Hacking Privileged Database User Access
How to provide least user privilege to your privileged database users
November 13, 2009
The prospect of restricting access to your database is tricky when it comes to privileged users, such as database administrators who need to keep the databases running, developers who need to tap into databases to get them to work, or super users who just need an inordinate amount of access to get their jobs done.
Privileged users are in a class of their own when it comes to database activity. Plain and simple, their extended access poses a much higher risk exposure to the data: These users touch, move, and manipulate more data than the average user. So chances are higher that they'll make a mistake that compromises data, or will operate maliciously and undetected.
Some form of database activity monitoring is a key part of that system. But even more impactful -- and perhaps more immediate for less mature organizations -- is the often forgotten first step of employing the rule of least privilege. Do your privileged users really need the database permissions they currently have, and is their level of access appropriate?
Asking who, what, when, where, how, and why can help determine how to apply their privileges.
Who: Look at the specific user in question and his role within the organization. Unfortunately, organizations often don't apply this correctly. For example, a DBA is in charge of "databases" and therefore will be granted access to every database under the sun, when in reality that DBA may actually need access only to very specific databases.
This lack of inquiry into privileged roles and permissions is especially problematic among IT users of all stripes, says Brian Cleary, vice president of marketing for Aveksa.
"You'll never get IT to admit that because they're so used to having the keys to the kingdom that it is very difficult for them to relinquish those keys under the mantra of policy control," he explains. "But the reality is that the insider threat is so high and the compliance rules so tough that they have to."
What: You also need to look at which database(s) a user has access to, and how much she can access and manipulate. "The first thing you have to do is to be able to compartmentalize the access to the specific database that you want to secure," says Cheryl Traverse, CEO of Xceedium. "If you have 100 Oracle databases, you'll need to compartmentalize users so that they only have access to the databases that they are authorized to touch."
Unfortunately, many of today's enterprises still don't have a way to automate this compartmentalization, or even an efficient way to track who has access to what databases. "They're not even aware of who has access into these databases and how many accounts are there," says Prat Moghe, general manager of data compliance for Netezza. "Management in the database space is highly manual. Many people actually keep Excel spreadsheets manually of how many accounts are in the database and who has ownership, so there is no automation around it."
When: Study when users access data in the database, and for how long. Establishing and enforcing time-sensitive access policies can often be the key ingredient to preventing after-hours shenanigans among privileged users who may have the right to access a specific database, but are planning to abuse their permissions. The key is distinguishing between normal behavior and out-of-policy activity, Moghe says.
Where: The question of where a database resides, where the data is from, and from where the user is getting access to this data is also important. These questions are especially relevant in light of mounting European data privacy regulations, Cleary says. "Compliance requires of me as an organization that [North American DBAs] not be able to access our consumer database for any of the European countries because [they are] not located within those countries," Cleary says. "So understanding that attribute becomes very important. If I can't apply the compliance control, I could be violating regulatory mandates."
Why: Knowing why a privileged user has access to all of the databases for which he holds the keys is also important. Is it necessary for the user to carry out day-to-day activities? Does he still retain permissions from previous roles in the organization? "So having the technology both interface with the business and really identify at a group level, at a role level, and at a functional level who actually should have access to what kinds of data, and under what circumstances definitely is a critical component," says Jeffrey Wheatman, a Gartner analyst on database security. "If you don't know who should be able to do what, then how do you actually figure out how to put controls around that?"
How: Pinpointing how the user is accessing the databases is also key. Is it through root passwords shared across IT or another business group, or via ad hoc application accounts?
Shared passwords and ad hoc access are two of the biggest stumbling blocks to measured access control that organizations face at the moment. "The level of database access controls are typically just ineffective today because there are just a lot of shared accounts that are going on," Cleary says. "The elimination of that and the review and certification of accounts on a more frequent basis [are important] to make sure not only that the person is still in a valid role within the business, but to also really understand the finer grained entitlement authorizations that are required in order to meet compliance demands."
Answering the who, what, when, where, why, and how questions will help provide visibility into privileged database user access in order to keep auditors at bay and also mitigate risks to the data itself. This occurs through effective access policies, automated access control management, and granular database activity monitoring. But as Wheatman points out, policies without automation leave you just with a "stack of paper." Automated access control applies the policies in a practical way and ensures they're always enforced.
Finally, database activity monitoring helps fill in the gaps: It keeps organizations apprised of activity even when privileged users are using legitimate permissions, and it can give better visibility into account comings and goings if an access control management process isn't fully there yet.
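One way to turn the six questions into an automated check over database access events, shown as an added example that is not part of the original article. The account names, databases, regions, access hours and event fields are all constructed assumptions.

```python
from datetime import datetime, time

# Every name and value below is constructed for illustration.
SHARED_ACCOUNTS = {"root", "app_adhoc"}                  # how: shared or ad hoc logins
DB_REGION = {"orders_na": "NA", "consumers_eu": "EU"}    # where the data resides
ENTITLEMENTS = {                                         # who -> what / when / why
    "alice": {"dbs": {"orders_na"}, "hours": (time(7), time(19)),
              "why": "production DBA for order processing"},
    "bob": {"dbs": {"orders_na", "consumers_eu"}, "hours": (time(7), time(19)),
            "why": ""},  # grant carried over from an earlier role, never re-certified
}

def check(event):
    """Return the (question, finding) pairs that an access event violates."""
    out = []
    user, db = event["user"], event["db"]
    if user in SHARED_ACCOUNTS:
        out.append(("how", "shared account, no individual accountability"))
    grant = ENTITLEMENTS.get(user)
    if grant is None:
        out.append(("who", "no documented entitlement for this account"))
        return out
    if db not in grant["dbs"]:
        out.append(("what", f"{db} is outside the user's compartment"))
    start, end = grant["hours"]
    if not start <= datetime.fromisoformat(event["ts"]).time() < end:
        out.append(("when", "access outside the approved window"))
    if DB_REGION.get(db) != event["user_region"]:
        out.append(("where", "user is not located in the data's region"))
    if not grant["why"].strip():
        out.append(("why", "no recorded business justification"))
    return out

EVENTS = [  # constructed sample of database activity records
    {"user": "alice", "db": "orders_na", "ts": "2009-11-12T10:15:00", "user_region": "NA"},
    {"user": "alice", "db": "consumers_eu", "ts": "2009-11-12T10:30:00", "user_region": "NA"},
    {"user": "bob", "db": "orders_na", "ts": "2009-11-13T02:40:00", "user_region": "NA"},
    {"user": "root", "db": "orders_na", "ts": "2009-11-12T11:00:00", "user_region": "NA"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["user"], ev["db"], ev["ts"], "->", check(ev) or "in policy")
```

Note that the third event is flagged on "why" even though the database is one the user is entitled to: a grant with no recorded justification is exactly the leftover permission a periodic account certification is meant to catch.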