2005: The Worst Year in History for Database Hacks
ISSJ Introduces the "Vulnerability Management Lifecycle" Approach to Application-Layer Security

The year 2005 was distinguished by 50 security incidents compromising approximately 50 million pieces of sensitive information. Already it is the worst year in history for database hacks. High-profile data theft incidents, such as those experienced by ChoicePoint and CardSystems, exemplify what industry veterans already know: traditional security measures, such as firewalls, do not provide in-depth security at the application level, leaving database applications vulnerable to intruders. If the stakes weren't high enough, regulatory compliance requirements have further upped the ante. After all, whether it's significant transactions (relative to Sarbanes-Oxley) or personal information (relative to California Senate Bill 1386, the Health Insurance Portability and Accountability Act, and so on), most data spends 99% of its life in the database. Protecting databases, an organization's "crown jewels", requires a more comprehensive, layered approach.

At its core, security is about risk reduction. One of the most effective database security practices, defense-in-depth, involves multiple layers of protection to reduce the risk of intrusion. This layered approach is analogous to the defensive layers surrounding a medieval castle: drawbridge, moat, the outer wall, the inner keep, archers manning the wall, soldiers stationed outside the wall, etc. No single level of defense is infallible, and all these layers cannot ensure the castle will be 100% impenetrable. However, together, these combined layers of protection can make the castle - and its crown jewels - significantly less vulnerable to invaders.

Database security is similar. Protecting the database encompasses more than setting permissions. There are many layers of protection to consider when safeguarding your databases.

Most large organizations have antivirus software, firewalls, and sometimes even intrusion detection systems (IDSs) to protect their networks and host operating systems. Though these defense tools serve a purpose in protecting servers and networks, they are not designed to detect application-level attacks, nor are they capable of stopping such threats before damage is done.

Firewalls provide protection only at the network level - examining packets and determining whether an incoming request should be granted access to a given port. Firewalls do not understand database vulnerabilities or protocols (such as SQL) that may be used by attackers. Firewalls are also typically located on the edge of the network, where they are ideally situated to watch for attacks from outside the enterprise, but not threats from insiders.

In addition, by their nature, firewalls simply admit too much traffic to provide foolproof application protection. In today's world of virtual organizations and electronic commerce, an enterprise cannot afford to lock out customers, suppliers, distributors, remote employees, or contractors.

Similarly, though many enterprises have deployed IDSs to improve network security, these tools do little to protect core databases and applications. These systems scan the network and compare traffic and usage patterns to either historic trends or against the "signatures" of known network attacks. However, most IDSs are passive, scanning for suspicious traffic and alerting the network administrator, but not taking any action to stop the attack. They are also designed as forensic tools, gathering evidence to analyze an attack after the fact, as opposed to thwarting it in real time.

Firewalls and IDSs certainly have a place in a multi-layered security system. But they are not enough to protect organizations from internal and external threats, while still allowing appropriate access to applications and databases. A modern enterprise needs application-intelligent equivalents of its existing network- and host-based security platforms, which can discover, assess, and dynamically protect applications and databases against rapidly-changing security threats.

Many organizations have already employed an effective life-cycle management methodology at the network and host operating system levels. Enterprises should apply these same principles to the application layer as well.

The vulnerability life-cycle management process includes four main components as shown in Figure 1.

  1. Establish a baseline: Through intelligent and complete discovery. It's 9:00 p.m., do you know where all your database applications are? Given today's easily deployed databases and the pace of change in an organization, simply knowing where the database applications are is non-trivial, yet crucial to implementing security. Only with a detailed understanding of what database applications are deployed, where they are, what releases they are running, etc., can true application security begin.
  2. Prioritize: Assess risk based on asset classification and vulnerability. Proactively assessing the vulnerability of application components helps organizations minimize risk and evaluate compliance with their security policies. With this prioritization in hand, firms can inform the implementation of the next steps in the life cycle, or direct the roll-out of this process across their infrastructure, based on the importance of the systems at hand to their business and the severity of the present vulnerabilities.
  3. Shield and Mitigate: Via vulnerability assessment and encryption. Having identified which systems are most critical to the business and quantified the number and severity of vulnerabilities on these systems, a firm should then conduct vulnerability assessment tests and proactively "harden" these components by removing the vulnerabilities present. The system should ensure that all current patches are installed, that passwords have been changed from their default settings, and that required security configurations are set. Also, the system should produce meaningful security audit reports, both prior to and after application deployment; they ensure new components get deployed securely and stay that way. With this step complete, organizations take a major step toward improved security. By regularly eliminating the known weaknesses an attacker might try to leverage, organizations significantly reduce the risk of a breach.

    Encrypting the most sensitive data further bolsters protective efforts. This "last line of defense" ensures that even if your database is breached, its most critical information remains protected. This step is crucial not only to thwart an attacker that manages to gain access to the database despite other protections, but also to defend against unauthorized access to data by legitimate users.

  4. Monitor: Utilize your established baseline to monitor for vulnerabilities and your threat environment. The ability to detect and block attacks as they happen is essential. After all, zero-day threats (new vulnerabilities) and insider abuse are a simple fact of life for which threat signatures are either unavailable or do not apply (respectively). Thus, to complement proactive hardening efforts, organizations require real-time protection from both rapidly spreading new security threats and rogue employees who don't need to break in to the databases: they already have access. Real-time protection also helps guard unpatched systems during the sensitive gap between when a new vulnerability is published and when patches are universally applied.

Clearly, database intrusion detection and security auditing come with complexities. Monitoring your databases is useful, but monitoring is only effective when done in conjunction with a well-conceived and balanced security plan. Database monitoring is a layer of defense augmenting your overall database security strategy. When database monitoring is performed in parallel with vulnerability assessment and encryption, you can develop an effective life-cycle approach to database security.
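The four life-cycle steps above, worked through in code as an added example (this is not code from the article or from AppSecInc). It runs one pass over a constructed inventory of three database instances: the discovery baseline is a dictionary of hosts with their patch level, accounts and auditing state; assessment checks each host against a constructed policy (required patch level per engine, a short list of vendor accounts with well-known factory passwords, auditing enabled); prioritization ranks hosts by asset criticality times the worst finding; and monitoring diffs a later snapshot against the baseline to catch drift (an unknown instance appearing, a new account, auditing switched off, a patch regression). All hostnames, versions, credentials and the severity scale are assumptions made up for the example.

```python
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    severity: int  # constructed scale: 1 (low) .. 5 (critical)


# Step 1, establish a baseline: constructed result of a discovery scan.
# Patch levels are tuples so that they compare numerically, not as strings.
INVENTORY = {
    "db-hr-01":   {"engine": "oracle", "patch": (10, 2, 0, 1), "criticality": 5,
                   "accounts": {"scott": "tiger", "hr_app": "Qv9!x"}, "auditing": False},
    "db-shop-02": {"engine": "mssql",  "patch": (8, 0, 760),    "criticality": 4,
                   "accounts": {"sa": "", "shop": "m4pL3"},        "auditing": True},
    "db-test-09": {"engine": "mysql",  "patch": (4, 1, 22),     "criticality": 1,
                   "accounts": {"root": "s3cr3t"},                "auditing": False},
}

# Policy inputs (constructed): minimum patch level per engine, and vendor
# accounts whose factory password is widely known and must be changed.
REQUIRED_PATCH = {"oracle": (10, 2, 0, 3), "mssql": (8, 0, 2039), "mysql": (4, 1, 22)}
DEFAULT_CREDS = {"scott": "tiger", "sa": ""}


def assess(host, cfg):
    """Step 3 (vulnerability assessment): compare one instance against policy.
    Returns the list of findings; an empty list means the host passes."""
    findings = []
    if cfg["patch"] < REQUIRED_PATCH[cfg["engine"]]:
        findings.append(Finding(host, "missing patches", 3))
    for user, password in cfg["accounts"].items():
        if DEFAULT_CREDS.get(user) == password:
            findings.append(Finding(host, f"default password on {user}", 5))
    if not cfg["auditing"]:
        findings.append(Finding(host, "auditing disabled", 2))
    return findings


def prioritize(inventory):
    """Step 2: rank hosts by asset criticality x worst finding, highest first.
    Each entry is (score, host, findings)."""
    ranked = []
    for host, cfg in inventory.items():
        findings = assess(host, cfg)
        worst = max((f.severity for f in findings), default=0)
        ranked.append((cfg["criticality"] * worst, host, findings))
    return sorted(ranked, key=lambda r: (-r[0], r[1]))


def monitor(baseline, current):
    """Step 4: report drift between the baseline and a later snapshot.
    Returns (host, alert) pairs; no signature is needed for any of these."""
    alerts = []
    for host, cfg in current.items():
        old = baseline.get(host)
        if old is None:
            alerts.append((host, "unknown database instance appeared"))
            continue
        for user in sorted(set(cfg["accounts"]) - set(old["accounts"])):
            alerts.append((host, f"new account {user}"))
        if old["auditing"] and not cfg["auditing"]:
            alerts.append((host, "auditing was switched off"))
        if cfg["patch"] < old["patch"]:
            alerts.append((host, "patch level regressed"))
    for host in sorted(set(baseline) - set(current)):
        alerts.append((host, "instance disappeared from inventory"))
    return alerts


def drifted_inventory():
    """Constructed later snapshot: an extra account, auditing turned off,
    and a database nobody registered."""
    current = copy.deepcopy(INVENTORY)
    current["db-hr-01"]["accounts"]["reporting"] = "tmp123"
    current["db-shop-02"]["auditing"] = False
    current["db-new-77"] = {"engine": "mysql", "patch": (4, 0, 12), "criticality": 3,
                            "accounts": {"root": ""}, "auditing": False}
    return current


if __name__ == "__main__":
    for score, host, findings in prioritize(INVENTORY):
        print(f"{host}: risk {score}")
        for f in findings:
            print(f"  [{f.severity}] {f.issue}")
    for host, alert in monitor(INVENTORY, drifted_inventory()):
        print(f"ALERT {host}: {alert}")
```

The ranking puts the HR database first even though it has the same worst finding as the shop database, because the business criticality multiplier is part of the score; that is the point of prioritizing by asset classification rather than by vulnerability count alone. The monitoring step deliberately works from the baseline and not from attack signatures, which is what lets it flag the unregistered instance and the new account.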

When considering the use of database monitoring and security auditing solutions, make sure you select a tool compatible with other database security products. You can achieve an effective and holistic approach to security when you incorporate and integrate the solution at the different layers. As a result, you can fortify your castle (database) and crown jewels (sensitive data) from modern-day barbarians.

About Aaron Newman
Aaron Newman is co-founder and the chief technology officer of Application Security, Inc. (AppSecInc). In his current role, Newman is responsible for defining the overall AppSecInc product vision. Widely regarded as one of the world's foremost database security experts, Newman is the coauthor of the Oracle Security Handbook, published by Oracle Press. Visit http://www.appsecinc.com/techdocs/whitepapers/ to read "Protecting the Crown Jewels: An Enterprise Class Approach to Application Security" and other white papers by Mr. Newman in full.
