Q&A: Meeting the Challenges of Database Security
Proactive steps you can take to safeguard databases from internal and external attacks.
Security professionals know that their job encompasses more than just protecting an enterprise from viruses and e-mail hoaxes. As data volumes grow, database security becomes increasingly important.
To learn more about the threats to (and protection for) databases, we asked Slavik Markovich, CTO and founder of Sentrigo, a firm that specializes in safeguarding the data in enterprise databases.
Enterprise Strategies: While database security as a discussion topic has been around for several years, why has it been drawing more attention from industry analysts and security professionals in recent years?
Slavik Markovich: There are three reasons for this, and they are all related.
One is standards such as PCI-DSS that explicitly put the database where it belongs -- as the single most important IT asset that enterprises need to protect.
Second is the realization, mostly triggered by highly publicized data breaches, that the internal threat to organizations is real and that the difference between an internal threat and an external one is not as clear as it used to be. If criminals manage to threaten a DBA, who in turn sends them all the credit card numbers from a database the enterprise owns, is it an internal or external threat? What's clear is that the corporate firewall is worthless in such a case and the organization needs to protect its database from internal (and in many cases even the most privileged) users.
Third, database security technology has progressed to a stage where it can truly protect the database. Past approaches were based on the firewall paradigm where products tried to protect the database from the network. Most customers quickly realized that the approach doesn't work and there is no point in protecting the database in a way that can be easily bypassed by DBAs and other internal users. The improved approach, (championed by Sentrigo, the company I founded) is protecting the database from the database host's OS. Although such attempts were done in the past and were ineffective because of their performance impact, we developed the technology that allows us to protect the database from within the host without the performance penalty.
What elements pose the biggest threat to database security? What dangers do they pose to enterprises?
I can summarize three of them.
First, poor database configurations and default installations. For example, weak passwords are still the Number One problem of databases (and most other applications). The problem is worsened in databases because often applications access them with hardcoded passwords that never change and just about all internal IT folks know these passwords.
The second biggest problem comes from database vulnerabilities. Many of the databases suffer severe vulnerabilities (such as allowing regular users to escalate privileges and gain full control of the database or steal data). Even though the database vendors encourage customers to apply security patches, most customers are unable to apply the patches in a timely manner, leaving most databases in the world vulnerable. Attacks that exploit these vulnerabilities are readily available for download from many Web sites on the Internet so that even laymen can attack databases successfully.
The last big problem I'd like to mention is "zero visibility." Unlike other applications that are good at showing what's going on within the application and keeping a history of actions, most databases provide very primitive services, and the services (such as auditing which many DBMSs don't even provide) suffer from serious limitations. For example, they slow down the database performance (which means that most customers choose not to turn them on).
In addition, they are in full control of the DBA so that even if they are turned on, the DBA can turn them off when engaging in data theft or other rogue activity. The end result is that in 99 percent of the cases, attacks and other activity (such as stealing sensitive data) are done without leaving any trace.
Which is of greater security concern: internal or external threats?
There is no real boundary to speak of between internal and external threats. Sophisticated external threats often use internal resources (be they human insiders or Trojan horses, key loggers, and other technological means that are embedded inside the organization to enable attacks by an outsider).
Also, many organizations use outsourcing/offshore developers who have access to the internal resources. Are they an internal threat? External? Does it really matter? The logical outcome is that you must protect your assets from both threats, and since protecting the assets from internal users is the biggest challenge, this is the challenge you must meet to truly protect your assets. You must assume the worst (that your most privileged user is a would-be attacker) and design your security measures accordingly. The days of saying "internal threat is a residual risk" are over.
How can enterprises safeguard their databases against internal threats?
I believe that the first step is to cope with the visibility problem. Enterprises need to be able to know, in real time, what is going on in the database, especially if a breach of the security policy occurs. After solving this problem it is much easier to solve the other problems I've already mentioned as well as most other database security problems.
For example, to solve the issues of weak passwords, in case you cannot change the passwords (which is always the best option), you can monitor all access to the database by users that have weak passwords, as well as application users that come from abnormal places (e.g., the SAP user name is used by another application).
