Data security is the hottest topic of discussion in the database administration circle. Based on the structure of the organization and whether you are managing a live production DB, you should ensure close monitoring of it for any unauthorized access. This monitoring should be done for the underlying host server too. In this article, we will discuss the security considerations for open-source databases.
Once after setting up the database software, it is essential to run some pre-checks in order to avoid some common mistakes in terms of security. Let us explore these primary guidelines as follows:
The general guidelines are as follows:
- Do not give the root/admin access to anyone. This is a critical consideration to be kept in mind always.
- Have a clear understanding of how the privileges in the database access system work. Never grant any additional privileges than the bare minimum necessity. Also, do not grant privileges to all the hosts.
- Never store passwords at the database itself. It is advisable to use a SHA2() or other one-way hashing options to store hash values.
- Do not ever use the default ports and ensure that the chosen port is not accessible from any untrusted host.
- In the case of open-source DB, put it behind the firewall. This will protect you from any chances of exploitation through the software.
Access management and access control
The primary security function of a database includes authentication of a user or application trying to connect to the DB from a given host and instantly associate the user or user group privileges. In order t to control which users can connect to the DB, each account must be assigned with some authentication credentials like a password.
Various user roles
The database user role is a set of privileges that are assigned to a particular user or a set of users coming under a user group. In the latest featured open-source DBs, the majority of the users come under certain predefined roles with a custom set of privileges for each role.
Proper password administration
As a primary security measure, users accessing the database need to authenticate themselves by providing a user ID and password. The database also applied the same hash function to the password which the user entries and compares it with the authenticated hash stored in the DB. If these matches, then the entry is granted. Password expiration is also needed for all the DB users to change their passwords from time to time.
It is important to have a random password generation option for the administrator-specified passwords while creating a password. An important consideration should be given to monitoring the wrong authentication/password failure tracking too. For this, it is recommended to have temporary account locking features too after a particular number of incorrect password login attempts. For setting up the security best practices for open-source databases, you can approach remote providers like RemoteDBA.com.
You need to restrict the database server use of resources to the bare minimum. It is also important to limit the number of connections simultaneously by a user account. For example, we may try to restrict the number of queries a given user can execute per hour or the number of times the user can connect to the server each hour.
Encrypted DB connections
Most of the open-source DBs support encrypted connections between the server and the users by following some specific security protocols. With SSL security usage, the connections between server and clients will be encrypted and thereby turns the data into a secretly coded format over the network. Once the SSL is enabled on the database, it will start to support encrypted connections and not let unencrypted connections establish.
Plugins and security components
You can easily integrate security plugins and add-on components with the database. For example, For example. MySQL includes various plugins and components which implement some strong security features as below:
- Authentication plugins are used for authenticating attempts by the clients to connect to MySQL Server. We can also easily integrate it with the database server.
- Password Plugin – It is a plugin that checks whether the current password is solid enough and may reject all weaker passwords.
- Keyring plugin – This can encrypt the tablespaces. The encryption modality works on a rotating key files basis.
- Audit log – You can audit by recording and monitoring all the activities on the given DB server. These also will be logged as what is happening on the DB from time to time. You can track the database usage and operations by users, failed login attempts, connections, etc. If you use a load balancer to access the DB, one may need to closely monitor this. By default, the audit log files get directly stored into MySQL DB.
- Log monitoring – This feature offers greater visibility to the DB for the operations team. It composes or all the database instances and load balancers. Log monitoring will help to determine any anomalies and the frequency at which these occur.
- Password validation – This plug will help in password validation. You can custom set the validation criteria as the password may contain alphabets, numbers, and strings of characters. On both database and server-side, username and password may be needed for access. Say, for example, if the password is given as cleartext value, then the validate_password plugin will check this password against the password policy and either accept or reject it. Usually, validate_password_policy may have three different categorizations as LOW, MEDIUM, or STRONG. LOW only for the length of the password, whereas MEDIUM considers some add-on conditions too. STRONG checks all the conditions of the password with substrings.
- LDAP Plugin – This will let the database server accept connections from multiple users defined in the LDAP directories. In this authentication model, server-side and client-side plugins may communicate the cleartext and password. A secure connection is recommended between the client and the server to prevent the chances of password exposure. If the client username and the hostname are not matching, then the DB will reject this connection. LDAP is a very straightforward configuration.
The system administrators should consider the strictness of these policies to implement them in their server environment and ensure that there are strictly adhered to.