
Steps for and where to find information on database security

What are the steps one should take for database security? Where can I find material on database security for RDBMSs in general?

Database security is a complex issue. There are so many trade-offs involved that it is practically impossible to come up with a "cookbook" approach to database security.

First and foremost, limit access to the smallest group of people that still includes everyone who needs to use your database. If you can limit access to just yourself, security becomes fairly simple! If you need to make the data available to one department, one office, one company, and so on, limit the access to just that group. One simple way to achieve this is to control which workstations can connect to your database over the network. You can set up a firewall that allows connections to the database port only from specific source IP addresses, which limits the number of places from which someone can reach your data at all.

Don't set up your application to remember passwords for people. Make sure that the user must always enter a password to connect.

Don't allow users to share login IDs. Make sure that each user has their own login ID, so that every action in the database can be traced back to one person.

Force password expiration. Every 30-180 days, make the password expire so that the user must pick a new one. Prevent them from reusing their last N passwords, where N is somewhere between 8 and 100.

Limit each user's privileges to the tasks they actually need. One excellent way to do this is to grant users only SELECT permissions, then create stored procedures or middleware that perform all of the data modifications (INSERT, UPDATE, DELETE, etc.) on their behalf, so that no user ever holds direct write access to the tables.
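The expiration and least-privilege advice above, worked through in PostgreSQL syntax as an added example (this is not code from the original answer; the role, table, column and function names are hypothetical). An application role may only SELECT from the table and has an expiry date on its password; every modification goes through a SECURITY DEFINER function owned by a separate owner role, so the application role never holds INSERT, UPDATE or DELETE on the table itself.

```sql
-- Added example (PostgreSQL); run as a superuser. Names are hypothetical.

-- 1. Two roles: one owns the data and the procedures that change it,
--    the other is what the application logs in as.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE app_reader LOGIN PASSWORD 'change-me'
    VALID UNTIL '2025-01-31';        -- forces a password change on expiry

CREATE TABLE customer (
    id    serial PRIMARY KEY,
    name  text NOT NULL,
    email text NOT NULL
);
ALTER TABLE customer OWNER TO app_owner;

-- 2. Read-only access for the application; no INSERT/UPDATE/DELETE.
REVOKE ALL ON customer FROM PUBLIC;
GRANT SELECT ON customer TO app_reader;

-- 3. The only sanctioned write path: a function that runs with the
--    owner's privileges, validates its input, and exposes exactly one
--    narrowly scoped change.
CREATE OR REPLACE FUNCTION update_customer_email(p_id integer, p_email text)
RETURNS boolean
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, public   -- pin search_path so a caller cannot hijack name lookup
AS $$
BEGIN
    IF p_email !~ '^[^@[:space:]]+@[^@[:space:]]+$' THEN
        RAISE EXCEPTION 'invalid email address';
    END IF;
    UPDATE customer SET email = p_email WHERE id = p_id;
    RETURN FOUND;                      -- true if a row was changed
END;
$$;
ALTER FUNCTION update_customer_email(integer, text) OWNER TO app_owner;

-- Functions are executable by PUBLIC by default; revoke that and grant explicitly.
REVOKE EXECUTE ON FUNCTION update_customer_email(integer, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION update_customer_email(integer, text) TO app_reader;

-- 4. Check the result as the application role.
SET ROLE app_reader;
SELECT id, email FROM customer;                             -- allowed
UPDATE customer SET email = 'x@example.com' WHERE id = 1;   -- ERROR: permission denied for table customer
SELECT update_customer_email(1, 'new@example.com');         -- allowed; returns true or false
RESET ROLE;
```

Note that PostgreSQL has no built-in password-history check, so the "do not reuse the last N passwords" rule has to be enforced wherever the passwords are actually managed (a directory or single sign-on system, or an authentication module in front of the database).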

There are quite literally hundreds of books and white papers on database security. Most of them do a good job on some aspect of database security, but I've never found one that covers everything. Pick one (ten, fifty, more?) and read them. Pick the one that works best for your implementation, and re-read it often.

Because data security is a process, not a deliverable, it is inherently a never-ending battle. Because data security is as much a human issue as a technical one, 100% buy-in from management is an absolute requirement. These problems nearly guarantee that data security will never be complete and will never be easy, but it will always be interesting!
