Introduction
Organisations today rely heavily on data to increase the efficiency and effectiveness of their
business activities. It is therefore necessary for them to secure their databases against external
attack in order to preserve confidentiality, integrity and availability. Several different
approaches to protecting sensitive databases are needed in an enterprise environment; they can be
combined to strengthen an organisation's security posture while keeping the cost and effort of
data protection down. Some of these approaches are explained below.
1 Combining Encryption With Tokenization And Hashing
There are radically different ways to render data unreadable, including two-way cryptography
with its associated key management processes, and one-way transformations such as truncation,
one-way cryptographic hash functions, and index tokens and pads. Two-way encryption of sensitive
data is one of the most effective means of preventing information disclosure and the resulting
potential for fraud. Cryptographic technology is mature and well proven, so there is simply no
excuse for not encrypting sensitive data. The choice of encryption scheme and the topology of
the encryption solution are critical to deploying a secure, effective and reasonable control. The
single largest failure in deploying encryption is attempting to build an ad-hoc cryptographic
implementation instead of using a vetted library. Hash algorithms are one-way functions that turn
a message into a fixed-length fingerprint, usually more than a dozen bytes long. Truncation
discards part of the input field. These one-way approaches can be used to reduce the cost of
securing data fields in situations where you do not need the original data to do business and
never need it back again.
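As an added example (this is not code from the page, nor from any vendor the page names), the following Oracle PL/SQL puts the three transformations side by side for a card number: two-way AES encryption, a one-way keyed fingerprint, and truncation, with a random index token as the value applications actually carry. It uses the database's own vetted DBMS_CRYPTO package rather than an ad-hoc cipher. The table card_vault, the package pan_protect, the key parameters and the test card number are all hypothetical; the keys are assumed to be supplied by the caller from a key manager, and HMAC_SH256 assumes Oracle 12c or later.

```sql
-- Added example, not code from the page or from any vendor it names. All object and
-- parameter names are hypothetical. Requires EXECUTE on SYS.DBMS_CRYPTO; HMAC_SH256
-- assumes Oracle 12c or later.

-- One row per vaulted card: the reversible form, the one-way lookup form and the truncated form.
CREATE TABLE card_vault (
  token      RAW(16)  PRIMARY KEY,      -- random index token handed out to applications
  pan_enc    RAW(64)  NOT NULL,         -- IV || AES-256-CBC ciphertext of the PAN (two-way)
  pan_hmac   RAW(32)  NOT NULL UNIQUE,  -- HMAC-SHA256 of the PAN (one-way): lookup without decrypting
  pan_last4  CHAR(4)  NOT NULL          -- truncation (one-way): enough for a receipt, useless to a thief
);

CREATE OR REPLACE PACKAGE pan_protect AS
  -- Keys are passed in by the caller (application key store or HSM); they are never stored here.
  -- p_enc_key must be 32 bytes (AES-256); p_mac_key is a separate secret for the fingerprint.
  FUNCTION fingerprint(p_pan IN VARCHAR2, p_mac_key IN RAW) RETURN RAW;
  FUNCTION tokenize(p_pan IN VARCHAR2, p_enc_key IN RAW, p_mac_key IN RAW) RETURN RAW;
  FUNCTION detokenize(p_token IN RAW, p_enc_key IN RAW) RETURN VARCHAR2;
END pan_protect;
/

CREATE OR REPLACE PACKAGE BODY pan_protect AS
  -- Use the database's vetted cipher suite rather than an ad-hoc construction.
  c_aes CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                              + DBMS_CRYPTO.CHAIN_CBC
                              + DBMS_CRYPTO.PAD_PKCS5;

  -- One-way: same PAN and key give the same 32-byte value; the PAN cannot be recovered from it.
  -- Keyed (HMAC) rather than bare SHA-256 because the 16-digit PAN space is small enough to enumerate.
  FUNCTION fingerprint(p_pan IN VARCHAR2, p_mac_key IN RAW) RETURN RAW IS
  BEGIN
    RETURN DBMS_CRYPTO.MAC(UTL_I18N.STRING_TO_RAW(p_pan, 'AL32UTF8'),
                           DBMS_CRYPTO.HMAC_SH256, p_mac_key);
  END fingerprint;

  FUNCTION tokenize(p_pan IN VARCHAR2, p_enc_key IN RAW, p_mac_key IN RAW) RETURN RAW IS
    l_fp    RAW(32) := fingerprint(p_pan, p_mac_key);
    l_token RAW(16);
    l_iv    RAW(16);
  BEGIN
    -- Same card already vaulted? Return its existing token; the fingerprint makes this
    -- lookup possible without decrypting every row.
    BEGIN
      SELECT token INTO l_token FROM card_vault WHERE pan_hmac = l_fp;
      RETURN l_token;
    EXCEPTION
      WHEN NO_DATA_FOUND THEN NULL;
    END;

    -- Two-way: fresh random IV per row, stored in front of the ciphertext.
    l_iv    := DBMS_CRYPTO.RANDOMBYTES(16);
    -- The token is random, so it carries no information about the PAN and needs no key to generate.
    l_token := DBMS_CRYPTO.RANDOMBYTES(16);

    INSERT INTO card_vault (token, pan_enc, pan_hmac, pan_last4)
    VALUES (l_token,
            UTL_RAW.CONCAT(l_iv,
                           DBMS_CRYPTO.ENCRYPT(UTL_I18N.STRING_TO_RAW(p_pan, 'AL32UTF8'),
                                               c_aes, p_enc_key, l_iv)),
            l_fp,
            SUBSTR(p_pan, -4));
    RETURN l_token;
  END tokenize;

  -- Only the few callers that really need the PAN back (e.g. settlement) are given p_enc_key.
  FUNCTION detokenize(p_token IN RAW, p_enc_key IN RAW) RETURN VARCHAR2 IS
    l_stored RAW(64);
  BEGIN
    SELECT pan_enc INTO l_stored FROM card_vault WHERE token = p_token;
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(UTL_RAW.SUBSTR(l_stored, 17),     -- ciphertext after the IV
                                 c_aes, p_enc_key,
                                 UTL_RAW.SUBSTR(l_stored, 1, 16)), -- the IV
             'AL32UTF8');
  END detokenize;
END pan_protect;
/

-- Usage. Keys are generated here only so the block is self-contained; in production they
-- come from a key manager, and most applications read only the token and pan_last4.
DECLARE
  k_enc RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);
  k_mac RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);
  t1    RAW(16);
  t2    RAW(16);
BEGIN
  t1 := pan_protect.tokenize('4111111111111111', k_enc, k_mac);  -- constructed test PAN
  t2 := pan_protect.tokenize('4111111111111111', k_enc, k_mac);  -- same card again
  DBMS_OUTPUT.PUT_LINE(CASE WHEN t1 = t2 THEN 'token reused' ELSE 'token mismatch' END);
  DBMS_OUTPUT.PUT_LINE(pan_protect.detokenize(t1, k_enc));
END;
/
```

Two points a practitioner should take from this. First, for a low-entropy field such as a card number an unkeyed hash is not a safe one-way transform: the whole space of valid 16-digit numbers can be enumerated and hashed offline, which is why the lookup fingerprint is a keyed HMAC. Second, CBC mode here gives confidentiality only; the pan_hmac column fingerprints the plaintext for lookup and does not authenticate the ciphertext, so the vault table itself still needs tight grants and auditing.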
2 Use Network Attached Encryption Devices With Care
Network Attached Encryption (NAED) is implemented as a network appliance, and throughput scales
with the number of appliances deployed. A NAED is a hardware device that resides on the network,
houses the encryption keys and executes all cryptographic operations. This topology has the added
security of physically separating the keys from the data. However, that added security comes at
a heavy price: every encrypt or decrypt becomes a network round trip, so performance can be 5 to
1,000 times worse than alternative methods, and the API the appliance exposes to applications
becomes an attack surface in its own right, since a compromised application host holding valid
credentials can ask the device to decrypt on its behalf.
3 Using System Triggers
Using system triggers to help detect when something suspicious is going on in the database can
give a reasonable balance of performance, functionality and security. Three system events that
can be trapped are CREATE, ALTER and DROP. The triggers can fire either BEFORE or AFTER the
actual action, and the difference matters for self-protection. Only committed triggers are fired.
For example, if you create a trigger that should fire after all CREATE events, the trigger does
not fire for its own creation, because the information about the new trigger had not been
committed at the time the CREATE event was raised. On the other hand, if you DROP a trigger that
should fire before all DROP events, the trigger fires before the DROP takes place, which means a
BEFORE trigger can protect itself by refusing the DROP. If you trust system triggers alone, you
must also ensure that they cannot be reset or disabled externally, e.g. by Oracle SGA
modification.
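The following is an added example, not taken from the page, of a self-protecting Oracle system trigger along the lines described above. The audit table ddl_audit, the procedure log_ddl_event and the trigger ddl_guard are hypothetical names; creating a trigger ON DATABASE requires the ADMINISTER DATABASE TRIGGER privilege.

```sql
-- Added example (not from the page). Object names are hypothetical.
CREATE TABLE ddl_audit (
  event_time  TIMESTAMP DEFAULT SYSTIMESTAMP,
  event_type  VARCHAR2(30),    -- CREATE, ALTER or DROP, as reported by ora_sysevent
  db_user     VARCHAR2(128),
  os_user     VARCHAR2(128),
  host        VARCHAR2(128),
  obj_owner   VARCHAR2(128),
  obj_type    VARCHAR2(30),
  obj_name    VARCHAR2(128)
);

-- Logging runs in an autonomous transaction so the audit row survives even when the trigger
-- goes on to reject the statement: a rejected DDL rolls back the trigger's own work otherwise.
CREATE OR REPLACE PROCEDURE log_ddl_event (
  p_event IN VARCHAR2, p_owner IN VARCHAR2, p_type IN VARCHAR2, p_name IN VARCHAR2) IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO ddl_audit (event_type, db_user, os_user, host, obj_owner, obj_type, obj_name)
  VALUES (p_event,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'HOST'),
          p_owner, p_type, p_name);
  COMMIT;
END;
/

-- BEFORE, not AFTER: the trigger still exists, committed, when its own DROP is attempted,
-- so it gets to see the event and refuse it. An AFTER trigger would already be gone.
CREATE OR REPLACE TRIGGER ddl_guard
  BEFORE CREATE OR ALTER OR DROP ON DATABASE
BEGIN
  -- The event attribute functions are read in the trigger body and passed down.
  log_ddl_event(ora_sysevent, ora_dict_obj_owner, ora_dict_obj_type, ora_dict_obj_name);

  -- Self-protection. ALTER is included because ALTER TRIGGER ... DISABLE is an ALTER event
  -- and would silence the guard just as effectively as dropping it.
  IF ora_dict_obj_type = 'TRIGGER' AND ora_dict_obj_name = 'DDL_GUARD'
     AND ora_sysevent IN ('DROP', 'ALTER') THEN
    RAISE_APPLICATION_ERROR(-20001, 'DDL_GUARD cannot be altered or dropped');
  END IF;
END;
/
```

Raising an error from a BEFORE DDL trigger aborts the statement, so the attempt is both blocked and recorded. The guard is not absolute: a sufficiently privileged account can still CREATE OR REPLACE the trigger with an empty body, and, as the text notes, anything that bypasses the trigger mechanism itself defeats it, so the audit rows should also be shipped off the database host where the same account cannot edit them.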
4 Using firewalls
A firewall is essential wherever there is external connectivity, either to other networks or to
the internet. It is important that firewalls are properly configured, as they are a key weapon in
combating unauthorised access attempts; for a database server this means exposing the listener
port only to the application tier and administrative hosts, never to the internet. The importance
of firewalls has increased as organisations and individuals increasingly avail of "always-on"
internet connections, exposing themselves to a greater possibility of attack.
5 Implementing Physical Security
Physical security safeguards should include the following considerations:
a. Perimeter security (monitoring of access, office locked and alarmed when not in
use);
b. Restrictions on access to sensitive areas within the building (such as server
rooms);
c. Computer location (so that the screen may not be viewed by members of the
public);
d. Storage of files (files not stored in public areas, with access restricted to staff with
a need to access particular files); and
e. Secure disposal of records (effective "wiping" of data stored electronically;
secure disposal of paper records).
6 Having a Back-up System
A back-up system is an essential means of recovering from the loss or destruction of data. While
some system must be in place, the frequency and nature of back-ups will depend, amongst other
factors, on the type of organisation and the nature of the data being processed. The security
standards for back-up data are the same as for live data: a backup holds the same sensitive
content as the database it was taken from, so it must be encrypted, access-controlled and
disposed of with the same care.
7 Having an Incident Response Plan
Even with the best designed systems, mistakes can happen. As part of a data security policy, an
organisation should anticipate what it would do if there were a data breach so that it can be
ready to respond.
Some questions you might ask yourself:
a. What would your organisation do if it had a data breach incident?
b. Have you a policy in place that specifies what a data breach is? (It is not just lost USB
keys/disks/laptops. It may include any loss of control over personal data entrusted to
organisations, including inappropriate access to personal data on your systems or the
sending of personal data to the wrong individuals).
c. How would you know that your organisation had suffered a data breach? Does the
organisation's staff (at all levels) understand the implications of losing personal data?
d. Has your organisation specified whom staff tell if they have lost control of personal
data?
e. Does your policy make clear who is responsible for dealing with an incident?
f. Does your policy meet the requirements of the Data Protection Commissioner's
approved
8 Using the Security Connected Tool
The Security Connected framework from McAfee enables integration of multiple products,
services, and partnerships for centralized, efficient, and effective risk mitigation. Built on more
than two decades of proven security practices, the Security Connected approach helps
organizations of all sizes and segments—across all geographies—improve security postures,
optimize security for greater cost effectiveness, and align security strategically with business
initiatives. The Security Connected Reference Architecture provides a concrete path from ideas
to implementation. Use it to adapt the Security Connected concepts to your unique risks,
infrastructure, and business objectives. McAfee is relentlessly focused on finding new ways to
keep their customers safe.
a. The Driving Concerns of McAfee About Securing Your Database
Databases not only store critical information, but are often connected to multiple systems
providing essential business services. Any interruption, unintended disclosure, or loss of data
from databases has the potential to disrupt an entire company's operations and damage its
reputation. Also, since a database holds regulated and sensitive data, a database breach usually
translates to a compliance breach, with its associated cleanup costs, loss of consumer
confidence, and possibly drastic loss of market capitalisation. To secure sensitive data against
both external and internal threats, real-time visibility into database activity is required. Most
organisations today rely on the logging and auditing tools built into the database to provide
this protection, but these tools are woefully inadequate against modern hacking and social
engineering tactics. To properly secure a database from malicious code and data loss, you must
address these concerns:
a. Monitoring for unauthorised access activity;
b. Auditing tools; and
c. Avoiding downtime from patching.
b. Technologies Used in the McAfee Solution
McAfee offers the following products specifically designed for database security: McAfee®
Vulnerability Manager for Databases, McAfee® Virtual Patching for Databases, and McAfee®
Database Activity Monitoring. Complete integration with centralized management through
McAfee ePolicy Orchestrator® (McAfee ePO™) ties this suite of products into a unified
database security and compliance management platform for your entire infrastructure. McAfee
Vulnerability Manager for Databases conducts more than 4,700 vulnerability checks against
leading database systems, including Oracle, Microsoft SQL Server, IBM DB2, Sybase, and
MySQL. By improving visibility into database vulnerabilities and providing expert
recommendations for remediation, McAfee Vulnerability Manager for Databases reduces the
likelihood of a damaging breach, and saves money through better preparation for audits and
compliance with regulatory mandates.
CONCLUSION
By implementing these security measures an organisation can secure its databases to a
considerable extent against external attack. Whatever technical or physical controls are placed
on a system, hardware or software, the most important security measure is to ensure that staff
are aware of their responsibilities. Passwords should not be written down and left in convenient
places; passwords should not be shared amongst colleagues; unexpected e-mail attachments should
not be opened unless first screened by anti-virus software. Effective employee training about the
risks of data compromise, their role in preventing it and how to respond in the event of problems
can be a very effective line of defence. Many organisations set security policies and procedures
but fail to implement them consistently. Controls focused on individual and organisational
accountability, and on ensuring that policies are carried out, are an important part of any
system designed to protect personal data. Identify essential controls first and ensure that these
controls are implemented across the organisation without exception. Once this is in place, move
on to more advanced controls designed to mitigate the risks specific to the organisation and the
types of data processed.
REFERENCES
Data Security Guidance. Office of the Data Protection Commissioner.
https://www.dataprotection.ie/viewdoc.asp?DocID=1091
Fennelly, L. (2012). Effective Physical Security. Butterworth-Heinemann.
InformationWeek Dark Reading (Connecting the Information Security Community). 7 Habits of Highly
Secure Database Administrators.
http://www.darkreading.com/application-security/database-security/7-habits-of-highly-secure-database-administrators/d/d-id/1141037?
Lyu, M. R., & Lau, L. K. (2000). Firewall security: Policies, testing and performance
evaluation. In Computer Software and Applications Conference, 2000. COMPSAC 2000.
The 24th Annual International (pp. 116-121). IEEE.
Mattsson, U. T. (2005). Database encryption: How to balance security with
performance. Available at SSRN 670561.
McAfee Security Products & Solutions.
http://www.mcafee.com/us/products-solutions.aspx#/enterprise/
Stapleton, J., & Poore, R. S. (2011). Tokenization and other methods of security
for cardholder data. Information Security Journal: A Global Perspective, 20(2), 91-99.
Sun, H. (2012). Understanding user revisions when using information system features: Adaptive
system use and triggers. MIS Quarterly, 36(2), 453-478.