How can an enterprise safeguard databases from external attacks?
Once you protect the database from internal attacks, you are already protected from external attacks. You can augment your internal protection by ensuring that external attacks cannot pass your firewall/IPS by applying the right policy on your perimeter protection. This can be achieved by the firewall/IPS that you already have and you do not need a specialized appliance to achieve that.
What is driving enterprises to take proactive measures to safeguard their databases?
To date, many enterprises have been primarily motivated by regulatory compliance (mostly after having failed an audit). Today we see that more enterprises are coming to us because of a genuine realization that they have a huge hole when it comes to protecting their most sensitive data -- the data that resides on the database.
In some cases it is a result of a breach that occurred to them or that they have heard about. In other cases, it comes with the realization that today's technology can solve a severe problem that they had no way of solving in the past
What are the common mistakes enterprises make in trying to protect their databases?
I'd say there are two major mistakes.
First, enterprises try to solve their security problem with tools that were not designed for it, such as turning native audit on, using database triggers to track users, or using debugging tools (e.g., the trace function in Microsoft SQL) to beef up the database logs. These solutions do not provide security but rather some additional traces that can be used after a security event is discovered. They are reactive, not proactive, and they have many other limitations.
Second, enterprises try to protect the database from the network. This approach has severe limitations and can be easily bypassed by knowledgeable users. Most of the vendors that have been promoting this approach for years with limited success are now readjusting their products and moving away from the network appliance approach.
What best practices can you recommend to help IT avoid such mistakes?
That's easy -- they should avoid both of the approaches I've mentioned. In addition, even before they turn to check the solutions available in the market, they need to think about the security policy they would like to deploy. Examples:
- Most customers are looking to deploy a policy that alerts them whenever sensitive tables are accessed by applications that they did not approve.
- Most customers would like to know when their application (e.g., SAP) user name is used by another application.
- Most customers would like to have protection that mitigates the risk from not being able to apply security patches on time.
Once customers figure out their wish list, they should take a look at what vendors are offering and choose the approach that works best for them.
Do you think regulations such as PCI DSS and SOX have been successful in safeguarding sensitive customer information? If not, what improvements should be made to these regulations, or do we need a new set of regulations?
PCI-DSS did a lot to bring the issue to the forefront. This regulation has a clear focus on database security and did a lot to increase awareness of the problems associated with database security, and as a result helps many organizations better safeguard their databases. I also believe that the majority of organizations have very limited to no security at all, and this will have to change.
Other regulations and laws, including SOX and HIPAA, have very little to say about the database and more regulations and laws will use the advances done in technology to be more prescriptive about database security.
What are the biggest challenges facing the database security market?
The biggest challenge is still the lack of knowledge. It is still a very early market; most customers do not realize the risk involved with leaving sensitive databases without protection. Once organizations realize that credit card numbers, intellectual property, financial data, and other sensitive data in their databases are not only easily accessible by people who should never see it but also data that can be stolen without leaving any trace, more customers will start database security projects.
With many more RFIs and RFPs than last year, more organizations accessing our Web site and downloading our trial software, we see that more organizations are getting serious about this. Even so, we are still talking about a small portion of the market.
What products or services does your company offer to protect enterprise databases?
Sentrigo provides the Hedgehog family of products that monitor and protect databases. Using advanced technology, we monitor the databases from the host's OS in a non-intrusive way, without impacting database performance. Unlike older solutions based on network appliances, we monitor all transactions no matter where they originate and how hard the perpetrator is trying to evade security (e.g. by encrypting or encoding communications, by accessing sensitive tables indirectly using stored procedures, views, etc.).
The product includes (among other features) the ability to easily apply the enterprise security policy to the database, completely solving the visibility issue. Another major component is virtual patches -- allowing customers to protect their databases from exploits of vulnerabilities without the need to bring down the database, test the application, etc. This is especially useful for customers who need to mitigate the risk caused by their inability to patch the databases on time.