I work in a data center of a financial institution with a size of about a thousand people. Two or three people are responsible for information security.
Based on my work experience, we can start with the following aspects:
I. System Level
At the system level, you need to pay attention to the following aspects:
1. User management. Different users have different permissions; grant only the read and write permissions each user needs. Special users (similar to the root user in Linux) can start and stop the system, while read/write users are mainly used for routine maintenance.
2. File management. Some important files require special protection, which must be implemented together with user management.
3. Password management. Passwords must be changed regularly and cannot be tried too many times; otherwise the password is frozen.
4. System logs. The importance of system logs is self-evident; many problems can be solved through logs.
II. Database Layer
Every DBMS has security control functions. The principle of permission allocation is role-based permission control: grant different permissions to different roles, assign different users to different groups, and assign different roles to different groups; this should be common practice.
III. Third-party Database Audit Products
The database itself has an audit function; we chose a third-party product because the built-in function has a great impact on system performance. Database audit products can audit database behaviors such as SELECT and UPDATE. If any abnormal database behavior is found, you can use the product to find the relevant information.
In fact, the main problems facing database security are not external factors but users who view or modify data beyond their permissions, that is, leakage of user information. This is worth noting. The method we adopt is a clear division of rights and responsibilities: the permissions of application personnel and O&M personnel are separated, permissions are controlled along both the system and application dimensions, and they are further refined at the three levels above.
On the whole, there is not much new in database security. I have not found any serious security problems in two years. Despite this, we still have a contingency plan: start with the system logs, locate the user, then locate the user's behavior to find the real problem.
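As an added example that is not part of the original post, the contingency plan above (start from the logs, locate the user, then the user's behavior) can be scripted against a database audit log: each audited operation is checked against the permissions of the user's role, and any user acting outside them is located together with their full activity. The role table, user-to-role mapping and audit lines are constructed for illustration, and the one-record-per-line log shape is assumed rather than taken from any particular audit product.

```python
import re

# Constructed role table mirroring the read-only / read-write / special-user split:
# each role maps to the (table, operation) pairs it is permitted to perform.
ROLE_PERMS = {
    "reader": {("accounts", "SELECT"), ("ledger", "SELECT")},
    "ops": {("accounts", "SELECT"), ("accounts", "UPDATE"),
            ("ledger", "SELECT"), ("ledger", "UPDATE")},
    "dba": {("accounts", "SELECT"), ("accounts", "UPDATE"),
            ("ledger", "SELECT"), ("ledger", "UPDATE"), ("customers", "SELECT")},
}

# Constructed user-to-role assignment (application staff, O&M staff, DBA).
USER_ROLES = {"alice": "reader", "bob": "ops", "carol": "dba"}

# Constructed audit records in an assumed "timestamp user operation table" format.
SAMPLE_AUDIT_LOG = """\
2024-03-01T09:00:01 alice SELECT accounts
2024-03-01T09:05:12 alice SELECT customers
2024-03-01T09:07:44 bob UPDATE ledger
2024-03-01T09:10:03 bob DELETE accounts
2024-03-01T09:12:30 carol SELECT customers
2024-03-01T09:15:00 dave SELECT ledger
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<op>[A-Z]+)\s+(?P<table>\S+)$")


def parse_audit_log(text):
    """Parse one record per line; lines that do not match the expected shape are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_violations(records):
    """Return the records where a user acted outside the permissions of their role.
    A user with no role assignment is permitted nothing, so every action is flagged."""
    violations = []
    for r in records:
        allowed = ROLE_PERMS.get(USER_ROLES.get(r["user"]), set())
        if (r["table"], r["op"]) not in allowed:
            violations.append(r)
    return violations


def activity_by_user(records, user):
    """Contingency step: once a user is located, list that user's full behavior in order."""
    return [(r["ts"], r["op"], r["table"]) for r in records if r["user"] == user]
```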
Expert comment:
The author has a comprehensive understanding of database security, lists basic security measures, and emphasizes two important aspects of database security: permission control and audit. The thinking and security suggestions are worth learning from. If you can go deeper into the system, the results will be better.