II.C.18 Database Security
Management should implement effective controls for databases and restrict access.
Databases are collections of information organized to be easily
accessed, managed, and updated. Databases can be developed in-house
or purchased from third parties and have their own controls and
protective mechanisms configured to provide varying levels of
protection. Along with many other security features, encryption
helps to protect the stored information from theft or unauthorized
viewing. Management should implement or enable controls
commensurate with the sensitivity of the data stored in or accessed
by the database.
Database users may be people (e.g., employees, customers, and
contractors) or other applications. Users have different levels of
access and authorization. Some users may have extensive privileges,
including the ability to change the database configuration and
access controls. Other users may have restrictions in what they can
view, manipulate, or store. When a person is the database user,
authorizations can be tailored to that person, greatly limiting the
amount of information that could be exposed in a security incident.
When an application is the database user, the access granted to the
application can be more extensive than a person would require.
Accordingly, an attack on a database through an application could
expose a larger and more damaging collection of data. For
application accounts, management should strengthen authentication
and monitoring requirements to minimize the potential for

Management should appropriately control user access and apply
the principle of least privilege in assigning authorizations. The
use and overall configuration of a database's security features
should be part of a well-designed, layered security program.
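The split between human and application database users described above, laid out as least-privilege grants. This is an added example, not text from the booklet; it uses PostgreSQL syntax, and the database, schema, table, and role names are constructed.

```sql
-- Constructed example (PostgreSQL syntax); all names are hypothetical.
-- Weak pattern the booklet warns against: one shared superuser login used by
-- the application and by staff alike, so any compromise exposes everything.
--   CREATE ROLE app_login LOGIN SUPERUSER;   -- do not do this

-- 1. A non-login role owns the objects; no one connects as it directly.
CREATE ROLE cust_owner NOLOGIN;
CREATE SCHEMA customer AUTHORIZATION cust_owner;
CREATE TABLE customer.accounts (
    id      bigint PRIMARY KEY,
    name    text NOT NULL,
    balance numeric(14,2) NOT NULL
);
ALTER TABLE customer.accounts OWNER TO cust_owner;

-- 2. The application account gets only the statements it actually issues,
--    on named tables, plus a connection ceiling. Its authentication method
--    (scram-sha-256 or client certificate) is set in pg_hba.conf, and its
--    data-modifying statements are logged for monitoring.
CREATE ROLE app_svc LOGIN CONNECTION LIMIT 20;
GRANT USAGE ON SCHEMA customer TO app_svc;
GRANT SELECT, INSERT, UPDATE ON customer.accounts TO app_svc;
ALTER ROLE app_svc SET log_statement = 'mod';
-- No DELETE, no DDL, no access to other schemas.

-- 3. Human users get individually tailored access through a group role,
--    restricted to the columns they need and expiring on a fixed date, so
--    an exposed credential reveals less and stops working on its own.
CREATE ROLE analyst_readonly NOLOGIN;
GRANT USAGE ON SCHEMA customer TO analyst_readonly;
GRANT SELECT (id, name) ON customer.accounts TO analyst_readonly;
CREATE ROLE jdoe LOGIN VALID UNTIL '2025-12-31' IN ROLE analyst_readonly;

-- 4. Strip the default PUBLIC grants so every new role starts with nothing.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE CONNECT ON DATABASE bankdb FROM PUBLIC;
```

Run as a superuser against an existing database named bankdb; the commented-out first statement is shown only to contrast with the layout that follows.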