While a good Cybersecurity Framework specifies the implementation of controls to mitigate information-related risk for the full life cycle of critical data, in practice I have observed that in many organizations the framework implementation tends to focus on the networks, the servers, and the applications. The lack of database focus exposes the mission-critical data of the organization to unnecessary risk. This blog is intended to bring this issue to the forefront and to suggest that having a database professional implement a relevant CIS database benchmark can ensure that the database is secure even if a particular risk was not identified by the security framework implementation team.

 Server, Network, and Application Bias

 In my experience, security considerations of servers, networks, and to a lesser degree applications, are given more attention in most organizations than databases. In fact, a firm that we work with that specializes in helping customers implement security frameworks told me that they see database administrators involved in only about 5% of cybersecurity framework implementations! 

 Because of this bias, and because of the absence of database experts in the process, when security implementers examine the controls in the cyber security frameworks and specify corrective or preventive actions to take, they tend to neglect the database.

 This bias toward non-database components of an organization’s IT infrastructure is evident even in the introduction of the well-respected NIST Special Publication 800-53A Rev. 5 document. The target audience is described as follows:

  • Individuals with system development responsibilities (e.g., program managers, system designers and developers, systems integrators, information security engineers and privacy engineers);
  • Individuals with information security and privacy assessment and monitoring responsibilities (e.g., Inspectors General, system evaluators, assessors, independent verifiers/validators, auditors, analysts, system owners, and common control providers);
  • Individuals with system, security, privacy, risk management, and oversight responsibilities (e.g., authorizing officials, chief information officers, senior information security officers, senior agency officials for privacy/chief privacy officers, system managers, information security and privacy managers); and
  • Individuals with information security and privacy implementation and operational responsibilities (e.g., system owners, common control providers, information owners/stewards, mission and business owners, system administrators, system security officers, and system privacy officers).

 Conspicuously missing from that long list of individuals mentioned as responsible for information security are Database Administrators. But the database is arguably the most important part of the environment to secure. This is where the data lives!

  Why choose CIS benchmarks as database security guidelines?

 The Center for Internet Security is an independent non-profit organization that provides frameworks for keeping organizations safe from cyber threats. These frameworks include lists of controls that protect the organization from internal or external threats.  CIS also provides benchmarks that are essentially configuration guides used to assess and improve the security of specific applications, databases, or operating systems.

 Fortunately, the CIS database benchmarks are just that — database benchmarks. They prescribe vendor-specific configuration settings that need to be set to mitigate known vulnerabilities. 

 CIS benchmarks are a faster and more certain path to database security. They provide a more prescriptive approach to satisfying the key data security objectives of cyber security frameworks like NIST, ISO 27001, and CMMC.

 The CIS database security benchmarks provide a specific set of configuration guidelines one must follow to eliminate or mitigate known vulnerabilities in the target database, operating system, or application. Carefully following these guidelines can fill potential gaps that may remain when an organization determines which controls need to be implemented to satisfy the requirements of the framework and manage information-related risk effectively.

Database-First Security

I believe that an important part of the fight against ever-increasing cyber threats is to focus intently on securing the database.   Applying proper controls at the database level first ultimately requires that controls be applied properly at other layers required by the frameworks.

 For example, properly limiting user privileges inside the database (by role) forces designers and administrators to implement role-based security and OS authentication in a more thoughtful way. Also, thoughtfully limiting OS system privileges and DBA privileges at the database level forces System Administrators to allocate privileged accounts in a more thoughtful way, enforcing principles like segregation of duties.
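As an added illustration of the role-based privilege review described above (not code from this post or from a CIS benchmark), the following Python sketch audits constructed MySQL 8 `SHOW GRANTS` output. The account names, the role and admin lists, and the three rules are assumptions chosen for the example.

```python
import re

# Privilege grants as printed by MySQL's SHOW GRANTS, e.g.
#   GRANT SELECT, INSERT ON `sales`.* TO `app_rw`@`%` WITH GRANT OPTION
# Role-membership lines (GRANT `role`@`%` TO `user`@`host`) have no " ON "
# clause, so they do not match and are skipped.
PRIV_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<grantee>\S+)"
    r"(?P<gopt> WITH GRANT OPTION)?$"
)

# Privileges treated as administrative when held globally (assumed rule set).
HIGH_RISK = {"ALL PRIVILEGES", "SUPER", "FILE", "SHUTDOWN", "PROCESS", "CREATE USER"}

# Constructed sample input; every account here is hypothetical.
SAMPLE = [
    "GRANT USAGE ON *.* TO `alice`@`localhost`",
    "GRANT `sales_read`@`%` TO `alice`@`localhost`",
    "GRANT SELECT ON `sales`.* TO `sales_read`@`%`",
    "GRANT ALL PRIVILEGES ON *.* TO `webapp`@`%` WITH GRANT OPTION",
    "GRANT SELECT, FILE ON *.* TO `report`@`10.0.0.5`",
    "GRANT ALL PRIVILEGES ON *.* TO `dba_admin`@`localhost` WITH GRANT OPTION",
]
ROLES = {"`sales_read`@`%`"}            # accounts that exist only as roles
ADMINS = {"`dba_admin`@`localhost`"}    # approved DBA accounts, exempt

def audit_grants(lines, roles, admins):
    """Return sorted (grantee, finding) pairs for grants that bypass roles."""
    findings = set()
    for line in lines:
        m = PRIV_RE.match(line.strip())
        if not m:
            continue  # role membership or an unrecognised line
        grantee = m["grantee"]
        if grantee in admins:
            continue
        privs = {p.strip() for p in m["privs"].split(",")}
        # Rule 1: users get privileges through roles, never directly.
        if grantee not in roles and privs != {"USAGE"}:
            findings.add((grantee, "direct-grant"))
        # Rule 2: no administrative privilege at global scope.
        if m["scope"] == "*.*" and privs & HIGH_RISK:
            findings.add((grantee, "global-admin-privilege"))
        # Rule 3: only DBAs may pass privileges on to others.
        if m["gopt"]:
            findings.add((grantee, "grant-option"))
    return sorted(findings)

if __name__ == "__main__":
    for grantee, finding in audit_grants(SAMPLE, ROLES, ADMINS):
        print(f"{grantee}: {finding}")
```
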

If you are leveraging Oracle, MS SQL Server, MySQL, or MongoDB to hold mission-critical or sensitive data, I strongly recommend that you leverage CIS benchmarks as a complement to any cyber security framework.

The CIS benchmarks are available for free here.