Database Security Best Practices Aug 27,2013

Over the past few years, a number of online tools have made it practically easy for anyone to quickly set up data-driven websites. The ease in accessibility, however, does not translate to security.


Databases are often times the prime targets of cybercriminals because they hold valuable information (such as credit card information) that can be converted to easy money.


Database security is definitely an extremely in-depth topic that could never be covered in the course of one article; however there are a number of best practices that can help even the smallest of businesses secure their databases enough to prevent data theft, intellectual property breach and misuse of confidential and sensitive company information.


Best Practice #1: Separate the Database and Web Servers


While most databases are embedded in most web software, this makes access to data all too easy for an attacker to access. As soon as they crack the administrator account for the web server, the data is readily available to them. As such, databases must be extra protected and should reside on a separate database server located behind a firewall. While this makes for a more complicated setup, the security benefits are well worth the effort.


Best Practice #2: Encrypt Stored Files


The stored files of a web application often contain information about the databases the software needs to connect to. This information, if stored in plain text like many default installations do, provide the keys an attacker needs to access sensitive data. There is definitely great benefit in encrypting stored files. In so doing, you prevent attackers from tracking the ultimate source of data.


Best Practice #3: Encrypt Your Backups


Not all data theft happens as a result of an outside attack. While this assumes mistrust among the organization’s employees, companies who have this basic presumption are always better safe than sorry.


Best Practice #4: Use Web Application Firewalls


In addition to protecting your web site against cross-site scripting vulnerabilities and vandalism, a good application firewall is helpful in thwarting SQL injection attacks as well. By preventing the injection of SQL queries by an attacker, the firewall can help keep sensitive information stored in the database away from prying eyes.


Best Practice #5: Keep Patches Current


Web sites that are rich with third-party applications, widgets, components and various other plug-ins and add-ons automatically become easy targets of vandalism and data theft. As such, it always helps to keep patches current.


Best Practice #6: Don't Use a Shared Server

If your database holds sensitive information, it always helps to have a separate server. While it may be easier, and cheaper, to host your site with a hosting provider, this is generally unsafe as you are placing the security of your information in the hands of a third-party provider.


Best Practice #7: Enable Security Controls


While most databases nowadays will enable security controls by default, it is always a good pre-emptive measure to enable security controls yourself. It also helps to have back-up security controls installed.