COMPUTER SECURITY AND CRYPTOGRAPHY

Database security concerns the use of a broad range of information security controls to protect
databases (potentially including the data, the database applications or stored functions, the
database systems, the database servers and the associated network links) against compromises of
their confidentiality, integrity and availability. It involves various types or categories of controls,
such as technical, procedural/administrative and physical.

1. SEPARATE THE DATABASE AND WEB SERVERS
Always keep the database server separate from the web server.
Most vendors try to make things easier by creating the database on the same server on which
the application is installed. This also makes it easier for an attacker to access the data, because
they only need to crack the administrator account of one server to have access to everything.
Recommendation: Install the database on a separate database server located behind a firewall,
not in the DMZ with the web server. While this makes for a more complicated setup, the security
benefits outweigh the additional technical efforts required.
2. ENCRYPT STORED FILES AND BACKUPS
The stored files of a web application often contain information about the databases that the
software needs to connect to. If this information is stored in plain text, as many default
installations do, it provides the keys an attacker needs to access sensitive data.
Not all data theft or destruction happens as a result of an outside attack. Sometimes employees
who were once trusted can be compelled to steal or destroy data as well. In addition, data that
contains regulated information must be encrypted if the storage media is ever outside your
security authority.
Recommendation: Encrypt any files that have value to the organization and are stored on the
application or database server. If they have value to your organization, they are of value to an
attacker.
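As an added example (not part of the original page), a small Python audit of the kind of stored configuration file described above: it flags database credentials kept in the clear and, following the definition's mention of the associated network links, a connection setting that turns off TLS between application and database. The KEY=VALUE (.env) format, the key names, and the ENC[...] / vault: conventions for indirected secrets are assumptions; the sample file is constructed.

```python
import re

# Constructed sample of a web application's stored configuration in the common
# KEY=VALUE (.env) style. Example data only, not taken from any real deployment.
SAMPLE_CONFIG = """\
# database connection used by the web application
DB_HOST=db.internal.example
DB_PORT=5432
DB_USER=shop_app
DB_PASSWORD=Summer2023!
DB_SSLMODE=disable
SESSION_SECRET=ENC[AES256_GCM,data:...,iv:...]
"""

# Key names whose values would let an attacker reach the database or the app.
SECRET_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)$", re.IGNORECASE)
# Values that only reference a secret (assumed conventions): an encrypted
# envelope ENC[...], a vault path, or an indirection such as ${DB_PASSWORD}.
INDIRECT_VALUE = re.compile(r"^(ENC\[|vault:|\$\{?[A-Z_][A-Z0-9_]*\}?$)")


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines, skipping blanks and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def find_plaintext_secrets(cfg: dict) -> list:
    """Return the keys whose secret value is stored in the clear."""
    return [k for k, v in cfg.items()
            if SECRET_KEY.search(k) and v and not INDIRECT_VALUE.match(v)]


def find_unencrypted_links(cfg: dict) -> list:
    """Return keys that turn off TLS on the application-to-database link."""
    return [k for k, v in cfg.items()
            if k.upper().endswith("SSLMODE") and v.lower() in ("disable", "allow")]


def audit(text: str) -> list:
    """Human-readable findings for one configuration file."""
    cfg = parse_env(text)
    findings = [f"plaintext secret in {k}" for k in find_plaintext_secrets(cfg)]
    findings += [f"database link not encrypted ({k}={cfg[k]})"
                 for k in find_unencrypted_links(cfg)]
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the constructed file reports the cleartext DB_PASSWORD and the disabled TLS setting, while the ENC[...]-wrapped session secret passes.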
3. USE A WEB APPLICATION FIREWALL (WAF)
Many people are under the misconception that protecting the web server has nothing to do with
the database. This is not true. In addition to protecting a site against cross-site scripting
vulnerabilities and website vandalism, a good application firewall can thwart SQL injection
attacks as well. By preventing the injection of SQL queries by an attacker, the firewall can help
keep sensitive information stored in the database away from attackers.
Recommendation: Employ web application firewalls.
All web applications are available to customers and constituents, and therefore to attackers as well. For this
reason, traditional IT security systems, such as network firewalls or IDS/IPS, may be unable to guard
against these attacks or do not offer comprehensive protection.
4. KEEP PATCHES CURRENT
Websites that use unpatched third-party applications, components, plug-ins and add-ons are more
susceptible to exploitation than those that have been patched.
Recommendation: Keep patches current to the most recent release.
5. ENABLE SECURITY CONTROLS
Though most databases enable security controls by default, administrators should always check
the security controls to ensure that this is the case. It is important to remember that though most
organizations may rely on a web developer to create a secure system, the DBA is ultimately
responsible for ensuring that security is maintained once development and the implementation
are complete.
Recommendation: Enable security controls on all databases and do not assume that this is the
default. Ensure that there are corresponding business processes in place.
6. ENSURE PHYSICAL DATABASE SECURITY
This means keeping your database server in a secure, locked environment with access controls in
place to keep unauthorized people out, but it also means putting the database on a separate physical
machine, removed from the machines running application or web servers.