Database Primer - Authorization and Privileges

Let's dive back into our database primer series! Today, I want to discuss the concepts of authorization and privileges and their role within database design.



Authorization is the concept of what authority a user holds, which determines whether their actions are valid (Fortinet, 2024). Privileges are the roles that can be assigned to those users, and they define the actions the user can take. Think of it like driving: a person with a valid driver's license is authorized to drive a car. The state grants them the privilege to drive their motor vehicle when they register and insure said vehicle. However, only trained professionals are given the access and rights to drive an ambulance. Likewise, that ambulance driver does not have the privilege to drive another person’s car.

When granting permissions to users for accessing or performing actions within a database, the guiding theory should be the principle of least privilege. The principle of least privilege is a security concept that involves sectioning off roles, abilities, and areas of a database or network. It holds that a user should be given the absolute bare minimum access rights needed to accomplish their intended role (National Institute of Standards and Technology, 2023). This prevents users from accessing, altering, or exfiltrating data that is outside the scope of their intended role. For example, a user who just needs to view data from tables does not need the ability to create and destroy those tables. Granular control of account permissions also helps guard against threat actors using a compromised account to escalate privileges within an organization and accomplish their target objectives.



Database normalization is the process of reducing redundancy of data within a database (Microsoft, 2023). This includes data that may be duplicated in multiple areas, outdated data, or errors within the database stemming from data inaccuracies. When data is normalized it is easier to track data location, privileges, and updates to said data. As such, routine auditing can be accomplished on the user permissions to ensure that only authorized users are able to access the data intended for them. It also helps identify if information is updated or accessed outside of the normal scope of the project, which could indicate a threat actor has infiltrated the network.

A user may be explicitly denied access, or the ability to perform certain actions within a database, in a few scenarios. Firstly, if the user is being off-boarded from the company, they will no longer have the authorization that they did when they held their job role. Secondly, if a user account is compromised, that account needs to be immediately stripped down to prevent further tampering in the database. Lastly, if a user is moved to a different project, that move necessitates a different set of privileges and a detachment from the prior project.

When a person leaves an organization, their user account should be removed from the groups it was previously associated with. For example, if a user was in accounting, they were in the Accounting group. They would be removed from that group, and their account would then be unable to access or act upon any database objects it previously could. In my organization, a user has their privileges revoked immediately prior to notification that their job role is being terminated. A master list should be maintained and audited frequently to ensure that those individuals onboarded, transferred, or offboarded hold the proper rights and privileges. Database administrators should work closely with the Human Resources department to ensure that an up-to-date roster of user accounts is provided and maintained. Human Resources should communicate promptly when a user is being terminated, so that their user account privileges are revoked immediately prior to their dismissal notification.
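The master-list audit described above can be automated by reconciling the HR roster against the group memberships exported from the database. The following is an added example, not code from the original post; the roster layout, status values, and every group and user name other than the Accounting group are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data; names, statuses and layout are assumptions.
# HR roster (the "master list"): user -> (employment status, department)
HR_ROSTER = {
    "alice": ("active", "accounting"),
    "bob": ("offboarded", "accounting"),
    "carol": ("active", "engineering"),  # transferred from accounting
    "dave": ("active", "engineering"),   # newly onboarded
}

# Least-privilege baseline: the groups each department is entitled to.
ENTITLEMENTS = {"accounting": {"Accounting"}, "engineering": {"Engineering"}}

# Group memberships as exported from the database server.
DB_MEMBERSHIPS = {
    "alice": {"Accounting"},
    "bob": {"Accounting"},                   # never removed at offboarding
    "carol": {"Accounting", "Engineering"},  # stale group from prior project
    "dave": set(),                           # onboarded but never granted
    "mallory": {"Accounting"},               # account missing from the roster
}

@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    groups: frozenset

def audit(roster, entitlements, memberships):
    """Compare database group memberships against the HR master list."""
    findings = []
    for user in sorted(set(roster) | set(memberships)):
        held = memberships.get(user, set())
        status, dept = roster.get(user, ("unknown", None))
        # Only active staff are entitled to anything; everyone else gets nothing.
        allowed = entitlements.get(dept, set()) if status == "active" else set()
        excess, missing = held - allowed, allowed - held
        if excess:
            issue = ("excess_privilege" if status == "active"
                     else "unknown_account" if user not in roster
                     else "offboarded_with_access")
            findings.append(Finding(user, issue, frozenset(excess)))
        if missing:
            findings.append(Finding(user, "missing_privilege", frozenset(missing)))
    return findings

if __name__ == "__main__":
    for f in audit(HR_ROSTER, ENTITLEMENTS, DB_MEMBERSHIPS):
        print(f"{f.user}: {f.issue} -> {sorted(f.groups)}")
```

Each finding names the groups to revoke or grant, so the output can drive the removal from group accounts directly.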


References
Fortinet. (2024, February 15). AAA Security. Retrieved from Fortinet: https://www.fortinet.com/resources/cyberglossary/aaa-security
Microsoft. (2023, July 13). Description of the database normalization basics. Retrieved from Microsoft Learn: https://learn.microsoft.com/en-us/office/troubleshoot/access/database-normalization-description
National Institute of Standards and Technology. (2023, November 25). Least Privilege. Retrieved from NIST: https://csrc.nist.gov/glossary/term/least_privilege
