Every organization, whether large or small, imposes some security measures to protect its confidential data. Such data usually includes contract details, project planning reports, employee information, financial account details and more. More often than not, firewalls, anti-viruses, and other data security techniques are applied to keep unauthorized users or programs from accessing such sensitive company data. What most organizations probably fail to recognize is the threat that exists to such information from people within the circle of trust.
Data breach threats from authorized users
History and data breach reports across the globe clearly point out one fundamental loophole that is ignored by most organizations – people within the organization pose the biggest security threat to its data. Since they have authorized accounts and almost complete access to company databases, they actually don’t have to do much if they wish to steal information. Loyalties are easily sold in today’s cutthroat competitive market and news stories flashing each day are living proofs of this trend.
Even hackers realize this and hence the ways of stealing sensitive information have improved. More than focusing on creating programs that can break firewalls; hackers today create programs to log in with authorized credentials. Even they realize the lack of proper measures to secure data once a user has successfully logged in. Imagine losing this kind of sensitive data to callous people. Not only would a company lose money to the tune of millions, it would cause a serious blow to its reputation as well as put it well behind its competitors.
Extremely stringent measures to safeguard data not only from outside access but also from malicious insider access are thus the need of the hour.
Hence, in this guide we’ve attempted to jot-down some helpful tips to enlighten you on the ways to improve your internal data security cover. We hope some of these points can give you ideas on making your data security better.
Ways to improve data security
Clearly distinguish the most important data from the rest
This is the first step. A large organization may have more than one database as well as multiple employee accounts and financial reports. Trying to enforce a strict protective layer on each and everything would practically not be possible and not even necessary. You need to protect only the data that is of utmost priority and importance. So decide on layers and levels of protection and then separate the data into those levels. For example, organizations that are based in multiple locations may have continent wise, country wise, city wise and even office wise protective layers. Moreover, identify the fields within a database that only a selected few from the highest management can access and those fields that everyone can view. Follow the similar procedure to sift out the most crucial data that needs to be protected to the highest degree. This exercise has 2 benefits – firstly, you’ll find out exactly what you need to protect in order to keep everything good; secondly, if you have less stuff to protect, you can actually protect it better!
Now, do the same to the people within the organization
After you’ve made a data segregation plan, do the same to the people. Create levels of access to be granted to people and clearly identify the roles (managers, team leads etc.) that would be placed within those levels. Call them ‘levels of trust’ for better understanding. You could even identify people by name to be placed within these levels. And remember, if you need to be harsh here to some people, so be it. The rule of “segregation of duties” in the database world clearly states that only the people who absolutely require access to a portion of data should have it; everyone else should be blocked. This will also help you to isolate data access, meaning that no-one would be allowed to see anyone else’s work on a portion of data. Similarly, people from one department should not be allowed to access data from another department.
Apply Dynamic Data Masking
Dynamic data masking is a technology through which sensitive data is masked (or changed in some way) on its way out of the database so that the receiver cannot make anything out of it. Developers, DBAs, and other people might require frequent access to company databases and might require the data to communicate with other applications. But those applications might not necessarily need the exact numbers or details. So the solution – a program that sits between the databases and the applications to change or hide the sensitive data such that only what needs to be shown is shown. You could take the example of bank emails in this regard; they always mask the account numbers, credit / debit card numbers with asterisks (*) and only show the last 4 digits for identification. Plus, the algorithm behind the masking program should be random so that nobody can break its code.
Closely monitor user activity with sensitive data
Applying a reliable Database Activity Monitoring (DAM) system could be one of the best things to protect a database.
This system constantly monitors activity performed on the database including access details and generation of “before” and “after” reports. Such systems are even capable of monitoring both on-premise as well as cloud-hosted databases. So you can find out exactly who did what at any point of time. Plus, ensure the following points:
Audit the DAM logs regularly
Set alerts for suspicious activities
Make sure all users have unique login accounts
Inform all employees that you have such a system to monitor all database activity
Validate all input to the SQL engine
Also referred to as SQL injection attacks, a data input breach implies inserting malicious data within a database to steal other data. Basically, it tells you to never trust user input to the SQL engine blindly since insiders are well equipped and in the position to steal company data by making SQL application layer vulnerable. Hence, all input to the SQL engine must be validated before being passed on to the database. This approach might add time and cost to the data input process, but it is still worth it.
Impose 2-factor authentication
A two-factor authentication process requires employees to punch in login information twice and in 2 different formats. The first one is the standard username and password (this forms the “what you know” aspect of the authentication). The second is a single-use passcode sent for each login to the user’s mobile device or email (this forms the “what you have” aspect of the authentication). Since the single-use passcode is random, the chances of it being hacked by an unauthorized person become extremely low thus making the authentication process much more robust.
Employ strict policies and train employees
There should be a strict set of policies that every employee should mandatorily follow. Be it a new joining employee or one who is leaving the organization, everyone must adhere to the policies defined. From time to time, employees should be trained about the ways in which their user credentials can be compromised or stolen. Let them know of the legal implications of getting involved in data thefts. Make them aware of the ways to resist divulging confidential information to unauthorized people. Let them know that trust is a two-way thing and they have to earn it first to receive it back.
Wrapping it up
Though there are many other ways for SQL database protection including stringent password policies, limiting network access to database servers etc., the above-mentioned initial steps should prove to be enough to get you on the right path. Hope you can make the most of these pointers and save your data from malicious attacks.