The work of a system administrator is essential for almost any organization, there is no denying that. Whether it is an in-house employee or a subcontractor, the system administrator is a person with a huge impact on the continuous and smooth operation of your business and on enterprise data protection compliance.
This also applies to databases your company uses. When it comes to database administration, administrators usually perform the following tasks:
- Prevent data loss and protect data integrity
- Manage users and user privileges
- Manage and ensure protection of related network infrastructure
- Supervise database operations and monitor performance
- Perform backup and recovery
In large companies each of these tasks can get so big as to require a separate full-time employee. This is why many big enterprises have several administrators managing a single large database for a huge company-wide CRM or ERP system. These are the people that have full control over all the ins and outs of the database and, in many cases, over the underlying physical infrastructure. Such control is necessary for them to perform their duties of ensuring continuous operation of the database and data integrity within it, but it is also a double-edged sword for the organization.
While administrators are often tasked with designing network infrastructure and assigning permissions in order to protect the enterprise database from any threat, they themselves are in the best position to perform malicious actions. While password protecting an Access database can stop a regular user from accessing it without authorization, it will do little to prevent any malicious actions from an administrator. Elevated privileges allow database administrators to access sensitive data, which can be used to either steal it or misuse it for personal gain, and easily cover their tracks without anybody noticing. Insider threats have made the rounds in cyber security circles in recent years, and it is universally agreed that among all possible malicious insiders, privileged users pose the most danger.
Why database administrators are a threat
It’s worth noting that administrators are not the only employees that have access to the company databases. So what makes them such a danger compared to others? The extent of their access is one thing, but a more important factor is how easy it is for them to get away with malicious actions. The potential danger of database administrators can be summarized as follows:
- Multiple vectors of approach. Elevated privileges and full, unrestricted legitimate access to the database allow administrators to choose among a number of angles for a potential attack. Whether to access data directly, copy the database as a whole, use malicious code, change the privilege level of other users, etc., they have more possibilities than any other user out there.
- Malicious attacks are very hard to detect. Actions of malicious insiders are often very hard to distinguish from their regular everyday job activities, considering that they are supposed to access the data for work anyway. This factor is multiplied for privileged users, who often enjoy a greater level of trust from the employer.
- Malicious actions are very hard to prove. It is easy for an administrator to change or delete logs in order to cover their tracks. In this case, it will be very hard to determine the perpetrator, not to mention prove their guilt. Even when malicious actions are detected, an administrator can easily explain them away as a mistake.
All of these factors highlight the importance of protecting your database from unauthorized malicious actions by administrators, but they also stand as a testament to how difficult that task really is.
Most companies already employ basic database protection measures, such as securing the physical server, keeping the database up to date, using firewalls, encrypting traffic, etc., but most of them will do nothing against database administrators. At the same time, DBMS vendors provide certain security features out of the box, such as the ability to control and limit user privileges and access levels and to log user actions, but again, most of those features will have little to no effect when it comes to actually protecting your database from the admin’s changes. So how do you protect an enterprise database from an admin's changes?
In order for such protection to be truly viable, it needs to be complex and holistic in nature and be a part of company security at every level, starting with specific policies.
Essential security policies
Security policies at your company define your very approach to the detection, prevention and response to cybercrime. Sadly, such policies do not always account for insider threats, especially the ones coming from privileged users. However, there are two simple principles that, when applied, greatly improve the protection of your database from insider threats.
Principle of least privilege. The first step in protecting your database from privileged users is to limit their number. You need to have as few users with elevated privileges as possible, and to do so you should give each new user the least amount of privilege possible by default, only raising the bar when it is necessary. This principle also applies to database administrators when you have several of them, a common situation for medium and large sized companies. In this case, it is not necessary to grant each admin every permission possible. Limiting their access to only the areas they are working with will lower the number of potential attack vectors and will help identify the culprit in case of an insider attack.
Principle of separation of duties. It is a very good practice to separate the duties of a database administrator as much as possible. Ideally, each large task should be divided into two or more small chunks and spread between several admins. This way you ensure that no single person has unrestricted authorization to do everything and that people are required to cooperate in order to complete a larger task. Such cooperation heavily discourages insider attacks, as people will be more reluctant to conduct malicious actions when directly working with others. A good example of such separation is splitting backup and recovery processes between two administrators, which will make it much harder for either of them to steal the data.
Access control and privilege management
Your company should also have clear policies on data access and access control. Controlling access to data and what can be done with it is among the best tools you have when it comes to insider threat protection, and it should be an essential part of your security.
Remove or change any default accounts. First of all, you should make sure that nobody can access your database by using default credentials, which are often created automatically. More often than not, the passwords and names of such accounts are public knowledge, or simply easy to guess, so such accounts should be removed as soon as possible or their credentials changed.
Also, databases sometimes come with a very wide set of default permissions, allowing almost anyone access to the data. In such a case, these default permissions should be removed. For example, in order to protect an Access database, you should remove all default permissions granted when creating a new database.
Prohibit direct use of shared accounts. Administrators often tend to use a single admin or root account to access the system that hosts the database, and will often have a single shared database account as well. When malicious actions are performed, such shared accounts can make it very hard to determine who was responsible. Therefore, direct use of shared accounts should be strictly prohibited and each administrator should use a unique set of credentials. Moreover, direct access to the system hosting the database is also undesirable, as it makes your database more vulnerable to hacking attacks. It’s much more secure to use commands such as sudo or su on Linux, or to disallow desktop login on Windows and access the database remotely.
Employ strong and unique passwords. Password strength largely defines the strength of account protection inside your company. Often, employees will use personal details, such as their date of birth, or generic strings like 123 as their passwords, and administrators are rarely better at this than their less tech-savvy peers. Therefore, using strong passwords should be part of a company-wide security policy, and the corresponding guidelines should be created. Moreover, malicious insiders can easily get a password from a colleague and use it for unauthorized access to your database. To prevent this, each employee should use a unique password and password sharing should be strictly prohibited. Another good practice that helps strengthen protection from both insider and outsider attacks is to rotate passwords periodically or to use automated password vaults.
Manage admin privileges. Apart from access control, another great tool for insider threat protection that you should definitely employ is user privilege management. As mentioned above, the principle of least privilege applies to administrators just the same as to everybody else, especially if you have a lot of them servicing a single database. In this case, it is best to strictly separate their duties and grant a different set of permissions to each of them, limiting their access to only the objects and features they need to properly do their job.
Depending on the database management system you use, the ways to manage user permissions can differ. Most allow permissions to be assigned individually, but that is rarely the most efficient approach. For this reason, many DBMSs offer the ability to assign either custom or pre-defined roles to users, so that permissions, or entire sets of permissions, can be granted and revoked in bulk. This allows you to effectively limit the permissions of database administrators, the scope of their access, and the ways they can use it.
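As an added example (not part of the original article), the policies from the last two sections expressed for PostgreSQL: the built-in account's credentials are rotated and the privileges every role inherits through PUBLIC are stripped, one non-login role is created per administrative task, each administrator gets a named login, and backup and recovery are split between two people as suggested above. The database, schema, role and user names are assumptions.

```sql
-- Added example, not from the original article; all names are hypothetical.

-- Default accounts and default permissions: rotate the built-in superuser's
-- credentials, keep it for break-glass use only, and strip what every new
-- role inherits through PUBLIC.
ALTER ROLE postgres PASSWORD 'placeholder-generated-by-password-vault';
REVOKE ALL ON DATABASE crm FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC;

-- One non-login role per administrative task instead of one all-powerful account.
CREATE ROLE dba_backup NOLOGIN;            -- reads everything, changes nothing
GRANT pg_read_all_data TO dba_backup;      -- built-in role, PostgreSQL 14 and later
CREATE ROLE dba_restore NOLOGIN;           -- writes only into the restore staging area
CREATE SCHEMA restore_staging;
GRANT USAGE, CREATE ON SCHEMA restore_staging TO dba_restore;
CREATE ROLE dba_users NOLOGIN CREATEROLE;  -- manages accounts, holds no data access
-- CREATEROLE is never inherited through membership: a member must SET ROLE
-- dba_users to use it, which makes account management a distinct, auditable step.

-- One named login per administrator; no shared account is created at all.
CREATE ROLE alice LOGIN PASSWORD 'placeholder-vault-secret' VALID UNTIL '2030-01-01';
CREATE ROLE bob   LOGIN PASSWORD 'placeholder-vault-secret' VALID UNTIL '2030-01-01';
CREATE ROLE carol LOGIN PASSWORD 'placeholder-vault-secret' VALID UNTIL '2030-01-01';

-- Separation of duties: backup and recovery belong to different people,
-- account management to a third.
GRANT dba_backup  TO alice;
GRANT dba_restore TO bob;
GRANT dba_users   TO carol;

-- Check: every login role, whether it is still a superuser, and what it belongs to.
SELECT r.rolname, r.rolsuper, r.rolcreaterole,
       array_remove(array_agg(m.rolname ORDER BY m.rolname), NULL) AS member_of
FROM pg_roles r
LEFT JOIN pg_auth_members am ON am.member = r.oid
LEFT JOIN pg_roles m ON m.oid = am.roleid
WHERE r.rolcanlogin
GROUP BY r.rolname, r.rolsuper, r.rolcreaterole
ORDER BY r.rolname;
```

The final query is the one to run periodically: any login role with rolsuper = true that is not on the break-glass list is a policy violation worth an alert.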
User action monitoring
While privilege management and access control are great deterrent measures, in order to effectively protect your database from insider threats you need a way to detect them. As mentioned above, insider threat detection is a complex problem that is very hard to solve without clear insight into what a user is doing. Therefore, the best way to detect an insider attack is to have a full audit trail of all user actions.
The most obvious choice for the source of such an audit trail is the database and system logs. However, the effectiveness of such logs can be limited. While they provide a lot of data, they can rarely give you a full picture. They are also often hard to search and work through in order to find the information actually relevant to the incident. However, the most glaring flaw of such logs is that they are not well protected against privileged users. In many cases, a database administrator will be able to stop the audit process, or alter or even delete its results.
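An added example, not from the original article, showing one way to make a database-side audit trail tamper-evident in PostgreSQL and why that still does not solve the problem the paragraph describes: each entry is hash-chained to the previous one, so an edited or removed entry breaks every later hash, but a superuser can rewrite the whole table, so the chain only helps if its latest hash is copied to a system the administrators cannot reach. Table, function and role names are assumptions.

```sql
-- Added example, not from the original article; all names are hypothetical.
CREATE TABLE dba_audit (
    id        bigserial PRIMARY KEY,
    logged_at timestamptz NOT NULL DEFAULT now(),
    db_user   text NOT NULL DEFAULT current_user,
    action    text NOT NULL,
    prev_hash text NOT NULL,
    row_hash  text NOT NULL
);
-- Administrators may append and read entries, but not change or remove them.
CREATE ROLE dba_ops NOLOGIN;   -- hypothetical group role holding all administrators
REVOKE ALL ON dba_audit FROM PUBLIC;
GRANT INSERT, SELECT ON dba_audit TO dba_ops;

-- One digest definition shared by writer and verifier; the timestamp is rendered
-- in UTC so the result does not depend on the session's TimeZone or DateStyle.
CREATE FUNCTION dba_audit_digest(prev text, id bigint, u text, a text, t timestamptz)
RETURNS text LANGUAGE sql AS $$
    SELECT encode(sha256(convert_to(
        prev || '|' || id::text || '|' || u || '|' || a || '|' ||
        to_char(t AT TIME ZONE 'UTC', 'YYYY-MM-DD HH24:MI:SS.US'), 'UTF8')), 'hex');
$$;

-- Chain every new row to the previous one: row_hash = H(prev_hash || this row).
CREATE FUNCTION dba_audit_chain() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    PERFORM pg_advisory_xact_lock(hashtext('dba_audit'));  -- serialise concurrent appends
    SELECT COALESCE((SELECT row_hash FROM dba_audit ORDER BY id DESC LIMIT 1), '')
      INTO NEW.prev_hash;
    NEW.row_hash := dba_audit_digest(NEW.prev_hash, NEW.id, NEW.db_user, NEW.action, NEW.logged_at);
    RETURN NEW;
END $$;
CREATE TRIGGER trg_dba_audit_chain BEFORE INSERT ON dba_audit
    FOR EACH ROW EXECUTE FUNCTION dba_audit_chain();

-- Constructed sample activity.
INSERT INTO dba_audit (action) VALUES ('pg_dump crm'), ('GRANT dba_restore TO bob');

-- Verify: recompute each hash from the stored columns and the previous row.
-- A row with chain_ok = false, or a missing id, means an entry was edited or
-- deleted. Deleting only the newest rows is invisible here, which is why the
-- latest row_hash must be copied to a system the administrators cannot reach.
SELECT id, db_user, action,
       prev_hash = LAG(row_hash, 1, '') OVER (ORDER BY id)
       AND row_hash = dba_audit_digest(prev_hash, id, db_user, action, logged_at)
           AS chain_ok
FROM dba_audit
ORDER BY id;
```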
Therefore, in order for user action monitoring to be truly effective, a specialized third-party solution designed to record privileged user actions should be employed. Such employee tracking software will not only help you protect your database, but will also serve as a powerful deterrent to any potential malicious insiders, and the resulting records can be easily used as evidence if needed.
Ekran System – privileged action monitoring tool to protect your database
A great example of a specialized user action monitoring solution that can be effectively used to protect databases from potential malicious actions by administrators is Ekran System. Ekran System is an insider threat detection tool that provides you with all the necessary knowledge and capabilities to efficiently detect malicious actions and appropriately respond to them. The main strong suits of Ekran System include:
Full monitoring of every user action. Ekran System gives you a full audit trail of each user session in the form of an indexed video recording of the user's screen coupled with relevant metadata. You can easily see every action the same way users saw it on their screen and easily search the recording as needed. Metadata is used to annotate the video with additional information, such as running scripts for SSH sessions.
Privileged user monitoring. Ekran System is fully designed to effectively monitor privileged users as well as subcontractors and third-party providers. The monitoring agent is reinforced with driver-level protection, which makes it impossible to stop or shut down even for a system administrator. Therefore, Ekran System will be able to easily monitor administrator actions without any way for them to interfere with the recording process, giving full insight into how they work with your database.
Alerting and session blocking. Ekran System has customizable alert functionality, allowing you to set up alerts that suit your own situation. As soon as a potentially malicious action is detected, a notification is sent to security personnel via email. They will then be able to view the session live and remotely block the user if necessary. Ekran System also monitors USB devices and can automatically block them if needed. This feature can be employed to prevent administrators from using USB mass storage devices to copy the contents of your database.
The big downside of specialized user action monitoring solutions is their cost of deployment. In many cases you need to buy a separate piece of infrastructure (such as a management tool or a server) for a fixed price, regardless of how many endpoints you need to monitor. While this is not a problem for large companies, smaller ones can struggle to justify the cost.
Ekran System, on the other hand, charges only based on the number of monitored endpoints, without any fixed charge for infrastructure, which makes for a cost-effective deployment even for small and medium sized companies. Therefore, regardless of the size of your company, you can use Ekran System to effectively set up an audit trail and gather employee activity statistics that will help you catch any potential malicious actions by your system administrators and reliably protect your database.
In conclusion to this article I also wanted to touch on one subject that was omitted up until now, but is nevertheless highly relevant: enterprise IT security compliance requirements. In most countries certain types of data are protected by both local and international law, financial and personal data in particular. In this case, using privileged access management and user action monitoring tools becomes not only a good practice, but also a requirement. However, it is important to remember that the purpose of compliance is not to check the boxes and appease the regulators.
Compliance helps companies protect their data by providing the security standards they should adhere to. And compliance should not be your main reason to use security measures anyway. Nowadays, data is an extremely valuable asset, regardless of the size of your company or its place in the market, so protecting it should always be high on your list of priorities.
User monitoring and access management solutions will help you to both achieve compliance and protect your data, but for the maximum effect they should be complemented by smart security policies, and other conventional security measures, such as thorough background checks.
The practices and solutions described in this article constitute the cornerstone of reliable protection of your database from malicious actions by your own administrators. But this list is not exhaustive. By choosing the solutions best suited to your specific situation and integrating them into your organization's security system, you will be able to greatly strengthen your security posture and take a giant step toward reliably securing your valuable data.