S 2.124 Selection of suitable database software
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator, IT Security Officer
When purchasing new database software, it is possible to select the software right from the start in such a way that only minimal additional personnel and organisational resources are necessary to achieve a high level of security when it is operated later on.
At the beginning, the field of application and intended purpose of the database system must be clarified so that it is possible to formulate the requirements regarding availability, integrity, and confidentiality. Furthermore, the requirements must be quantified in terms of the amounts of data to be processed, the data processing speed, and the throughput. This information can be used to derive the features the database software to be purchased must have, for example its availability for certain hardware platforms and/or operating systems or the scope of necessary security mechanisms. In this planning phase, it is possible to determine whether and to what extent the hardware must be upgraded and/or replaced to operate the database system later on. The monitoring capabilities required must then also be defined based on the availability requirements, i.e. it must be specified which database states should be detectable and how they will be detected (for example by logging information in a file), as well as how the persons in charge and/or groups of persons in charge will be notified about critical database states (for example by displaying a message on the console).
When purchasing database software, the following aspects should be taken into consideration in particular:
- The database software must provide suitable internal mechanisms for the identification and authentication of the users (see S 2.128 Controlling access to a database system).
- The database software must provide suitable mechanisms for restricting resources (see S 4.73 Specifying upper limits for selectable data records).
- If confidential data will be administered in the database, unauthorised access to this data must be prevented. The database software to be purchased in this case must provide corresponding data access control mechanisms (see S 2.129 Controlling access to database information). It should be possible to form groups and assign a number of users with the same data access privileges to the groups. In doing so, it is obligatory to distinguish between the group of administrators and the group of users. Furthermore, the separation of various administrator roles should be supported (see S 2.131 Separation of administrative tasks for database systems).
- Some databases offer several data access protection mechanisms of different strengths. Here, similar security mechanisms with different levels of security may also be offered. It must be clarified in advance which access protection mechanisms are necessary and which database software meets the defined security requirements. The most important factor in this case is the ability to restrict the access rights to database objects and the data itself. Examples:
  - users can be denied the right to create or modify database objects (such as tables);
  - users can be granted read-only access to a table while being denied write access to it;
  - access to certain tables or certain fields of a table can be prohibited for certain users;
  - users can be denied all access to records with certain characteristics (for example, a staff employee in Bonn can be denied access to the data of a staff employee in Cologne).
- Some manufacturers offer the possibility of defining both groups and roles. This capability can be used to implement a range of different access control levels for the database objects. The requirements in this regard must be clarified in advance and compared to the available database software products.
- The monitoring and control mechanisms of the database software must be examined as well. The requirements for such mechanisms must be defined and compared to the performance profiles of the products (for examples, see S 2.133 Checking the log files of a database system and S 2.126 Creation of a database security concept).
- It must be checked whether the database software supports a separation of the administrator and auditor roles. It must be possible to set up the auditor role so that it is the only role able to evaluate and delete the log files. This prevents potential manipulations to the log file data by the database administrator.
- In order to protect the integrity of the database, the database software must provide a complete transaction system complying with the ACID principle. Nowadays, this requirement is met by all of the most popular relational database management systems.
- The database must provide mechanisms for backing up the data in the database (see S 6.49 Data backup in a database).
In terms of database backups, it must be clarified in advance which database backup capabilities must be offered by the database software. For example, partial database backups are not offered by all products available on the market. For this reason, it must be examined in each individual case whether the data backup concept drawn up can also be implemented using the available mechanisms.
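The access restrictions listed above (denying object creation, read-only grants, hiding columns, hiding rows by site) and the administrator/auditor separation can be checked concretely against a candidate product during the test phase. The following is an added example, not part of S 2.124 and not taken from any vendor's documentation; it assumes PostgreSQL syntax, and the schema, table and role names (hr.staff, hr_readers, hr_editors, alice, bob, db_auditor, audit.events) are constructed for illustration.

```sql
-- Added example (not part of S 2.124): PostgreSQL syntax assumed; all object
-- and role names below are constructed for illustration.

-- Groups are modelled as NOLOGIN roles; users are LOGIN roles made members of them.
-- This gives the administrator/user distinction the safeguard asks for.
CREATE ROLE hr_readers NOLOGIN;
CREATE ROLE hr_editors NOLOGIN;
CREATE ROLE alice LOGIN PASSWORD 'placeholder-change-me';
CREATE ROLE bob   LOGIN PASSWORD 'placeholder-change-me';
GRANT hr_readers TO alice;
GRANT hr_editors TO bob;

CREATE SCHEMA hr;
CREATE TABLE hr.staff (
    id       integer PRIMARY KEY,
    name     text    NOT NULL,
    location text    NOT NULL,   -- e.g. 'Bonn' or 'Cologne'
    salary   numeric NOT NULL
);

-- Example 1: deny the right to create or modify database objects.
-- Ordinary users get USAGE on the schema but not CREATE, so they cannot add tables.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA hr TO hr_readers, hr_editors;

-- Example 2: read-only access for one group, write access for another.
GRANT SELECT ON hr.staff TO hr_readers;
GRANT SELECT, INSERT, UPDATE, DELETE ON hr.staff TO hr_editors;

-- Example 3: prohibit access to certain fields. Column-level privileges replace
-- the table-wide SELECT for the reader group, so 'salary' is not visible to them.
REVOKE SELECT ON hr.staff FROM hr_readers;
GRANT SELECT (id, name, location) ON hr.staff TO hr_readers;

-- Example 4: deny access to records with certain characteristics (row level):
-- a user only sees rows whose location matches the site assigned to that user.
CREATE TABLE hr.user_site (
    username text PRIMARY KEY,
    location text NOT NULL
);
INSERT INTO hr.user_site VALUES ('alice', 'Bonn'), ('bob', 'Cologne');

ALTER TABLE hr.staff ENABLE ROW LEVEL SECURITY;
CREATE POLICY staff_by_site ON hr.staff
    FOR ALL
    USING (location = (SELECT s.location FROM hr.user_site s
                       WHERE s.username = current_user));
-- Caveat: the table owner and superusers bypass the policy (unless FORCE ROW LEVEL
-- SECURITY is set, and roles with BYPASSRLS always do), so application accounts
-- must never be the owner or a superuser.

-- Separation of administrator and auditor: only the auditor role may read and
-- purge an audit trail kept inside the database.
CREATE ROLE db_auditor NOLOGIN;
CREATE SCHEMA audit;
CREATE TABLE audit.events (
    event_id  bigserial   PRIMARY KEY,
    occurred  timestamptz NOT NULL DEFAULT now(),
    actor     text        NOT NULL,
    action    text        NOT NULL
);
REVOKE ALL ON audit.events FROM PUBLIC;
GRANT SELECT, DELETE ON audit.events TO db_auditor;
-- Caveat: a superuser DBA cannot be locked out by GRANT/REVOKE alone; whether the
-- product can enforce this separation (for instance through its own audit
-- facility) is exactly what the selection and test phase has to establish.

-- Verification queries: confirm the restrictions actually took effect.
SELECT has_table_privilege('alice', 'hr.staff', 'INSERT');
SELECT has_column_privilege('alice', 'hr.staff', 'salary', 'SELECT');
SELECT has_column_privilege('alice', 'hr.staff', 'name', 'SELECT');
SELECT has_table_privilege('bob', 'hr.staff', 'UPDATE');
SELECT grantee, privilege_type
  FROM information_schema.role_table_grants
 WHERE table_schema = 'hr' AND table_name = 'staff';
```

Run as a role that owns the objects; the verification queries at the end confirm that alice cannot write to hr.staff and cannot read the salary column while bob can update, and the information_schema query lists the effective table-level grants. The two caveats in the comments are the selection-relevant points: where the product lets owners or superusers bypass row policies or audit-table grants, the organisational separation of roles has to be enforced by other means, and that must be known before the purchase rather than discovered in operation.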
Based on these criteria, the database systems available for selection must be examined and evaluated. The software that best meets the specific requirements should then be selected. More in-depth requirements must then be met either using additional products or by developing the corresponding software in-house. However, it should be clarified before purchasing which additional products are available for which database software so that it is not necessary to develop software in-house, which is expensive.
There are generally several different versions of most of the database management systems available on the market at the same time. Different versions of the same database management system usually differ only in terms of their functionality, and this includes the security-relevant functionality. The high level of competition has forced some manufacturers to deliver software that is not fully mature, for which it must be assumed that the software contains errors and can only provide limited functionality.
For this reason, it should be examined in a test phase whether the database software selected is actually able to provide the necessary functions in the given application environment. This applies especially to the requirements regarding performance and the mechanisms necessary for contingency planning.
Before purchasing, the experiences gained from comparable installations should also be taken into consideration.
Review questions:
- Were requirements for the database software defined and documented?
- Was the selection made between different database software products based on the defined requirements?