View from the Top Floor
At the highest level, we would want to consider the protection of our database files, including the database backups. In the SQL Server 2005 world, native options for protecting our physical database files, transaction logs and TempDB system database are non-existent. We would need to depend on features of the operating system, and on third party tools, for this level of protection. For example, Red Gate's SQL Backup Pro offers encryption of the backup files. In the world of SQL Server 2008, Enterprise Edition, the Transparent Data Encryption feature would be implemented, offering full protection for the physical files of the database, as well as its backup files.
Design for Protection
Figure 1 illustrates how the HomeLending database is organized into logical groupings. For example, the borrower names reside in the Borrower_Name table and the borrower's employer data resides in the Borrower_Employer table.
The Borrower_Identification, Borrower_Income, Asset_Account, Liability_Account and Credit_Report tables all contain sensitive data. Through the normalized design of the database, this sensitive data is separated from the non-sensitive data. The Credit_Report table takes advantage of a linked server to further the separation of the sensitive data that is contained within that table.
Applied Permissions and Database Objects
The HomeLending database contains the database roles Sensitive_high, Sensitive_medium and Sensitive_low, which provide us the means to control access to database objects. Each database user that exists in the HomeLending database is assigned membership to one of these database roles.
To further elevate the level of overall security for the database, we deny access to the tables within the database to all database users. Access to the data contained within the tables is granted through views. All INSERT, UPDATE and DELETE commands are funneled through stored procedures.
Obfuscation
Underwriters are a group of users who fall into the Sensitive_high database role. These individuals review financial details and credit report details to determine whether a borrower qualifies for the loan for which he or she has applied. Therefore, the Sensitive_high database role will be able to view the detailed credit report data contained in the Credit_Report linked table.
The Shipping Clerks represent a group of users who fall into the Sensitive_medium database role. These individuals gather information about a loan that will be provided to potential investors. From this information the investors will decide whether to purchase the loan from the lender in the secondary market. There is no need for this group of users to view the details of the credit report. They are interested in aggregated versions of the data, such as the borrower's debt-to-income ratio, their credit score and the number of times that the borrower has been 30 days late with repayments. For the Sensitive_medium role, the obfuscation method of aggregation is a perfect solution. This would be offered through a view that is available to this database role.
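As an added example (not the book's own script), here is how the role, deny-on-tables, view and stored procedure arrangement described in the two preceding sections could be expressed in T-SQL; the column names, the local Credit_Report and Borrower_Income tables (the page places Credit_Report behind a linked server), the view and procedure names and the score range check are assumptions.

```sql
-- Constructed schema for this example; the page's Credit_Report sits behind a linked server.
CREATE TABLE dbo.Borrower_Income (
    Borrower_ID    INT   NOT NULL PRIMARY KEY,
    Monthly_Income MONEY NOT NULL
);
CREATE TABLE dbo.Credit_Report (
    Borrower_ID     INT          NOT NULL REFERENCES dbo.Borrower_Income (Borrower_ID),
    Creditor_Name   VARCHAR(100) NOT NULL,
    Monthly_Payment MONEY        NOT NULL,
    Days_Late_30    INT          NOT NULL DEFAULT 0,
    Credit_Score    INT          NOT NULL
);
-- The three tiers that every database user is placed into.
CREATE ROLE Sensitive_high;
CREATE ROLE Sensitive_medium;
CREATE ROLE Sensitive_low;
-- No role reaches the base tables directly; a DENY overrides any later GRANT on the table.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Credit_Report   TO Sensitive_high, Sensitive_medium, Sensitive_low;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Borrower_Income TO Sensitive_high, Sensitive_medium, Sensitive_low;
GO
-- Underwriters see the full report through a view. Because the view and the table share
-- the owner dbo, the ownership chain is unbroken and the DENY on the table is not evaluated.
CREATE VIEW dbo.vw_Credit_Report_Detail AS
    SELECT Borrower_ID, Creditor_Name, Monthly_Payment, Days_Late_30, Credit_Score
    FROM dbo.Credit_Report;
GO
-- Shipping clerks get only aggregates: score, count of 30-day lates, debt-to-income ratio.
CREATE VIEW dbo.vw_Credit_Report_Summary AS
    SELECT cr.Borrower_ID,
           MAX(cr.Credit_Score)                                        AS Credit_Score,
           SUM(cr.Days_Late_30)                                        AS Times_30_Days_Late,
           SUM(cr.Monthly_Payment) / NULLIF(MAX(bi.Monthly_Income), 0) AS Debt_To_Income
    FROM dbo.Credit_Report cr
    JOIN dbo.Borrower_Income bi ON bi.Borrower_ID = cr.Borrower_ID
    GROUP BY cr.Borrower_ID;
GO
-- All writes are funneled through a stored procedure that checks its input (assumed score range).
CREATE PROCEDURE dbo.usp_Credit_Report_Insert
    @Borrower_ID INT, @Creditor_Name VARCHAR(100), @Monthly_Payment MONEY,
    @Days_Late_30 INT, @Credit_Score INT
AS
    IF @Credit_Score NOT BETWEEN 300 AND 850 OR @Days_Late_30 < 0
        BEGIN RAISERROR('Credit_Report insert rejected: value out of range.', 16, 1); RETURN; END;
    INSERT INTO dbo.Credit_Report (Borrower_ID, Creditor_Name, Monthly_Payment, Days_Late_30, Credit_Score)
    VALUES (@Borrower_ID, @Creditor_Name, @Monthly_Payment, @Days_Late_30, @Credit_Score);
GO
-- Grants are placed on the views and the procedure only, per role; Sensitive_low gets none here.
GRANT SELECT  ON dbo.vw_Credit_Report_Detail  TO Sensitive_high;
GRANT SELECT  ON dbo.vw_Credit_Report_Summary TO Sensitive_medium;
GRANT EXECUTE ON dbo.usp_Credit_Report_Insert TO Sensitive_high;
```

A member of Sensitive_medium who queries dbo.Credit_Report directly is refused by the DENY, while the same user selecting from dbo.vw_Credit_Report_Summary succeeds and sees only the aggregated columns.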
Eyes in the Back of the Head
A honeycomb table, Customer_Information, and a database audit can be created to catch those who may snoop about for plain text sensitive data stored in the HomeLending database. Notification via database mail is set up to communicate the occurrence of any activity against this table to our DBA. For a bit of visual deterrence and intimidation, a silver hammer was provided to the DBA to whack anyone who may be found to have accessed the honeycomb table.
Good Habits
Performing regular backups of the database, as well as the encryption keys, will reduce the risk of data and key loss. Storing these backups separately will reduce the risk of theft of the data and the keys. Also, storing a duplicate copy of these backup files at an offsite location will reduce the risk of data loss due to a fire or natural disaster.
Devices and methods that protect data externally from the database, such as firewalls, secured network connections and user interface cryptography methods, are important for a broader security solution that involves data in transit.
Educate, Educate, Educate
Once the sensitive data has been secured within the database, it is important to educate the users on how to recognize sensitive data and how it should and should not be communicated. The users will be the target for those who aim to circumvent your security efforts through social engineering and phishing attempts. These efforts to glean sensitive data can come from an external as well as an internal source.
Strong sensitive data handling policies, enforcement of these policies and continual education are the keys to protecting the data that has been entrusted to your business, to protecting the reputation of your business and, most importantly, to protecting your customers.