Database Security: More Than DAM

Database Activity Monitoring (DAM) should be one of many controls

Sensitive data is stored in lots of places like email systems, endpoint devices, and file servers, but most organizations store the majority of their confidential information in databases. This situation places database security at a premium. Unfortunately, database security isn't easy as it involves multiple processes and security controls as well as strong coordination and collaboration between DBAs and the security team. Little wonder then that according to ESG Research, 15% of enterprise (i.e. more than 1,000 employees) consider database security their "most significant information security challenge," while another 57% consider database security one of their, "top 5 information security challenges." Given this situation, I find it somewhat ironic that over the past several years, database security has really become equated with one particular technology -- Database Activity Monitoring (DAM). Wikipedia defines DAM as follows: 'Database activity monitoring (DAM) is a database security technology for monitoring and analyzing database activity that operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs. DAM is typically performed continuously and in real-time.' Why has DAM become the database security default? Probably because of market and media attention. Former Check Point Software founder Shlomo Kramer got a lot of publicity when he founded Imperva, a DAM vendor, in the mid-2000s. Adding to DAM visibility, Guardium was acquired by IBM in 2009. DAM is also used for compliance purposes with regulations like PCI DSS, HIPAA, SOX, and FISMA. Between regulatory compliance and the PR generated by these two companies, DAM has come to equal database security. I give Guardium and Imperva a lot of credit for this, but end users should not base critical security on marketing messages and Venture Capitalists. Database security, like all other areas of strong security, must be based upon a multitude of policies, processes, and controls. DAM is one layer of defense-in-depth, but database security should also include: 1. Database inventory. Large organizations should know everything there is to know about every database on the network like its location, what type of server and OS it resides on, what version it is, which patches have been installed, which employees have privileged user accounts, etc. Sounds logical but you'd be surprised by how many organizations have poor asset and configuration practices. 2. Hardened database configurations. This means abandoning default configurations and locking down server operating systems and databases. For good guidelines in these areas, go to the NIST website ( and peruse the NIST-800 series documents. 3. Separation of duties. DBAs and security professionals should have defined roles in the security process. DBAs should manage database operations to ensure that security controls are up-to-date and don't interfere with database performance. Security professionals own policies, procedures, and oversight. 4. Privileged user controls. DBAs should have real passwords (as opposed to default administrator passwords) controlled by strong password management. Privileged users should not have access to the actual sensitive data. Privileged user behavior should be monitored at all times. 5. Database scanning and patch management. It is imperative to keep up-to-date with any configuration changes to databases (who made the change and why, who approved it, etc.). It is also important to stay on top of software patches -- especially for databases where sensitive data is stored. 6. Database encryption. This can be done at the storage system, file system, or database column level. CISOs tend to base their database encryption technology decision on their technical skills an system performance requirements. 7. DAM. DAM is used to monitor behavior and in some cases enforce rules. Most organizations tightly integrate DAM with SIEM for more comprehensive situational awareness. My 7-point database best practices scratch the surface at best but there are plenty of good guidelines available from database vendors, security organizations like NIST and the SANS Institute, and database security vendors like Application Security, Inc. Before implementing DAM and calling it a day, I strongly suggest that CISOs take my advice to heart, do further research, and create the right security policies, processes, and layered defenses to adequately protect their organizations' crown jewels.

Copyright © 2011 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.