A phrase often used in military circles, situational awareness refers to the ability to understand what is happening at any time, all the time. It’s a comprehensive understanding of where the good guys are, where the bad guys are, who is doing what, and why they are doing it.
The same concept proves valuable within the IT community. You should know all the interrelationships among your networks, servers, applications, and databases. Furthermore, within the database, you should know what schemas, applications, and users exist and what privileges they each should and should not have. Also important is understanding what applications are being accessed by what community of users for what data.
A simple snapshot of the baseline configuration combined with ongoing and vigilant monitoring is a practice you will find very valuable. The resulting snapshot should be documented. The document does not have to be fancy; SQL output may prove sufficient. This snapshot will allow you to more easily identify anomalies and react to them. Often, a security compromise will occur over a long period of time. How can it go on for so long without anyone noticing? It's because there was no awareness of what was going on when it was going on. For example, if someone were robbing you one penny at a time, you might never realize it was even happening if you never balanced your checkbook.
Another benefit of snapshots is that they help you understand what damage has occurred if something does happen. If a schema is compromised, ask yourself simple questions like, “What privileges did the schema have? What data was there? What procedures were in place? What data did those procedures act on?” You can extend this concept into one of threat assessments (actually part of risk analysis) to predict the results of bad things that might happen.
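The snapshot comparison and the "what privileges did the schema have?" question described above can both be answered from saved SQL output. The following is an added example, not code from the original text; the pipe-delimited GRANTEE|PRIVILEGE|OBJECT layout and all account and object names are assumptions constructed for illustration.

```python
# Constructed sample data: saved SQL output, one grant per line, in the assumed
# layout GRANTEE|PRIVILEGE|OBJECT ('-' marks a system-level privilege).
BASELINE = """\
GRANTEE|PRIVILEGE|OBJECT
APP_OWNER|CREATE SESSION|-
APP_OWNER|CREATE TABLE|-
APP_USER|CREATE SESSION|-
APP_USER|SELECT|APP_OWNER.ORDERS
REPORTING|CREATE SESSION|-
REPORTING|SELECT|APP_OWNER.ORDERS
"""
CURRENT = """\
GRANTEE|PRIVILEGE|OBJECT
APP_OWNER|CREATE SESSION|-
APP_OWNER|CREATE TABLE|-
APP_USER|CREATE SESSION|-
APP_USER|SELECT|APP_OWNER.ORDERS
APP_USER|DELETE|APP_OWNER.ORDERS
TMP_ADMIN|CREATE SESSION|-
TMP_ADMIN|SELECT ANY TABLE|-
"""

def parse_snapshot(text):
    """Return the set of (grantee, privilege, object) rows, skipping the header."""
    rows = set()
    for line in text.splitlines()[1:]:
        fields = [f.strip().upper() for f in line.split("|")]
        if len(fields) == 3 and all(fields):  # ignore blank or malformed lines
            rows.add(tuple(fields))
    return rows

def compare(baseline, current):
    """Classify every difference between the baseline and the current snapshot."""
    old, new = parse_snapshot(baseline), parse_snapshot(current)
    known, present = {r[0] for r in old}, {r[0] for r in new}
    return {
        "new_accounts": sorted(present - known),      # grantees never seen before
        "missing_accounts": sorted(known - present),  # grantees that disappeared
        "added_grants": sorted(new - old),            # privileges beyond the baseline
        "removed_grants": sorted(old - new),          # privileges no longer present
    }

def privileges_of(snapshot, grantee):
    """Answer 'what privileges did the schema have?' from a saved snapshot."""
    return sorted((p, o) for g, p, o in parse_snapshot(snapshot) if g == grantee.upper())

if __name__ == "__main__":
    for kind, items in compare(BASELINE, CURRENT).items():
        for item in items:
            print(kind, item)
```

Accounts are inferred from grant rows here, so an account holding no privileges at all would need its own listing in the snapshot.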
This overall awareness of the system is important to understanding how to design a secure system and how to respond logically, quickly, and accurately to security incidents.
The concept of security transcends database security, and even computer security. Overall, an organization is concerned with all facets of security. There is, in a sense, a security ecosystem. One area of security complements and relates to other areas. A challenge to implementing computer security is in understanding the complex interrelationships. Here is a list of some of the other security areas that should be considered when addressing security:
Physical security: Protect the assets from physical abuse, including theft. As mentioned previously, theft of a server is not only theft of the hardware but also theft of the data. Booting a server to a “startup” level, changing the super-user password, and exploiting the rest of the system is easy to do if the physical access to the server is compromised.
Personnel security: Ensure people are honest and ethical. This one may be the hardest, because you have to trust people. Generally, you should marry the access a person is given with the amount of trust you have for that person. For people who actually run the systems, some background checks may be necessary and desirable. Keep track of personnel status. A disgruntled employee can cause an enormous amount of IT damage.
Training: Teach people the good behavior required to provide a secure environment. A simple course or document that explains the company policies and describes good security behavior is invaluable to an organization. Include instructions such as:
    Lock the door to your office
    Don’t leave confidential material lying around
    Use “strong” passwords
    Lock unattended computers
Contingency plans: Plan for power failures, security compromises, and disasters. If you don’t have a plan, make one. It will provide a framework for you and guidance to those who are involved in the disaster. Your plan may indicate that there is no contingency for a certain event, but that is okay. It shows you have thought about it and decided to do nothing. It can be a “placeholder” for when you do have a strategy.
Information access management: Access to IT systems should be diligently governed in accordance with the least-privilege principle. This means that application owners, DBAs, and security officers should agree on who has access to what kind of data. This agreement should be documented and audited for compliance.
Information security: Provide confidentiality, privacy, and integrity of your data. Information may take various forms; digital is only one. Digital security will not prevent someone from stealing a confidential printout from an unsecured printer or overhearing a phone conversation about confidential information. Note that theft of a printout is not the same as physical security, which could be used to prevent a person from getting access to the printer altogether. Instructing employees on proper behaviors is critical to ensuring the security ecosystem is functioning well.
To implement security effectively, you need a heterogeneous collection of mandatory controls that cannot be bypassed, such as encryption for confidentiality. You also need discretionary controls that you must hope are not misused by users. All of the areas are equally important to providing a secure ecosystem.