Databases are quickly becoming the lifeblood of organizations. These applications hold critical data that, if compromised, could lead to devastating results. Data could be deleted, modified, or released to the public. The goal of database modeling is to therefore design an efficient and appropriate database. Some important criteria are performance, integrity, understandability, extensibility.
Under the performance criteria are database security and the ability to backup data, which is the focus of this paper.In this paper, the SQL server is used as the database example, and some of its features are discussed below. Database Security Most databases already include security features in the application, such as access permissions to control that can read, modify, and write to various tables and fields. Some also provide the ability to encrypt data.
Another method of securing the firm’s database is the use service names and aliases to hide the physical location of databases.When the database is designed to use aliases, the end user or application does not need to know any ‘real’ information about the database-it just needs to know the alias that then points the connection to the proper location. By knowing the physical name and location of the database, an attacker could launch exploits targeted at the database management software or server operating system directly, potentially leading to the compromise of your entire database structure. Isolating the production database is one of the best steps that organizations can further take to protect their data.If your network is compromised, additional layers of security should be in place for attackers to penetrate before they can find the database server. A further method of securing the database is that if possible, the organization should never have their database and Web server running on the same system.
If an attacker is able to compromise the system through a vulnerability in the firm’s Web server, he or she can easily gain complete control of the database. Web servers are public-facing systems, and should be expected to be attacked.The database’ security infrastructure must be designed with this in mind. Database servers, on the other hand, should not be public-facing systems. In fact, they should be buried deep in the network on their own subnet and protected by a firewall. Additionally, communications to the database should be encrypted.
Some databases allow the creation of Secure Sockets Layer (SSL) sessions, or SSH can be used to create an encrypted tunnel. Several third-party applications are also available to augment existing security features. Protegrity's Secure.Data adds a protective layer around the database, encrypting individual data items or objects and providing protection for both external and internal attackers (Thuraisingham 2005, p.
182). This tool provides a great mechanism to protect only that data that is truly critical, such as Social Security or credit card numbers. Internet Security Systems (ISS) has developed a database vulnerability scanner that scans and analyzes database systems for vulnerabilities. This is a good way to ensure that the organization is properly patched and protected because most commercial vulnerability scanners do not include database coverage.Database Backup Inevitably, something will happen to one of an organization’s systems that cause it to be reconfigured. The restore process is much less painful and time-consuming if the firm has a proper backup plan in position.
Data backup processes include the backup of specifications and configurations, policies and procedures, equipment and data centers through the use of backup media, Hierarchical Storage Management (HSM), windows shadow copy, online backup or data-vaulting and disk-to-disk technology and other physical file system backup processes.Specifically, the numerous backup solutions that exist today include PowerQuest's Drive Image and Drive Keeper (now part of Drive Image Pro) to tape drives, CDs, and Symantec's Ghost product (Preston 2007, p. 539). The organization can burn files to CDs, copy them to tape, or even copy them to a network-attached storage device (such as SnapServer) or a storage area network.
There are four more common frequencies of when a firm chooses to backup the databases that are in place. There is the full system backup, the incremental backup, the weekly backup and the monthly.The organization can decide when to backup to incorporate in the database design depending on the unique needs of the business. All these processes should be partnered with a business continuity/disaster recovery plan has been implemented to minimize application downtime in the event of a disaster or emergency.
Further, these procedures should be in place at all times to ensure that all data can be quickly restored if necessary.SQL Server provides static as well as dynamic backup. Andress (2003, p.71) relates that in contrast to some other DBMSs, which back up all databases together, SQL Server does the backup of each database separately. This method increases security when it comes time to restore each database, because a restoration of each database separately is more secure than restoring al databases at once.
Methods in which the SQL provides backup includes full database backup, differential database backup, transaction log backup and database file (or file group) backup. Conclusion Database security is highly critical in today's business environment.In addition to protecting hard assets such as servers, workstations, network components, and data, contemporary organizations need to protect their intangible assets, as security breaches can have a profound effect on a company's reputation, branding, and general corporate image. But, even though security is important and many technologies are being developed to help with the process of securing systems, security and its underlying technology should never overshadow the business reason for implementing security.
Firms would never want to spend more money on a security solution than the cost of what they are protecting.