
DatabaseSec_p2

The document discusses the importance of data security in databases, highlighting four key issues: availability, authenticity, integrity, and confidentiality. It emphasizes the need for robust security measures to protect sensitive information from internal and external threats, including the use of third-party security solutions and built-in protections from database vendors. The document concludes with a question about balancing data security with user satisfaction, hinting at further discussion in a future session.

Uploaded by Girl wishee

DATABASES AND DATA SECURITY
It’s your data – are you sure it’s safe?
Team Mag 5
Valerie Buitron
Jaime Calahorrano
Derek Chow
Julia Marsh
Mark Zogbaum
DATABASE OVERVIEW
• Every company needs places to store institutional knowledge and data.
• Frequently that data contains proprietary information
   • Personally Identifiable Data
   • Employee HR Data
   • Financial Data
• The security and confidentiality of this data is of critical importance.
SECURITY OVERVIEW
• There are four key issues in the security of databases just as with all security systems
   • Availability
   • Authenticity
   • Integrity
   • Confidentiality
AVAILABILITY
• Data needs to be available at all necessary times
• Data needs to be available to only the appropriate users
• Need to be able to track who has access to and who has accessed what data
AUTHENTICITY
• Need to ensure that the data has been edited by an authorized source
• Need to confirm that users accessing the system are who they say they are
• Need to verify that all report requests are from authorized users
• Need to verify that any outbound data is going to the expected receiver
INTEGRITY
• Need to verify that any external data has the correct formatting and other metadata
• Need to verify that all input data is accurate and verifiable
• Need to ensure that data is following the correct workflow rules for your institution/corporation
• Need to be able to report on all data changes and who authored them to ensure compliance with corporate rules and privacy laws.
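One way to meet the change-reporting requirement above inside the database itself, as an added example that is not part of the original slides: triggers write every balance change and its author to an append-only log. SQLite is used so it runs anywhere; the accounts, session and audit_log tables, the user names and the helper functions are constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);
-- One-row table the application fills in after authenticating the user
-- (assumption: SQLite has no database accounts of its own).
CREATE TABLE session (actor TEXT NOT NULL);
CREATE TABLE audit_log (
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    changed_at TEXT DEFAULT CURRENT_TIMESTAMP,
    actor TEXT NOT NULL, action TEXT, row_id INTEGER,
    old_balance INTEGER, new_balance INTEGER);
CREATE TRIGGER accounts_upd AFTER UPDATE OF balance ON accounts
BEGIN
    INSERT INTO audit_log (actor, action, row_id, old_balance, new_balance)
    VALUES ((SELECT actor FROM session), 'UPDATE', OLD.id, OLD.balance, NEW.balance);
END;
CREATE TRIGGER accounts_del AFTER DELETE ON accounts
BEGIN
    INSERT INTO audit_log (actor, action, row_id, old_balance, new_balance)
    VALUES ((SELECT actor FROM session), 'DELETE', OLD.id, OLD.balance, NULL);
END;
-- The log is append-only: edits and deletions of audit rows are refused.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO accounts VALUES (1, 'constructed-owner', 500)")
    return db

def run_as(db, actor, sql, params=()):
    """Run one change for an authenticated user; with no actor the change is rejected."""
    db.execute("DELETE FROM session")
    if actor:
        db.execute("INSERT INTO session VALUES (?)", (actor,))
    db.execute(sql, params)  # audit_log.actor is NOT NULL, so no actor means no change
    db.commit()

def changes(db):
    return db.execute("SELECT actor, action, row_id, old_balance, new_balance "
                      "FROM audit_log ORDER BY seq").fetchall()
```

An administrator who can drop triggers can bypass this log, so the audit rows should also be copied to a system outside that administrator's control.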
CONFIDENTIALITY
• Need to ensure that confidential data is only available to the correct people
• Need to ensure that the entire database is secure from external and internal system breaches
• Need to provide for reporting on who has accessed what data and what they have done with it
• Mission-critical and legally sensitive data must be highly secured, at the potential risk of lost business and litigation
KEEPING YOUR DATA CONFIDENTIAL
• Although the 4 pillars are of equal importance, we are focusing on Confidentiality due to the prevalence of data loss in financial and personal areas
• We are going to review solutions for
   • Internal data loss
   • External hacking
   • Securing data if hardware stolen
   • Unapproved Administrator Access
MIDDLEWARE SECURITY CONCERNS
• Another set of security issues comes from middleware that sits between the user and the data
   • Single sign on authentication
      • Allows users to just have one password to access all systems but also means that the theft of one password endangers all systems
3RD PARTY SECURITY OPTIONS
• Most companies have several types of databases so to ensure total security across databases they hire 3rd party Database Security Vendors such as Guardium, Inc. and Imperva, Inc.
• Those companies have solutions for Database Activity Monitoring (DAM)
• Prices range from $20K to $1 Million
• Another option is data masking – buying a fake data set for development and testing.
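The scrambling variant of data masking mentioned above, as an added example that is not part of the original slides: a keyed hash replaces names and SSNs consistently, so the masked copy still joins across tables while the real values never leave production. The tables, sample rows, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

# Constructed key (assumption): it stays with production, never with the masked copy.
MASK_KEY = b"constructed-demo-key"
FIRST = ["Alex", "Sam", "Robin", "Casey", "Jordan", "Morgan"]
LAST = ["Reed", "Lane", "Hale", "Frost", "Vance", "Quinn"]
SCHEMA = """CREATE TABLE employees (ssn TEXT PRIMARY KEY, name TEXT, dept TEXT);
            CREATE TABLE payroll (ssn TEXT, salary INTEGER);"""

def _digest(kind, value):
    # Keyed hash: equal inputs mask to equal outputs, so joins still line up,
    # but the mapping cannot be rebuilt without the key.
    return hmac.new(MASK_KEY, f"{kind}:{value}".encode(), hashlib.sha256).digest()

def mask_name(name):
    d = _digest("name", name)
    return f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"

def mask_ssn(ssn):
    # Keep the NNN-NN-NNNN layout so format checks in test code still pass;
    # area numbers 900-999 are not assigned as SSNs, so output is visibly fake.
    n = int.from_bytes(_digest("ssn", ssn)[:8], "big")
    return f"9{n % 100:02d}-{n // 100 % 100:02d}-{n // 10000 % 10000:04d}"

def build_masked_copy(prod):
    dev = sqlite3.connect(":memory:")
    dev.executescript(SCHEMA)
    for ssn, name, dept in prod.execute("SELECT ssn, name, dept FROM employees"):
        dev.execute("INSERT INTO employees VALUES (?, ?, ?)",
                    (mask_ssn(ssn), mask_name(name), dept))
    for ssn, salary in prod.execute("SELECT ssn, salary FROM payroll"):
        # Round pay to the nearest 5,000 so no exact salary leaves production.
        dev.execute("INSERT INTO payroll VALUES (?, ?)",
                    (mask_ssn(ssn), round(salary / 5000) * 5000))
    return dev

def sample_prod():
    # Constructed rows standing in for a production database.
    prod = sqlite3.connect(":memory:")
    prod.executescript(SCHEMA)
    prod.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [("111-22-3333", "Ada Example", "HR"),
                      ("444-55-6666", "Bob Sample", "Finance")])
    prod.executemany("INSERT INTO payroll VALUES (?, ?)",
                     [("111-22-3333", 61250), ("444-55-6666", 88900)])
    return prod
```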
PROS AND CONS OF 3RD PARTY SOLUTIONS

| Solution Description | Pros | Cons |
|---|---|---|
| Data Obfuscation (Masking, Scrambling) | Fake or Scrambled data set for use by design and implementation teams | Can be very expensive – good fake data can range in cost from $200,000 to $1 Million |
| Encryption of Data | Allows personally identifiable data to be scrambled if intrusion takes place. | Adds overhead and possible performance issues. |
| Database Intrusion/Extrusion Prevention | Looks for SQL Injections, Bad access commands and odd outbound data | Can eat into overhead and cause performance issues – also expensive. Needs very specific criteria to set up. |
| Data Leak Prevention | Catches any data that is being sent out | Does not protect data in the actual data |

BUILT IN DATABASE PROTECTION
• Vendors such as Oracle, Microsoft and IBM know that security is a big concern for data systems.
• They create built in solutions such as:
   • Password Controls
   • Data access based on roles and profiles
   • IP restrictions for off site access
   • Auditing capabilities of who has run what reports
   • Security logging
PROS AND CONS OF BUILT IN SOLUTIONS

| Solution Description | Pros | Cons |
|---|---|---|
| Complex Passwords (require numbers and symbols) as well as frequent password changes | Makes passwords harder to guess and harder to crack | Users write them down and keep them next to computer or forget and need multiple resets |
| Keep Internal and External facing databases separate | Makes it very hard to hack one and then get through to the other | Reduces functionality of databases and restricts flow of internal data |
| Restrict Downloading | Keeps data in the database and not loose in Excel, etc | Restricts reporting capabilities and offline functionality |
| Restrict Unwanted Connections | Again makes it harder to worm from one system to another | Makes integration more difficult and can reduce user acceptance |
| SAML (Security Assertion Markup | SAML is the standard that is used for Single | If not in use blocks the usage of single |

RECOMMENDATIONS?
• Will we be able to keep the data secure while keeping the users happy?
• Tune in Week 10 to find out!
   • Same Bat Time
   • Same Bat Channel
