Database Primer - MySQL and Oracle

The biggest difference between MySQL and Oracle from a business perspective is that MySQL is open-source: it is updated and maintained transparently with the community, and it is free of charge. Oracle is a paid product maintained in-house by Oracle's development team. Beyond the licensing cost, this means that security updates are less transparent and harder to identify unless the patch notes are written in exacting detail, which can leave uncertainty about how secure the software really is; with open source you have a much clearer view of the state of the build. On the other hand, the nature of open source means that you are relying on the community to police itself so that malicious code is not injected into a build.

"Oracle-vs-SQL-Server", by Priya Pedamkar, licensed under CC BY 2.0


Securing MySQL and Oracle databases starts with AAA: Authentication, Authorization, and Accounting (Fortinet, 2024). The database should require authentication, so that each user proves they are who they claim to be. Authorization comes next: each user group is assigned a set of privileges that determines how much access its members have, based on their job. Accounting captures log data on which users logged in successfully, which login attempts failed, and what each user did within the database, so you can find out whether an unauthorized user attempted to access, alter, or exfiltrate data. Lastly, to prevent data from being read if it is intercepted in transit or taken while at rest, the database contents should be protected with encryption standards such as Oracle's Transparent Data Encryption (Oracle, 2024), which covers the at-rest case by encrypting the stored data.

Security-in-depth measures should focus on segmentation and on security controls throughout the network, not only at its edge. Firewall solutions, both hardware and software, should be placed at the exterior of the network and between the network segments. A DMZ should be used if customers access the database, so that a compromise of the customer-facing tier does not grant access to the rest of the network. To identify threat actors that have already breached the network, Intrusion Detection Systems and Intrusion Prevention Systems should be installed and configured. Additionally, user account privileges should be kept within the principle of least privilege. Lastly, physical security of the servers should be maintained, well documented, and audited regularly.

Firewalls are essential for isolating a database from the rest of the network. Network policies can be enforced by the firewall, preventing unauthorized traffic to and from the isolated segment (Cybersecurity & Infrastructure Security Agency, 2024). Placing the database in an isolated environment such as a separate VLAN further prevents an attacker who gains partial access to one area of the network from reaching the whole of it.

Database administrators should follow industry best practice by implementing and enforcing the principle of least privilege. In other words, not every user requires access to the entire database. User groups help with this: access rights are tailored to each group, and a user's rights depend on the group they belong to. For example, the accounting department would not need access to the database information maintained by the Human Relations department. In that scenario, the accounting department would have a user group that allows access to the accounting area of the database and nowhere else, and users onboarded to that department would be added to that group. That way, if an account is compromised, the attacker is limited to the areas the group policy assigned to that account allows.
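The AAA controls and the departmental least-privilege model described above, as an added MySQL 8.0 example (not code from the original post): one role per department, a user that holds only the accounting role, a TLS requirement and lockout on the account, and the general log as the accounting record. The schema names accounting and hr, the user jdoe, the 10.0.20.% office subnet and the placeholder password are assumptions.

```sql
-- Added example (not from the original post): MySQL 8.0 statements that put the
-- AAA and least-privilege points into practice. Schema names (accounting, hr),
-- the user jdoe, the subnet 10.0.20.% and the password are assumed placeholders.

-- Authentication: only accept encrypted (TLS) client connections server-wide.
SET PERSIST require_secure_transport = ON;

-- Authorization: one role per department, scoped to that department's schema.
CREATE ROLE IF NOT EXISTS 'accounting_rw', 'hr_rw';
GRANT SELECT, INSERT, UPDATE ON accounting.* TO 'accounting_rw';
GRANT SELECT, INSERT, UPDATE ON hr.*         TO 'hr_rw';

-- An accounting user: TLS required, password rotation every 90 days, and a
-- one-day lockout after five failed logins. Grant only the accounting role.
CREATE USER IF NOT EXISTS 'jdoe'@'10.0.20.%'
  IDENTIFIED BY 'CHANGE-ME-placeholder'
  REQUIRE SSL
  PASSWORD EXPIRE INTERVAL 90 DAY
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;
GRANT 'accounting_rw' TO 'jdoe'@'10.0.20.%';
SET DEFAULT ROLE 'accounting_rw' TO 'jdoe'@'10.0.20.%';

-- Check: effective grants must cover accounting.* and nothing under hr.*
SHOW GRANTS FOR 'jdoe'@'10.0.20.%' USING 'accounting_rw';

-- Accounting: write every statement to the mysql.general_log table so that
-- logins and per-user activity can be reviewed. The general log is verbose;
-- on a busy server a dedicated audit plugin is the better long-term choice.
SET PERSIST log_output = 'TABLE';
SET PERSIST general_log = ON;

-- Review what jdoe did, most recent first (user_host looks like
-- "jdoe[jdoe] @ host [10.0.20.15]").
SELECT event_time, user_host, command_type, LEFT(argument, 120) AS stmt
FROM mysql.general_log
WHERE user_host LIKE 'jdoe[%'
ORDER BY event_time DESC
LIMIT 50;
```

Failed authentication attempts are recorded in the server error log rather than the general log, so both should be collected when reviewing access.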


References

Cybersecurity & Infrastructure Security Agency. (2024, February 8). Securing Network Infrastructure Devices. Retrieved from Cybersecurity & Infrastructure Security Agency: https://www.cisa.gov/news-events/news/securing-network-infrastructure-devices
Fortinet. (2024, February 8). AAA Security. Retrieved from Fortinet: https://www.fortinet.com/resources/cyberglossary/aaa-security
Oracle. (2024, February 8). Database Advanced Security Guide. Retrieved from Oracle: https://docs.oracle.com/database/121/ASOAG/introduction-to-transparent-data-encryption.htm#ASOAG10270
