Databases are a goldmine for criminals. Successfully tracking an intrusion can depend 100% on administering database accesses and permissions. Unauthorized user actions, as well as possible intruder actions, need to be tracked and audited in order to maintain the integrity of the information stored in the database.
The security architecture of the database will depend 100% on what the administrator is continuously auditing and tracking from user actions. In addition, granting and providing access to the right information – not more – is critical to stop possible intrusions.
There are a lot of tools for administering and configuring database security. Scripts, programs and special resources are included with vendor products (such as the SQL Server Resource kit), but it’s critical to understand how to utilize these tools. The information in the article applies to all RDBMSs (Relational Database Management Systems) products such as SQL Server, Oracle 8i and Sybase Adaptive Server.
Principles of RDBMSs Security
The goal of the security architecture of a RDBMSs is to protect and verify that every piece of information that is stored in the database. Business information needs to be verified, to assure that the no data has been changed. This goal is divided in the following aspects: only authorized users should be able to view data stored in the repository, authorized individuals should feel confident that the data presented to them is accurate and not improperly modified and users should be able to access the data they need, when they need it.
Most RDBMSs manage the security information with two users sysadmin and dbaadmin. The sysadmin – system administrator – normally has authority over the operating system resources and actions. The dbaadmin – database administrator – has authority over the RDBMSs subsystem. For example, in SQL Server the dbaadmin user is called “sa” by default and the sysadmin is called “Administrator” in Windows 2000.
Users need to be given a specific type of access to utilize the information stored on the database. When a user tries to access the database, the RDBMS verifies it’s identity using the internal subsystem before determining or allowing the user to access the information.
For example in our business manager scenario, a business manager might need to have “Write” access to the company financial information to change sales information, while the secretary might need to have “Read” access to read those reports. In that case, the dbaadmin authority is responsible to give specific access required by the manager and the secretary.
Those privileges apply only to those specific actions that the dbaadmin has granted, so if the secretary user tries to write information to the database, the RDBMS will deny it.
Security for Administration and Management
Like most computer networks and systems, a database needs to be updated and maintained regularly. Each new user that is added or piece of information requires several operations; starting and stopping the RDBMS, administering user accounts and managing database backups.
To perform database maintenance operations, individual users can be given the rights to perform operations such as database backup, creation of reports and addition of information. Someone with a higher authority, such as dbaadmin must grant the user the privilege to perform such operation over the database.
Normally, only the sysadmin manages upgrades to hardware and software. Some vendors offer proprietary RDBMS extensions to grant this ability to non-sysadmin users. Another method to accomplish this is the use of a non-sysadmin user that can be given the permission to perform this operations.
Figure 1. SQL Server security properties. To access this menu go to right click the server that you want to administer, choose Properties and click the Security tab.
RDBMS Performance Tools
Managing RDBMS performance is about constantly monitoring the system health and audit any changes. Common performance problems include operating with higher response times and higher CPU usage. Interpreting what is the source of the problems is a key part of troubleshooting and solving performance issues.
Correctly configuring maintenance tasks on your RDBMS is a key to good performance. Simplifying the process of configuring the RDBMS is a key part of an operations plan. Several tools exist to create an automate maintenance plan for your databases. Maintenance actions can consist of database statements, operating system commands, executable programs or scripts.
Operating system tools are used to monitor resource usage (such as disk, CPU and memory). For example, System Monitor can be used to manage SQL Server disk counters. Alerting capabilities and user feedback are also key for RDBMS. User feedback can be used to find information about how fast the end users think that the system is running. Alerts can be used to perform actions on the RDBMS when a specific system condition occurs.
* Originally published at 2000Trainers
Click here to sign up for FREE Tech. newsletters from Murdok!
Leonard Loro, MCSE, MCSD, ISS, MCT, CCNA, is a recognized e-Business specialist. His experience includes engaging, managing and implementing large consulting projects for government agencies and companies like Microsoft, Nissan as well as other Fortune 500’s. Leonard can be reached at Leonardo.loro@enresource.com.
