Database Security During Covid-19
Covid-19 has impacted the world in dozens of ways. The IT space is no different, especially when it comes to databases and the way DevOps is having to adjust to the new reality. Remote work is becoming common practice in more and more organizations, something that is triggering additional cyber threats and so are compliance violations. Let's learn why and how organizations can fight these new problems.
The Biggest Covid-19 Challenges
There are dozens of challenges that Database (DB) professionals and developers are facing on a daily basis today. Three biggest ones include:
Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD) was already trending before the Covid-19 outbreak. But the new reality has forced developers, DBAs, and DB professionals to work almost daily from home. They naturally use their private machines to get the job, which are hard to monitor and safeguard like before.
This by itself exposes the databases to malicious activity and suspect code. This is before addressing the dangers that come with unsecured WiFi connections. One thing hasn’t changed. Organisations are responsible for all personal data that devs and IT professionals handle on a daily basis.
Lack of Communication
It's also quite obvious that having dozens of professionals scattered across cities and countries has introduced a plethora of challenges for organizations all around the world. Teams can no longer have coffee together to discuss bottlenecks, not can they collaborate seamlessly like before Covid-19 struck.
The only way to get things done today is by video and tele-conferencing. Unfortunately, like the aforementioned BYOD issue, these remote communications also provide additional opportunity for skilled hackers. There is also the issue of email phishing, which has escalated exponentially in 2020.
Needless to say, these limitations also hamper the development and implementation of development, governance, and security policies of organizations. Checking projects constantly for code accuracy and optimal quality is a problem, and so is the monitoring and tagging of changes in JIRA.
Implementing DevOps smoothly with traditional manual methods was already starting to become challenging in recent years. The dynamic nature of applications and the need for faster iterations (better time-to-market) led organizations to face code drift problems and version control issues.
To make matters worse, pinpointing bottlenecks and monitoring changes has become even more different with dozens of remote logins that are simply creating a lot of headaches for all sides involved. Quality is often compromised, which eventually leads to brand damage and loss of customers.
Did You Know?
As per Securityintelligence.com, more than half of the malicious database activity in 2020 is happening in two countries - 33% in Spain and 23% in the U.S.
5 Ways to Achieve Success
Fortunately, having a proactive gameplan and automating various stages of the development pipeline can help avoid the aforementioned problems.
Establish BYOD Policies
All personal computers used by the developers and stakeholders should be subject to the official approval (and monitoring) of the network administrator, who needs to come up with a solid BYOD policy. This policy should ideally involve strict password and authentication protocols for optimal security.
Besides the obvious steps like automatic device locking after a period of inactivity and limitations for data processing (i.e - Personal Health Information), the organization should have a comprehensive governance mechanism where only the required permissions and access is given to the relevant personas.
Improve Security Training
All organization workers, regardless of their seniority or position, should be able to detect a phishing email and report it to the relevant person. As mentioned earlier, email traffic is growing due to the remote nature of the work today and malicious bodies are making use of this recent development.
You should ideally be creating procedures/policies for employees with access to sensitive data stored in the database (if needed) and other critical systems. All access times and durations should ideally be documented for compliance purposes and also to improve remediation times if and when issues arise.
Address Remote Login Vulnerabilities
This is where many organizations fail to enforce high security standards, despite the steps required being pretty obvious to all. Data sent through a Virtual Private Network (VPN) is encrypted and unreadable if intercepted by an unauthorised third party. Hence this is the first thing everyone must implement.
Furthermore, employees should be required to use a two-factor authentication process (i.e., two layers of security confirmation) to access the VPN. Also, organizations must demand frequent password changes, which should be complex and unique (not common words, dates or identifying information).
It’s also a good idea to require that home Wi-Fi passwords be changed on a regular basis for additional peace of mind. There should also be pre-defined data erasure protocols to avoid the device being sold or transferred to a third-party, malicious or not, with sensitive data still stored on it.
Enforce Secure Communication
Your organization needs to make sure that that video and tele-conferencing services are secure. This is because the mainstream communications apps are vulnerable to hackers. All devs and DB professionals should be required to use only pre-approved service providers to ensure optimal safety standards.
Some of the key aspects of security on this front include the Data Processing Agreement, what kinds of data does the app collect, what permissions are required, and most importantly is there end-to-end encryption with minimal metadata use. The entire checklist is available here.
The Dutch data protection supervisory authority’s comparison of video conferencing tools is a great way to select the right vendor for your needs.
Automate Your Database
The aforementioned tactics will only get you so far. You will also need to automate your database management in order to fight off the bad guys.
- Automated Governance - Policy enforcement is one of the biggest pain points during the Covid-19 period. But automating the governance process can help you manage all passwords and privileges from one centralized dashboard. The control is now absolute.
- Smooth Role Management - Once the DBA has an automated software solution to minimize human intervention and manage roles with just a few clicks, security levels are elevated to a whole new level. Modifying and revoking roles and permissions has to be fast(er) in today’s reality.
- Audit Trails - Manually documenting and recording all database actions is often plagued by human error. Organizations originally had to invest a lot of time and resources to pass compliance audits. But now every login can be automatically recorded and documented for best results.
All in all, automating your database management processes will also improve cross-department collaboration, which is extremely crucial when everybody is working from home. With less friction between the devs, IT staff, and DB professionals, the focus can shift to what is really important - product quality.
WANT TO TIGHTEN UP YOUR DATABASE SECURITY?
Automate your database to protect sensitive data while improving your faster time-to-market and optimizing quality.