IT Security News and Opinion
Wednesday February 8th 2012
Protect Your Private Data

Don’t Overlook Database Security

Over the years I’ve been amazed by some of the questionable security practices that I’ve witnessed in some very large organizations. One big concern is casual attitudes that often prevail with respect to the critical database applications that keep the organizations running.

We’ve repeatedly seen these bad behaviors:

  • Common, never-changing DBA accounts shared by multiple administrators – with no ability to audit the actions performed by any individual and no process to change logins even after changes in personnel.
  • Unchanged application-to-database account credentials. Essentially, the credentials originally used to deploy the application are still in effect years later.
  • Databases with auditing disabled.
  • Inadequate auditor understanding of credential usage in databases and in applications that use database credentials.

After organizations suffer repeat audit failures, their management (primarily CSOs and CISOs) often asks us how to remediate the findings. The good news is that technology exists that can quickly bring real accountability to DBA accounts while adding automation that can make administrators’ lives easier.

However, we still find DBAs who fight to retain unlimited, unaudited and shared access to the databases that they manage. This means that in many organizations this new automation can only get implemented if the CSO is involved deeply enough in database security to see the project through.

The Application Angle

We also still find embedded clear-text credentials in the applications accessing corporate databases, instead of pass-through authentication or other more secure mechanisms. This is an especially pervasive problem in the non-Microsoft world, since on Microsoft platforms there is wider use of encrypted connection strings and of the proxy accounts that service-based applications provide.

For non-Microsoft platforms, our privileged identity management software provides a retrofit to secure your database connection string credentials, though the preferred approach is to re-architect the application using more secure credential storage.
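To make the embedded-credential finding concrete, here is a small scanner, written for this page as an added example and not code from the post's author or from any product, that classifies the connection strings in a configuration file into three groups: strings carrying a literal password (the clear-text credential described above), strings that defer to pass-through authentication (Integrated Security or Trusted_Connection), and strings that reference a secret through a placeholder resolved at run time from an environment variable or secret store. The configuration lines, host names, account names, passwords and the placeholder syntax are all constructed for the example.

```python
"""Scan application configuration for database connection strings that embed a
clear-text password, and separate them from strings that use pass-through
(integrated) authentication or an external secret reference.

Added example: this is not code from the original post or from any product,
and every host, account, password and placeholder below is made up.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample configuration in the shape of a properties file.
SAMPLE_CONFIG = """\
db.primary=Server=db01.corp.example;Database=orders;User Id=app_orders;Password=Summer2009!;
db.reporting=Server=db02.corp.example;Database=reports;Integrated Security=SSPI;
jdbc.url=jdbc:mysql://db03.corp.example:3306/billing?user=billing_app&password=billing_app
postgres.url=postgres://inventory:${DB_PASSWORD}@db04.corp.example:5432/inventory
legacy.url=postgres://legacy_ro:changeme@db05.corp.example:5432/legacy
sqlserver.trusted=Server=db06.corp.example;Database=hr;Trusted_Connection=yes;
"""

PASSWORD_KEYS = ("password", "pwd")
# Key/value pairs that mean "authenticate as the process identity instead".
PASSTHROUGH = {"integrated security": ("sspi", "true", "yes"),
               "trusted_connection": ("yes", "true")}
# ${NAME}, %NAME% or {{ name }} is treated as a reference resolved at run time
# from an environment variable or secret store (assumed placeholder syntax).
PLACEHOLDER = re.compile(r"^(\$\{[^}]+\}|%[^%]+%|\{\{[^}]+\}\})$")


def classify_password(value):
    """'placeholder' for an external reference, 'embedded' for a literal secret."""
    return "placeholder" if PLACEHOLDER.match(value.strip()) else "embedded"


def scan_keyvalue(conn):
    """Classify an ODBC/ADO.NET style 'Key=Value;Key=Value;' connection string."""
    pairs = {}
    for part in conn.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    for key, truthy in PASSTHROUGH.items():
        if pairs.get(key, "").lower() in truthy:
            return "passthrough"
    for key in PASSWORD_KEYS:
        if key in pairs:
            return classify_password(pairs[key])
    return "none"


def scan_url(conn):
    """Classify a URL style string: scheme://user:pass@host/db?user=..&password=.."""
    if conn.lower().startswith("jdbc:"):
        conn = conn[len("jdbc:"):]          # jdbc:mysql://... -> mysql://...
    parts = urlsplit(conn)
    if parts.password is not None:          # password in userinfo, user:pass@host
        return classify_password(unquote(parts.password))
    query = parse_qs(parts.query)
    for key in PASSWORD_KEYS:               # password carried as a query parameter
        if key in query:
            return classify_password(query[key][0])
    return "none"


def scan_config(text):
    """Map each 'name=connection string' line to its credential classification."""
    results = {}
    for line in text.splitlines():
        name, sep, conn = line.partition("=")
        if not sep or not conn.strip():
            continue
        conn = conn.strip()
        results[name.strip()] = scan_url(conn) if "://" in conn else scan_keyvalue(conn)
    return results


def embedded_credentials(text):
    """Setting names an auditor would flag: a literal password sitting in config."""
    return sorted(name for name, status in scan_config(text).items()
                  if status == "embedded")


if __name__ == "__main__":
    for name, status in scan_config(SAMPLE_CONFIG).items():
        print(f"{status:12} {name}")
```

Run against a real tree, each config file's text goes through scan_config; the three "embedded" settings in the sample are the ones to remediate, while the "passthrough" entries are the Microsoft-style pattern the post contrasts them with. A "placeholder" result only says the secret is not in the file; whatever resolves the placeholder (environment, vault, encrypted configuration section) still has to be checked for the same shared, never-rotated credential problem.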

Changes in Attitude

I believe that an important motivation for improved database security has been the increased effort by auditors to discover these practices and alert more companies to them. A second important factor has been the adoption of continuous security compliance practices that require auditors to regularly revisit any pervasive, poor security practices. This keeps critical weaknesses “top of mind” for CIOs and CSOs.

As a result, we are seeing some improved customer awareness about database security and an increase in inquiries about managing these powerful database accounts, rather than pushing the problem off indefinitely.
