The document discusses the importance of securing company databases that store proprietary and sensitive information. It outlines four key aspects of database security - availability, authenticity, integrity, and confidentiality. Specifically, it focuses on ensuring confidentiality by preventing unauthorized access to or disclosure of data, both internally and from external hacking or theft. Vendors provide built-in security solutions, while some companies implement additional third-party database activity monitoring starting at $20,000.

2.  Every company needs places to store institutional knowledge and
data.
 Frequently that data contains proprietary information
› Personally Identifiable Data
› Employee HR Data
› Financial Data
 The security and confidentiality of this data is of critical importance.

3.  There are four key issues in the security of databases just as with
all security systems
› Availability
› Authenticity
› Integrity
› Confidentiality

4.  Data needs to be available at all necessary times
 Data needs to be available to only the appropriate users
 Need to be able to track who has access to and who has accessed
what data

5.  Need to ensure that the data has been edited by an authorized
source
 Need to confirm that users accessing the system are who they say
they are
 Need to verify that all report requests are from authorized users
 Need to verify that any outbound data is going to the expected
receiver

6.  Need to verify that any external data has the correct formatting and
other metadata
 Need to verify that all input data is accurate and verifiable
 Need to ensure that data is following the correct work flow rules for
your institution/corporation
 Need to be able to report on all data changes and who authored
them to ensure compliance with corporate rules and privacy laws.

7.  Need to ensure that confidential data is only available to correct
people
 Need to ensure that entire database is security from external and
internal system breaches
 Need to provide for reporting on who has accessed what data and
what they have done with it
 Mission critical and Legal sensitive data must be highly security at
the potential risk of lost business and litigation

8.  Although the 4 pillars are of equal importance we are focusing on
Confidentiality due to the prevalence of data loss in financial and
personal areas
 We are going to review solutions for
› Internal data loss
› External hacking
› Securing data if hardware stolen
› Unapproved Administrator Access

9.  Another set of security issues come from
middleware that sits between the user
and the data
 Single sign on authentication
› Allows users to just have one password to
access all systems but also means that the
theft of one password endangers all systems

10.  Most companies have several types of databases so to ensure total
security across databases they hire 3rd
party Database Security
 Those companies have solutions for Database Activity Monitoring
(DAM)
 Prices range from $20K to $1 Million
 Another option is data masking – buying a fake data set for
development and testing.

11.  Vendors such as Oracle, Microsoft and IBM know that security is a
big concern for data systems.
 They create built in solutions such as:
› Password Controls
› Data access based on roles and profiles
› IP restrictions for off site access
› Auditing capabilities of who has run what reports
› Security logging

12. Solution Description Pros Cons
Complex Passwords
(require numbers and
symbols) as well as
frequent password
changes
Makes passwords harder
to guess and harder to
crack
Users write them down
and keep them next to
computer or forget and
need multiple resets
Keep Internal and
External facing
databases separate
Makes it very hard to
hack one and then get
through to the other
Reduces functionality of
databases and restricts
flow of internal data
Restrict Downloading Keeps data in the
database and not loose
in excel, etc
Restricts reporting
capabilities and off line
functionality
Restrict Unwanted
Connections
Again makes it harder
to worm from one
system to another
Makes integration more
difficult and can reduce
user acceptance
SAML (Security Assertion
Markup Language)
SAML is the standard
that is used for Single
Sign On functionality
If not in use blocks the
usage of single sign on