March 23, 2021

Configuring your database systems for security is also known as database hardening.  Doing this can significantly limit the vulnerability of your sensitive data.  Designing for security means understanding the best practices for database configuration and applying them to your database environments efficiently.  Specific database configuration settings are unique to each database system based on the network architecture, hardware and software, and applications used.  In this article. we will examine some general principles of data security that can be implemented across a variety of scenarios.

1.  Secure the Physical Space

Designing a secure database environment begins with the physical space.  If you have any on-premise servers, make sure they are in a locked and monitored environment to limit unnecessary access. The location should have security protocols for physical emergencies such as fire or natural disasters.  Ensure your data is safe by implementing and maintaining database backups according to your technology’s best practices.

2.  Isolate to Insulate Data

Use the principle of isolation as a best practice to insulate your data in the case of a breach.  This will limit the impact by minimizing the access of any bad actors.  The best way to isolate your database servers will depend on your unique system and network architecture.  Application and web servers are more vulnerable than database servers. Isolating these components can be done by hosting these servers on different machines.  You can further isolate the transaction logs from the main database files by storing them on a separate disk.  Encrypt as much data as possible, this may include stored data, data in transit, backup files, and more.  Keeping all decryption keys isolated from their counterpart files is also largely recommended.

3.  Use Principle of Least Privilege

Many data leaks can be prevented by maintaining the principle of least privilege (PoLP).  This is where an account is granted only the privileges it requires to perform its task with no superfluous abilities.  This way, if an account is compromised, bad actors are more limited in their level of access.  If an account needs to perform a specific task that requires a higher access level, that access should be granted on a temporary basis.  Additionally, make sure your environments are routinely audited for outdated accounts and then removed promptly.  While configuring your database environments takes a bit of time and ongoing management, however well worth the effort.

4.  Routinely Update and Patch

It is important to keep in mind that security threats are constantly evolving.  Technology companies work hard to stay one step ahead of these threats by identifying and patching new vulnerabilities.  Make sure any updates and patches are applied in a timely manner to combat any known issues.  Updates and patches can mean strategic downtime.  If your company is concerned about maintaining business continuity, consider a database management partner that can help you implement an optimized management strategy.

5.  Harden the Whole Environment

Database hardening procedures should not stop at just the database systems. These practices should involve the entirety of the data management system, including the underlying operating system, the database application, and any additional hardware and software. Refer to best practices for your technologies in use to harden all available levels of your system. A consulting group can help unify your security configurations to make sure each level of your system is working in conjunction with the next.

Protecting your company from the effects of a data breach is an ongoing effort that can save significant costs. Database hardening is a practice that can help both reduce your risk of a breach and minimize the impact of any leaks. Make sure your company stays protected by following best practices to keep your database environments secure. Work with your internal IT team, your technology providers, and your third-party database services provider to develop a configuration strategy that hardens your database and protects your sensitive data.