Morons can hack me? That makes me a moron, too
Recently, I once again got into the debate over whether database security is identity related.
Database security has long been relegated to back room guys, away from the business. RBAC hasn’t been a part of that equation. And that makes it tougher, IMHO, to strike that balance between the need to secure data while simultaneous making that data available to those who need it.
Most often, user context doesn’t get you to the data. You pull up your browser, fill out a form, click Submit, then your data gets posted to a program that then hands it off to a web service which in turn makes requests on your behalf, with its own super-user context. Hijack that super-user, get all the data.
I blogged recently about the other debate here, namely do you want all your users to have their own database context. It’s potentially a lot of database licenses. There’s also the hassle of authenticating users directly to the database. There are solutions, like Oracle Enterprise User Security, that allow you to authenticate users to the DBMS via Active Directory or other sources.
Enforcing a single user context in theory limits the amount of damage a hacker can do in a single session. I can bring back my own data, but not everybody else’s. The audit trail is definitely cleaner.
How dangerous is a rogue privileged account? Still plenty. By now you’ve probably heard of the LulzSec guys, who keep hacking major corporations, allegedly for their own amusement as well as to point out deficiencies in security. I’m not big on their notion of stealing and sharing data for the sake of scaring people into better security.
But here’s what really, really scared me about what they did. They hacked Sony with SQL INJECTION. In this day and age, they used an idiot’s hack. It’s the world’s easiest hack. There is no excuse for not defending against it. Holy crap!
Your inputs need to be secured against it. That’s the programmatic defense. But at the absolute foundation, you need to secure the DBMS itself against this nonsense. So here’s where you can
- Install a database firewall that checks those inputs (eg. Secerno)
- Employ a db-level firewall
Huh? What’s that second option? I’m thinking of something like Oracle Database Vault. In theory, no matter what you put in front of the database, somebody can peek around it. DB Vault is in place essentially within the database itself. You can create realms inside the database limiting the access between those realms, based on -- HEY – role. You can also limit the types and scope of SQL commands. None of this “SELECT * FROM BANK-ACCOUNTS” baloney.
So there. You CAN relate identity to database security. Hell, I don't care if you relate Mongolian sheepdogs to database security, as long as you have it.
SQL injection? Really? It’s 2011, last time I looked.