5 basic practices of database security

Translated October 18, 2017 17:31:05

Original: 5 Essential Practices for Database Security
Author: Shane Johnson
Translation: Diwei

Translator's note: we are now in the big data age, so the security of data and databases is more precious than ever. How to ensure the security and reliability of organization and user data is a skill that everyone has to grasp. The following is the translation.

Once data is leaked, the cost is painful. Business interruption, loss of customer confidence, legal costs, regulatory penalties, or direct losses such as those caused by worm attacks can add up to millions. As the saying goes, the best defense is a good offense, so let's look at the following five key practices for keeping a database safe: protection, auditing, management, updating and encryption.

1. Use a proxy to protect the database from attack

A database proxy (or gateway proxy) sits between the application and the database: it accepts connection requests from applications and then connects to the database on their behalf. An intelligent database proxy (we use our own, MaxScale) provides filter and router modules that bring security, reliability, scalability and performance advantages.

The MaxScale database firewall filter analyses every query a client sends; if the query does not match a whitelist configured in advance, the filter blocks it automatically. For example, one connection may be allowed only to perform updates and inserts, while another must match certain regular expressions, and so on.

A proxy like MaxScale can also protect the database from DDoS attacks: a database server overloads when too many connections hit it directly, whereas the proxy absorbs part of that load and limits the impact of the attack.
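To make the two proxy behaviours above concrete, here is an added example (my own code, not MaxScale's) that models a default-deny query whitelist with per-user rules and a connection gate that caps how many backend connections the proxy will open. The user names, rule names, queries and the 500-client flood are all constructed for the demonstration.

```python
"""Query whitelist and connection gate modeled on the proxy behaviour described above.
Added example, not MaxScale code; users, rules and queries are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Leading SQL comments (/* ... */, -- ..., # ...) are stripped before classifying,
# so a comment cannot disguise the real statement type.
_LEADING_COMMENTS = re.compile(r"^(?:\s*(?:/\*.*?\*/|--[^\n]*\n|#[^\n]*\n))*\s*", re.DOTALL)


def statement_type(query: str) -> str:
    """Return the first SQL keyword of a query in upper case ('' if none)."""
    body = _LEADING_COMMENTS.sub("", query, count=1)
    m = re.match(r"[A-Za-z]+", body)
    return m.group(0).upper() if m else ""


@dataclass
class Rule:
    name: str
    statement_types: Set[str] = field(default_factory=set)  # empty = any statement type
    regex: Optional[str] = None                              # None = no text constraint

    def matches(self, query: str) -> bool:
        if self.statement_types and statement_type(query) not in self.statement_types:
            return False
        if self.regex is not None and not re.search(self.regex, query, re.IGNORECASE | re.DOTALL):
            return False
        return True


@dataclass
class UserPolicy:
    rules: List[Rule]
    match: str = "any"  # "any": one matching rule admits the query; "all": every rule must match


class WhitelistFilter:
    """Default deny: a query passes only if the connecting user's policy admits it."""

    def __init__(self, policies: Dict[str, UserPolicy]):
        self.policies = policies

    def allows(self, user: str, query: str) -> bool:
        policy = self.policies.get(user)
        if policy is None:          # unknown user: nothing is whitelisted
            return False
        verdicts = [rule.matches(query) for rule in policy.rules]
        return any(verdicts) if policy.match == "any" else all(verdicts)


class ConnectionGate:
    """Caps concurrent backend connections; excess clients are refused at the proxy
    instead of piling onto the database server."""

    def __init__(self, max_backend: int):
        self.max_backend = max_backend
        self.active = 0
        self.refused = 0

    def admit(self) -> bool:
        if self.active >= self.max_backend:
            self.refused += 1
            return False
        self.active += 1
        return True

    def release(self) -> None:
        self.active = max(0, self.active - 1)


# Constructed policies: one application may only write, another may only run
# SELECTs against the reports table.
POLICIES = {
    "app_writer": UserPolicy([Rule("writes_only", statement_types={"INSERT", "UPDATE"})]),
    "app_reporting": UserPolicy(
        [Rule("is_select", statement_types={"SELECT"}),
         Rule("reports_table", regex=r"\bFROM\s+reports\b")],
        match="all"),
}


def simulate_flood(clients: int, max_backend: int) -> Tuple[int, int]:
    """Open `clients` connections through a gate; return (admitted, refused)."""
    gate = ConnectionGate(max_backend)
    admitted = sum(1 for _ in range(clients) if gate.admit())
    return admitted, gate.refused


if __name__ == "__main__":
    f = WhitelistFilter(POLICIES)
    for user, q in [("app_writer", "UPDATE orders SET status='paid' WHERE id=5"),
                    ("app_writer", "DELETE FROM orders"),
                    ("app_reporting", "SELECT COUNT(*) FROM reports WHERE day='2017-10-18'"),
                    ("app_reporting", "SELECT * FROM users"),
                    ("intruder", "SELECT 1")]:
        print(user, "ALLOW" if f.allows(user, q) else "BLOCK", q)
    print(simulate_flood(500, 50))
```

The whitelist is evaluated per connecting user, and a user with no policy gets nothing, which is the safe default for a filter that sits in front of the data. The gate shows the DDoS point in miniature: with a cap of 50 backend connections, a flood of 500 clients leaves 450 refused at the proxy and the server never sees them.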

2. Establish auditing and robust logging

Auditing and logging are closely linked, but audit logs are far more demanding than ordinary logs. Audit logs give users all the information they need to investigate suspicious activity, and if a rule really was violated, root-cause analysis can be done from the audit log. In addition, the audit log helps ensure compliance with regulations such as GDPR, PCI, HIPAA and SOX. (Learn more about handling GDPR with MariaDB TX.)

The MariaDB audit plugin can record a great deal of information: all incoming connections, all executed queries, and even access to individual tables. Users can see who accessed a table at a given time and who inserted or deleted data. The audit plugin can log to a file or to syslog, so if you already have syslog-based workflows, they can be hooked up directly.
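The questions the paragraph says an audit log should answer (who touched a table and when, who deleted data) are easy to script once the records are parsed. The following is an added example, not code from the article or from the plugin: the sample lines are constructed to follow the comma-separated field order documented for the plugin's file output (timestamp, serverhost, username, host, connectionid, queryid, operation, database, object, retcode), and the users, hosts and queries in them are invented.

```python
"""Triage of MariaDB audit plugin file-format records.
Added example; sample records are constructed in the plugin's documented field order."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class AuditEvent(NamedTuple):
    timestamp: str
    serverhost: str
    user: str
    host: str
    connection_id: str
    query_id: str
    operation: str
    database: str
    obj: str       # table name for table events, SQL text for QUERY events
    retcode: str   # '' for table events, server error code for the others


# Constructed records: an application writing an order, a burst of failed logins
# from one address, and a local root session deleting a row.
SAMPLE_LOG = """\
20171018 17:31:05,db-host,app_orders,10.0.0.12,41,1,CONNECT,shop,,0
20171018 17:31:06,db-host,app_orders,10.0.0.12,41,2,QUERY,shop,'INSERT INTO orders VALUES (1,5,\\'paid\\')',0
20171018 17:31:06,db-host,app_orders,10.0.0.12,41,2,WRITE,shop,orders,
20171018 17:31:09,db-host,alice,10.0.0.99,42,1,CONNECT,,,1045
20171018 17:31:10,db-host,alice,10.0.0.99,43,1,CONNECT,,,1045
20171018 17:31:11,db-host,alice,10.0.0.99,44,1,CONNECT,,,1045
20171018 17:32:00,db-host,root,localhost,45,1,CONNECT,,,0
20171018 17:32:01,db-host,root,localhost,45,2,QUERY,shop,'DELETE FROM orders WHERE id=1',0
20171018 17:32:01,db-host,root,localhost,45,2,WRITE,shop,orders,
20171018 17:32:05,db-host,root,localhost,45,0,DISCONNECT,,,0
"""

TABLE_OPS = {"READ", "WRITE", "CREATE", "DROP", "ALTER", "RENAME"}
DESTRUCTIVE = re.compile(r"^\s*(DELETE|DROP|TRUNCATE|ALTER)\b", re.IGNORECASE)


def parse_line(line: str) -> AuditEvent:
    """Split the eight fixed leading fields, then peel the retcode off the tail so that
    commas inside quoted SQL text do not shift the columns."""
    head = line.rstrip("\n").split(",", 8)
    if len(head) != 9:
        raise ValueError(f"malformed audit record: {line!r}")
    obj, sep, retcode = head[8].rpartition(",")
    if not sep:                      # no trailing retcode field at all
        obj, retcode = head[8], ""
    if head[6] == "QUERY" and len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1].replace("\\'", "'")
    return AuditEvent(*head[:8], obj, retcode)


def parse_audit_log(text: str) -> List[AuditEvent]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def table_access(events: List[AuditEvent], table: str) -> List[Tuple[str, str, str, str]]:
    """Who touched `table`, when, from where and how."""
    return [(e.timestamp, e.user, e.host, e.operation)
            for e in events if e.operation in TABLE_OPS and e.obj == table]


def failed_connects(events: List[AuditEvent], threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """(user, host) pairs with at least `threshold` failed CONNECT attempts."""
    counts = Counter((e.user, e.host) for e in events
                     if e.operation == "CONNECT" and e.retcode not in ("", "0"))
    return {key: n for key, n in counts.items() if n >= threshold}


def destructive_queries(events: List[AuditEvent]) -> List[Tuple[str, str, str, str]]:
    """Statements that remove or restructure data, with who ran them."""
    return [(e.timestamp, e.user, e.host, e.obj)
            for e in events if e.operation == "QUERY" and DESTRUCTIVE.match(e.obj)]


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_LOG)
    print("access to 'orders':", table_access(events, "orders"))
    print("repeated failed logins:", failed_connects(events))
    print("destructive statements:", destructive_queries(events))
```

Parsing splits on the first eight commas and the last one rather than on every comma, because the query text in a QUERY record can itself contain commas; that is the detail that most often breaks naive audit-log scripts. The same three functions work unchanged on records forwarded through syslog once the syslog prefix has been stripped.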

3. Implement strict user account management

Managing database user accounts strictly is very important. This is a sound rule for every part of the IT ecosystem, so we will not elaborate here; instead, we simply remind you of several key aspects of user account management:

  • Allow the super-administrator account to connect only from a local client.
  • Insist on strong passwords.
  • Give each application its own database user.
  • Limit the IP addresses that may reach the database server.
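The four points above can be checked mechanically against an export of the server's account table. This is an added example, not from the article: the rows mimic the User, Host and Super_priv columns one would select from MariaDB's mysql.user table, and the accounts, the application-to-account mapping, the approved host patterns and the password policy thresholds are all constructed.

```python
"""Checks a snapshot of database accounts against the four account-management points.
Added example; rows, mappings and policy thresholds are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed snapshot of (User, Host, Super_priv) as exported from mysql.user.
ACCOUNTS = [
    ("root", "localhost", "Y"),
    ("root", "%", "Y"),               # superuser reachable from any address
    ("app_orders", "10.0.0.12", "N"),
    ("app_shared", "10.0.0.%", "N"),  # one account used by two applications
    ("reporting", "%", "N"),          # no host restriction at all
]
# Constructed: which application authenticates with which account.
APP_ACCOUNTS = {"orders-service": "app_orders", "billing": "app_shared", "reports": "app_shared"}
# Constructed: host patterns the server should accept besides local clients.
ALLOWED_HOST_PATTERNS = {"10.0.0.12", "10.0.0.%"}


def audit_accounts(accounts: List[Tuple[str, str, str]],
                   app_accounts: Dict[str, str],
                   allowed_hosts: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (user, host, problem) findings for the three checks that can be
    made from account metadata; password strength is checked separately."""
    findings = []
    for user, host, super_priv in accounts:
        if super_priv == "Y" and host not in LOCAL_HOSTS:
            findings.append((user, host, "superuser account not limited to local clients"))
        if host not in LOCAL_HOSTS and host not in allowed_hosts:
            findings.append((user, host, "host pattern not in the approved client address list"))
    apps_by_account = defaultdict(list)
    for app, account in app_accounts.items():
        apps_by_account[account].append(app)
    for account, apps in sorted(apps_by_account.items()):
        if len(apps) > 1:
            findings.append((account, "*", "account shared by applications: " + ", ".join(sorted(apps))))
    return findings


def password_is_strong(password: str, min_length: int = 14) -> bool:
    """Constructed policy: at least `min_length` characters and three of the four
    character classes (lower, upper, digit, other)."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(password) >= min_length and classes >= 3


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, APP_ACCOUNTS, ALLOWED_HOST_PATTERNS):
        print("%-12s %-12s %s" % finding)
    for candidate in ("Abc123!", "correct horse battery", "Tr0ub4dor&3xyzAB"):
        print(candidate, "strong" if password_is_strong(candidate) else "weak")
```

Run against a real export, the account check is the kind of thing to wire into a scheduled job: a new `'root'@'%'` or an application account that silently starts being reused shows up as a finding the next time it runs, rather than being discovered after an incident.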

4. Keep the database software and the operating system up to date

We all know why software should be on its latest version, yet plenty of people still run legacy operating systems and old versions of the database server. Keep in mind that running the latest version is the only way to protect data from the latest threats.

This applies not only to the server software but also to the operating system. After all, poor application of Windows operating system security patches is what indirectly opened the door to worm attacks.

5. Encrypt sensitive data, whether in the application, in transit, or at rest

Many organizations give encryption short shrift, but it is worth doing. After all, if attackers find that the passwords and data they come across are encrypted, the chances of a successful hack go down.

The first stage of encryption is in the application, before the data ever reaches the database. If data is encrypted in the application, an attacker who compromises the database cannot see what the data is.

Next comes encryption of data in transit. This means the data is encrypted on the network as it moves from the client to the database server (or to the proxy server). It is essentially the same as using HTTPS in a web browser: obviously the server can see the information, because it needs to read the form the user filled in, and the user can read it too, because they filled in the form, but nobody between the user and the server can read it.

Finally, data-at-rest encryption: encrypting data while it sits in the database. You can use it to encrypt InnoDB tablespaces, the InnoDB redo log and the binary log. This means you can encrypt almost everything that the MariaDB server writes to disk.
