IT Baseline Protection Manual S 2.126 Creation of a database security concept
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT Security Management
The long-term keeping of centralised data is of crucial importance for the information management at authorities and corporations. For this reason, it is essential to create a database concept. Such a concept defines the preparations necessary for putting the database into operation, and should always include a database security concept which focuses on the operation of the database.
Inadequate protection of data might result in a loss of confidentiality, availability or integrity. To prevent this, it is absolutely necessary to prepare a detailed database security concept.
To ensure the security of a database, a suitable database management system (DBMS) needs to be employed. To offer effective protection, the DBMS must meet the following requirements. The DBMS must be
based on a comprehensive security policy
incorporated into the IT security concept of the organisation
installed correctly and
administered correctly.
Direct access to the database (e.g. via SQL interpreters such as SQL*Plus) must only be possible for administrative users, in order to prevent manipulation of the data and database objects (e.g. tables and indices). Modifications to database objects must always be controlled via special IDs. For this purpose, the database management system must incorporate a suitable access control and login concept (refer to S 2.129 Controlling Access to Database Information and S 2.128 Controlling Access to a Database System). User IDs which can only perform data modifications via an application must not be granted direct access to the database, while IDs for managing database objects must be granted direct, controlled access.
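The separation described above, as an added example that is not part of the manual: an Oracle-style SQL configuration (assumed because the text names SQL*Plus), with the weak grant shown beside the corrected one. All account, role, table and package names and the password values are placeholders.

```sql
-- Run as a DBA account. All names and passwords below are placeholders.

-- 1. Schema owner: holds the tables and indices, locked so nobody logs in as it interactively.
CREATE USER app_owner IDENTIFIED BY "placeholder_pw" ACCOUNT LOCK
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users;
GRANT CREATE TABLE, CREATE PROCEDURE TO app_owner;

-- 2. Application object, created in the owner schema.
CREATE TABLE app_owner.orders (id NUMBER PRIMARY KEY, status VARCHAR2(20));

-- Definer's-rights API: the only route through which the application may modify data.
CREATE OR REPLACE PACKAGE app_owner.order_api AS
  PROCEDURE set_status(p_id IN NUMBER, p_status IN VARCHAR2);
END order_api;
/
CREATE OR REPLACE PACKAGE BODY app_owner.order_api AS
  PROCEDURE set_status(p_id IN NUMBER, p_status IN VARCHAR2) IS
  BEGIN
    -- Validation lives here; the application cannot bypass it because
    -- it holds no privilege on the table itself.
    IF p_status NOT IN ('NEW', 'PAID', 'SHIPPED') THEN
      RAISE_APPLICATION_ERROR(-20001, 'invalid status');
    END IF;
    UPDATE orders SET status = p_status WHERE id = p_id;
  END set_status;
END order_api;
/

-- 3a. Weak setting (not to be used): the application ID gets direct DML on the table,
--     so anyone holding its credentials can change data from an SQL interpreter.
-- GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO app_user;

-- 3b. Corrected setting: the application ID may connect and call the API, nothing more.
CREATE USER app_user IDENTIFIED BY "placeholder_pw";
CREATE ROLE app_role;
GRANT EXECUTE ON app_owner.order_api TO app_role;
GRANT CREATE SESSION, app_role TO app_user;

-- 4. Periodic check: any grantee other than the administrative role that holds
--    direct table privileges in the application schema deviates from the concept.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'APP_OWNER'
   AND table_name NOT IN (SELECT object_name FROM dba_objects
                          WHERE owner = 'APP_OWNER' AND object_type = 'PACKAGE')
   AND grantee <> 'DBA';
```

The check in step 4 is the kind of query the log and privilege reviews in S 2.133 can be built on; an empty result means only the administrative role has direct access to the tables.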
A database security concept must also settle the following important issues:
The physical storage or mirroring of database files (e.g. the database management software, the database itself, or the log files) and their distribution must be specified, for example in order to increase availability and reliability. For security reasons, mirrored control files should be stored on different hard disks, so that a failure of one hard disk cannot cause the loss of all the control files. If the database objects of an application are stored in separate data files, these files should be distributed so that a failure of one hard disk does not affect all applications.
Example:
A database manages the data of two applications, using one data file each for the tables and indices. These data files can be distributed as required among four hard disks.
An unfavourable distribution of data files is:
Hard disk 1: Storage of the data files for the indices of both applications
Hard disk 2: Storage of the data files for the tables of the first application
Hard disk 3: Storage of the data files for the tables of the second application
Hard disk 4: -
A failure on the first hard disk would affect both applications, rendering them unusable.
A more favourable distribution of data files is:
Hard disk 1: Storage of the data files for the indices of the first application
Hard disk 2: Storage of the data files for the tables of the first application
Hard disk 3: Storage of the data files for the indices of the second application
Hard disk 4: Storage of the data files for the tables of the second application
In this case, only one application would be affected by a failure on any of the hard disks.
Once the database has been put into operation, the data volumes generated must be checked regularly in order to plan sufficient increases in storage capacity for future needs.
Suitable data backup mechanisms must be employed (refer to S 6.49 Database backups).
The use of monitoring and control mechanisms must be specified, i.e. whether and to what extent database activities need to be logged. This also includes specifying whether only the times of data modifications should be recorded, or whether the modifications themselves should also be logged (refer to S 2.133 Checking the log files of a database system).
Suitable personnel must be available for planning and operating the database system. The time required to run a database system is not to be underestimated. Experience has shown that an analysis of the accumulated log data alone is very time consuming. The database administrator must possess a detailed knowledge of the installed database management software and must be trained appropriately to use it.
Additional controls:
Have security objectives related to the use of a database system been formulated and documented?
Has direct access to the databases via an interactive query language been precluded?