In today’s world where technology and technology advancements constitute a fundamental component of a company’s operations, businesses continue to harness this to expand both their online presence and global footprint. With access to information becoming increasingly easier, the risks associated with ensuring that data is adequately secured is a growing concern. After all, having data leaked or ending up in the wrong hands could pose a major security concern, have devastating implications and result in quite an embarrassment for the company.
With real estate applications being primarily web driven and harnessing database platforms such as Microsoft SQL Server, MySQL, DB2, etc., with being publically accessible, it is imperative that applications be properly secured, but most importantly that access to the database and in turn data be adequately restricted should the application or environment endure an attack.
When securing your data, the safety thereof is only as secure as your weakest link. There are various aspects that need consideration, with security not simply being a matter of which user accounts have what access to the database. Whilst each of these areas are a topic for discussion in their own right, a brief overview of the aspects that one should consider include:
- Physical Security – careful consideration should be taken regarding how accessible the physical server is. Physical breaches from unauthorized persons can take on various forms, such as individuals gaining access to the data centre where the server resides; access being gained via the office, thereby using an open network point or vulnerable wireless network through which to connect their own device; or lastly an unattended employee workstation being used to gain access to whatever the employee’s login grants them access to.
- Network Security – how your database server is configured within the network topology is vital. Understand whether your server is directly accessible publically; for external facing web applications do these servers reside within a DMZ network, isolated from the database server; is communications to/from the database server using SSL for data exchange and lastly is a firewall used to restrict communications be it inbound or outbound to/from the database server on an IP, port or application basis.
- Server Configuration – surrounding the server configuration itself, is the SQL instance discoverable on the network; are the SQL services configured to run on a non-standard port; are unnecessary features and services disabled; is the SQL administrator account (sa) disabled or possibly even renamed and which types of authentication methods are being used for connectivity, Windows, SQL or both.
- Passwords – the use of weak passwords can severely compromise your data. Ensure password complexity is configured appropriately; ensure password complexity is enforced through password policies and where passwords are referenced by applications, these are stored in an encrypted format and not plain text.
- SQL Injection – is a commonplace concern, with SQL injection attacks being known to bring systems to their knees. To mitigate the effects thereof, ensure absolute minimum privileges are granted to application accounts used for database connectivity; where applications share a database server, ensure inter-application access is restricted; store sensitive data in an encrypted format and where possible, code applications such that input values are parameterized, with injection attacks being intercepted at an application tier.
- Database Backups – securing of database backups is often overlooked, but is critical in ensuring data security. Ensure that local and remote backup locations are adequately secured; make use of encryption when performing backups and be sure to restrict access to certificates or keys used by the encryption processes.
- Patching – known vulnerabilities, if left unresolved can be exploited thereby compromising your data. Stay current by ensuring critical operating system updates are reviewed and regularly applied; ensure database server software is also regularly updated independently and where feasible enable automatic updates.
Securing your data requires one to think beyond just the immediate scope of the database server in order to ensure data security continuity. The number of times I have encountered database servers that have been configured and then left untouched or where elevated privileges have been assigned for application accounts where it’s not required, are plentiful to name but a few.
The management of data security is a process requiring continual review. After all, can you afford not to ensure the safety of your data?
Cherry, Denny. (2012) Securing SQL Server: Protecting your Database from Attackers, 2nd edition.