Trustwave Blog

The 10 Principles of Database Security

Written by | Aug 25, 2021

Best Practices to Stay Ahead of Hackers and Secure Your Critical Data 

In today’s digital economy, data is the lifeblood of business. Protecting sensitive data has become more challenging for organizations in recent years. It’s not simply the increase in the volume of data or the increase in threats – it’s also the fact that as organizations have become more digital, they are moving more of their data and IT infrastructure to a mix of private and public clouds. Today’s enterprise is often a multi-cloud or hybrid environment, with remote workers using numerous cloud-based applications and services to collaborate.  

In other words, there are no longer firm perimeters, and legacy approaches to cybersecurity that focus on network and perimeter security are no longer sufficient. Organizations must adopt a new, data-centric approach to security that focuses on protecting sensitive data no matter where it is.  

We sat down with Mark Trinidad, Senior Product Manager at Trustwave, to discuss how database security has changed and what organizations must do to develop a better approach to securing sensitive data.   

How has database security changed in recent years? 

The focus is now on securing the data itself – no matter where it resides – rather than securing databases on a network. This trend began with the introduction of data privacy and security regulations like GDPR and CCPA several years ago, which spurred people to start thinking differently about data and keeping it secure as it's used throughout an organization and shared with partners. At the time, organizations became very compliance focused. More recently, with the global pandemic accelerating organizations’ shift to the cloud, the focus has moved beyond mere regulatory compliance to become “How do we make sure our data itself is secure, no matter where our databases live or how they’re being accessed.”  

It’s important to realize that even today, the vast majority of an organization’s sensitive data or customer PII resides in databases of some type, whether they’re on-premises or in the cloud; whether it’s a structured SQL database or a NoSQL database, or even a data lake. And, as more organizations move their databases to the cloud, perimeter security is no longer enough. They must take a more data-centric approach focused on keeping data secure no matter where it resides. As a result, database security has become an important part of the discussion when organizations are embarking on their cloud migrations. They must consider the optimal and most secure time to move their data from their traditional, on-premises databases to the cloud. In short, there is much more planning and many more conversations taking place in organizations today surrounding database security and how it pertains to other cybersecurity and infrastructure policies and strategies.

What are the greatest risks organizations face when it comes to database security today? 

All one needs to do is look at the nearly daily headlines of massive data breaches and the damage they cause to organizations and individuals to understand the risks. It’s important to recognize that no matter how the adversary got their hands on the data in those breaches, it all begins with a database somewhere. Even if the data breach was the result of a leaked spreadsheet or email, that sensitive data still resides in a database somewhere in that organization’s environment. 

As more organizations migrate to the cloud, many are lulled into a false sense of security. Too often they believe that because public cloud providers like AWS, Microsoft Azure and Google provide some security features, their data must be safe there. But people must realize that, ultimately, you are the stewards of your data. Security and IT professionals must ensure that wherever their organization’s data resides – whether on-premises or in the cloud – all security features are not only turned on but also properly configured. There are adversaries out there that use botnets to exclusively search for misconfigured public cloud databases they can exploit. Numerous headlines have shown how easily a simple misconfiguration in the cloud can leave a gaping hole through which an attacker can enter. It can be a very costly mistake.

What should organizations do to create a strong database security program amid today’s threat landscape?

First, the database security program cannot live in a vacuum by itself. It must involve the relevant people from IT and infrastructure teams in addition to the security team. That’s because a strong database security program impacts not just security but also personnel, IT infrastructure, business operations, application integrity, risk and compliance, database administration and more. All functions must be in agreement that database security needs to be a priority.  

Beyond that, the steps for creating a strong database security program include the following:  

  1. Describe the ideal program in detail, with actionable processes  
  2. Clarify a scope baseline through database discovery and inventory 
  3. Define standards, security and compliance policies  
  4. Conduct vulnerability and configuration assessments 
  5. Identify excessively privileged user accounts 
  6. Implement risk mitigation and compensating controls 
  7. Establish acceptable user and activity policies 
  8. Audit privileged user behavior in real time 
  9. Deploy policy-based activity monitoring 
  10. Detect, alert and respond to policy violations in real time 
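As an added illustration of how steps 5, 7 and 10 of this list fit together in practice (this is example code, not from the post or from any Trustwave product), the block below flags excessively privileged accounts against a written policy and then evaluates constructed database audit lines for policy violations. The policy keys, account names, role names and the audit-line format are all assumptions made for the example.

```python
import re
from datetime import datetime
# Step 7: acceptable user and activity policy (constructed for this example).
POLICY = {
    "sensitive_tables": {"customers", "payment_cards"},
    "sensitive_readers": {"app_service"},  # only the application identity may read them
    "admin_roles": {"dba"},
    "allowed_hours": range(8, 18),         # privileged work is expected in business hours (UTC)
}
# Step 5 input: account-to-role inventory (constructed); admin role + sensitive-data access = excessive.
ACCOUNTS = {
    "app_service": {"app_service"},
    "alice": {"dba"},
    "bob": {"dba", "app_service"},
}
# Constructed audit lines in a simple "<iso time> user=<name> stmt=<SQL>" format.
AUDIT_LOG = """\
2021-08-25T09:15:02Z user=app_service stmt=SELECT name FROM customers WHERE id=42
2021-08-25T23:41:10Z user=alice stmt=SELECT * FROM payment_cards
2021-08-25T11:30:00Z user=bob stmt=DROP TABLE customers
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) stmt=(.+)$")
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+([A-Za-z_]\w*)", re.I)

def over_privileged_accounts(accounts, policy):
    """Step 5: accounts combining an admin role with direct sensitive-data access."""
    return sorted(u for u, roles in accounts.items()
                  if roles & policy["admin_roles"] and roles & policy["sensitive_readers"])

def detect_violations(log, accounts, policy):
    """Step 10: check every audit line against the policy; return (user, reason) pairs."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production that itself deserves an alert
        ts, user, stmt = m.groups()
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
        roles = accounts.get(user, set())        # unknown accounts get no entitlements
        tables = {t.lower() for t in TABLE_RE.findall(stmt)}
        sensitive = tables & policy["sensitive_tables"]
        verb = stmt.split()[0].upper()
        if sensitive and not roles & policy["sensitive_readers"]:
            findings.append((user, f"sensitive table access by non-app role: {sorted(sensitive)}"))
        if roles & policy["admin_roles"] and hour not in policy["allowed_hours"]:
            findings.append((user, f"privileged activity at {hour:02d}:00 UTC, outside business hours"))
        if verb in {"DROP", "TRUNCATE", "ALTER"}:
            findings.append((user, f"destructive statement {verb} on {sorted(tables)}"))
    return findings
```

On the constructed data, `over_privileged_accounts` reports only `bob` (admin plus direct data access), and `detect_violations` raises two findings for alice's off-hours read of `payment_cards` and one for bob's `DROP TABLE`, while the application account's in-policy read produces none.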

Technology alone will not reduce your risk of database compromise. I like to recommend that organizations aim to create a comprehensive database security program that incorporates people, processes and technology in an interconnected system with continuous assessment, as shown in this graphic:    

The threat and business landscapes are constantly shifting. Adversaries are attacking from every direction and perimeters are fading away. At its core, a security program needs to be about protecting an organization’s data, no matter where it lives or what method an attacker uses to penetrate that organization. When it comes to cybersecurity today, a data-centric approach must be at the very top of the list of priorities. Legacy, network-based perimeter security is a thing of the past.   

WHITE PAPER

10 Principles of Database Security Program Design

To read the full whitepaper on “10 Principles of Database Security Design,” along with step-by-step checklists to follow and detailed best practices for creating a comprehensive database security program.