7 neat tricks to better safeguard SQL database

Every organization, large or small, puts some security measures in place to protect its confidential data: contract details, project plans, employee records, financial account details and more. More often than not, firewalls, anti-virus software and similar perimeter controls are relied on to keep unauthorized users or programs away from such sensitive data. What most organizations fail to recognize is the threat to that same information from people inside the circle of trust.

Data breach threats from authorized users

Breach reports from around the world keep pointing at one fundamental gap that most organizations overlook: people inside the organization are among the biggest threats to its data. They already hold authorized accounts, often with far broader access to company databases than their job requires, so stealing information takes little effort and leaves few of the traces an external intrusion would. In a cutthroat market loyalties change hands easily, and the steady stream of insider-theft news stories bears this out.

Attackers know this too, and their methods have adapted accordingly. Rather than building tools to break through firewalls, they increasingly concentrate on obtaining valid credentials (through phishing, reused passwords or a cooperative insider) and logging in as an authorized user. They also know that once a user is logged in, few systems apply any further control over what that user can read or export. Losing sensitive data this way costs a company not only money, potentially millions, but also its reputation and its standing against competitors.

Stringent measures that protect data not only from outside access but also from malicious insider access are therefore the need of the hour.

In this guide we have jotted down some helpful tips on ways to improve your internal data security cover. We hope some of these points give you ideas for making your data security better.

Ways to improve data security

  1. Clearly distinguish the most important data from the rest

    This is the first step. A large organization may run many databases, each holding employee accounts, financial reports and more. Trying to apply the strictest protective layer to everything is neither practical nor necessary; the data that carries the highest priority and importance is what needs the strongest protection. So decide on protection levels first, then classify the data into those levels. For example, an organization with many locations might define protection layers per continent, country, city or even office. Within a database, identify the tables and columns that only a select few in senior management may access, and those that everyone can view. Follow the same procedure to sift out the most crucial data, the data that must be protected to the highest degree. The exercise has two benefits: you learn exactly what you need to protect, and, with less to protect, you can protect it better.

  2. Now, do the same to the people within the organization

    Once you have a data classification plan, do the same for the people. Define access levels and clearly identify the roles (managers, team leads and so on) that belong to each; call them "levels of trust" if that helps. You can even place named individuals in these levels. And if you need to be harsh with some people here, so be it. The principle is least privilege, or need-to-know: only people who genuinely require access to a portion of the data should have it, and everyone else should be blocked. Its companion, segregation of duties, says that no single person should hold every permission in a critical process (for example, the person who grants database access should not also be the one who audits it). Together they isolate data access: nobody sees anyone else's work on a portion of data, and people in one department cannot read another department's data.

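The following T-SQL is an added example written for this page; it is not code from the original article or from SQL Server's documentation. It maps "levels of trust" to database roles with least-privilege grants, uses column-level permissions so clerks never see salaries, and enforces department isolation with a Row-Level Security filter. The Payroll database, the hr.Employee table, the roles and the logins hr_clerk and payroll_mgr are assumptions; Row-Level Security and SESSION_CONTEXT require SQL Server 2016 or later.

```sql
-- Added example (not from the original article): one database role per
-- trust level, permissions granted to roles only, one user per person.
-- Assumptions: database Payroll exists; server logins hr_clerk and
-- payroll_mgr already exist; SQL Server 2016+ for RLS / SESSION_CONTEXT.
USE Payroll;
GO
CREATE SCHEMA hr;
GO
CREATE TABLE hr.Employee (
    EmployeeId   int           NOT NULL PRIMARY KEY,
    FullName     nvarchar(100) NOT NULL,
    Department   nvarchar(50)  NOT NULL,
    NationalId   char(11)      NOT NULL,
    Salary       decimal(12,2) NOT NULL
);
GO
-- Roles are the "levels of trust"; people are added to roles, never granted directly.
CREATE ROLE hr_reader;
CREATE ROLE payroll_manager;
GO
-- Level 1: clerks may read names and departments only (column-level grant).
GRANT SELECT ON hr.Employee (EmployeeId, FullName, Department) TO hr_reader;
-- Level 2: payroll managers may read everything but may change only Salary.
GRANT SELECT ON hr.Employee TO payroll_manager;
GRANT UPDATE ON hr.Employee (Salary) TO payroll_manager;
-- Nobody in these roles may delete rows or alter the table. DENY wins over
-- any GRANT the same person might inherit through another role membership.
DENY DELETE, ALTER ON hr.Employee TO hr_reader, payroll_manager;
GO
-- One database user per person, mapped to its own login: no shared accounts.
CREATE USER hr_clerk    FOR LOGIN hr_clerk;
CREATE USER payroll_mgr FOR LOGIN payroll_mgr;
ALTER ROLE hr_reader       ADD MEMBER hr_clerk;
ALTER ROLE payroll_manager ADD MEMBER payroll_mgr;
GO
-- Department isolation: a Row-Level Security predicate that shows a user
-- only the rows whose Department matches the value the application placed
-- in the session context at connect time. Payroll managers see all rows.
CREATE FUNCTION hr.fn_DeptPredicate(@Department nvarchar(50))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS ok
       WHERE @Department = CAST(SESSION_CONTEXT(N'dept') AS nvarchar(50))
          OR IS_MEMBER('payroll_manager') = 1;
GO
CREATE SECURITY POLICY hr.DeptFilter
    ADD FILTER PREDICATE hr.fn_DeptPredicate(Department) ON hr.Employee
    WITH (STATE = ON);
GO
-- Check: impersonate the clerk and confirm the restrictions hold.
EXECUTE AS USER = 'hr_clerk';
EXEC sp_set_session_context @key = N'dept', @value = N'Sales';
SELECT EmployeeId, FullName, Department FROM hr.Employee;  -- allowed; Sales rows only
-- SELECT Salary FROM hr.Employee;  -- fails: SELECT permission denied on column 'Salary'
REVERT;
```

The session-context value must be set by the application from its own authentication, not from anything the end user controls; a user who can run ad-hoc T-SQL could otherwise call sp_set_session_context with another department's name. For people with direct database access, tie the predicate to USER_NAME() or role membership instead.
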
  3. Apply Dynamic Data Masking

    Dynamic data masking (DDM) alters sensitive data on its way out of the database so that the receiver cannot make anything of it, while the stored value is left untouched. Developers, DBAs and other staff may need frequent access to company databases, and applications may need to exchange data with them, but those consumers rarely need the exact numbers or details. The solution is a layer that sits between the database and its consumers and hides or changes the sensitive parts so that only what needs to be shown is shown. Bank e-mails are a familiar example: account and card numbers are replaced with asterisks (*) and only the last four digits are shown for identification. SQL Server (2016 and later) and Azure SQL Database support DDM natively on individual columns, with an UNMASK permission for the few principals who must see real values. Two caveats: masking is a presentation control, not encryption, so it is no substitute for proper permissions; and a user who can run ad-hoc queries against a masked column can still infer values through WHERE predicates, so masking must be combined with the access restrictions from the previous tips.

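The T-SQL below is an added example for this page, not code from the original article or from Microsoft. It masks a constructed customer table with SQL Server's built-in DDM functions, shows what a low-privilege user sees, and then demonstrates the inference caveat: a masked column can still be probed with predicates. The dbo.Customer table, its sample rows and the database user support_agent are assumptions; DDM requires SQL Server 2016 or later.

```sql
-- Added example (not from the original article): SQL Server Dynamic Data
-- Masking, plus why masking alone is not an access control.
-- Assumptions: a database user 'support_agent' exists; SQL Server 2016+.
CREATE TABLE dbo.Customer (
    CustomerId   int           NOT NULL PRIMARY KEY,
    FullName     nvarchar(100) NOT NULL,
    Email        nvarchar(254) NOT NULL,
    CardNumber   char(16)      NOT NULL,
    CreditLimit  decimal(12,2) NOT NULL
);
GO
-- Constructed sample rows for the demonstration (not real card numbers).
INSERT INTO dbo.Customer VALUES
    (1, N'Ada Lovelace',    N'ada@example.com',     '4111111111111111',  5000.00),
    (2, N'Charles Babbage', N'charles@example.com', '5500000000000004', 12000.00);
GO
-- Mask on the way out. partial(prefix, padding, suffix) keeps the last four
-- digits, the same convention the bank e-mails above use; email() keeps the
-- first letter and the domain suffix; random() replaces a number entirely.
ALTER TABLE dbo.Customer ALTER COLUMN CardNumber
    ADD MASKED WITH (FUNCTION = 'partial(0,"XXXXXXXXXXXX",4)');
ALTER TABLE dbo.Customer ALTER COLUMN Email
    ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.Customer ALTER COLUMN CreditLimit
    ADD MASKED WITH (FUNCTION = 'random(1, 100)');
GO
GRANT SELECT ON dbo.Customer TO support_agent;
-- Only principals holding UNMASK see the real values; grant it sparingly.
-- GRANT UNMASK TO fraud_analyst;
GO
EXECUTE AS USER = 'support_agent';
SELECT CustomerId, FullName, Email, CardNumber, CreditLimit FROM dbo.Customer;
-- CardNumber shows as XXXXXXXXXXXX1111, Email as aXXX@XXXX.com,
-- CreditLimit as a random number between 1 and 100.

-- Caveat: predicates are evaluated against the stored values, so a user who
-- can write ad-hoc queries can still recover information digit by digit.
SELECT CustomerId FROM dbo.Customer WHERE CardNumber LIKE '4111%';   -- returns 1
SELECT CustomerId FROM dbo.Customer WHERE CreditLimit > 10000;       -- returns 2
REVERT;
```

Because of the last two queries, DDM is best used to keep sensitive values out of application screens, logs and support tooling, while the question of who may query the column at all is answered by the grants and denies from tip 2 (or, where the data must be unreadable even to administrators, by Always Encrypted or column-level encryption rather than masking).
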
  4. Closely monitor user activity with sensitive data

    Applying a reliable Database Activity Monitoring (DAM) system is one of the best things you can do to protect a database.

    Such a system continuously monitors activity on the database, recording who connected, what they ran and, for changes, the "before" and "after" values of the affected rows. Modern DAM products can cover both on-premises and cloud-hosted databases, and SQL Server's built-in auditing can provide a basic version at no extra cost. Either way, you can find out exactly who did what at any point in time. In addition, ensure the following:

    • Audit the DAM logs regularly

    • Set alerts for suspicious activities

    • Make sure all users have unique login accounts

    • Inform all employees that you have such a system to monitor all database activity

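As an added example (not from the original article), the T-SQL below uses SQL Server Audit, the engine's native activity-monitoring feature, to record every read and change of a sensitive table along with failed logins and permission changes, and then runs the kind of review query the first two bullets above call for. The Payroll database, the hr.Employee table and the audit file path D:\Audit\ are assumptions; the client_ip and application_name columns of sys.fn_get_audit_file need SQL Server 2017 or later.

```sql
-- Added example (not from the original article): native SQL Server Audit as
-- a lightweight DAM for one sensitive table.
-- Assumptions: database Payroll with table hr.Employee exists; D:\Audit\ is
-- a writable folder; SQL Server 2017+ for client_ip / application_name.
USE master;
GO
-- 1. Server audit: where the records go. ON_FAILURE = SHUTDOWN is the strict
--    choice; CONTINUE is used here so an audit problem cannot take the server down.
CREATE SERVER AUDIT SensitiveDataAudit
    TO FILE (FILEPATH = N'D:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT SensitiveDataAudit WITH (STATE = ON);
GO
-- 2. Server-level events: failed logins and changes to server roles/permissions.
CREATE SERVER AUDIT SPECIFICATION ServerSecurityEvents
    FOR SERVER AUDIT SensitiveDataAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE Payroll;
GO
-- 3. Database-level events: every SELECT/UPDATE/DELETE on the sensitive table
--    by anyone (BY public), plus changes to database roles and permissions.
CREATE DATABASE AUDIT SPECIFICATION SensitiveTableAccess
    FOR SERVER AUDIT SensitiveDataAudit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::hr.Employee BY public),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- 4. Regular review: who touched the table, from where, with which statement.
--    Surfaces off-hours access to the table and every denied attempt.
SELECT  event_time,
        server_principal_name,
        database_principal_name,
        client_ip,
        application_name,
        action_id,      -- SL = SELECT, UP = UPDATE, DL = DELETE, LGIF = failed login
        succeeded,
        object_name,
        statement
FROM    sys.fn_get_audit_file(N'D:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE   (object_name = N'Employee'
         AND DATEPART(hour, event_time) NOT BETWEEN 8 AND 18)   -- off-hours reads/changes
   OR   succeeded = 0                                           -- denied or failed attempts
ORDER BY event_time DESC;
```

The review query is the "audit the logs regularly" step; for the "set alerts" step, schedule it (SQL Agent or an external collector) and forward rows matching the WHERE clause to your alerting channel. Keep the audit files on a volume the database principals cannot write to, otherwise the same insider the audit is meant to catch can edit the evidence.
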
  5. Validate all input to the SQL engine

    This is the SQL injection problem. Whenever user-supplied text is concatenated into a SQL statement, a crafted input can change the statement's structure and read, modify or delete data the caller was never meant to touch. Never trust input to the SQL engine blindly, and remember that insiders are well placed to exploit a vulnerable application layer because they know the schema and already have a foothold. All input must therefore be validated before it reaches the database and, more importantly, passed as parameters rather than spliced into statement text, since validation alone cannot anticipate every encoding trick. This approach adds a little time and cost to the data input process, but it is well worth it.

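The T-SQL below is an added example for this page, not code from the original article. It shows the same lookup written with string concatenation, which is injectable, and with sp_executesql parameters, which is not, followed by the one case that cannot be parameterised (a caller-chosen sort column) handled with an allow-list and QUOTENAME. The hr schema, the hr.Employee table (columns EmployeeId, FullName, Department) and the procedure names are assumptions.

```sql
-- Added example (not from the original article): injectable versus
-- parameterised dynamic SQL. Assumes a table hr.Employee with columns
-- EmployeeId, FullName and Department already exists.

-- BEFORE: user input is pasted into the statement text. A "name" such as
--   ' OR 1=1 --
-- returns every row, and with stacked batches an insider can append
-- statements that read columns this procedure was never meant to expose.
CREATE PROCEDURE hr.FindEmployee_Unsafe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT EmployeeId, FullName, Department FROM hr.Employee WHERE FullName = '''
        + @Name + N'''';
    EXEC (@sql);
END;
GO

-- AFTER: the statement text is a constant; the input travels as a typed
-- parameter and can never change the query's structure. The length check is
-- defence in depth (keeps junk out of the table and the audit log); the
-- parameter is what actually makes this safe.
CREATE PROCEDURE hr.FindEmployee @Name nvarchar(100)
AS
BEGIN
    IF @Name IS NULL OR LEN(@Name) = 0 OR LEN(@Name) > 100
    BEGIN
        RAISERROR(N'Invalid employee name.', 16, 1);
        RETURN;
    END;

    EXEC sp_executesql
        N'SELECT EmployeeId, FullName, Department FROM hr.Employee WHERE FullName = @n',
        N'@n nvarchar(100)',
        @n = @Name;
END;
GO

-- Checks with a constructed malicious input:
EXEC hr.FindEmployee_Unsafe @Name = N''' OR 1=1 --';   -- returns every row: injected
EXEC hr.FindEmployee        @Name = N''' OR 1=1 --';   -- returns nothing: treated as a literal name

-- Identifiers (a table or column chosen by the caller) cannot be passed as
-- parameters. Allow-list them, then quote with QUOTENAME so that even an
-- allowed value cannot break out of the identifier position.
CREATE PROCEDURE hr.SelectSorted @SortColumn sysname
AS
BEGIN
    IF @SortColumn NOT IN (N'EmployeeId', N'FullName', N'Department')
    BEGIN
        RAISERROR(N'Sort column not allowed.', 16, 1);
        RETURN;
    END;
    DECLARE @sql nvarchar(max) =
        N'SELECT EmployeeId, FullName, Department FROM hr.Employee ORDER BY '
        + QUOTENAME(@SortColumn);
    EXEC sp_executesql @sql;
END;
GO
```

The same rule applies on the application side: every client library for SQL Server (ADO.NET, JDBC, pyodbc and so on) supports parameterised commands, and a query built with string formatting in application code is as injectable as the first procedure above, whatever validation runs before it.
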
  6. Impose 2-factor authentication

    Two-factor authentication requires employees to present two independent pieces of evidence of different kinds. The first is the standard username and password (the "what you know" factor). The second is a single-use passcode generated for each login by an authenticator app or hardware token, or sent to the user's mobile device (the "what you have" factor); one-time codes delivered by e-mail are the weakest form, since e-mail accounts are themselves often protected only by a password. Because the passcode is random and valid only once, a stolen or guessed password alone is no longer enough to log in, which makes the authentication process far more robust.

  7. Employ strict policies and train employees

    There should be a strict set of policies that every employee must follow, whether newly joined or about to leave the organization. From time to time, train employees on the ways their credentials can be compromised or stolen and on how to resist divulging confidential information to unauthorized people. Let them know the legal implications of getting involved in data theft. And let them know that trust is a two-way thing: they have to earn it first to receive it back.

Wrapping it up

There are many other ways to protect a SQL database, including stringent password policies and limiting network access to database servers, but the initial steps above should be enough to get you on the right path. We hope you can make the most of these pointers and keep your data safe from malicious attacks.

Translated from: https://www.sqlshack.com/7-neat-tricks-to-better-safeguard-sql-database/
