Thursday, December 25, 2008

Database / Database Security

Introduction

A database is a collection of records or data stored in a computer system. For a database to be useful, it must not only store large numbers of records reliably but also make them easy to retrieve, and new information and changes should be fairly easy to enter. An efficient database system therefore includes a program that manages the queries and the information stored on the system; this is the DBMS, or Database Management System. Beyond these features, every database should be built for high data integrity and for recovery of its data if hardware fails.

Here are just a few of the actions that you can perform on a database that would be difficult, if not impossible, to perform on a spreadsheet.

Retrieve all records that match certain criteria

Update records in bulk

Cross-reference records in different tables

Perform complex aggregate calculations.
Types of Databases

There are several common types of databases; each type has its own data model or structure. They are:

Flat Model: A single two-dimensional array of data, with one row per record and one column per field, much like a spreadsheet

Hierarchical Model: The hierarchical database resembles a tree-like structure in which each record has exactly one parent

Network Model: Each record is stored with links to related records, and a record may be linked to more than one parent

Relational Model: The relational model is the most popular type of database and an extremely powerful tool, not only for storing information but for accessing it as well. Relational databases are organized as tables of rows and columns. The beauty of a table is that information can be accessed or added without reorganizing the other tables

Relational databases are queried through a standard language called SQL, or Structured Query Language.
Organizing / Storing a Database

Database normalization is the process of organizing data into distinct tables so that each fact is stored in exactly one place.

The purposes of normalization are to:


* Reduce or eliminate storage of duplicate data

* Organize data into an efficient and logical structure


Normalization determines which data belongs in each database table. It is carried out by working through a series of well-defined steps, called normal forms, each of which removes a particular kind of redundancy from the tables.
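
As a worked example of what those steps change in practice, the following Python program (added here, not part of the original post) starts from a constructed flat orders table that repeats each customer's email on every order, shows the update anomaly that duplication causes, and then splits the table into customers and orders so the email is stored once. The table and column names, the sample rows, and the in-memory SQLite database are all assumptions made for this illustration.

```python
import sqlite3

# Constructed sample data for this example (not from the original post):
# one flat "orders" table that repeats the customer's email on every order.
FLAT_ROWS = [
    (1, "alice", "alice@example.com", "keyboard"),
    (2, "bob",   "bob@example.com",   "mouse"),
    (3, "alice", "alice@example.com", "monitor"),
]


def make_flat_db():
    """Create an in-memory database holding the unnormalized table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders_flat (order_id INTEGER PRIMARY KEY, "
                 "customer TEXT, email TEXT, product TEXT)")
    conn.executemany("INSERT INTO orders_flat VALUES (?, ?, ?, ?)", FLAT_ROWS)
    conn.commit()
    return conn


def email_copies_flat(conn, name):
    """How many rows carry this customer's email in the flat table."""
    return conn.execute("SELECT COUNT(*) FROM orders_flat WHERE customer = ?",
                        (name,)).fetchone()[0]


def flat_update_anomaly(conn):
    """Change alice's email on one order only, as a partial or buggy update
    would, and return the set of emails now stored for alice. The flat
    table happily keeps two contradictory values for the same fact."""
    conn.execute("UPDATE orders_flat SET email = 'alice@new.example' "
                 "WHERE order_id = 1")
    rows = conn.execute("SELECT DISTINCT email FROM orders_flat "
                        "WHERE customer = 'alice'").fetchall()
    return {r[0] for r in rows}


def normalize(conn):
    """Split orders_flat into customers (one row per customer, email stored
    once) and orders (which refer to the customer by key). Email depends on
    the customer, not on order_id, so moving it out removes that transitive
    dependency; this is the step from 1NF to 3NF for this table."""
    conn.execute("CREATE TABLE customers (customer_id INTEGER PRIMARY KEY, "
                 "name TEXT UNIQUE, email TEXT)")
    conn.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY, "
                 "customer_id INTEGER REFERENCES customers(customer_id), "
                 "product TEXT)")
    conn.execute("INSERT INTO customers (name, email) "
                 "SELECT customer, MIN(email) FROM orders_flat GROUP BY customer")
    conn.execute("INSERT INTO orders (order_id, customer_id, product) "
                 "SELECT f.order_id, c.customer_id, f.product "
                 "FROM orders_flat f JOIN customers c ON c.name = f.customer")
    conn.commit()


def email_rows_for(conn, name):
    """After normalization a customer's email exists in exactly one row."""
    return conn.execute("SELECT COUNT(*) FROM customers WHERE name = ?",
                        (name,)).fetchone()[0]


def orders_for(conn, name):
    """Products ordered by a customer, reached through the foreign key."""
    return [r[0] for r in conn.execute(
        "SELECT o.product FROM orders o JOIN customers c USING (customer_id) "
        "WHERE c.name = ? ORDER BY o.order_id", (name,))]


if __name__ == "__main__":
    conn = make_flat_db()
    print("flat copies of alice's email:", email_copies_flat(conn, "alice"))
    print("emails after partial update:", flat_update_anomaly(conn))
    conn = make_flat_db()
    normalize(conn)
    print("rows holding alice's email:", email_rows_for(conn, "alice"))
    print("alice's orders:", orders_for(conn, "alice"))
```

The same idea carries over to security-relevant data such as credentials and roles: when a fact is stored once, there is one row to protect, one row to audit, and one row to update when it changes.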



Databases can be smaller than 1 MB or extremely large and complex, running to terabytes; in every case the data lives on hard disk or other storage devices and is accessed through the DBMS.
Accessing Information Using a Database

While storing data is a great feature of databases, for many database users the most important feature is quick and simple retrieval of information. In a relational database it is easy to pull up the record for, say, one employee, but relational databases also add the power of running queries. Queries are requests for specific kinds of information, which can either be shown as they are stored or be used to build a report.
Securing a Database

Obviously, many databases store confidential and important information that should not be accessible to just anyone. Most databases require passwords and other security controls before information can be accessed. Some databases are reachable over the Internet through a network, while others are closed systems that can only be accessed on site. Securing the database itself has become simpler: a few straightforward steps vastly improve security, usually by locking out all users except the applications and the DBAs.

But even that restriction doesn't completely protect your data. One of the primary ways organizations are breached today is through the applications that connect to their databases. Applications rarely use the database's own per-user security. Instead, they connect with a single highly privileged account, a "super user", on behalf of every end user, so any flaw in the application exposes everything that account can reach.

The most common attacks that exploit this risk are SQL injection, database worms, denial of service, and buffer overflows.

SQL injection isn't a direct attack on the database. Instead, it takes advantage of the way many Web applications that access databases are written. An attacker modifies the parameters passed to a Web application through a Web form so that they change the SQL statements the application builds and sends to the database. If this succeeds, the attacker can run statements of their own choosing with whatever permissions the application's account holds; if that account can add, drop, and change users, so can the attacker. From that point, the database is fully exposed.

Unfortunately, SQL injection is easy to learn. Fortunately, with a little forethought, you can prevent it. The simplest first check for whether you're vulnerable is to enter a single quote into each field on each form in your applications and look at the result. If the application returns a database syntax error, the quote reached the SQL parser: the input is being pasted into a statement, and that field is almost certainly injectable. If the application catches the error and reports nothing, that tells you nothing either way; the injection may still work without any visible error (a so-called blind injection). In neither case should you assume the site is secure. You can only validate your level of protection by going to the application's source code, finding every query that is built from user input, and rewriting it to pass that input as a parameter rather than as part of the statement text.
The Future of Security

A growing security practice is to provide multiple layers of protection within a computing environment (defense in depth). These layers can include multiple firewalls between the Internet and the organization, and even firewalls inside the organization to protect high-value assets such as the database servers.
No Better Time

Security considerations go far beyond the database. But the database should be one of the most protected elements of any business environment; after all, it usually holds the most valuable and mission-critical knowledge. With a few simple tasks, you can reduce security risk to a reasonable level:


* Be aware of the attack surface a default installation carries, such as built-in stored procedures and predefined system tables. The stored procedures that ship with a standard database can hold weaknesses well known to attackers; disable or restrict the ones you do not need.

* Deny access by default; grant each account only the rights it has been validated to need.

* Audit your applications for holes.

* Maximize the layers of protection to your database.

* Monitor your log files.

* Consider adopting risk-management and proactive vulnerability assessment tools.


Conclusion

Companies with more than 50 employees should also consider building a true security practice. A true security practice includes a security specialist certified through a reputable organization and at least a part-time security manager. Depending on the size of your organization, a full-time security manager and a Chief Security Officer may also be appropriate.
