Introduction
A database refers to a collection of organized information. The purpose of this configuration is to enable the easy access, management and updating of data. Databases can be grouped according to the content types they hold. They can be full-text, bibliographic databases and images. In the field of computing, databases get classified according to their approach in terms of organization. The relational database is the most common approach. It is a tabular database whereby data gets refined so as to be organized and accessed in multiple ways. Object-oriented programming databases are congruent with data defined in object subclasses and classes. Because databases carry sensitive information, it is important that they get properly secured. Database security mainly involves the use of a wide range of information security controls to secure databases against any compromises of their integrity, confidentiality, and availability.
Risks facing database systems
Infections from malware. These cause incidents such as disclosure or leakage of sensitive personal data, unauthorized access to databases, and damage or deletion of data.
Misuse of information by authorized database users. Such individuals include systems managers and database administrators. A malicious technician might use the information in an illegal manner
Performance constraints and overloads might hamper the ability of technicians to access the database.
Physical damages to servers as a result of server-room fires, lightning, overheating and accidental spills of liquids. Once equipment gets damaged, it becomes very difficult to access the data in the hard drives.
Programming issues and design flaws create security vulnerabilities. These loopholes can be exploited by hackers and other malware.
Invalid data and commands have the ability to corrupt data. In such an instance, though the data is not lost, it becomes unusable.
Policies, standards and procedures in database security
Policies are long-term, top-level management rules on how to run the organization. They are mainly driven by legal concerns and vary from organization to organization. Policies normally reflect the goals of an organization, its objectives, and culture. Within the organization, policies apply to anyone, including the boss. The philosophy of security policies involves many aspects. Major considerations include making the keeping of backups mandatory (Astrahan et al., 19767, pp. 97-137). It also includes the prevention of unauthorized aces to data. Most security policies target the following areas
System security policy- This policy is mainly concerned with database user management, user authentication, and operation system security. Each database has one or a number of administrators charged with the responsibility of maintaining all attributes of the security policy. After deciding on who to manage the system security, a security policy needs to include sub-policies.
Data security policy- The security of data involves the mechanisms which control access and use of the database. A company’s data security policy determines which people have access to specific data and can take specific actions. This policy gets mainly determined by the security level the organization desires to establish for the data within its database. The overall security of data, however, needs to get based on the data sensitivity. Highly sensitive data needs to be more secured than non-sensitive data.
User security policy- this policy mainly deals with aspects relating to users. It mainly deals with end-user security, general user security, administrator security, application developer security and application administrator security. Under the policy technicians focus on password security and privilege management. Administrators must divide users into groups. After this clustering, they can grant the necessary privileges and roles to different users.
Password management policy- Systems highly dependent on passwords require high secrecy to the passwords.it is important for companies to have security officers who regulate the system through user profiles. Such patterns enhance greater control over the safety of the database.
Auditing Policy- Administrators should always create a system for auditing procedures for each data bank. In the event of suspected questionable activities, the database should be immediately disabled. When the company requires auditing, the security administrator needs to decide the level of detail in which to audit the database. General system auditing typically gets followed by more specialized types of auditing after finding the origin of suspicious activity.
Standards, on the other hand, define the processes or rules to be used to support the policy. They include system-design models, specific software or methodologies. Standards are mandatory and require special approval to be overruled. Use of standards ensures that consistency and effectiveness of database environment gets enhanced. Database models require the naming of objects (Condit, Lao, Singh, Esufali, and Dolins 2014, pp. 21-31). While several factors of naming objects need consideration, the most important action is to define a convention and stick to it. A naming convention is a crucial part of a well-constructed data model. These conventions help to create order in a database when all files and folder names get called in a replicable manner.
They also establish a sustainable structure. It makes it easier to scale operations and maintain sanity in the organization. Furthermore, naming conventions make work quicker and easier, especially through shorthand naming conventions. Lastly, they ensure that the process of sorting and searching is simplified.
Procedures are specifically ordered tasks required to perform some action or function. However, they tend to work for a short period.In databases, we have stored procedures. These are groups of Transact-SQL statements or references to a .NET Framework common runtime language. These procedures resemble constructs used in other programming languages because of the following: They accept input parameters and give multiple values in the form of output parameters to the calling program. Also, they have programming statements that conduct operations in the database. The benefits of using stored procedures are a reduced server network traffic, stronger security, reuse of code, easier maintenance, and improved performance.
