There is a lot of considerations that need to be taken into account when implementing databases. Many organizations do not take the security of the database as an important thing to be considered. The most important security concerns that companies experience today are the management of assets like data and the general security of the information systems that are there in place today. Even though it is hard to get the value of the data that we store, it is clear that they are very important to the security and to the well-being of the organization. Any compromise to these issues will compromise the reputation of the company and will also cause a lot of damage to the business. This paper will discuss the strategies and the features that need to be taken into consideration in the design of the database for the new enterprise that has been described.
Database security features
In the new enterprise that is being developed, it is important to define the key areas that will need to be addressed in the design of the security. There are key issues that need to be addressed in the design of the new database which are:
- Design of access controls
- Encryption issues
- Separation of environments
- Configuration of the database in a secure way
Design of access controls
Separation of environments
Configuration of the database in a secure way
This is not to say that these are the only issues that should be considered. There are other areas that should be keenly taken into consideration. These other areas include physical security, making the users be aware, making regular backups, and coming up with policies that should be followed while handling the database. This paper will not address these issues but it will only mention that they are important considerations that should be looked into.
There is a need to have access controls that will not only protect the data from internal and external attackers but also from errors that users will make. These errors can equally have a big impact on the data just like the external and internal attackers. The issues of control will be used to manage this. An example of an error is that of a user deleting an important database object like a table assuming that they are not that important. The organization will lose most information and will have a great impact on the organization. The example organization that is being developed should allow only the CIO to have the administrative privileges. The managers should have privileges like altering the records of the employees but not those of deleting the records or tables. This will help to secure the data. The various users in the database should be given access to the items that they are interested in. all the other issues are not that important. The use of access controls can also help to reduce and minimize the other types of risks that have a direct effect on the database on the backend.
The use of access controls should be applied using the principle of least privilege. There are two categories of access controls that can be applied which are access controls for the administrators and the access controls for the end-users. The people that are mentioned in the case should be assigned the privileges that they need. Even if the organization will reach a point when it does not have many administrators, the privileges assigned to the administrator should be as limited as possible.
Another important security feature that should be considered is encryption. This feature is growing as it is a regulatory requirement for many organizations and also auditor requirements. It is a strong security measure if its implementation is taken seriously. While it is true that it is strong, it is not a magical solution that will solve all the security issues of an organization. It is also true that no security strategy would be deemed to be complete without the use of encryption. It is important to realize that there are two instances when encryption should be applied which are when data is in transit and when data is at rest. In our case, there will be the need to have data encryption for the data at rest as they are the data that is found in the database. The organization will have to consider encrypting the data that is at rest in the database.
There is a need to have access controls that have been talked about in the previous section. This will enable the users to do their job. This will then require that privileges be assigned to the users so that they are able to do their work. It is here that the problem lies. There is a need to have an audit to know who used the database wrongly. If one is found using the database wrongly, they will be accused of abusing their privileges. There will be the need to have a proper trail of the audit so that the user activity will be tracked which will also include administrator activity.
Separation of environments
Another issue that will need to be considered is that of the separation of environments. The best information security practice has been that of separating production, test, QA, or similar environments. This practice has been integrated into many audit programs for a long time and it has been effective.
With the database, there will be the need to have a secure configuration. This will help to have the right issues in place. The will be the need to have tools to have a secure database configuration process. The issues that will be considered include database discovery, configuration lockdown, and automatic remediation. When securing a database, the key issues will include having efficient users and their associated roles, having good passwords, having default accounts, and setting the right parameters, and patching among others.
Policies and rules
The database system will have to have rules that will be followed in the implementation of the database. The following section will discuss these rules.
Rules limit operations based on stated requirements and needs. It is met by the use of domain-specific decision factors such as database machine; IP addresses authentication modes and time of day. An example is the prevention of administrators from altering database systems outside the organization’s intranet or working outside normal office hours. Such rules are becoming vital as employees increasingly need remote access to organizations’ information. Organizations are not able to control the security standards of networks outside, so the best solution is to limit select information traffic across pre-approved IP addresses.
Human resource managers
The human resource managers will not allow any new employee to start working before they are trained on the database access rules. They should have awareness training. They are not allowed to access the database and alter the data of the employees like deleting without writing a notice to the CIO. This will help to reduce the likely cases of data corruption in the system. Human resource managers should keep their passwords safe, they should track changes daily, they should make frequent backups and also their passwords should contain a mixture of characters.
System administrators are not allowed to have passwords for every user. They are required to be as discrete as possible. System administrators passwords should not be predictable and should be changed at least on weekly basis, their password should not be less than eight characters, their systems should not remain on while they are away and they should track all changes in the database every day to ensure no illegalities have been made.
Payroll managers should not alter the payment account or delete any of these accounts without informing the CIO. Payroll managers should never disclose their passwords to anyone, the passwords used should not be predictable, at no time should their systems be on without their presence, and they should make backups frequently just in case of a security failure.
Employees and end users
Employees should adhere to the following security rule always log off the system before going out of the office, never share a password with anyone, never bring software from home to install on your machine at work. The purpose of securing computer systems is well understood hence securing data should be part of an overall computer security plan. Increasing amounts of vital data are being kept in databases and a lot of these databases are being exposed to vulnerability via networks. As more data is disclosed electronically, it can be presumed that threats and vulnerabilities to the data integrity would rise as well. Database security is hence becoming a critical topic and database developers ought to have core understandings in this part. The major goals of database security are to curb unauthorized access to data, prevent unauthorized alteration of data, and make sure that data remains available when asked for.