
DB Quant: Secure Metrics, Part 3, Restrict Access

This portion of the Secure phase is the reconfiguration of access control and authorization settings. Its conceptual simplicity belies the hard work involved, as it is one of the most tedious and time-consuming of all database security tasks. Merely reviewing the permissions assigned to groups and roles is hard enough, but verifying that exactly the right users are assigned to each and every role and group can take days or even weeks. Additionally, many DBAs do not fully appreciate the seriousness of misconfigured database authentication: subtle errors can serve as a wide-open avenue for attackers to assume DBA credentials by tricking the database into trusting them.

Automation is extremely useful in the discovery and analysis process, but when it comes down to it, a great deal of manual analysis and verification is required to complete these tasks.

Our process is:

  1. Review Access/Authentication
  2. Determine Changes
  3. Implement
  4. Document

Review Access/Authentication

Variable | Notes
Time to review users and access control settings | May have been completed in review phase
Time to identify authentication method
Time to compare authentication method with policy | e.g., Domain, database, mixed mode, etc.

Determine Changes

Variable | Notes
Time to identify user permission changes
Time to identify group and role membership adjustments
Time to identify changes to password policy settings
Time to identify dormant or obsolete accounts
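As an added illustration of the Review and Determine Changes steps (this is not code from the original post, which is database-agnostic), the following T-SQL gathers the raw inputs on Microsoft SQL Server: the authentication mode, fixed server role membership, SQL logins without enforced password policy, and dormant-account candidates. It assumes the reviewer holds VIEW ANY DEFINITION and VIEW SERVER STATE, and the 90-day threshold is a constructed value to adjust to local policy.

```sql
-- Added review script for SQL Server (not from the original post).
-- Assumes VIEW ANY DEFINITION and VIEW SERVER STATE; 90-day threshold is constructed.

-- 1. Authentication method: 1 = Windows (domain) logins only, 0 = mixed mode.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
         WHEN 1 THEN 'Windows authentication only'
         ELSE 'Mixed mode (SQL and Windows logins)'
       END AS authentication_mode;

-- 2. Fixed server role membership: every (role, member) pair must be verified
--    against the approved list, sysadmin first.
SELECT r.name AS server_role, m.name AS member_login, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 3. SQL logins that bypass the Windows password policy or never expire,
--    with password age; these feed the password-policy change list.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       is_disabled,
       DATEDIFF(day,
                CONVERT(datetime, LOGINPROPERTY(name, 'PasswordLastSetTime')),
                GETDATE()) AS password_age_days
FROM sys.sql_logins
WHERE name NOT LIKE '##%'                      -- skip internal certificate logins
  AND (is_policy_checked = 0 OR is_expiration_checked = 0)
ORDER BY password_age_days DESC;

-- 4. Dormant-account candidates: enabled logins with no open session right now
--    and no catalog change in 90 days. SQL Server keeps no last-login time in
--    its catalogs, so confirm candidates against login audit or trace data
--    before removing them.
SELECT p.name, p.type_desc, p.create_date, p.modify_date
FROM sys.server_principals AS p
WHERE p.type IN ('S', 'U', 'G')                -- SQL login, Windows login, Windows group
  AND p.is_disabled = 0
  AND p.name NOT LIKE '##%'
  AND p.modify_date < DATEADD(day, -90, GETDATE())
  AND NOT EXISTS (SELECT 1 FROM sys.dm_exec_sessions AS s WHERE s.login_name = p.name)
ORDER BY p.modify_date;
```

Each result set maps to one row of the tables above: the first to the authentication-method comparison, the second to role membership adjustments, the third to password policy changes, and the fourth to dormant or obsolete accounts.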

Implement

Variable | Notes
Time to alter authentication settings/methods
Time to reconfigure and remove user accounts
Time to implement new groups and roles, and adjust memberships
Time to reconfigure service accounts | e.g., generic application and DBA accounts

Document

Variable | Notes
Time to document changes
Time to document accepted configuration variances

Other Posts in Project Quant for Database Security

  1. An Open Metrics Model for Database Security: Project Quant for Databases
  2. Database Security: Process Framework
  3. Database Security: Planning
  4. Database Security: Planning, Part 2
  5. Database Security: Discover and Assess Databases, Apps, Data
  6. Database Security: Patch
  7. Database Security: Configure
  8. Database Security: Restrict Access
  9. Database Security: Shield
  10. Database Security: Database Activity Monitoring
  11. Database Security: Audit
  12. Database Security: Database Activity Blocking
  13. Database Security: Encryption
  14. Database Security: Data Masking
  15. Database Security: Web App Firewalls
  16. Database Security: Configuration Management
  17. Database Security: Patch Management
  18. Database Security: Change Management
  19. DB Quant: Planning Metrics, Part 1
  20. DB Quant: Planning Metrics, Part 2
  21. DB Quant: Planning Metrics, Part 3
  22. DB Quant: Planning Metrics, Part 4
  23. DB Quant: Discovery Metrics, Part 1, Enumerate Databases
  24. DB Quant: Discovery Metrics, Part 2, Identify Apps
  25. DB Quant: Discovery Metrics, Part 3, Config and Vulnerability Assessment
  26. DB Quant: Discovery Metrics, Part 4, Access and Authorization
  27. DB Quant: Secure Metrics, Part 1, Patch
  28. DB Quant: Secure Metrics, Part 2, Configure

—Adrian Lane
