Good idea. It is high time people started focusing on core database security. However, lots of solutions are still half baked. Database Monitoring is slowly gaining ground and respect. It still has some maturing to do. It mostly covers after the fact tracking.
In the increasingly regulated and globally supported/outsourced IT Infrastructure, it is critically important to also look at proper centralized access control, and encryption.
Encryption offerings from various large Database vendors have been disappointing to say the least. Besides, encryption at rest, at the core alone doesn’t work when database contents migrate from platform to platform, from wire to client machine etc. Symatric key management and encrypted content management is a challenge that very few companies have been able to get their hands around.
Format Preserving Encryption with separate key management is something that I have seen work across multiple platforms, across the wire and provides very good key management abilities via a secure appliance. I think this is the right way to approach encryption.
So, the cost obviously depends on the size of deployment as well as toolset availability, but the proper way to secure databases, is the good old fashioned layered approach:
1. Centralized Access control (via a Directory service if possible).
2. Activity monitoring (both network as well as local bequeath access)
3. Encryption (not at file level but granular content/data element level, the FPE kind).
Hope this helps.
Umesh K. Tiwari, CISM, CISSP, PMP
By Umesh K. Tiwari
Might make sense to move the old patch management stuff to an archive folder so as not to distract.
@Sharon - Quite the contrary, we encourage you to participate. We hope the paper is helpful to the industry as a whole.
By Adrian Lane
Sounds like a good idea. Obviously I will not be able not to participate…
By Sharon Besser
If you like to leave comments, and aren’t a spammer, register for the site and email us at firstname.lastname@example.org and we’ll turn off moderation for your account.