Computerworld - "Asset-centric security" seems to be becoming a familiar phrase in the security world. However, identifying assets can be complicated. For many organizations, assets are pieces of information stored in numerous places: on local hard drives, on file servers, within databases, in various physical and geographical locations, as well as in transit. The information could include customer or client data, protected health data, proprietary information or financial data, among other things.
Thinking through the layers of security in our environment, I realized that the weakest link in the chain is at the application layer, which is where I see database security fitting in. Much attention has been given to auditing firewall rules, turning off unneeded services on servers and patching operating systems, internetwork operating systems and various applications, such as Internet Explorer. But it seems that not much attention has been given to database security and auditing. I know for a fact that no attention has been paid to it here, and I need to do something about that, though I don't have much experience in the subject.
I'm responsible for numerous databases, including DB2, Access, SQL and MySQL. I've focused on making sure that they reside on the internal network and that the firewall rules are explicit for traffic to and from the Web servers in the DMZ. I've made sure that servers are patched routinely, and I've audited Active Directory users and account permissions, but I've done nothing related to the databases.
Now our agency is developing a major new application using DB2, and I need to come up with security requirements. I have to educate myself on this, but where to begin?
Well, it so happens that Elsevier Digital Press recently sent me the book Implementing Database Security and Auditing, by Ron Ben Natan. It has examples for Oracle, SQL, DB2 and Sybase. (I think everyone agrees that using Microsoft Access databases for mission-critical applications is a mistake. Access is used in the agency for small projects that are initiated and managed by individuals who have specific needs for manipulating data downloaded from various mainframes.)
The first step in securing DB2 is to harden the environment. The book provides a to-do list that includes items like these:
• Do not run DB2 as root (or as LocalSystem on Windows).
• Verify that all DB2 files have restrictive permissions.
• Remove default accounts.
• Remove sample databases.
• Check for default passwords and check password strengths.
• Close unnecessary ports and services.
• Remove all permissions granted to "public."
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
