5 basic practices of database security
Original: 5 Essential Practices for Database Security
Author: Shane Johnson
Translated by: Diwei
Translator's note: We are now in the big data age, so the security of data and databases is more precious than ever. How to ensure the security and reliability of organization and user data is a skill that everyone has to master. The translation follows.
Once data is leaked, the cost is painful. Business interruption, loss of customer confidence, legal costs, regulatory penalties, or direct losses such as those caused by worm attacks can add up to millions. As the saying goes, the best defense is a good offense, so let's look at the following five key practices for keeping a database safe: protection, auditing, management, updating and encryption.
1. Use a proxy to protect the database from attacks
A database proxy (or gateway proxy) sits between the application and the database: it accepts connection requests from applications and then connects to the database on their behalf. An intelligent database proxy (such as MaxScale, which we use ourselves) provides filters and modules that add security, reliability, scalability and performance benefits.
The MaxScale database firewall filter analyzes each query a client issues; if the query does not match a whitelist configured in advance, the filter blocks it. For example, one connection may be allowed only updates and inserts, while another must match certain regular expressions, and so on.
Proxies like MaxScale can also protect databases from DDoS attacks: when too many connections hit the database server directly, it overloads, but a proxy absorbs part of the load and limits the impact of the attack.
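As an added example (not part of the original post, and not MariaDB's own documentation), here is a MaxScale configuration that places the database firewall filter in whitelist mode in front of a read-write service, together with the rules file it references. Service names, account names, addresses and file paths are constructed; the `dbfwfilter` parameters and the `rule`/`users` keywords follow the MaxScale 2.2-era syntax, which is an assumption about the version you run.

```ini
# /etc/maxscale.cnf (constructed example; adapt names, addresses and credentials)
[DatabaseFirewall]
type=filter
module=dbfwfilter
rules=/etc/maxscale/rules.txt
# action=allow turns the rules into a whitelist: a query that matches none of
# the rules assigned to the connecting user is blocked and the client gets an error
action=allow
# log both outcomes so blocked statements are visible in maxscale.log for review
log_match=true
log_no_match=true

[Read-Write-Service]
type=service
router=readwritesplit
servers=db1
user=maxscale_svc
password=<service-account-password>
filters=DatabaseFirewall

[Read-Write-Listener]
type=listener
service=Read-Write-Service
protocol=MariaDBClient
port=3306

[db1]
type=server
address=10.0.1.10
port=3306
protocol=MariaDBBackend

# /etc/maxscale/rules.txt (constructed example; one rule per line, users bound at the end)
# orders_app may only INSERT or UPDATE; SELECT, DELETE and any DDL are blocked
rule writes_only match regex '.*' on_queries insert|update
# reporting may only run SELECTs of a known shape against the report tables
rule report_queries match regex '^\s*SELECT .* FROM reports_[a-z_]+' on_queries select

users orders_app@% match any rules writes_only
users reporting@% match any rules report_queries
```

Any account that appears in no `users` line has no rules, and in `action=allow` mode that means every one of its queries is blocked, so add a `users` line for each application account the service carries. Watch `maxscale.log` after deployment: a burst of `log_no_match` entries from a legitimate account usually means its whitelist is too narrow, while the same from an unknown account is worth investigating.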
2. Establish auditing and robust logging
Auditing and logging are closely linked, but audit logs are much more elaborate than ordinary logs. Audit logs give you all the information needed to investigate suspicious activity, and if a rule really was violated, they also support root-cause analysis. In addition, audit logs help ensure compliance with regulations such as GDPR, PCI, HIPAA and SOX. (Learn more about handling GDPR with MariaDB TX.)
The MariaDB audit plugin can record a large amount of information: every incoming connection, every executed query, and even access to individual tables. You can see who accessed a table at a given time and who inserted or deleted data. The audit plugin can log to a file or to syslog, so if you already have syslog-based workflows, it plugs straight into them.
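The following SQL is an added example, not code from the original post: it loads the MariaDB Audit Plugin at runtime, selects the event classes described above, and routes the records to syslog. The variable names are the plugin's own (`server_audit_*`); the excluded account name, the syslog identifier and the sample record are constructed.

```sql
-- Load the audit plugin (server_audit.so ships with MariaDB)
INSTALL SONAME 'server_audit';

-- What to record: connects and failed logins, DDL and DML statements,
-- GRANT/REVOKE (DCL), and table-level access by any statement
SET GLOBAL server_audit_events = 'CONNECT,QUERY_DDL,QUERY_DML,QUERY_DCL,TABLE';

-- Send records to syslog so existing syslog pipelines pick them up unchanged;
-- use 'file' together with server_audit_file_path to write a local file instead
SET GLOBAL server_audit_output_type = 'syslog';
SET GLOBAL server_audit_syslog_ident = 'mariadb-audit';

-- Keep a noisy read-only monitoring account out of the log (constructed name);
-- never exclude human or application accounts
SET GLOBAL server_audit_excl_users = 'monitoring_ro';

-- Switch logging on last, after the settings above are in place
SET GLOBAL server_audit_logging = ON;

-- Verify the effective settings and that the plugin is writing without errors
SHOW GLOBAL VARIABLES LIKE 'server_audit%';
SHOW GLOBAL STATUS LIKE 'Server_audit%';

-- A TABLE event written in the plugin's file format looks like this (constructed
-- record; fields are timestamp, server host, user, client host, connection id,
-- query id, operation, database, object, return code):
-- 20170302 16:25:32,dbhost1,orders_app,10.0.2.15,12,44,WRITE,orders,order_items,0
```

`SET GLOBAL` takes effect immediately but does not survive a restart; put the same settings, plus `server_audit=FORCE_PLUS_PERMANENT` so the plugin cannot be unloaded with `UNINSTALL`, in the server configuration file as well. The `CONNECT` class is the one that records failed logins, which is the first thing to pull when investigating a suspected credential attack.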
3. Implement strict user account management
Managing database user accounts strictly is very important. This holds for every part of the IT ecosystem, so we will not elaborate here; instead, here is a reminder of several key aspects of user account management:
- Allow the super administrator account to be accessed only from the local client.
- Insist on strong passwords.
- Give each application a separate database user.
- Limit the set of IP addresses that can access the database server.
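As an added example that is not part of the original post, the SQL below lays out accounts that follow the four points above on a MariaDB server. Account names, schema names, addresses and the password placeholders are constructed; `DROP USER IF EXISTS` and `CREATE USER ... REQUIRE SSL` assume MariaDB 10.2 or later, and the password rules use the `simple_password_check` plugin that ships with the server.

```sql
-- Strong passwords: enforce length and character classes on every CREATE USER /
-- SET PASSWORD from now on (plugin variables are the server's own)
INSTALL SONAME 'simple_password_check';
SET GLOBAL simple_password_check_minimal_length = 14;
SET GLOBAL simple_password_check_digits = 1;
SET GLOBAL simple_password_check_letters_same_case = 1;
SET GLOBAL simple_password_check_other_characters = 1;

-- Super administrator: reachable from the local client only. A matching
-- 'dba'@'%' must not exist, or the host restriction is meaningless
CREATE USER 'dba'@'localhost' IDENTIFIED BY '<strong-password>';
GRANT ALL PRIVILEGES ON *.* TO 'dba'@'localhost' WITH GRANT OPTION;

-- One account per application, limited to that application's schema and to the
-- privileges it actually needs; the host part pins it to the application server's
-- address and REQUIRE SSL refuses plaintext connections from it
CREATE USER 'orders_app'@'10.0.2.15' IDENTIFIED BY '<strong-password>' REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE ON orders.* TO 'orders_app'@'10.0.2.15';

-- A reporting tool gets its own read-only account from the reporting subnet
CREATE USER 'reporting'@'10.0.3.%' IDENTIFIED BY '<strong-password>' REQUIRE SSL;
GRANT SELECT ON orders.* TO 'reporting'@'10.0.3.%';

-- Remove accounts a default installation may leave behind
DROP USER IF EXISTS ''@'localhost', ''@'dbhost1';   -- anonymous users (constructed hostname)
DROP USER IF EXISTS 'root'@'%';                      -- remote root

-- Review check: any account reachable from every host that still holds
-- server-wide privileges is a finding to fix, not a row to ignore
SELECT user, host, Super_priv, Grant_priv
  FROM mysql.user
 WHERE host IN ('%', '') AND (Super_priv = 'Y' OR Grant_priv = 'Y');
```

The host part of an account only limits who may authenticate; to limit which addresses can reach the server at all, also set `bind-address` in the server configuration and filter port 3306 at the host or network firewall, so that the account rules are the second line, not the only one.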
4. Keep the database software and the operating system up to date
We all know why software should be on the latest version, yet plenty of people still run legacy operating systems and old versions of the database server. Keep in mind that running the latest version is the only way to protect data from the latest threats.
This applies not only to server software but also to the operating system. After all, Windows security patches were not applied very well, and that indirectly opened the door to a worm attack.
5. Encrypt sensitive data, whether in the application, in transit, or at rest
Many organizations give encryption short shrift, but it is worth doing. After all, if they discover that passwords can be exposed in the course of everyday work, encryption reduces the probability of a successful hack.
The first stage of encryption is in the application, before the data ever reaches the database. If data is encrypted in the application, an attacker who compromises the database cannot see what the data is.
Next is encryption of data in transit. This means data is encrypted on the network as it moves from the client to the database server (or to the proxy server). It is essentially the same as using HTTPS in a web browser: obviously the server can see the information, because it must read the form the user filled in, and the user can read it too, because they filled in the form, but nobody in between can read it.
Finally, encryption of data at rest in the database. You can use it to encrypt InnoDB tablespaces, the InnoDB redo log and the binary log, which means you can encrypt almost everything the MariaDB server writes to disk.
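The configuration fragment below is an added example, not from the original post, covering the last two layers described above: it enables MariaDB's data-at-rest encryption for the InnoDB tablespaces, the InnoDB redo log and the binary log (plus the temporary and Aria files that would otherwise spill cleartext to disk), and turns on TLS for data in transit. Key-file and certificate paths and the thread count are constructed; the option names are MariaDB's own, and the key-management choice (the `file_key_management` plugin rather than an external KMS) is an assumption.

```ini
# /etc/my.cnf.d/encryption.cnf (constructed example; adapt paths to your layout)
[mariadb]
# --- Data at rest ---
# Key management: file_key_management reads the AES keys from a key file that is
# itself encrypted; the passphrase for it lives outside the data directory
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/encryption/keyfile.key
file_key_management_encryption_algorithm = AES_CTR

# FORCE encrypts every InnoDB tablespace and refuses to create unencrypted ones;
# existing tables are converted in the background by the encryption threads
innodb_encrypt_tables = FORCE
innodb_encryption_threads = 4
# InnoDB redo log and binary log, the two other items named in the article
innodb_encrypt_log = ON
encrypt_binlog = ON
# Temporary files, on-disk temporary tables and Aria tables, so sorts and
# spill-to-disk operations do not write cleartext next to the encrypted data
encrypt_tmp_files = ON
encrypt_tmp_disk_tables = ON
aria_encrypt_tables = ON

# --- Data in transit ---
ssl_ca   = /etc/mysql/ssl/ca.pem
ssl_cert = /etc/mysql/ssl/server-cert.pem
ssl_key  = /etc/mysql/ssl/server-key.pem
```

The plaintext key file holds one `id;hex-key` line per key (a 32-byte key for AES-256 is 64 hex characters, which `openssl rand -hex 32` produces) and is encrypted into `keyfile.enc` with `openssl enc`; the plaintext copy must not remain on the server. After a restart, `SHOW VARIABLES LIKE 'innodb_encrypt%'` confirms the settings and `information_schema.INNODB_TABLESPACES_ENCRYPTION` shows which tablespaces have been converted. On the transit side, a client that runs `SHOW STATUS LIKE 'Ssl_cipher'` and sees an empty value is connected in cleartext, which is why the account-level `REQUIRE SSL` matters as well as the server-side certificates.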