Keeping Data Safe: A Guide to Database Security for DBAs
Introduction
Database security and protection have become increasingly important as we continue to use more data in nearly every aspect of our lives. The best practices for database security are constantly evolving, and it can be tough to keep up with the latest features and recommendations. Let’s take a little refresher course and look at a few key aspects of database security that every DBA should be familiar with.
Safety by Encryption
Encryption is hardly a new concept, but it has taken center stage in recent years as a way to keep sensitive data safe. When you encrypt data, you use an algorithm to transform it into a form that is incomprehensible to anyone who does not hold the exact key that was used to encrypt it. In theory an attacker could still attempt to decrypt and access the data without the key, but it would be a difficult task taking an inordinate amount of time.
You can encrypt data “at rest”, which refers to data stored in a database; in this situation, the encryption protects data from malicious snooping. You can also encrypt data “in transit”, which refers to data that’s being sent over a network. When you encrypt data in transit, you’re usually safeguarding it against packet sniffing.
LBAC
Another common security measure is known as LBAC, or label-based access control. LBAC offers more granular control over access to specific data in the database. While user access is usually granted at the database or table level, LBAC takes that access control to the next level, allowing you to limit a user’s access to specific columns or rows in a given table. Obviously, this level of complexity in a security approach isn’t the right choice for all applications, but LBAC can be incredibly valuable for organizations dealing with classified and confidential data, such as government institutions.
LBAC works by creating security “labels”, which represent the criteria used to decide which users have access to which data. When a user attempts to access data that is protected by an LBAC system, the user’s security label is compared with the security label on the data in question. If the labels don’t match, the system acts as though those protected rows or columns simply don’t exist. This behavior adds an extra level of security because, in many situations, even the knowledge that certain confidential data exists needs to be protected.
Masking
Yet another popular approach to data security is masking. Data masking refers to the process of safeguarding sensitive data by obfuscating it. The data may be replaced with complete gibberish or with realistic-looking, though not real, data. If you’ve ever received a receipt that only shows the last four digits of your credit card number, with the rest of the digits replaced by asterisks, you’ve seen an example of data masking in action.
Data masking is often used in test environments to avoid exposing production data. In these situations, production data is obfuscated to protect any sensitive contents, yet it retains enough of a realistic form to be useful for testing. Some data masking techniques are relatively straightforward, such as redaction, the approach seen in our example where the digits of a credit card number are simply replaced by asterisks. Other masking techniques, however, can be more complex. The “lookup substitution” method, for example, requires the creation of a special lookup table that provides an alias for every value that needs to be masked. This type of masking is helpful for test environments that require realistic-looking data but must not expose any sensitive information.
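The two masking techniques described above, as an added example that is not part of the original article: redaction of a card number down to its last four digits, and lookup substitution that assigns each distinct real value a consistent alias from a pool. The sample rows, alias names and card numbers are constructed for illustration.

```python
import re
import secrets

# A plausible primary account number: 13 to 19 digits after separators are removed.
CARD_RE = re.compile(r"^\d{13,19}$")

def redact_card(pan: str, keep_last: int = 4) -> str:
    """Redaction: replace all but the last `keep_last` digits with asterisks.
    Spaces and dashes are stripped first so the output is deterministic, and
    input that is not a plausible card number is rejected rather than
    partially masked."""
    digits = re.sub(r"[ -]", "", pan)
    if not CARD_RE.match(digits):
        raise ValueError("not a card number")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]

class LookupSubstitution:
    """Lookup substitution: every distinct real value is mapped to one alias,
    recorded in a lookup table so the same input always yields the same alias.
    That keeps joins and GROUP BY results meaningful in the masked test copy."""
    def __init__(self, alias_pool):
        self._pool = list(alias_pool)
        self._table = {}          # real value -> alias (never ship this table)

    def mask(self, value):
        if value not in self._table:
            if not self._pool:
                raise RuntimeError("alias pool exhausted")
            # Draw without replacement so two real values never share an alias.
            self._table[value] = self._pool.pop(secrets.randbelow(len(self._pool)))
        return self._table[value]

# Constructed production-like rows; the card numbers are well-known test values.
SAMPLE_ROWS = [
    {"customer": "Alice Example", "card": "4111 1111 1111 1111", "amount": 42.0},
    {"customer": "Bob Example",   "card": "5500000000000004",    "amount": 13.5},
    {"customer": "Alice Example", "card": "4111 1111 1111 1111", "amount": 7.25},
]

def mask_rows(rows, sub: LookupSubstitution):
    """Build the test copy: card redacted, customer name substituted, amount kept."""
    return [{"customer": sub.mask(r["customer"]),
             "card": redact_card(r["card"]),
             "amount": r["amount"]} for r in rows]

if __name__ == "__main__":
    for row in mask_rows(SAMPLE_ROWS, LookupSubstitution(["Customer A", "Customer B"])):
        print(row)
```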
Conclusion
We’ve looked at some key security measures in this article, but our brief overview doesn’t cover all of the latest developments and best practices in the world of database security. For DBAs, the most important thing you can do to protect your organization’s data is to stay up to date. Take a look at what security tactics you’re currently using, and think about how you can augment your current approach with some of the tools we covered in this article. When it comes to data security, that proverbial ounce of prevention might be worth way more than a pound of cure.