
Securing Your Database -- Top 10 Tips for Government Organizations

Data volumes keep growing and government organizations have no choice but to find a way of managing it all, while also ensuring data is safe and secure.

January 5, 2009

Photo: Emma McGrattan, SVP of Engineering at Ingres

Government organizations are facing information and data growth like never before. All this data must be continuously tracked, managed and protected properly for the success of various agencies.

To do this, organizations turn to databases. Analysts predict that the worldwide relational database management systems market will continue to grow through 2010 as data management and integration become more strategically important in organizations across all industries.

Emma McGrattan, senior vice president of engineering at Ingres and a leading authority in database management, knows it can be difficult, especially for government bodies that don't employ database administrators in-house. But data volumes keep growing and government organizations have no choice but to find a way of managing it all, while also ensuring data is safe and secure. To shed some light on how to better manage the database environment, Emma shares with us her top ten tips:

1. Secure Your Data Against Internal and External Threats

When securing the data in your database it's important to think about internal as well as external threats. To prevent external intrusion you must safeguard database accounts, ensure that you have applied the latest security patches to your IT environment and make sure that the database is secured inside a firewall. You should also think about the internal threats posed by employees who may be considering moving to another line of work, setting up their own companies, or otherwise considering leveraging your information to their benefit and your detriment. Ensure that you restrict access to the most sensitive data on an as-needed basis, and consider auditing all data access.

2. Audit Data Access

What would be the impact on government if information fell into the wrong hands? How many of your employees have their own personal copy of your data? Do you trust them with that data? Consider restricting access to the most valuable information that you store on an as-needed basis. Audit attempts to access this information whether those attempts are successful or not. You can set alarms within the database that can be triggered if an employee attempts to access information in the database that is not pertinent to their role or position so that you can question their motives.
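An added example, not part of the original article or of any Ingres product: one way to turn an audit trail into the role-based alarms described above, keeping both successful and denied attempts. The log format, role names and table names are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed policy: sensitive tables each role has a business need to read.
ROLE_ALLOWED_TABLES = {
    "payroll_clerk": {"salaries"},
    "case_officer": {"case_files"},
    "dba": set(),  # administers the database, no need to read the data itself
}

# Constructed audit trail: time, user, role, table, outcome.
SAMPLE_AUDIT_LOG = """\
2009-01-05T09:12:03,alice,payroll_clerk,salaries,success
2009-01-05T09:15:40,bob,case_officer,salaries,denied
2009-01-05T09:15:52,bob,case_officer,salaries,denied
2009-01-05T09:16:10,bob,case_officer,case_files,success
2009-01-05T22:41:19,carol,dba,salaries,success
2009-01-05T22:43:01,dave,contractor,case_files,denied
"""

def find_alarms(log_text, policy=ROLE_ALLOWED_TABLES):
    """Return one alarm per audited access that falls outside the user's role.

    Both outcomes are kept: a 'denied' row shows an attempt worth questioning,
    a 'success' row shows the access controls are looser than the policy.
    """
    alarms = []
    fields = ["time", "user", "role", "table", "outcome"]
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        allowed = policy.get(row["role"])  # None means the role is not in the policy
        if allowed is None:
            reason = "unknown role"
        elif row["table"] not in allowed:
            reason = "table not pertinent to role"
        else:
            continue
        alarms.append({**row, "reason": reason})
    return alarms

def repeat_offenders(alarms, threshold=2):
    """Users with at least `threshold` out-of-role attempts, for follow-up."""
    counts = Counter(a["user"] for a in alarms)
    return sorted(u for u, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for a in find_alarms(SAMPLE_AUDIT_LOG):
        print(a["time"], a["user"], a["table"], a["outcome"], a["reason"])
```

The `dba` entry with an empty set reflects tip 6: an administrator reading salary data is flagged even though the database let the query through.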

3. Benefits of Encryption

Consider password protecting and encrypting all database backups so that if the backup media is lost or stolen it is impossible to access the data within it. In more sophisticated IT environments you also may want to consider encrypting all database traffic to protect it from prying eyes.

4. Protecting Off-line Copies of your Data

In environments where users need access to data while on the road, they'll often store local copies of the data in spreadsheets on their laptops. The security of this data needs the same level of consideration as the data that is stored in the database, so at a minimum consider implementing a policy that mandates password protecting all files containing sensitive data. It may surprise you to learn that 12,000 laptops are lost each week in US airports, so the chances of a government employee's laptop being lost or stolen are higher than you may think.

5. Maintain One Version of the Truth

Assume that all off-line copies of the data are stale as soon as they are written to your laptop and always make important decisions using the data in the database. Discourage the practice of storing the data locally as there should only be one version of the truth. Also consider the security implications associated with having versions of your data in unsecured environments and the cost to the government should this data fall into the wrong hands.

6. Secure the Database Administrator

A database administrator typically has access to all of the data in a database. This could include sensitive information such as salaries and bonuses. Select a database administrator that you can trust, and consider separating out the roles of the database administrator and the security administrator so that no one individual has access to all of the information in your environment.

7. Safeguarding Database Accounts

Ensure that all database accounts have passwords set on them. Consider implementing a strict password policy that requires the use of a combination of upper- and lowercase characters as well as numbers, as these are harder to crack. Ensure that unused accounts are removed immediately, for example, when an employee leaves, and remove system accounts such as "guest" and "test" accounts before the system goes live.

8. Backing Up Isn't Hard to Do

We all know that if you have up-to-the-minute backups of your data you'll never need them, and that it's always the information that you haven't backed up that will be accidentally deleted or otherwise lost. Databases should be backed up on a daily basis and database journaling should be used so that in the event of failure the environment can be restored to exactly how it was before disaster struck. We read horror stories in the press every day about database tapes containing sensitive information being lost or stolen. Database backup tapes or disks should be stored, tracked and accounted for like any other valuable asset in your business. Given that your database environment can be recreated using the backup media, it is important that all database backup media should be securely erased or physically destroyed at the end of its useful life.

9. Disaster Planning

It's always best to use Murphy's Law when planning for a disaster in your environment. Prioritize your database applications and determine how long your business could afford to be without any one of them, what process would be put in place to replace them temporarily, and how much you would be willing to spend to ensure their continued operation. Database technologies are very sophisticated and include the ability to configure a standby machine that will automatically kick in when your primary machine fails, or to keep an exact copy of your database in another location that can be used in the case of a wider disaster such as power failure or communications failure. There are costs associated with putting these failsafe measures in place but these often pale into insignificance when compared to the losses that could result from a failure in the environment.

10. Open Source Databases

Open source databases have matured to the point where they're no longer used solely by hobbyists, but also by big business, governments and academic institutions. Open source databases like Ingres and MySQL have proven themselves in large scale environments such as Lufthansa Airlines and Google, along with government environments such as the National Center for Missing & Exploited Children (NCMEC), the German Federal Institute for Geosciences and Natural Resources (BGR), and the Pacific States Marine Fisheries Commission. They provide the same level of performance, scalability, security and usability as their prohibitively expensive closed source counterparts such as SQL Server or Oracle. Open source software is less expensive to deploy as it has no license fees associated with it, but users can purchase 24x7 support subscriptions if they choose.

Emma McGrattan Senior Vice President, Ingres Corporation
Emma is SVP of Engineering at open source database company Ingres Corporation. A leading authority in DBMS technologies, Emma is a popular speaker at technology conferences around the world appearing at events such as Linux World, OSBC, OSCON, CA World, HP Technology Forum, Red Hat Summit and Comdex. Emma joined Ingres as senior vice president of Engineering from CA where she held a similar position responsible for the Ingres family of relational database management products.