Database and web server security
A database collects and organizes information in one place, and when paired with a website it usually stores not only content (as in a content management system) but also user accounts and other confidential information. Securing the database is therefore of paramount importance, given the increasing number of attacks on websites, especially SQL injection attacks.
Database Server Security Risks
Database security refers to the technical, administrative and physical controls applied to protect a database that is accessed by a website served over the internet. Typical security risks include unauthorized activity or misuse by authorized database users, data leakage, deletion of or damage to data, denial of authorized access, database overload, and physical damage.
Database Server Security Measures
Database security measures are applied to several aspects of the database, including:
- Access control
- Integrity controls
- Application security
A few basic measures that should be undertaken for database security are:
- Encrypt the session especially when using web applications to access the database.
- Move default port numbers used by the database to a random or a non-default value to slow down automated attacks.
- Create a test environment to test all database patches prior to installing them on the database used by the website.
- Do not allow database administrators to directly download and install the patches until they have been tested in the test environment.
- Use logging and review logs on a regular basis.
- Create a plan to respond to a data breach or loss as well as a disaster recovery plan.
- Encrypt database. The two main types of encryption are transparent encryption which encrypts the entire database and user encryption that covers specific objects in the database.
- Do not delegate database administrative functions to users.
- Do not use a single database account for all database users.
- Examine and review permissions, roles and groups to make sure all users have just enough authorization to do their jobs.
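An added example (not from the original article) of how the last two measures can be checked in practice: a small Python review that compares a constructed grant listing against a per-account baseline of required privileges and flags accounts shared by several people. The grant format, the account names and the baseline are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample of grants as (account, privilege, object) tuples, in the shape
# a DBA might export from the server's privilege catalogue. Hypothetical data only.
GRANTS = [
    ("webapp", "SELECT", "orders"),
    ("webapp", "INSERT", "orders"),
    ("webapp", "DROP", "orders"),        # excessive for an application account
    ("webapp", "SELECT", "users"),
    ("report", "SELECT", "orders"),
    ("report", "DELETE", "orders"),      # excessive for a read-only reporting account
    ("dba_alice", "ALL", "*"),
]

# Constructed baseline: the privileges each account needs to do its job ("just enough").
BASELINE = {
    "webapp": {"SELECT", "INSERT", "UPDATE"},
    "report": {"SELECT"},
    "dba_alice": {"ALL"},
}

# Constructed record of which people or systems log in with each account.
ACCOUNT_USERS = {
    "webapp": ["app-server-1"],
    "report": ["bob", "carol", "dave"],   # one account shared by three people
    "dba_alice": ["alice"],
}

def excess_privileges(grants, baseline):
    """Return {account: {(privilege, object), ...}} for grants beyond the baseline."""
    findings = defaultdict(set)
    for account, priv, obj in grants:
        if priv not in baseline.get(account, set()):
            findings[account].add((priv, obj))
    return dict(findings)

def shared_accounts(account_users, threshold=1):
    """Return accounts used by more than `threshold` distinct people or systems."""
    return sorted(a for a, users in account_users.items() if len(set(users)) > threshold)

def unknown_accounts(grants, baseline):
    """Accounts holding grants but absent from the baseline: nobody documented what they need."""
    return sorted({a for a, _, _ in grants} - set(baseline))

if __name__ == "__main__":
    print("excess privileges:", excess_privileges(GRANTS, BASELINE))
    print("shared accounts:", shared_accounts(ACCOUNT_USERS))
    print("undocumented accounts:", unknown_accounts(GRANTS, BASELINE))
```

Each finding is a candidate for a REVOKE or for splitting a shared account into per-user accounts; rerun the review after every change.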