
Availability as a Database Security Component?

In trolling around reading up on different things to do with database security, I came across a graphic (credit: checkmarx.com) that took what I thought was a surprising look at security and what was included in an overall secure model for data.  There were limited items – Availability, Integrity, Confidentiality.  I won’t go into a lot of specifics; I suspect it was part of a whitepaper and don’t want to impair their document.  But the Availability was a surprise to me when it comes to security.

Not being sure what the model is they’re really reaching for, it would have to be that availability has to be supported by the security models you put in place.  It always got me laughing when people talked about government level security on the old-style NT servers – that the highest level was “unplugged from the network” and in a closet.  We used to joke that it would be even more secure if you unplugged the power cable.  I suspect that this type of thing drives the availability portion of the discussion.  Your solution has to provide for data security while still providing for access and availability.

I took a look at Wikipedia’s page (link here) and their definition is much more “traditional” in that it includes the typical elements:

  • Access control
  • Auditing
  • Authentication
  • Encryption
  • Integrity controls
  • Backups
  • Application security
  • Database Security applying Statistical Method

(An aside: By the way, if you’re up for it, this page on Wikipedia could use a hand… it’s pretty rough…)

I tripped over that last one almost immediately. I suspect (hope) that that’s an AI-based inference.  That you can look at the typical use of the information and recognize when things don’t seem quite right.  Azure does a lot of this in their security monitoring options already.  I think this is a critical component of systems going forward, but there are few models to put in place today (at least that I’ve seen).  There is the start of a web application firewall marketplace, for example, on Amazon AWS.  This has the potential of having libraries of recognizable malicious activity.  It would be really excellent if it moved into a cloud-sourced type of solution that you could report an operation or behavior and start to add it to the collective.  It would be a much more quickly responding tool.  Of course, you have vetting issues and malicious use of the filters even, but it’s a good direction.

The Azure security monitoring and reporting tools are excellent at recognizing out-of-band behavior as well.  They’ll notify you if things look fishy and I’m sure that sooner rather than later, they’ll be able to step in with your OK, and block operations and learn what’s OK, etc. for your specific workload at a very detailed level.  Kind of goes back to that telemetry post about learning from the real application of the systems.

The availability thing, though, is an unusual component.  Perhaps it shouldn’t be.  For nearly any system I’ve been involved with, the end-user was the first to be sacrificed in the search for security.  More login requirements, authentication requirements for devices, phones or ID cards, outright locking them out when something is happening.

It’s either that, or we can re-visit unplugging the system.  That works too.