What is database security?

Database security is the term used for the collection of security tools, processes, and other measures that protect a database from malicious cyberattacks or misuse. It is a subset of data security, and aims to safeguard the:

• database management system (DBMS)
• applications that access and use the data stored in databases
• data that is stored and managed within databases
• associated hardware as well as servers, networks, and other relevant computing infrastructure. 

Why database security is important

Database security isn’t just important – it is essential. Businesses and organisations that use databases to store sensitive data have a legal obligation to protect the confidentiality and integrity of the data they extract, store, manipulate, and manage. Failure to do so – known as a data breach – can result in significant consequences.

For example, in the UK, the Information Commissioner’s Office (ICO) enforces the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018. In the event of a data breach, the ICO can respond with:

• assessment notices
• warnings
• reprimands
• enforcement notices
• penalty notices (administrative fines).

“For serious breaches of the data protection principles,” the ICO website states, “we have the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.”

Other consequences for data breaches can include:

• the theft of commercially sensitive information or intellectual property 
• reputational damage
• the loss of customers, sales, partners, stakeholders, revenue, investors, and so on
• time and money lost on system repair and restoration.

Common threats to database security

External hackers and other cybercriminals pose an ongoing challenge for database security, but internal culprits are also a major source of data breaches. Common security threats, both internal and external, include:

Human error

Human error is the top cause of data breaches. Data and database users unfamiliar with appropriate cybersecurity measures can compromise systems and their data through:

• weak passwords
• password sharing
• carelessness and misuse
• negligence
• software misconfiguration.

These kinds of behaviours make it easier for a security breach to occur. For example, they can grant unauthorised access to systems, or unintentionally expose vulnerabilities within databases.

Insider threats

An insider threat is a term used to describe someone who has access to a database – and malicious intent. This can include internal employees with legitimate access to a system, as well as outsiders who have gained access to existing credentials – typically using illegal tactics such as phishing – and are now able to infiltrate the database. 

SQL and NoSQL injection attacks

Databases that aren’t kept secure can be vulnerable to structured query language (SQL) and NoSQL (or non-SQL) injection attacks.  

SQL is a standardised programming language used to manage relational databases and data operations. NoSQL databases, meanwhile, are non-relational, essentially meaning that they store data differently. But both can be susceptible to injection attacks, which occur when attack strings are inserted into the database queries served by web applications or HTTP headers. This malicious code allows cybercriminals to access a database’s backend, as well as sensitive or private data they wouldn’t otherwise be able to see. 

Denial of service (DoS/DDoS) attacks

A denial of service attack, or DoS attack, occurs when an attacker sends so many requests to a target database server that the server is unable to fulfill legitimate requests from real users. These attacks can often lead to servers becoming unstable or even crashing altogether.

There are also distributed denial of service (DDoS) attacks, which occur when the attack comes from multiple servers. Because of the distributed nature of the attack, it can be more difficult to stop.

Malware

Malware is software written with the sole purpose of exploiting vulnerabilities or damaging databases and systems. Malware can infiltrate databases – as well as associated operating systems, web servers, and so on – through any device connected to a database’s network, which is why it’s important to safeguard both devices and the database servers themselves.

Attacks on backups

The data stored in databases is typically protected through backups – but these backups also need protection. Security measures should also be scalable enough to keep pace with the ever-increasing volumes of data stored and used by organisations.

Database security: solutions and best practices

While the security risks and threats to database security are numerous, there are also several ways organisations can ensure a secure database and safeguard their data from attacks. Some examples of database security best practices and security controls include:

Data activity monitoring

Monitoring and auditing database activity is vital for detecting suspicious data access or use in real-time, allowing organisations to respond to threats immediately.

Encryption

Data encryption uses encryption keys to convert data into a scrambled format that can only be accessed and deciphered back into a readable format by intended parties. This means that even in the event of a data breach, any data obtained by an attacker is safe. Other forms of protecting data include tokenisation, which swaps sensitive data for a token that must be presented in order to retrieve data, and data masking, which effectively anonymises data into a version that can still be understood, but has been stripped of any private or sensitive information.

Access and permissions

Controlling access to databases, and the permissions granted within them, is essential. Measures in this area should include:

• Authentication, which requires users to enter valid identification and password details in order to access the database.
• Authorisation, which determines the level of user access an individual has within the database. For example, it might determine whether someone has read-only access to the database, or the ability to amend or delete data.
• Access control, which is the overarching system used by system or database administrators to assign permissions, user accounts, and so on.

Firewalls

Firewalls are often referred to as the first line of defense in security. A firewall acts as a barrier between a database and network traffic, and can be used to filter out unauthorised users who shouldn’t have access to the database.

Physical security

While databases are used and accessed virtually, on-premise database servers require physical database security. They should be secured against external personnel as well as staff not directly associated with database maintenance, and also need to be kept in climate-controlled database environments to prevent overheating. 

Penetration tests

Penetration tests are a helpful way for information security professionals to gauge how well their data management and security policies are working within their organisations. By effectively attempting to hack their own systems, security professionals can spot gaps or weaknesses within their security, which in turn means they can safeguard data privacy and ensure database and network security for their employers.

Help keep databases secure

Develop the skills to design and implement database systems that can effectively manage and manipulate data – and keep it secure – with the MSc Computer Science at the University of Wolverhampton. This flexible Master’s degree has been developed for ambitious individuals who may not have a background in computer science, and is delivered 100% online.

The degree includes a key module in database systems and security, so in addition to learning other in-demand computer science skills, you will explore different types of data and database systems to gain an appreciation of where they are applicable. This includes areas of study such as:

• database concepts and techniques
• database design (Oracle Data Modeller)
• relational model concepts working with database technologies 
• SQL and Oracle 
• non-relational systems such as NoSQL, MongoDB, and Oracle NoSQL 
• database management and administration management of data.

This module will also enable you to apply a critical understanding of, and demonstrate ability in, the tools and techniques used in the development of database applications, and understand the fundamental aspects of data governance and data security.