July 21, 2022

Last Updated on January 19, 2024

Attack surface management is achieving lofty buzzword status lately. Part of managing an information asset's attack surface is looking at the risks that come from the things the asset connects to, like applications and the network. A clear case in point is our databases, which store and organize data specifically so that other assets can access it.

When we think about database security, what should we focus on besides the database environment itself?

Database expert Robert Buda, President at Buda Consulting, discussed the database attack surface and how to protect it on a recent episode of The Virtual CISO Podcast. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.

Database security is a team sport

According to Bob, it’s important for database security teams to coordinate with teams securing the network, servers, storage, communications, etc. All of these areas impact database security.

Then there is the security posture of all the applications and tools that have direct or indirect connections to the database. These include business intelligence tools, HR and ERP applications, custom extract-transform-load (ETL) code, etc.

Track and trace

Applications that connect to databases have authorized users and various ways of authenticating them. But when an application or system connects to a database and makes changes, do you still have visibility into which user did that?

Bob explains: “There are really two levels of visibility here. One is the administrative access [to the database] and we have total visibility into that. We can audit for that and secure that at the database level. But for many, many applications, especially web applications, it’s very common to have one or two application owners that connect [to the database]. And the application handles all the security around that.”

For such applications, it's imperative that they have an auditing mechanism built in. An application-level audit trail is typically less robust than database auditing, but it can still be very valuable, because it is the only record of which person was behind a given action.

“It’s important that [an application-level audit mechanism] be built in, and many good apps have that,” Bob adds. “But from a database professional’s perspective, we can’t control that. We see all of the transactions that take place for that application as one user. So, if we take a look at the audit logs, we’ll see that database user, let’s call it ‘payroll,’ made these changes to the table. We have no idea what [person] did that. So, that’s definitely a gap. And you need to marry that up with the audit logs that come from the application itself.”
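The "marry up the logs" step Bob describes can be sketched in code. The following is an added example, not code from Buda Consulting or the podcast: it takes a database audit log that only ever shows the shared account "payroll" and an application audit log that records which person did what, and joins them by time proximity. The log line formats, field names, user names and the three-second window are all constructed assumptions for the illustration. The interesting output is the third status: a change made as "payroll" with no application action anywhere near it, which means the shared credential was used outside the application.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not from the original article). The database audit
# log only ever sees the shared application account "payroll"; the application
# audit log knows which person acted but nothing about the SQL that ran.
DB_AUDIT = [
    "2024-01-19T10:00:01Z db_user=payroll stmt=UPDATE table=employees rows=1",
    "2024-01-19T10:05:30Z db_user=payroll stmt=UPDATE table=salaries rows=3",
    "2024-01-19T10:07:12Z db_user=payroll stmt=DELETE table=employees rows=1",
]
APP_AUDIT = [
    "2024-01-19T10:00:00Z app_user=alice action=edit_employee",
    "2024-01-19T10:05:29Z app_user=bob action=bulk_raise",
    "2024-01-19T10:05:31Z app_user=carol action=bulk_raise",
]


def parse_line(line):
    """Parse 'ISO-timestamp key=value key=value ...' into a dict (assumed log shape)."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def correlate(db_lines, app_lines, window_seconds=3):
    """Attribute each database change to an application user by time proximity.

    Returns one dict per database event with a 'status' of:
      attributed   - exactly one application action fell inside the window
      ambiguous    - several candidates; a request/session ID is needed to resolve
      unattributed - no application action at all: the shared account was used
                     outside the application (the gap described in the article)
    """
    app_events = [parse_line(l) for l in app_lines]
    window = timedelta(seconds=window_seconds)
    results = []
    for line in db_lines:
        ev = parse_line(line)
        candidates = [a for a in app_events if abs(a["ts"] - ev["ts"]) <= window]
        if len(candidates) == 1:
            status, who = "attributed", candidates[0]["app_user"]
        elif candidates:
            status, who = "ambiguous", sorted(a["app_user"] for a in candidates)
        else:
            status, who = "unattributed", None
        results.append({
            "ts": ev["ts"].isoformat(),
            "db_user": ev["db_user"],
            "stmt": ev["stmt"],
            "table": ev["table"],
            "status": status,
            "app_user": who,
        })
    return results


def unattributed_changes(db_lines, app_lines, window_seconds=3):
    """Events a DBA should escalate: changes made as the application account
    with no matching application-level action."""
    return [r for r in correlate(db_lines, app_lines, window_seconds)
            if r["status"] == "unattributed"]


if __name__ == "__main__":
    for r in correlate(DB_AUDIT, APP_AUDIT):
        print(r["ts"], r["db_user"], r["stmt"], r["table"], r["status"], r["app_user"])
```

Time-window joins are a stop-gap, and the "ambiguous" result shows why: two people acting within the same few seconds cannot be told apart. The durable fix is to have the application stamp each database session with the end user's identity or a request ID (for example via a connection attribute such as PostgreSQL's application_name, or a per-transaction session variable) so the database audit record itself carries the person, not just the account.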

Wider security issues

As a related concern, what if an application accessing the database has vulnerabilities that allow unauthorized users to gain access? The database team might have done everything right security-wise, but the data could still be compromised.

How can you protect the database from insecure applications that need to access it? And what about everything else an application might connect to, such as ETL scripts?

Then, if you extract data from a database, where does it end up? In a database, a data warehouse, a data lake, a temporary storage area?

“It’s really important if we’re trying to secure the entire environment, not just to think about what we’d call the database of record or the system of record, but everywhere else that data might end up via the interfaces that come into the database or that pull data out.”

Taking the cash out of the safe and leaving it on your desk

A huge contribution to the database attack surface is how data is used and controlled (or not) once it’s been extracted from a database. Say it ends up in a spreadsheet on a laptop. Say it gets emailed to somebody else.

“You have this giant lock on the database,” John analogizes. “You think the front door’s locked, but someone who was allowed to open the safe and take out money just put it on his desk in the middle of the bank where it’s open to the public and went to lunch.”

Data loss prevention (DLP) technology is one way to help, but data that has been extracted from the database remains a major component of the database attack surface, alongside network security weaknesses, physical security weaknesses, and more.

What’s next?

To listen to the entire show featuring database specialist Bob Buda, click here.

Want to find out more about attack surface management? Here is a good starting point: EP#69 – Steve Ginty – Can You Benefit From Attack Surface Management?
