A fairytale: perfect database security

Paul Raine

Perfect database security is just a fairytale

The impossibility of total security and the vulnerability of systems to unique attacks are well-known, and as in the fairy-tale of ‘Rapunzel’, many hinge on the unexpected.

“Rapunzel, Rapunzel let down your hair, so I may climb without a stair,” goes the Grimm fairy tale. Upon hearing the password, the heroine Rapunzel releases her five-storey plaited hair-do so the handsome prince can scramble up the prison tower.

She is not alone: we have the spoof bony-finger in ‘Hansel and Gretel’ that puts the blind witch off the scent, the wolf-grandma identity confusion in ‘Little Red Riding Hood’, and the Trojan apple in ‘Snow White’. Never mind that these stories were written for children, they show how imagination and security vie for supremacy like bulls and matadors. And as in fairy tales, it is the unexpected that does the most damage to systems, business and reputation.

And when the job of an application is to provide flexible connectivity and open service to other applications, and even the vendor cannot be sure what ‘correct’ usage will look like, it is clear that gaping holes in security are inevitable. After all, one person’s useful feature is another’s security risk.

The system in question is of course the database. Its purpose is to serve data to other applications through accessible conduits, and to integrate invisibly into business processes. An inflexible database that closes off all the access points is neither desirable nor possible, and organizations should realise that their databases can never be made impregnable. From accidental administrator deletions to malicious SQL injection attacks, databases will, at some level, always be vulnerable.

Dangerous connections

Mike Small, director of security management strategy at the consultancy division of IT group CA, points out one fundamental problem - databases are usually used via other applications. “If you are going to be able to control who is doing what, then you need to know who the people are, what the data is, and who should be able to access what. That’s a very simple requirement but the trouble is that most organizations find themselves with a plethora of entitlement models. In many cases, the applications were written in a hurry for some competitive advantage and the last thing that the developers asked at the time was ‘how do we control access?’”

Usually, because it was quick and easy for developers, applications had one mechanism for database access, explains Steve Moyle, chief technology officer of database security vendor Secerno. “Part of the reason why we have this lack of controls issue is that the application is the thing that does the authentication and then it has the conversation with the database. And typically, the application only logs into the database once as system user.”

“If you can get round the application’s authentication processes, then you’re into the database with full privileges,” he adds.

Any comprehensive solution to database security must involve both application and database, probably at the same time, which is why analyst Gartner’s Hype Cycle report covers both database and application security: “Many of the technologies in this Hype Cycle can be applied in multiple domains, while others begin to include features further blurring the application and data security lines. For example, two database activity monitoring vendors this year expanded into application activity monitoring on the same product platform.”

For the enterprise, there are many choices to be made regarding the trade-off between database and application. They can choose between encrypting a piece of data in an application as it’s collected, or in a database as it’s stored. Some attacks, such as Structured Query Language (SQL) injection, are carried out against both databases and applications.

Because of this commonality, activity monitoring is becoming the solution du jour for database security, particularly where, in Gartner’s words, “there is a need to detect unusual database activity and issue an alert. Database activity monitors enforce the segregation of duties on database administrators without affecting database and application performance”.

Key to monitoring, and then control, is that companies only legitimately use a small subset of database capabilities. Actions outside normal operations can be blocked, and permitted actions can be tuned to policy.

Risky assumptions

Paul Raine, operations director at UK managed service provider ExpressHR, knows how this works. He admits the company’s customers put security low on the list of priorities: “Customers just assume you are secure,” he says. However, a new chief executive has turned the firm’s security work into a marketing advantage, and Raine has implemented Secerno’s activity monitoring tool for more than 100 000 users.

“We secure our perimeter and audit that we’ve secured the perimeter. Clearly you may get leakers coming inside, or you may get people who have got accounts logging in and doing strange things, and that’s why we have Secerno sitting on the inside.”

Steve Moyle says the product highlights problems companies don’t know they have: “If you don’t look, you won’t find.” The product must be tuned to a company’s operations by building a library of normal behaviour. Raine is going through this process at the moment: “You get your report, and you fine-tune the policy,” he says.

“What I’m worried about are the things I don’t know about,” jokes Raine, but he admits that amending business processes to take account of the numerous alerts is causing some difficulty. “We’ve got it running in passive mode at the moment. I can stop transactions tomorrow, the problem is, how can I error handle those for the user?”

Dealing with unexpected events has been an intractable problem for developers and operations since the 1960s. In a bedding-in period, alerts are likely to be very common.

“How do we present a good user experience?” asks Raine. If suspicious behaviour is detected: “Do we shut the user down? Do we log them out? Do we say, ‘please try again’? We need to think through those kind of issues in detail because you don’t want users logging in and getting kicked out again.”

But of course there is a balance to be made between smooth running and investigating anomalies. With technologies such as those used by ExpressHR, at least the balance can be identified by knowing for certain how the database is operating.

Use some intelligence

Senior analyst for security at Butler Group, Andy Kellet, believes intelligent monitoring is set to increase. “You need the maximum amount of intelligence over what’s going on. It does two things: it gives more flexibility and control if it is managed properly, but also it gives you the ability to step back and think about the risk profile of the organization. The basic principle is that if something new comes along, it’s treated as suspicious until proven otherwise.”
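The monitoring model the article describes (an application uses only a small subset of database capabilities, a learning pass records that subset, anything new is suspicious until proven otherwise, and passive mode alerts while enforcing mode blocks) reduced to its core idea, as an added illustration that is not Secerno's product nor any code from the article. The normalisation rule, the class and function names and the sample HR traffic are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Normalisation rule (an assumption for this illustration, not Secerno's):
# strip string and numeric literals so statements that differ only in their
# parameters collapse to one "shape".
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_SPACE = re.compile(r"\s+")

def statement_shape(sql: str) -> str:
    shape = _NUMBER.sub("?", _STRING.sub("?", sql))
    return _SPACE.sub(" ", shape).strip().lower().rstrip("; ")

@dataclass
class ActivityMonitor:
    enforcing: bool = False                     # False = passive mode: alert only
    baseline: set = field(default_factory=set)  # shapes seen while learning
    alerts: list = field(default_factory=list)  # (user, shape) for anything new

    def learn(self, sql: str) -> None:
        """Learning pass: record a shape observed in normal application traffic."""
        self.baseline.add(statement_shape(sql))

    def permit(self, user: str, sql: str) -> bool:
        """Return True if the statement may reach the database."""
        shape = statement_shape(sql)
        if shape in self.baseline:
            return True
        self.alerts.append((user, shape))  # new shape: suspicious until proven otherwise
        return not self.enforcing          # passive mode lets it through, but alerts

# Constructed sample of what a hypothetical HR application normally sends.
NORMAL_TRAFFIC = [
    "SELECT name, salary FROM employees WHERE id = 42",
    "SELECT name, salary FROM employees WHERE id = 1007;",
    "UPDATE employees SET salary = 51000.50 WHERE id = 42",
    "INSERT INTO audit_log (actor, action) VALUES ('hr_app', 'view')",
]

def run_demo(enforcing: bool):
    """Learn the baseline, then test one routine and two out-of-policy statements."""
    mon = ActivityMonitor(enforcing=enforcing)
    for sql in NORMAL_TRAFFIC:
        mon.learn(sql)
    verdicts = {
        "routine": mon.permit("hr_app", "select name, salary from employees where id = 9"),
        "bulk_read": mon.permit("hr_app", "SELECT name, salary FROM employees"),
        "wipe": mon.permit("dba", "DELETE FROM employees"),  # no WHERE: accidental deletion
    }
    return verdicts, mon.alerts
```

In passive mode all three statements reach the database and the two unfamiliar shapes only raise alerts; in enforcing mode those two are blocked, which is exactly the point at which Raine's question of how to handle the error for the user arises.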

Kellet says Secerno is relatively new to the activity-monitoring market, joining other players such as Guardium, Imperva and Symantec. All are riding the legislation and compliance wave that is forcing companies to look more carefully at what the database is doing in real time. “It is no longer good enough to protect systems, you have got to be able to prove it, get the right level of reporting in place, and receive the appropriate warnings,” he says, pointing out that you cannot step back from such a position after you start: “Once you define that something has to be done properly, and you start to look at what the benefits are, you never loosen the strings.”

ExpressHR are beginning to encounter this reality from their customers, explains Raine: “Customers are asking for your software to be independently audited, and to prove that by producing an audit report. The reports we’ve got, we’ve given to customers because they’ve requested them.

“While we are looking to mitigate the risks for our board, we are also telling our customers that the work we are doing is helping them better risk-manage their exposure,” he adds. Just because a company outsources its data management, it does not mean it has abdicated ultimate responsibility for its information security.

But all can share the benefits of increased database security and better intelligence, which can apply across all applications and processes that use the database. Even previously unknowable legacy systems, many written in a hurry during the dot com boom, can be analysed and forced to conform to policy. “There’s more of a reluctance to rip and replace these days, because businesses have been burnt by the latest technology too many times,” says Kellet.

CA’s Mike Small paints a depressing picture of many companies’ database security arrangements. “In many cases there isn’t even a clear inventory of data assets, never mind how they are stored or how you can control access,” he says. “Auditors find themselves asking, ‘How can I prove that this is the case for this application on this database?’ and have to rely on systems analysts to interpret the obscure reports.”

Such a situation might cause you to tear your hair out, but discovering exactly what the database is doing will uncover a path to sanity. And even if your new intelligence reveals unexpected and uncomfortable details, being fully aware might finally allow you to let your hair down. Rather like Rapunzel, in fact.