Security vulnerabilities in configuration management
IT environments have become more complex, supporting distributed and virtual platforms. Companies must ensure that they maintain control of their information and management of their systems. They need to manage multiple point-based technologies, which increase complexity and cost. Such solutions need to manage endpoint configurations. When end users have the ability to download and install software, application conflict is bound to occur. These disconnections eventually reduce the productivity of users and increase operation costs because of security incidents. Without the entire visibility and standardization of endpoint configurations, database administrators cannot know or manage all the applications in the environment.
Data encryption
Encryption is the transform of data into a secret code. Encrypting details the most effective method of achieving data security. For someone to read encrypted files, they must have a key or password that decrypts the data. There are two main types of encryption namely symmetric and asymmetric encryption. Symmetric encryption is the oldest and best-known form of encryption. In this method a secret key gets applied to the content of a message to change it in a particular manner. The process could be as simple as moving each letter in the alphabet provided that both the Sender and the Receiver have the secret key to enable them encrypt and decrypt the message.
Asymmetric encryption is a system whereby there are two related keys, or a key-pair. A public key gets availed to everyone who desires to send a message. A second private-key remains hidden and only available to the original sender. Any information encrypted using the public key can only get decrypted by the same algorithm, but through using the matching private key. This method eliminates the worry of passing your public key over the internet. However, the downside to this system is that it is much slower than symmetric encryption. It requires much more processing power to both encrypt and decrypt the contents in the message. Digital certificates get used to discover other public keys (Davida, Wells and Kam 1981, pp. 321-328)
Access control
This is the process whereby access to the database is limited based on set criteria. The top level management have a greater access to the data. The technical staff also access and control various aspects of data storage. Centralization of organizations creates a situation whereby there is one dataset on which all users work and all applications within the organization get stored. Some low-level users only get access to basic databases that are not sensitive or highly secretive. Access control is important in any given database because it enhances security. It detects, prevents and deterred improper disclosure of data. Restricted access also ensures integrity by preventing and detecting improper change of information. Proper function of organizations depends on proper operations and proper data (Fabio 1994).
Database monitoring
Monitoring of the database involves constantly checking and evaluating the performance of the system. Through monitoring, any changes in the system can be quickly detected. Breaches in the system can cause serious loss and damage to a company’s data. When sensitive user data leaks into the public domain, the credibility of the company gets thrown into disarray. The major reason why database monitoring is important is as follows. Monitoring ensures the performance and security of the database. Normally, security and performance get handled by separate teams. When technicians can receive real-time alerts prove to be very efficient in detecting problems (Kaneko 2014, pp. 160-169).
Backups
When new databases get creat3ed, new applications go online. Everything is fresh and clean. However, this environment changes over time. New software and hardware get manufactured along with more data, more users and more requirements. Many daily hazards can cause failures in the system. There are three types of database failures. Instance failures get caused by internal exceptions within the operating system. It can also cause corruption of data that requires recovery. Application failures happen when programs or scripts get run at the wrong time using the wrong input or the wrong order. Media failure includes damage to disk storage, tape degradation and file system failures. Modern disk technologies such as RAID can help mitigate outages due to media failures (Kern et al., 2001).
Bibliography
Astrahan, M.M., Blasgen, M.W., Chamberlin, D.D., Eswaran, K.P., Gray, J.N., Griffiths, P.P., King, W.F., Lorie, R.A., McJones, P.R., Mehl, J.W. and Putzolu, G.R., 1976. System R: relational approach to database management. ACM Transactions on Database Systems (TODS), 1(2), pp.97-137.
Condit, R., Lao, S., Singh, A., Esufali, S. and Dolins, S., 2014. Data and database standards for permanent forest plots in a global network. Forest Ecology and Management, 316, pp.21-31.
Davida, G.I., Wells, D.L., and Kam, J.B., 1981. A database encryption system with subkeys. ACM Transactions on Database Systems (TODS),6(2), pp.312-328.
Fabbio, R.A., International Business Machines Corporation, 1994. Access control policies for an object oriented database, including access control lists which span across object boundaries. U.S. Patent 5,335,346.
Kaneko, H., and Funatsu, K., 2014. Database monitoring index for adaptive soft sensors and the application to industrial process. AIChE Journal, 60(1), pp.160-169.
Kern, R.F., Micka, W.F., Nick, J.M., Perry, L.R., Petersen, D.B., Slone, H.G., Spear, G.A. and Yudenfriend, H.M., International Business Machines Corporation, 2001. Database backup system ensuring consistency between primary and mirrored backup database copies despite backup interruption. U.S. Patent 6,199,074.
