What is database security?

Database security is the processes, tools, and controls that secure and protect databases against
accidental and intentional threats. The objective of database security is to secure sensitive data
and maintain the confidentiality, availability, and integrity of the database. In addition to
protecting the data within the database, database security protects the database management
system and associated applications, systems, physical and virtual servers, and network
infrastructure.
To answer the question "what is database security," it's important to acknowledge that there are
several types of security risks. Database security must guard against human error, excessive
employee database privileges, hacker and insider attacks, malware, backup storage media
exposure, physical damage to database servers, and vulnerable databases such as unpatched
databases or those with too much data in buffers. (A database buffer is a section in the main
memory that is used for the temporary storage of data blocks while moving from one location to
another. A copy of the disk blocks is kept in a database buffer.)

Types of database security

 Firewalls serve as the first line of defense in D database security. Logically, a firewall is a
separator or restrictor of network traffic, which can be configured to enforce your organization's
data security policy. If you use a firewall, you will increase security at the operating system level
by providing a chokepoint where your security measures can be focused.

Access management:

 Authentication is the process of proving the user is who he or she claims to be by entering the
correct user ID and password. Some security solutions allow administrators to centrally manage
the identities and permissions of database users in one central location. This includes the
minimization of password storage and enables centralized password rotation policies.

 Authorization allows each user to access certain data objects and perform certain database
operations like read but not modify data, modify but not delete data, or delete data.

 Access control is managed by the system administrator who assigns permissions to a user within
a database. Permissions are ideally managed by adding user accounts to database roles and
assigning database-level permissions to those roles. For example, row-level security (RLS)
allows database administrators to restrict read and write access to rows of data based on a user's
identity, role memberships, or query execution context. RLS centralizes the access logic within
the database itself, which simplifies the application code and reduces the risk of accidental data
disclosure.

Threat protection:

 Auditing tracks database activities and helps maintain compliance with security standards by
recording database events to an audit log. This allows you to monitor ongoing database activities,
as well as analyze and investigate historical activity to identify potential threats or suspected
abuse and security violations.

 Threat detection uncovers anomalous database activities that indicate a potential security threat
to the database and can surface information about suspicious events directly to the administrator.

Information protection:

 Data encryption secures sensitive data by converting it into an alternative format so only the
intended parties can decipher it back to its original form and access it. Although encryption
doesn't solve access control problems, it enhances security by limiting data loss when access
controls are bypassed. For example, if the database host computer is misconfigured and a
malicious user obtains sensitive data, such as credit card numbers, that stolen information might
be useless if it’s encrypted.
 Database backup data and recovery is critical to protecting information. This process involves
making backup copies of the database and log files on a regular basis and storing the copies in a
secure location. The backup copy and file are available to restore the database in the event of a
security breach or failure.

 Physical security strictly limits access to the physical server and hardware components. Many
organizations with on-premises databases use locked rooms with restricted access for the
database server hardware and networking devices. It's also important to limit access to backup
media by storing it at a secure offsite location.

Best practices

Because databases are nearly always network-accessible, any security threat to any component
within or portion of the network infrastructure is also a threat to the database, and any attack
impacting a user’s device or workstation can threaten the database. Thus, database security must
extend far beyond the confines of the database alone.

When evaluating database security in your environment to decide on your team’s top priorities,
consider each of the following areas:

 Physical security: Whether your database server is on premise or in a cloud data center, it must
be located within a secure, climate-controlled environment. (If your database server is in a cloud
data center, your cloud provider will take care of this for you.)

 Administrative and network access controls: The practical minimum number of users should
have access to the database, and their permissions should be restricted to the minimum levels
necessary for them to do their jobs. Likewise, network access should be limited to the minimum
level of permissions necessary.

 End user account/device security: Always be aware of who is accessing the database and when
and how the data is being used. Data monitoring solutions can alert you if data activities are
unusual or appear risky. All user devices connecting to the network housing the database should
be physically secure (in the hands of the right user only) and subject to security controls at all
times.

 Encryption: ALL data—including data in the database, and credential data—should be protected
with best-in-class encryption while at rest and in transit. All encryption keys should be handled in
accordance with best-practice guidelines.

 Database software security: Always use the latest version of your database management
software, and apply all patches as soon as they are issued.

 Application/web server security: Any application or web server that interacts with the database
can be a channel for attack and should be subject to ongoing security testing and best practice
management.
  Backup security: All backups, copies, or images of the database must be subject to the same (or
equally stringent) security controls as the database itself.

 Auditing: Record all logins to the database server and operating system, and log all operations
performed on sensitive data as well. Database security standard audits should be performed
regularly.
Controls and policies

In addition to implementing layered security controls across your entire network environment,
database security requires you to establish the correct controls and policies for access to the
database itself. These include:

 Administrative controls to govern installation, change, and configuration management for the
database.

 Preventative controls to govern access, encryption, tokenization, and masking.

 Detective controls to monitor database activity monitoring and data loss prevention tools. These
solutions make it possible to identify and alert on anomalous or suspicious activities.
Database security policies should be integrated with and support your overall business goals,
such as protection of critical intellectual property and your cybersecurity policies and cloud
security policies. Ensure you have designated responsibility for maintaining and auditing security
controls within your organization and that your policies complement those of your cloud
provider in shared responsibility agreements. Security controls, security awareness training and
education programs, and penetration testing and vulnerability assessment strategies should all be
established in support of your formal security policies.
Data protection tools and platforms

Today, a wide array of vendors offer data protection tools and platforms. A full-scale solution
should include all of the following capabilities:

 Discovery: Look for a tool that can scan for and classify vulnerabilities across all your databases
—whether they’re hosted in the cloud or on-premise—and offer recommendations for
remediating any vulnerabilities identified. Discovery capabilities are often required to conform to
regulatory compliance mandates.

 Data activity monitoring: The solution should be able to monitor and audit all data activities
across all databases, regardless of whether your deployment is on-premise, in the cloud, or in
a container. It should alert you to suspicious activities in real-time so that you can respond to
threats more quickly. You’ll also want a solution that can enforce rules, policies, and separation
of duties and that offers visibility into the status of your data through a comprehensive and
unified user interface. Make sure that any solution you choose can generate the reports you’ll
need to meet compliance requirements.

 Encryption and tokenization capabilities: In case of a breach, encryption offers a final line of
defense against compromise. Any tool you choose should include flexible encryption capabilities
that can safeguard data in on-premise, cloud, hybrid, or multicloud environments. Look for a tool
with file, volume, and application encryption capabilities that conform to your industry’s
compliance requirements, which may demand tokenization (data masking) or advanced security
 key management capabilities.

 Data security optimization and risk analysis: A tool that can generate contextual insights by
combining data security information with advanced analytics will enable you to accomplish
optimization, risk analysis, and reporting with ease. Choose a solution that can retain and
synthesize large quantities of historical and recent data about the status and security of your
databases, and look for one that offers data exploration, auditing, and reporting capabilities
through a comprehensive but user-friendly self-service dashboard.