What is database security and what are the major techniques to secure databases?
Database security is one of the most crucial components of information security, and there are many threats that can compromise the security of a database. It focuses on protecting the database from unauthorized access or disclosure, alteration, or destruction. In that respect, securing databases is not fundamentally different from securing and protecting other information and information systems.
The objectives of information security are to ensure the confidentiality, integrity and availability (CIA) of information systems, and these are the objectives of database security as well. The confidentiality objective ensures that only authorized users have access to data, using encryption, identification, authentication and authorization techniques. The integrity objective focuses on ensuring that only authorized users are allowed to modify data, thereby maintaining data consistency and trustworthiness. The availability objective, on the other hand, focuses on ensuring that information is accessible to authorized parties when needed.
Database security, like other information security components, can be achieved by one or more of the following security controls:
- Identification: refers to the approach in which users are identified through attributes such as user IDs, smart cards, biometrics and similar techniques.
- Authentication: focuses on verifying and checking the claimed identity of users.
- Authorization: focuses on defining and enforcing who has access to which system resources, such as data.
- Accountability: focuses on capturing and maintaining log files so that users' actions can be traced and users can be held accountable for their actions.
- Access Controls: ensure that data and other system resources are accessed only through authorized means. This is usually complemented by an access control matrix that lists the objects in its columns and the subjects in its rows.
- Database Encryption: focuses on scrambling specific cells or columns using strong encryption algorithms to render them unreadable. This helps prevent direct access to and disclosure of sensitive database objects even if they fall into the wrong hands.
- Parameterized Queries and Stored Procedures: focus on preparing and compiling parameterized SQL statements, thereby protecting applications and databases against code and SQL injection attacks.
- Views: used for implementing access controls in databases through restrictive SELECT statements.
- Security logs and audit trails: security logs are journals that record all attempted security violations in the database, and audit trails can be used to investigate those security logs further.
- Backups: the last resort for securing database systems is the establishment of robust backup systems.
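To make the parameterized-query and view items above concrete, here is an added example (not part of the original answer) using Python's built-in sqlite3 module against a constructed in-memory table. It places a string-concatenated lookup next to its parameterized form so the difference in how a quoting character in user input is treated becomes visible, and shows a view that exposes only non-sensitive columns. The table, column and view names are invented for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample database; all rows and names are invented for this example.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (
            id INTEGER PRIMARY KEY, username TEXT, salary INTEGER, ssn TEXT);
        INSERT INTO employees (username, salary, ssn) VALUES
            ('alice', 90000, '111-11-1111'),
            ('bob',   85000, '222-22-2222');
        -- A view acting as an access control: it omits salary and ssn, so an
        -- account granted SELECT only on the view never sees those columns.
        CREATE VIEW employee_directory AS SELECT id, username FROM employees;
    """)
    return conn

def lookup_concatenated(conn, username):
    # Unsafe pattern: the untrusted value is spliced into the SQL text, so a
    # quote character inside it changes the structure of the statement.
    sql = "SELECT username FROM employees WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    # Safe pattern: the statement is prepared with a placeholder and the value
    # is bound as data, so it can only ever be compared, never interpreted.
    sql = "SELECT username FROM employees WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def directory_columns(conn):
    # Column names visible through the restrictive view.
    cur = conn.execute("SELECT * FROM employee_directory")
    return [d[0] for d in cur.description]

if __name__ == "__main__":
    conn = make_db()
    crafted = "nobody' OR '1'='1"          # input containing a quoting character
    print(lookup_concatenated(conn, crafted))   # both usernames leak
    print(lookup_parameterized(conn, crafted))  # [] : no user has that literal name
    print(directory_columns(conn))              # ['id', 'username']
```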
These are the main security controls that can be used to safeguard database systems, and organizations should combine them as appropriate to protect their data.