What are the steps one should take for Database security? Where can I find material on database security for RDBMS in general?
Database security is a complex issue. There are so many "give and take" items that make it practically impossible to come up with a "cookbook" approach to database security.
First and foremost, you need to limit access to the smallest group of people that includes everyone that you want to use your database. If you can limit access to just yourself, security becomes fairly simple! If you need to make the data available to one department, one office, one company, or so on, limit the access to just that group. One simple way to achieve this limitation is to control which workstations can physically connect to your database. You can set up a firewall to limit access to just certain groups of destination TCP/IP addresses, which will allow you to limit the number of possible places that someone can access your data.
Don't set up your application to remember passwords for people. Make sure that the user must always enter a password.
Don't allow users to share login IDs. Make sure that each user has their own login ID.
Force password expiration. Every 30-180 days, make the password expire so they need to pick a new password. Prevent them from reusing their last N passwords, where N is somewhere between 8 and 100.
Limit the user's ability to only the tasks that they need. One excellent way to do this is to grant the users only SELECT permissions, then create stored procedures or middleware that will do all of the data modifications (INSERT, UPDATE, DELETE, etc.).
There are quite literally hundreds of books and white papers on database security. Most of them do a good job on some aspect of database security, but I've never found one that covers everything. Pick one (ten, fifty, more?) and read them. Pick the one that works best for your implementation, and re-read it often.
Because data security is a process, not a deliverable, it is inherently a never-ending battle. Because data security is as much a human issue as a technical one, the 100% buy-in of management is an absolute requirement. These problems nearly guarantee that data security will never be complete, and will never be easy, but it will always be interesting!
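The access-control advice in the answer above (one login ID per person, expiring passwords, read-only grants, and all modifications routed through stored procedures) can be expressed directly in RDBMS privileges. The following is an added example, not code from the original answer or from searchDatabase.com. It is written for PostgreSQL; the schema `app`, the roles `app_owner`, `app_reader` and `alice`, the table `app.orders` and the function `app.place_order` are all constructed names, and the expiry date is a placeholder.

```sql
-- Added example (PostgreSQL dialect). All names and dates are constructed.

-- A non-login role owns the schema and the data; nobody logs in as it.
CREATE ROLE app_owner NOLOGIN;
CREATE SCHEMA app AUTHORIZATION app_owner;

CREATE TABLE app.orders (
    order_id    bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    customer_id integer NOT NULL,
    amount      numeric(12, 2) NOT NULL,
    placed_at   timestamptz NOT NULL DEFAULT now()
);
ALTER TABLE app.orders OWNER TO app_owner;

-- A read-only group role: SELECT and nothing else, now and for future tables.
CREATE ROLE app_reader NOLOGIN;
GRANT USAGE ON SCHEMA app TO app_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA app TO app_reader;
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT SELECT ON TABLES TO app_reader;

-- One login ID per person, never shared; VALID UNTIL forces a password rotation
-- (placeholder date; pick a value inside the 30-180 day window the answer suggests).
CREATE ROLE alice LOGIN PASSWORD 'change-me-on-first-login' VALID UNTIL '2099-01-01';
GRANT app_reader TO alice;

-- All writes go through a SECURITY DEFINER function owned by app_owner.
-- Callers never receive INSERT/UPDATE/DELETE on the table itself, and the
-- function can enforce business rules before touching the data.
CREATE OR REPLACE FUNCTION app.place_order(p_customer_id integer, p_amount numeric)
RETURNS bigint
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = app, pg_temp   -- pin search_path so a caller cannot redirect lookups
AS $$
DECLARE
    new_id bigint;
BEGIN
    IF p_amount <= 0 THEN
        RAISE EXCEPTION 'amount must be positive, got %', p_amount;
    END IF;
    INSERT INTO app.orders (customer_id, amount)
    VALUES (p_customer_id, p_amount)
    RETURNING order_id INTO new_id;
    RETURN new_id;
END
$$;
ALTER FUNCTION app.place_order(integer, numeric) OWNER TO app_owner;

-- PostgreSQL grants EXECUTE to PUBLIC by default; take it back and grant it
-- only to the group that should be placing orders.
REVOKE ALL ON FUNCTION app.place_order(integer, numeric) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app.place_order(integer, numeric) TO app_reader;

-- Check the result from the user's point of view.
SET ROLE alice;
SELECT count(*) FROM app.orders;                         -- allowed: read-only grant
-- INSERT INTO app.orders (customer_id, amount) VALUES (1, 10.00);
--   would fail with "permission denied for table orders"
SELECT app.place_order(1, 10.00);                       -- allowed: runs as app_owner
RESET ROLE;
```

The network restriction the answer describes (limiting which workstations can reach the database) has a server-side counterpart in `pg_hba.conf`: a line such as `host app alice 10.0.1.0/24 scram-sha-256` (constructed address range) admits `alice` to database `app` only from that subnet, which complements rather than replaces the firewall rule.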