Michael Sentonas, Vice President & Chief Technology Officer, Asia Pacific, McAfee, talked to Harshal Kallyanpur about the vendor’s approach to database security.
In the past, there has been so much focus on protecting data in general that databases unfortunately got left behind in the race for data security. Some of the most important information that resides within any organization is stored in a database—business, sales, financial or even customer information. In most cases, the database is a sacred entity and organizations do not want to install security features on them, and this has led to a lack of focus on database security.
However, there have been many publicly known cases wherein databases have been compromised and information was extracted. It is only now that organizations have started looking at implementing some level of database security.
Can’t current security mechanisms handle database security?
SQL injections are a classic example of an attack that extracts data from a database and still continues to be the number one attack vector affecting databases. Each month, there are new vulnerabilities that are discovered, which target common databases such as SQL Server and Oracle. Each time that a vulnerability is discovered, a new patch is rolled out looking to plug the security hole for that particular database offering.
Typically, a database solution would have multiple patches that resolve various issues including security vulnerabilities. Applying these patches would require stopping access to the database. Therefore, database administrators usually plan the patching process during non-production hours.
Why is database security a better value proposition?
Often there are many different types of databases, small or large in size, that the IT team may not know about. There could be someone in some department who rolled out an application that required a certain brand or type of database solution. The first step to database security is to conduct a vulnerability assessment.
Database security, depending on the product offering, gives you the ability to roll out, what we call in McAfee terms, a virtual patch. What this means is that it gives you the ability to provide protection against the vulnerability without rolling out the patch. The database security solution will offer the functionality that blocks all avenues of attack on a database exploiting that vulnerability before the patch is applied.
The DBA now need not be worried about the vulnerability being exploited while he tests the patch. He can roll out the patch after testing it, once he is sure that it is working as it should.
How does this solution help in the Cloud computing scheme of things?
The traditional network is disappearing rapidly and building a firewall around your information is an approach that is no longer effective in many cases. A lot of infrastructure today is managed by third parties, which effectively means that the databases are also managed by these external entities. These databases reside on virtualized infrastructure. While this makes the situation more complex, it makes security all the more important. Today we need security that follows the database rather than the network.
IT used to put an appliance in front of a database to provide security. However, architecturally, it makes more sense to implement security on the database itself as, while an appliance can protect the database against external attacks, it does not stand guard against internal threats. To protect against internal attacks, you would need another appliance. In the Cloud context, you would need access to the security appliance that provides protection for the database or just trust the service provider with the security of the database.
Implementing security on the database ensures that it is protected not only from external attacks but internal ones too. Moreover, as the security mechanism for the database moves with the database, IT doesn’t need to worry about database security from a location perspective anymore. With the database security mechanism being software-based, the database can be located in a virtualized environment, on a laptop, or even in the Cloud and still have the same level of protection.
Tell us about how your solution takes care of database security.
The first piece of our solution is the database vulnerability assessment capability. This discovers and analyzes the vulnerabilities that exist in databases. The second piece is around database activity monitoring, creating an audit trail of all the activities happening on the database. The final piece is creating and rolling out the virtual patch.
We have taken a software-driven approach where the security mechanism is installed directly on the database itself. It has minimal impact in terms of database overhead and the organization has far fewer architectural changes to make to its network. The software can be deployed and managed from a central management console and all of the databases with the software implemented can be managed from this single console. It is the same management console that we offer for managing all of our other end-point security offerings, which therefore eliminates the need to deploy another product with its own management software and the associated architectural changes and support requirements.