Database Assessment is not just a security precaution, but an integral part of database operations management.
Databases form the backbone of every major application within the data center, which makes their stability and security both critically important to business operations.
This whitepaper provides the information necessary to understand the value of database assessments and properly evaluate products both individually and head-to-head so you can avoid common problems that occur in assessing databases.
Understanding and Selecting a Database Assessment Solution
Timely, accurate scans, in combination with uncovering problems with setup and maintenance, are essential for operations management — just as detection of vulnerabilities is essential to keeping data secure.
Few people understand the internal complexities of database systems. Historically, as long as databases ran without visible trouble, database administrators (DBAs) enjoyed implicit trust that the systems under their control were secure.
Unfortunately, many attackers have recently demonstrate how easy it is to exploit unpatched systems, gain access to accounts with default passwords, and leverage administrative components to steal data.
Database security cannot be assumed, but must instead be verified. Further, databases are leveraged across enterprises — such that a breach of a web application can cascade across financial systems, business intelligence, sales, and partner sites.
Those tasked with security and compliance of those systems — security teams and internal auditors — lack the technical skills to examine database internals in sufficient detail.
Database assessment tools bridge this gap by capturing DBA utilities for automation of complex tasks, analysis of obscure settings, and separation of duties between audit and administrative roles — in such a way that non-DBAs can use them.
When we started our research on database vulnerability assessments, several security professionals asked the simple question “Why”? “Why are you writing about database assessment? Why now? Don’t most people already know what assessment is and check their databases?”
IT and security professionals understand how general network and OS assessment products work,often assuming that databases are no different. While this is conceptually true, in practice general assessment techniques translate poorly to the database world.
Assessing databases is a very different challenge than OS and network level scans. This is due partially to the complexity of database management systems, and even more to where and how database configurations and operations are managed.
Database security and compliance requirements have been at issue for many years now, but only recently have assessment platforms matured sufficiently to deliver on their promise — they must do far more than simply check for missing patches.
The reasons to purchase a database assessment product have also changed. They used to be primarily for educating DBAs on configuration guidelines and finding vulnerabilities, but are now focused on operations management and compliance.
Yes, the tools still find which databases you forgot to patch, the places where the CEO was granted administrative access, and the default passwords that were never changed; they also help determine which patch fixed the problem you were worried about.
Assessment scanners are no longer funky little homegrown tools, but instead mature enterprise-class products. Assessment is not only an essential step for security, but also for meeting compliance requirements, discovering important assets, separating duties between operations personnel, and communicating results to both technical and non-technical stakeholders.
If you initiate a database security program, assessment is a likely starting point for the entire process. It enables discovery, verification of access control settings, configuration review, removal of dangerous or unwanted features, and prevention of common SQL injection and buffer overflows.
In the database security requirements we see included in enduser RFP/RFI submission requests, a full 60% of the technical requirements can be addressed through database assessment technology.
Even the vendors who provide these technologies are changing. If you reviewed database assessment products more than two years ago and were dissatisfied, it’s time for another look.