You could be forgiven for thinking that database security should actually be down to the RDBMS (Relational Database Management System) vendors.
After all, they are the experts and should, in theory, be the ones to go to for security, but in practice they only offer a small part of the security that is needed.
Some of the more critical security needs are already included in the relational database platform – access control, identity management, network communication encryption, etc. – but that still leaves an awful lot to be covered.
In some cases, the security that the RDBMS vendor offers just isn't robust enough for enterprise use, providing insufficient information (for example, for auditing) or encryption that is too slow.
One of the biggest problems faced today is that enterprise compliance and security requirements tend to focus on the data rather than on the infrastructure itself. For that reason, database security tools play a major part in protecting the information stored in the data center.
So what exactly is database security?
Database security is an umbrella term for the different measures that are needed to secure and protect a database from unauthorized access and malicious attacks and threats.
Included under this umbrella are a vast array of different tools, processes, and methodologies that ensure a database and its contents are kept secure.
As well as covering what security is required, it also covers enforcement of that security on all the different components and aspects of the databases, including:
- The data that is stored in the database
- The database server
- The DBMS – Database Management System
- Any other database workflow applications
Database security should be an integral part of the overall enterprise security planning and it should be implemented, monitored and maintained by an IT security professional, such as a database administrator.
Some of the security controls and implementations include:
- Restriction of unauthorized use of or access to the database. This is done through strong authentication and/or multifactor access controls, along with data management controls
- Load testing, stress testing and capacity testing of each database to make sure that it will not crash if subjected to a DDoS (Distributed Denial of Service) attack or simply to sheer user overload
- Ensuring physical security of the database server and all the backup equipment, keeping it secure from tampering, unauthorized access, theft and natural disasters
- Constant monitoring and review of the existing systems for known vulnerabilities and for unknown ones, and the definition and implementation of a plan to deal with incidents that have already happened and to mitigate them for the future.
All of this has to be included in the enterprise security plan right from the beginning.
If the databases cannot be kept secure, then the data contained within them is at high risk of compromise.
This puts database security at the top of the priority list; it should not be left to the RDBMS vendors to deal with.