What Is Database Security Hygiene?
Basically, database security hygiene refers to the day-to-day steps your team has to take to fix minor errors and correct problems and vulnerabilities in your database. These problems could be totally innocuous – but without proper “hygiene” they could get much worse, particularly if a hacker manages to gain access to the account of a DBA or other privileged user.
Just like we take day-to-day steps to preserve our own health and hygiene – by doing things like brushing our teeth, washing our hands, cleaning our bodies, and so on – we must also take steps to do the same with our Oracle databases. Let’s take a look at 5 of these best practices now.
1. Focus On Separation of Duties (SOD)
Separation of Duties is a key part of database security hygiene. Rather than having a single, all-powerful user responsible for things like operations, administration and security, these administration tasks should be divvied up between multiple users.
For example, you could spread out privileges like SYSBACKUP for system backups and SYSDG for Data Guard administration between two users, rather than having one user with the SYSDBA privilege take responsibility for both duties.
2. Create Individual, Named Users (With No Account Sharing)
This is key for tracking the activities of users, recognizing suspicious behavior, and increasing accountability. Never use shared accounts. Each user of your database must have a distinct, unique, named account that spells out their name – and is tied to the unique set of privileges they need, based on their job role. This makes it easier to audit the activities of individual users.
3. Proper SYSDBA Account Management
SYSDBA is, essentially, a ROOT account for the administration of your database. This means SYSDBA privileges should be restricted whenever possible, and the SYSDBA account and its activity should be closely monitored.
In fact, we recommend a two-person rule for the use of the SYSDBA account. Anyone attempting to use it – even if they are allowed to do so – should have to get secondary approval from another qualified SYSDBA account user.
4. Enforce The Principle Of Least Privilege (POLP)
POLP states that each individual user should only have the least amount of privileges that they need in order to accomplish their tasks. A database administrator may need the ability to access, edit, and manage your database – but a non-technical user like someone from marketing or operations may only need edit privileges.By using this granular approach to granting database privileges, you can minimize the risks of serious data loss if a user’s account is hacked or otherwise compromised.
5. Build Audit Protection Controls Into Your Database
You need to build an audit system that identifies the actions taken by every user, so that you can check the logs for breaches or suspicious activity. A few of the actions you should include in your logs include:
- CREATE USER
- CREATE ANY TABLE
- ALTER SYSTEM
- ALTER SESSION
The exact logs you’ll need to keep depend on your database and your security policies. Enable and disable the audit policies you need, and make sure that your audit logs are irrefutable and cannot be modified by any users.
Keep Your Database Healthy And Secure With These Best Practices
By following these simple tips, you can keep your database healthy and avoid risks related to compromised user accounts. So think about how you can start improving your database security hygiene – and get started today!