Data is probably the most important asset in a company, so you should make sure your database is secured to avoid any possible data theft. It’s hard to create an environment that is 100% secure, but in this blog we’ll share a checklist to help you make your database as secure as possible.
Controlling Database Access
You should always restrict both physical and remote access.
- Physical access (on-prem): Restrict unauthorized physical access to the database server.
- Remote access: Limit the remote access to only the necessary people, and from the less amount of source possibles. Using a VPN to access it is definitely a must here.
Managing Database User Accounts
Depending on the technology, there are many ways to improve security for your user accounts.
- Remove inactive users.
- Grant only the necessary privileges.
- Restrict the source for each user connection.
- Define a secure password policy (or, depending on the technology, enable a plugin for this if there is one).
Secure Installations and Configurations
There are some changes to do to secure your database installation.
- Install only the necessary packages and services on the server.
- Change the default admin user password and restrict the usage from only the localhost.
- Change the default port and specify the interface to listen in.
- Enable password security policy plugin.
- Configure SSL certificates to encrypt data in-transit.
- Encrypt data at-rest (if it’s possible).
- Configure the local firewall to allow access to the database port only from the local network (if it’s possible).
Employ a WAF to Avoid SQL Injections or DoS attack (Denial of Service)
These are the most common attacks to a database, and the most secure way to avoid it is by using a WAF (Web Application Firewall) to catch this kind of SQL queries or a SQL Proxy to analyze the traffic.
Keep Your OS and Database Up-to-Date
There are several fixes and improvements that the database vendor or the operating system release in order to fix or avoid vulnerabilities. It’s important to keep your system as up-to-date as possible applying patches and security upgrades.
Check CVE (Common Vulnerabilities and Exposures) Frequently
Every day, new vulnerabilities are detected for your database server. You should check it frequently to know if you need to apply a patch or change something in your configuration. One way to know it is by reviewing the CVE website, where you can find a list of vulnerabilities with a description, and you can look for your database version and vendor, to confirm if there is something critical to fix ASAP.
Following the tips above, your server will be safer, but unfortunately, there is always a risk of being hacked.
To minimize this risk, you should have a good monitoring system like ClusterControl, and run periodically some security scan tool looking for vulnerabilities like Nessus.