Databases & Technology: One key reason why computers are installed is for their ability to store, access, and modify data. The primary tool for data management is the database.
Databases have become increasingly sophisticated, and their capabilities have grown dramatically over the last 10 years.
This growth has created opportunities to view data in new ways; it has also created problems for both designers and users of these products.
This section briefly discusses database technologies and some of the most common issues associated with vulnerabilities in database system.
The relational database has become the most common approach to database implementation. This technology allows data to be viewed in dynamic ways based on the user’s or administrator’s needs.
The most common language used to speak to data is Structured Query Language (SQL). SQL allows queries to be configured in real time and passed to database server. This flexibility causes a major vulnerability when it isn’t implemented securely.
NOTE: Don’t confuse the acronym SQL with Microsoft’s database products SQL Server. SQL Server implements Structured Query Language, or SQL, as do most other database.
For example, you might want to get the phone numbers of the entire customer who live in a certain geographic area and have purchased products from you in the last two years.
In a manual system, you would first need to determine which customer live in the area you want. You would perform a manual search of customer records, and then you would identify which customers have made purchases. This type of process could be very involved and time consuming.
In a relational database environment, you could query the database to find all the records that meet your criteria and then print them.
The command to do this might be a single line of code, or it might require thousands of instructions. Obviously, the increase in productivity is a worthwhile investment.
Corporate or organization data is one of an organization’s most valuable assets. It usually resides either in desktop systems or in large centralized database servers.
This information makes the server tempting targets for industrial espionage and damage.
Database servers suffer from all of the vulnerabilities we have discussed to this point. Additionally, the database itself is a complex set of programs that work together to provide access to data.
Early database system connected the end user directly to the data through applications programs. These programs were intended to allow easy data access and to allow transactions to be performed against the database. In a private network, physical security was usually all that was needed to protect the data.
As the Internet has grown, businesses have allowed customer access to such data as tracking orders, reviewing purchase, wiring funds, and virtually any other capabilities they wanted.
This increased interoperability has added more coding, more software, and more complexity to database.
Software manufacturers work hard to keep up with customer demands. Unfortunately, they frequently release software that is prone to security problems.
The increase in demand for database-oriented systems and the security problems introduced by software developers and manufacturers have been the biggest areas of vulnerability for database server.
NOTE: Database need patching just like other applications. You should configure them to use access controls and provide their own levels of security.
To improve system performance, as well as to improve the security of database, companies have implemented the tiered system model. There different models are explained here:
One-Tier Model: In a one-tier model, or single-tier model environment, the database and the applications exist on a single system. This is common on desktop systems running a standalone database.
Early Unix implementations also worked in this manner; each user would sign on to a terminal and run a dedicated application that accessed the data.
Two-Tier Model: In a two-tier model, the client workstation or system runs an application that communications with the database that is running on a different server. This is a common implementation, and it works well for many applications.
Three-Tier Model: The three-tier model effectively isolates the end user form the database by introducing a middle-tier server.
This server accepts requests from clients, evaluates them, and then sends them on to the database server for processing.
The database server sends the data back to the middle-tier server, which then sends the dat to the client system.
This approach is becoming common in business today. The middle server can also control access to the database and provide additional security.
These three models provide increasing capabilities and complexity. You must manage each system and keep it current in order for it to provide security.