
Database Vulnerability Assessment

Definition

Database vulnerability assessment (DVA) solutions transparently scan databases for known vulnerabilities and check them against security standards and compliance requirements. They operate independently of the audit functionality built into the database management system (DBMS) itself; rather, a database vulnerability assessment can be regarded as a control complementary to it.

DVA solutions are also a very important tool for IT governance, risk and compliance (IT-GRC).

User Benefits

The user benefits can be quantified as:

1. Asset management tools

  • Database inventory and user accounts – DBAs, root, system admins – which have access to the database and can alter data either via the application or by logging in at the system OS or local console.
  • Data classification – identify and classify data: financial data, SOX-relevant data, personally identifiable information (PII), credentials, as well as custom-defined data categories

2. Risk and Compliance – the risk and security teams seek to implement tight controls around the data stores in order to ensure data confidentiality and integrity, while limiting access to privileged users and subsequently identifying fraudulent activities. Preventive security solutions and controls such as encryption and access management are not effective against misuse of authorized / legitimate user access. Thus, the DVA solution can be successfully deployed in order to fulfill the security controls required by:

  • Data Governance
  • Risk Management
  • Audit
  • Regulatory Compliance.

The benefits provided by the DVA solution, through tight integration with Database Activity Monitoring (DAM) and SIEM solutions respectively, extend the network controls and the security framework to the databases and data stores as well.

Business Impact

DVA solutions are deployed non-intrusively, since they only scan and discover data. Consequently there is virtually no impact on the monitored network segments.

However, there are business considerations that are to be taken into account when selecting and deploying a DVA solution:

  • The DVA findings have to be implemented very carefully in the active security solutions protecting the databases – misconfiguration of these solutions might result in disruption of business processes
  • The DVA solution should always offer assessments against security and compliance standards
  • The DVA solution should have embedded user account discovery functionality
  • The solution should also have OS and application vulnerability assessment capabilities, in order to cover the vulnerabilities introduced by these layers as well.

Products supporting this technology

Application Security Imperva

In order to adequately protect sensitive data, one needs to answer a basic question:

  • Where is my data?

This obvious question should not be skipped. Imagine the consequences if some confidential customer data were exposed wide open, just because someone assumed he knew where his data was. Is this a risk someone is willing to take? The process of discovering and "labeling" the data according to the business requirements is called data discovery and data classification.

Having performed the data discovery, one needs to do a complete inventory of database server configurations and vulnerabilities. The risk assessment should be based on business priorities and it should answer questions like:

  • What is the business impact if I have a database breach and the data contained within is being compromised?
  • What is the risk associated with the (un)intentional loss of such data?

Once the analysis of vulnerabilities and misconfigurations is completed and the data has been discovered and classified, the data has to be protected by putting in place a set of complex policies on database firewall or database monitoring solutions.

This process, presented above in a nutshell, constitutes the data discovery and assessment service, but Database Vulnerability Assessment still needs a second vital component: the management of users and roles, which play a crucial part in any database system.

When properly assessing the users and their roles, one should answer questions such as these:

  • What user accounts are active? Do I have any dormant accounts?
  • What if a user account has access to areas where normally it should not?
  • What would be the business impact if the data could be accessed and modified by users other than the intended ones?
  • How do I ensure that user accounts are mapped according to their roles so that the security policies are efficiently enforced?

This is where the user monitoring part comes into play – a database assessment solution should also include user rights and account assessment.

Once the report resulting from this assessment is generated, one can proceed to define and apply security policies for the respective data in the databases within scope.

After successfully implementing the policies, another assessment is to be done, with 2 generic purposes:

  • Check if the implementation has been done according to the security policies
  • Continuously monitor the database configuration in order to detect changes. Once a change is detected: if it has been authorized, update the data model and security policy; else send an alarm notification.

Hence one can see a periodic iteration of these 2 main actions – assessment and security policy adjustment.
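The two assessment steps described above – the user rights and account assessment (dormant accounts, privileges beyond the assigned role) and the re-assessment that separates authorized configuration changes (update the model) from unauthorized ones (alarm) – as an added Python example that is not code from the page or from any vendor product. The account export, role model, setting names and the 90-day dormancy threshold are constructed for illustration.

```python
from datetime import date

# Constructed sample export of DBMS accounts (illustrative, not from any real system)
ACCOUNTS = [
    {"name": "app_svc", "role": "application", "privs": {"SELECT", "INSERT", "UPDATE"}, "last_login": date(2024, 5, 1)},
    {"name": "alice", "role": "analyst", "privs": {"SELECT"}, "last_login": date(2024, 4, 28)},
    {"name": "bob", "role": "analyst", "privs": {"SELECT", "DROP"}, "last_login": date(2024, 4, 30)},
    {"name": "old_dba", "role": "dba", "privs": {"SELECT", "INSERT", "UPDATE", "DELETE", "DROP"}, "last_login": date(2023, 10, 1)},
]
# Privileges each role may hold under the (assumed) security policy
ROLE_MODEL = {
    "application": {"SELECT", "INSERT", "UPDATE"},
    "analyst": {"SELECT"},
    "dba": {"SELECT", "INSERT", "UPDATE", "DELETE", "DROP"},
}
DORMANT_DAYS = 90            # assumed threshold for a dormant account
TODAY = date(2024, 5, 2)     # assessment date for the constructed sample

def assess_accounts(accounts, role_model, today=TODAY, dormant_days=DORMANT_DAYS):
    """User rights assessment: flag dormant accounts and privileges beyond the account's role."""
    findings = []
    for acct in accounts:
        if (today - acct["last_login"]).days > dormant_days:
            findings.append(("dormant", acct["name"]))
        excess = acct["privs"] - role_model.get(acct["role"], set())
        if excess:
            findings.append(("excess_privilege", acct["name"], tuple(sorted(excess))))
    return findings

# Constructed configuration snapshots; setting names are illustrative only
BASELINE = {"ssl": "on", "log_connections": "on", "password_encryption": "scram-sha-256"}
CURRENT = {"ssl": "on", "log_connections": "off", "password_encryption": "scram-sha-256", "log_statement": "ddl"}
AUTHORIZED = {"log_statement": "ddl"}   # changes approved through change management

def detect_config_drift(baseline, current, authorized):
    """Re-assessment: authorized changes update the model, unauthorized ones raise an alarm."""
    to_update, alarms = {}, {}
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        if key in authorized and authorized[key] == new:
            to_update[key] = new        # authorized: refresh baseline and security policy
        else:
            alarms[key] = (old, new)    # unauthorized (or removed setting): alarm notification
    return to_update, alarms

if __name__ == "__main__":
    print("account findings:", assess_accounts(ACCOUNTS, ROLE_MODEL))
    print("config drift:", detect_config_drift(BASELINE, CURRENT, AUTHORIZED))
```

A removed setting is never treated as authorized unless the approved change list explicitly records its new (absent) value, so silent deletions also raise an alarm.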

That is why Database Firewalls include such database and user assessment functionalities.

From a deployment point of view, the database vulnerability assessment solutions can be delivered as:

  • Hardware appliance supplied by the vendor or specialized 3rd-party hardware
  • Virtual appliances running in virtualized infrastructure
  • Software agents – installed directly on the target database servers.