikes. This plan should also include instructions for getting the data back onto the hardware and getting everything set up and configured so that it is operational again. In some cases a remote off-site backup center will be in place in case of an emergency. The actual location of the data (the building or room) should be secured in some way as well. This will prevent unwanted guests from having physical access to the data.