# The Database Security Cheatsheet

###### tags: `database security`, `cybersecurity`

In this article, we take a look at the database security controls that should be implemented to enhance security when you have a web app that uses a database. The measures also apply to databases used by other services in various architectures. We shall cover 10 controls that can get you up to speed if implemented correctly.

## Database Security Controls

- Deploy a Database Activity Monitoring (DAM) tool to continuously monitor database activity and detect abnormal behavior or unauthorized access attempts in real time.
- Enforce secure configuration by following vendor best practices and guidelines. Minimize One Acre Fund’s attack surface by disabling unnecessary features and services.
- Enable audit features in the database to track and log user activities and changes to data.
- Implement data masking and obfuscation techniques to protect sensitive data in non-production environments, ensuring that sensitive information remains protected during development and testing.
- Implement Privileged Access Management (PAM) to manage and monitor privileged access to databases. Enforce MFA for privileged accounts and carefully control administrative privileges.
- Enforce segmentation by placing the database server in a separate DMZ isolated from the application server.
- Enforce encryption by configuring the database to only allow encrypted connections, installing a trusted digital certificate on the server, and configuring the client app to verify that the digital certificate is correct.
- Enforce proper credential storage by ensuring credentials are never stored in application source code and are instead stored in a configuration file that is outside the web root and has appropriate permissions.
- Enforce database configuration and hardening:
  - The underlying database server should be hardened based on CIS benchmark standards; install any required patches, and configure the database services to run under a low-privileged user account.
  - Store transaction logs on a separate disk from the main database files.
  - Configure regular backups of the database and ensure they are protected with appropriate permissions and preferably encrypted.
- Enforce proper authentication and authorization practices:
  - Regular reviews of accounts to ensure they are still required.
  - Regular reviews of permissions.
  - Removing user accounts when an app is decommissioned.
  - Changing passwords when staff leave or there is reason to believe that they may have been compromised.

## Conclusion

These steps serve as a general guide and are a good starting point when defining the security architecture of your database systems.
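As an added example (not part of the original article), the following Python check tests a web app's database connection settings against three of the controls above: encrypted, certificate-verified connections; credentials kept in a file outside the web root; and restrictive permissions on that file. It assumes a hypothetical INI file with a `[database]` section using PostgreSQL libpq-style keys (`sslmode`, `sslrootcert`); the two configs it inspects are constructed in a temporary directory.

```python
import configparser
import stat
import tempfile
from pathlib import Path


def check_db_config(cfg_path: Path, web_root: Path) -> list[str]:
    """Return findings for a credentials file, or [] if it meets the controls."""
    findings = []
    cfg_path, web_root = cfg_path.resolve(), web_root.resolve()
    # Control: credentials live in a config file outside the web root ...
    if cfg_path == web_root or web_root in cfg_path.parents:
        findings.append("credentials file is inside the web root")
    # ... with appropriate permissions (owner-only; no group/world bits)
    mode = stat.S_IMODE(cfg_path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"credentials file is group/world accessible (mode {oct(mode)})")
    parser = configparser.ConfigParser()
    parser.read(cfg_path)
    db = parser["database"]  # hypothetical section name
    # Control: only encrypted connections, and the client verifies the server
    # certificate. In libpq terms only sslmode=verify-full checks both the CA
    # chain and the host name; 'require' encrypts but trusts any certificate.
    if db.get("sslmode") != "verify-full":
        findings.append(f"sslmode={db.get('sslmode')!r} does not verify the server certificate")
    if not db.get("sslrootcert"):
        findings.append("no sslrootcert configured; the client cannot verify the certificate")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed weak and hardened configs; 'html' stands in for the web root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "html"
        weak = root / "db.ini"  # inside the web root, world-readable, no verification
        weak.parent.mkdir()
        weak.write_text("[database]\nhost=db.internal\nuser=webapp\n"
                        "password=EXAMPLE-ONLY\nsslmode=prefer\n")
        weak.chmod(0o644)
        hard = Path(tmp) / "etc" / "db.ini"  # outside the web root, owner-only
        hard.parent.mkdir()
        hard.write_text("[database]\nhost=db.internal\nuser=webapp\n"
                        "password=EXAMPLE-ONLY\nsslmode=verify-full\n"
                        "sslrootcert=/etc/ssl/certs/internal-ca.pem\n")
        hard.chmod(0o600)
        return check_db_config(weak, root), check_db_config(hard, root)


if __name__ == "__main__":
    weak_findings, hard_findings = demo()
    print("weak config:", *weak_findings, sep="\n  ")
    print("hardened config:", hard_findings or "no findings")
```

The weak config produces four findings (inside the web root, group/world-readable, `sslmode=prefer`, no `sslrootcert`) and the hardened one produces none; the same check can run as a deployment-time gate before the app is allowed to start.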