Four simple steps to a more secure database


Eileen Kennedy, News Writer
Although IT managers know they should do everything they can to maintain secure databases for their business and customers, experts say it's important to regularly review some simple but effective steps that sometimes get forgotten in the daily hubbub.

First, don't forget the patches. IT managers should keep current with the latest security patches for the network's operating system and databases, said Gerhard Eschelbeck, chief technological officer and senior vice president of engineering at Webroot Software Inc., a Boulder, Colo.-based developer of Internet security products.

"Unpatched security vulnerabilities are frequently used by attackers to compromise systems and databases," he said.

Weak or default passwords should be weeded out, as should unused login accounts, Eschelbeck said. "Unsecured login accounts or permissions lead to unauthorized access of your data," he said.

Limiting physical and network access to the database system is another crucial security step, according to Serdar Yegulalp, an author and editor of Windows Power Users Newsletter.

"Treat a database like any other computer asset that you want to protect. Don't just let anyone get to it," he said.

Contact with the database should be limited to the machines that have to talk to it, with standard protections in place, he said.

Also, if a company uses a Web application to access its database -- with scripts written in Active Server Pages (ASP) or ASP.NET technology, for example -- and a script crashes, the resulting error report can potentially reveal the script's source code, Yegulalp said.

In a case like that, limiting database access to the correct users is essential. If through proper security measures the database access is already limited to the right users, any script crashes will not reveal database connection information to the wrong users, Yegulalp said.

"I've seen this happen more than a few times -- the database connection name and password for all the world to see," he said, adding that he recommends rotating the password for the database connection regularly, which adds just one more layer of security to the process.
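An added example, not code from the article or from anyone quoted in it: a Python check that audits an ASP.NET web.config for the settings that let a crashing script show error details and a stored connection password to visitors. The sample config, its names (OrdersDb, ReportsDb, db01) and the function audit_web_config are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the article); the password is a placeholder.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="OrdersDb"
         connectionString="Server=db01;Database=Orders;User Id=webapp;Password=EXAMPLE-ONLY;" />
    <add name="ReportsDb"
         connectionString="Server=db01;Database=Reports;Integrated Security=SSPI;" />
  </connectionStrings>
  <system.web>
    <customErrors mode="Off" />
    <compilation debug="true" />
  </system.web>
</configuration>
"""

# Matches a Password= or Pwd= key inside a connection string.
PASSWORD_RE = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=", re.IGNORECASE)

def audit_web_config(xml_text):
    """Return (setting, finding) tuples for settings that expose error or login detail."""
    root = ET.fromstring(xml_text)
    findings = []
    # mode="Off" sends the full error page to every client, local or remote.
    errors = root.find("system.web/customErrors")
    if errors is not None and errors.get("mode", "RemoteOnly").lower() == "off":
        findings.append(("customErrors", "detailed error pages shown to remote users"))
    # debug="true" lets error pages include source lines around the failure.
    comp = root.find("system.web/compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append(("compilation", "debug build adds source lines to error pages"))
    # A password stored in the connection string is readable by anyone who sees the file.
    for add in root.findall("connectionStrings/add"):
        if PASSWORD_RE.search(add.get("connectionString", "")):
            findings.append(("connectionStrings/" + add.get("name", "?"),
                             "plaintext database password in config"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{setting}: {finding}")
```

Setting customErrors to RemoteOnly or On, turning debug off, and using integrated authentication in the connection string clears all three findings.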

Finally, sensitive data, such as credit card or social security numbers, should be encrypted when they are stored in a database, not just when the data is in transit, Eschelbeck said.

