Database Security – Security Checklist

With increased regulatory compliance, heightened concerns around privacy and growing risk from hackers and organized crime, the need to secure access to data has never been more urgent. Following this check list to make sure your company’s data is safe. This is a generic list that applies to most popular open source and commercially supported databases.

  • Enable Access Control and Enforce Authentication

    Enable access control and specify the authentication mechanism. You can use the database’s default authentication mechanism or an existing external framework. Authentication requires that all clients and servers provide valid credentials before they can connect to the system. In clustered deployments, enable authentication for each database server.

  • Configure Role-Based Access Control

    Create a user administrator first, then create additional users. Create a unique database user for each person and application that accesses the system.

    Create roles that define the exact access a set of users needs. Follow a principle of least privilege. Then create users and assign them only the roles they need to perform their operations. A user can be a person or a client application.

  • Encrypt Communication

    Configure database to use TLS/SSL for all incoming and outgoing connections. Use TLS/SSL to encrypt communication between database clients as well as between all applications and other instances.

  • Limit Network Exposure

    Ensure that database runs in a trusted network environment and limit the interfaces on which database instances listen for incoming connections. Allow only trusted clients to access the network interfaces and ports on which database instances are available.

  • Audit System Activity

    Track access and changes to database configurations and data. Most databases includes a system auditing facility that can record system events (e.g. user operations, connection events) on a server instance. These audit records permit forensic analysis and allow administrators to verify proper controls.

  • Encrypt and Protect Data

    Encrypt database data on each host using file-system, device, or physical encryption. Protect database data using file-system permissions. Most databases includes data files, configuration files, auditing logs, and key files.

  • Run MongoDB with a Dedicated User

    Run database processes with a dedicated operating system user account. Ensure that the account has permissions to access data but no unnecessary permissions.

  • Run MongoDB with Secure Configuration Options

    Some databases supports the execution of script code for certain server-side operations, for e.g in Mongo DB: mapReduce,group, and $where. If you do not use these operations, disable server-side scripting by using the –noscripting option on the command line.

     

  • Request a Security Technical Implementation Guide (where applicable)

    The Security Technical Implementation Guide (STIG) contains security guidelines for deployments within the United States Department of Defense.

  • Consider Security Standards Compliance

    For applications requiring HIPAA or PCI-DSS compliance. For Mongo DB please refer to the MongoDB Security Reference Architecture to learn more about how you can use the key security capabilities to build compliant application infrastructure.

References

admin has written 55 articles