Application Security DbProtect Spokane WA

Security is of vital importance for any company, but keeping it in check is a challenge for the database administrator. DbProtect wants to make his or her life a lot easier. Should you let it?


Since nobody would dispute that database security is a very important issue it must be safe to assume that all databases are very secure, right? OK, so you've spotted the logical flaw there already. Whilst we all know how important database security is, the reality is that we also know that it is often very poorly implemented in practice. A good question at this point is "why?" What is wrong, not with the theory, but the practice? The answer is, of course, the people.

Firstly, database security is often set up inefficiently by database administrators. It shouldn't happen, but in practice DBAs (Database Administrators) frequently focus on tasks that are seen as truly database related - index maintenance, partitioning etc. - and regard security as tangential to the real job.

Secondly, the skills required to set up a secure system are non-transferable between database engines, unlike those more core skills.

A third problem is that not only are security skills non-transferable between engines, they're often non-transferable between different versions of the same engine.

Fourthly: the expression "Oh, security in is simple" is on that list of sentences you never actually hear, along with "Actually, I always thought that Cherie Blair had fantastic hair." Yes, it's physically possible to string the words together, but no-one ever would.

The bottom line is that security is complex to implement. It can frequently be applied at many different levels (user, object, etc); security rights can be explicit, implicit and/or inherited or - well, the list goes on and on.

So the options are to put in the work necessary to understand and deliver this level of security or to hire an expensive database security consultant and hope that he or she has put in the work necessary. Or you could invest in a tool to do the job and this is where DBProtect comes in.

One huge advantage of a tool is that only one single group needs to stay current with all the vagaries of security, that being the members of the group that builds and maintains the tool. If they do their job well, the tool stays 'aware' of the most recent vulnerabilities in each engine.

A tool can also address the elements of security that DBAs can't control directly. For instance, not all versions of all engines enforce strong passwords. A DBA can issue edicts and reminders to users about using strong passwords, but software can test all passwords and uncover weak ones.
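To make that point concrete, here is an added example (not part of the original review, and not DbProtect's own code) of the kind of external check such a tool can run: a small Python password-policy audit over a constructed list of database logins, reporting which rules each one fails. The minimum length, the deny-list and the sample accounts are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed policy: the rules a DBA wants enforced whether or not a given
# engine version can enforce them natively.
MIN_LENGTH = 12
# Constructed short deny-list standing in for a real weak-password dictionary.
WEAK_LIST = {"password", "welcome1", "changeme", "admin", "letmein", "qwerty"}


@dataclass
class Account:
    engine: str
    login: str
    password: str  # plaintext as supplied at account creation / reset time


def password_weaknesses(login: str, password: str) -> list:
    """Return a reason code for every rule the password fails (empty list = OK)."""
    reasons = []
    if password == "":
        reasons.append("empty")
    if password.lower() == login.lower():
        reasons.append("equals-login")
    if password.lower() in WEAK_LIST:
        reasons.append("common-word")
    if len(password) < MIN_LENGTH:
        reasons.append("too-short")
    # Count character classes present: lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("low-complexity")
    return reasons


def audit(accounts):
    """Map 'engine/login' -> reasons for every account failing at least one rule."""
    return {f"{a.engine}/{a.login}": r
            for a in accounts if (r := password_weaknesses(a.login, a.password))}


# Constructed sample accounts spanning several engines.
SAMPLE = [
    Account("mssql", "sa", ""),
    Account("oracle", "reports", "reports"),
    Account("mysql", "etl_loader", "Welcome1"),
    Account("db2", "svc_billing", "n7#Qr2!vLp9mZ"),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```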

DbProtect

DbProtect comes from Application Security, which has its headquarters in New York and a European office in Crewe.

AppSec describes DbProtect as a database security suite that will assist an organisation in reducing risk and improving audit compliance. The suite comprises two tools, AppDetective and AppRadar. The first assesses a database for vulnerabilities and the second monitors activity on a database.

DbProtect approaches security from four angles, by monitoring activity, by supporting auditing requirements, by managing the patches that keep security current, and by giving insight into potential vulnerabilities in the IT infrastructure.


Activity monitoring

This task is undertaken by AppRadar, which detects intrusions into the database by means of sensors placed on the database server and/or on the network. These return data which is collated into a dashboard display of current activity and threats, to which only authorised administrators have access. Notifications of any attack or breach of policy are sent out immediately via various methods, including the dashboard display, email, SNMP or syslog (a client-server protocol for sending log messages across an IP network). This makes it possible to respond quickly and minimise any loss or damage.


Auditing

AppRadar can also implement an auditing scheme. Given the increasing regulatory requirements facing businesses, having software to shoulder some of the burden is becoming more of a necessity. Auditing is highly configurable, with granularity at the object, user or column level, and the ability to monitor changes including those to system tables, objects, configurations and permissions. The activity of DBA, SA and other logins can be captured, with the exception of access through a web application.

Patching

The Patch Gap Management feature is designed to help secure the system proactively against the latest database holes and threats. Using ASAP (Application Security Automatic Protection) updates you can prioritise the implementation of security patches and other defences against threats, and receive reports on patching progress.

Insight

AppDetective is a vulnerability assessment scanner that inspects database applications and assesses their level of security. It can find, inspect, report on and even fix security holes and 'mis-configurations', working with Oracle, Microsoft SQL Server and MSDE, Sybase, IBM DB2, MySQL and Lotus Notes/Domino databases. AppDetective will build a complete inventory of such applications and can then perform a complete security audit by logging in to each and analysing patch levels, configuration settings and password strength. Sadly, a serious threat is that of internal attack and AppDetective's detailed analysis can tell an organisation how susceptible it is to this type of abuse.

Resources

Application Security also runs a research arm specialising in application vulnerability assessment and prevention. Team SHATTER (a welcome abbreviation of Security Heuristics of Application Testing Technology for Enterprise Research) researches anything that could compromise security and you can join its R&D mailing list from the AppSec web site.

The company also runs an on-line test area called the Hosted Evaluation Lab where you can try out DbProtect. You can run evaluations at your own pace in a secure virtual enterprise deployment where you can simulate various database audits, attack scenarios and security exploits.

What is it like to drive?

It is worth bearing in mind that DbProtect is a tool for the technically competent. If you are expecting a wizard-driven, cuddly GUI from which you can select well-understood options and have your security magically checked and fixed, then you will be disappointed. In order to drive it, you are expected to know and type in a reasonable amount of configuration data about your servers and network. We're not for a minute suggesting that this is beyond our readership, just that the development team at Application Security has focused more on the functionality than on making the product cute and easy to drive. So don't give it to a student on the first day of their placement.

Conclusion

Do I like DbProtect? I think it is fabulous. For all of the reasons outlined above, I am delighted with the idea that I can 'employ' a security expert to watch my databases, giving me more time to focus on the data and the data structure. That alone is going to win DbProtect more than a few fans.

Author: Mark Whitehorn

IT Pro Online
