Five Points of database security

Source: Internet
Author: User

For telecom enterprises, database security is very important. Just imagine a problem with the recharge system, or what happens to the system when a mobile phone user checks the bill at the end of the month. The following is some experience in database security from a telecom enterprise's database operators, together with suggestions from star-Chen database security experts, offered in the hope of providing some inspiration and reference.

I. Database Version and Component Selection

1. Use a higher, more stable database version to avoid bugs that affect the business. For example, an ORA-04031 caused a Share_pool error in the settlement system, resulting in application connection failures.

2. When building a database, identify the Oracle components that the production database needs, and select only the minimum set of components that satisfies the usage environment.

II. Table Management

1. Manage backup tables and temporary tables with standardized schemas.

2. Store separate business objects in their own schemas.

3. Creating backup or temporary objects with DDL exposes change-management risk and calls for stronger change management.

4. A schema stores the tables designed for one system or module and must not be mixed with tables used for other purposes.

5. Manage temporary tables and backup tables in separate schemas, keeping backup tables and temporary tables apart. This avoids space fragmentation and performance impact on business data storage, and effectively reduces the impact of data backup and cleanup operations on business operations.

III. User Privilege Security

1. Remove users that the database absolutely does not need. For example, user Scott is an Oracle test user; in a production environment, this user and its associated objects should be deleted or moved to a test environment.

2. For Oracle built-in users that are LOCKED, evaluate whether they are used in the production environment, and delete the relevant components and users if they are not needed.

3. Manage user roles strictly to prevent excessive privileges from being granted: reclaim the RESOURCE role from users and create custom roles with more restrictive permissions.

4. Revoke roles that users do not need.
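
The review in items 1 to 4 can be run from the Oracle data dictionary. This is an added example, not part of the original article; APP_OWNER, APP_BASIC_ROLE, the USERS tablespace and the 500M quota are hypothetical values chosen for illustration.

```sql
-- Run as a DBA. APP_OWNER / APP_BASIC_ROLE are hypothetical names.

-- Items 1-2: list every account with its status, so test users such as
-- SCOTT and built-in accounts that are already LOCKED can be reviewed.
SELECT username, account_status, created
FROM   dba_users
ORDER  BY account_status, username;

-- Item 1: see what SCOTT still owns before removing it from production.
SELECT owner, object_type, COUNT(*) AS object_count
FROM   dba_objects
WHERE  owner = 'SCOTT'
GROUP  BY owner, object_type;

-- After the review (or after moving the objects to a test environment):
DROP USER scott CASCADE;

-- Items 3-4: find who holds the broad predefined roles.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'RESOURCE')
ORDER  BY granted_role, grantee;

-- Item 3: replace RESOURCE with a custom role that carries only the
-- privileges this application schema needs (the list is an assumption).
CREATE ROLE app_basic_role;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE TO app_basic_role;
GRANT app_basic_role TO app_owner;

-- Give an explicit quota so the schema does not depend on unlimited
-- tablespace, then take the broad role back.
ALTER USER app_owner QUOTA 500M ON users;
REVOKE RESOURCE FROM app_owner;
```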

IV. Access Security

1. Standardize the database management software, so that the management software is standard and unified.

2. To prevent applications from introducing a back door into the database and creating security risks, check the security of all programs that connect to the database. Prevent direct manipulation of the database by using a portal to monitor database logins.

3. Bring the IP addresses that connect over the network under standardized, unified management, and each quarter review permissions and go through the IP addresses the system allows and the user privileges. Give employees safety training, strengthen their awareness of system security, and have them operate carefully.

4. Verify that the host accessing the database is a known user, connect to the database using a host dedicated to maintenance, and prohibit direct manipulation of the database through public dblinks. One day, system maintenance personnel received a complaint and found that a column was missing from a table; fortunately it was a status column. They first inserted it manually and then looked for the cause, and found that the application's dblink intended for the test database was linked to the production database. This shows how important database security is.

5. Audit SYSDBA operations.

6. Audit all queries against important business tables.
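
The checks in items 1, 4, 5 and 6 map onto a few dictionary queries and audit settings. This is an added example, not part of the original article; it assumes Oracle's traditional (non-unified) auditing, and TEST_LINK and BILLING.ACCOUNT_BALANCE are hypothetical names.

```sql
-- Run as a DBA. TEST_LINK and BILLING.ACCOUNT_BALANCE are hypothetical.

-- Items 1 and 4: which hosts and client programs are connected right now?
-- Compare against the list of known maintenance hosts and approved tools.
SELECT machine, program, username, COUNT(*) AS sessions
FROM   v$session
WHERE  type = 'USER'
GROUP  BY machine, program, username
ORDER  BY machine, program;

-- Item 4: public database links are usable by every account. List them
-- with their target (HOST) to catch a link pointing at the wrong database.
SELECT owner, db_link, username, host, created
FROM   dba_db_links
WHERE  owner = 'PUBLIC';

-- Remove a public link that should not exist.
DROP PUBLIC DATABASE LINK test_link;

-- Item 5: audit SYSDBA operations. Both parameters are static, so they
-- take effect after the next restart. SYS records are written to
-- operating-system audit files, not to the database audit trail.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

-- Item 6: audit every query against an important business table.
AUDIT SELECT ON billing.account_balance BY ACCESS;

-- Review who queried it, and from which host.
SELECT username, userhost, owner, obj_name, action_name, timestamp
FROM   dba_audit_trail
WHERE  owner = 'BILLING'
AND    obj_name = 'ACCOUNT_BALANCE'
ORDER  BY timestamp DESC;
```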

V. Backup Security

1. Establish a backup mechanism. For the system's key business, deploy backup management software such as NBU, DP or DSG, and create an appropriate backup strategy based on the business situation, system load and available database resources. Our unit does a full backup weekly during idle time and a backup each day, and the operating system uses crontab or tape to back up the primary directories.

2. For key business systems, current mainstream disaster-recovery software such as Oracle GoldenGate, DG or Quest SharePlex can be used. At business peaks, such as our system's accounting period, business is busy and CPU idle is 1% or 0% each day. It is then necessary to consider using synchronous replication to create a standby and migrate the accounting-period business to the standby database, without affecting the business of the main database.

Expert comments on database security from Venus Chen

The author's thinking about database security is very comprehensive. It covers not only database management, such as version management, table management and permission restriction, but also the security of external access, including client program management, application system security checks, client IP control, and even auditing of DBAs and important operations, as well as data backup. Of course, the scope of database security is very wide: intrusion prevention, access authentication, data encryption and other security measures should also be considered. If a security manager considers these factors from the start of database construction, the risk of data leakage or tampering will be greatly reduced.

Database risk mainly comes from two sources: external attack, and improper operations (intentional or unintentional) by internal personnel who have privileges. The case in this article is a mistaken operation by privileged personnel. To eliminate the risk of such operations, in addition to strict access control, auditing the operations of highly privileged users is also very important, as is good data backup, so that remedial measures are available once a problem occurs.

It is worth noting that database security measures should take both performance impact and security effect into account. For example, many organizations purchase independent database audit products rather than simply enabling the database's own audit function; besides meeting third-party audit requirements, this also protects database performance from being affected by enabling the built-in audit module.
