How secure are databases in general?
-
How vulnerable are databases to unprivileged data access?
I'm thinking about a scenario where you have multiple users accessing the same database server but they don't have access to each others data.
-
How are you managing the user accounts that access these discrete databases? Assuming your ACL's are sound I wouldn't think there could be any compromise.
-
@dustinb3403 said in How secure are databases in general?:
How are you managing the user accounts that access these discrete databases? Assuming your ACL's are sound I wouldn't think there could be any compromise.
Yes that's true when everything works as expected. But have there been many security vulnerabilities that would allow hackers to defeat the security and access the data anyway?
-
Here's a decent best practice for securing databases.
https://security.berkeley.edu/resources/best-practices-how-articles/system-application-security/database-hardening-best-practices
-
@pete-s said in How secure are databases in general?:
@dustinb3403 said in How secure are databases in general?:
How are you managing the user accounts that access these discrete databases? Assuming your ACL's are sound I wouldn't think there could be any compromise.
Yes that's true when everything works as expected. But have there been many security vulnerabilities that would allow hackers to defeat the security and access the data anyway?
But those are unknowns, things that you can't count on happening or not happening.
-
@pete-s said in How secure are databases in general?:
How vulnerable are databases to unprivileged data access?
Databases are a completely generic concept. A database at its core is just a file (or files) on disk. In fact, the file system itself is a document database (a la MongoDB.) So this boils down to:
How vulnerable is a file to unprivileged data access?
That's really all that is asked with that question. You can secure database files the same as any other, they are no more or less vulnerable because their data is structured.
-
They are vulnerable, but mostly because applications use a single authenticated user to access a given database. So most of the vulnerabilities are in the web pages and/or applications using a database.
-
@pete-s said in How secure are databases in general?:
I'm thinking about a scenario where you have multiple users accessing the same database server but they don't have access to each others data.
That's not a question about the database security, but would be a question as to the security of the application that is connecting to the database, which might be an application in the traditional sense (if the app talks directly to the DB file such as with Spiceworks) or it might be a DBMS for more modern apps (think WordPress talking to MariaDB.)
The database files are not relevant to the security concerns here, but would be a question purely about the apps themselves and/or the application's own security.
-
@pete-s said in How secure are databases in general?:
@dustinb3403 said in How secure are databases in general?:
How are you managing the user accounts that access these discrete databases? Assuming your ACL's are sound I wouldn't think there could be any compromise.
Yes that's true when everything works as expected. But have there been many security vulnerabilities that would allow hackers to defeat the security and access the data anyway?
This would be completely unique to each application and/or DBMS. Vulnerabilities in one would not reflect on another. Think of a bug in Windows: it would not reflect on a risk in AIX, for example.
Also, typically DBMS do not handle the kind of security you are thinking of. They do, but not in the way that you think.
Typically database management system security (the kind from SQL Server, Oracle, MariaDB, PostgreSQL, MongoDB, etc.) separates applications or customers from each other. One WordPress install talks to one database, that sort of thing.
Applications handle users sharing data in the same database typically. Think Bob and Sue have accounts in WordPress and can't see each other's data. That's WordPress security, not database security, involved.
-
@travisdh1 said in How secure are databases in general?:
They are vulnerable, but mostly because applications use a single authenticated user to access a given database. So most of the vulnerabilities are in the web pages and/or applications using a database.
That's application security, not related to the database. Same risk would exist with no database.
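The two points made above (the DBMS separates applications from each other, while keeping Bob out of Sue's data is the application's job, because the application reaches the database through one shared account) are shown below in an added example written for this thread; it is not code from any of the posters or from WordPress. It assumes Python's built-in sqlite3 module and a constructed `notes` table with two users' rows. The database-side separation (one dedicated account per application database) is taken as already in place and not shown, since from inside the application every row is equally readable by that one account; the only thing that distinguishes Bob's request from Sue's is what the application puts in the query.

```python
import sqlite3

# Constructed sample data: two application users (Bob and Sue) whose rows live in
# the same table, reached through the application's single database account.
SEED_NOTES = [
    (1, "bob", "Bob's private note"),
    (2, "sue", "Sue's private note"),
    (3, "bob", "Bob's second note"),
]


def open_app_db() -> sqlite3.Connection:
    """Open an in-memory database the way the application's one shared account sees it.

    The DBMS grants this account SELECT on the whole table. It has no notion of
    Bob or Sue, so nothing on the database side stops a request made on Bob's
    behalf from reading Sue's row; the application has to add that check itself.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", SEED_NOTES)
    conn.commit()
    return conn


def fetch_note_unchecked(conn: sqlite3.Connection, note_id: int):
    """Application bug, not a database bug: the lookup is by id only and trusts that
    the caller owns the row, so any logged-in user who guesses another id reads it.
    (The query itself is parameterized, so this is purely a missing authorization check.)
    """
    return conn.execute(
        "SELECT owner, body FROM notes WHERE id = ?", (note_id,)
    ).fetchone()


def fetch_note_scoped(conn: sqlite3.Connection, current_user: str, note_id: int):
    """Hardened form: the owner check is part of the query and both values are bound
    parameters. current_user is taken from the application's session, never from the request."""
    return conn.execute(
        "SELECT owner, body FROM notes WHERE id = ? AND owner = ?",
        (note_id, current_user),
    ).fetchone()


def search_notes_concatenated(conn: sqlite3.Connection, current_user: str, term: str):
    """Second application bug: the owner filter is present, but the query is built by
    string concatenation, so a crafted search term can cancel the filter (SQL injection)
    and return every user's rows through the same shared database account."""
    sql = (
        f"SELECT owner, body FROM notes WHERE owner = '{current_user}' "
        f"AND body LIKE '%{term}%'"
    )
    return conn.execute(sql).fetchall()


def search_notes_parameterized(conn: sqlite3.Connection, current_user: str, term: str):
    """Hardened form: the term is bound as data, so the same payload is just a string
    that matches nothing, and the owner filter stays in force."""
    return conn.execute(
        "SELECT owner, body FROM notes WHERE owner = ? AND body LIKE ?",
        (current_user, f"%{term}%"),
    ).fetchall()


if __name__ == "__main__":
    db = open_app_db()
    # Bob's session asks for note 2, which belongs to Sue.
    print("unchecked:", fetch_note_unchecked(db, 2))          # Sue's row leaks
    print("scoped:   ", fetch_note_scoped(db, "bob", 2))      # None
    # Constructed injection payload that closes the LIKE literal and ORs in 1=1.
    payload = "x%' OR 1=1 --"
    print("concat:   ", search_notes_concatenated(db, "bob", payload))  # all three rows
    print("params:   ", search_notes_parameterized(db, "bob", payload)) # []
```

Running it shows the asymmetry the thread describes: the database account can see all three rows in every case, and whether Bob's request is confined to Bob's rows depends entirely on whether the application wrote the owner check and bound its parameters.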