Thursday, May 24, 2007

Database Security

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1255955,00.html

Quite an interesting article; it talks about concepts that are very logical and obvious, yet hard to implement and track.
How so?

Let's say you're the CISO of a company/govt organization that has access to highly sensitive data such as taxes, divorce records, alimony and so on. What would be your first instinct relating to protecting the data? Encryption, RBAC, ACL...?
There are many choices and each comes with its own tradeoffs. 'Mindboggling' is a mild word for the conundrum you just got yourself into.

Believe it or not, people actually abuse power! Hmmm didn't know that one, did you?

Now that you do, start with the basics. Make a list of talented people who can handle the responsibilities that will be given to them. They should be held strictly accountable at all times when it comes to the ownership and privacy of the information entrusted in their hands.

Then define roles and responsibilities that will match those tasks. With the help of commercially available software, you can do that very quickly.
For especially sensitive data, institute authentication codes, meaning that access to certain types of data should only be possible with the help of a code generated by a security officer who oversees the overall security aspects of the data.

Thus, you now have division of roles and a division of how the responsibilities are executed. How does this help? Two words - collusion avoidance (and detection).

Next, logging and audit control.

Make sure the software that you use can log certain types of searches and classify them as inappropriate when applicable. It should alert the manager or supervisor within a time defined by an SLA. Ideally this alert is real-time, so any violation can be stopped immediately.
Audits should be performed on a regular basis, and at least 3 times a year on a surprise basis. That will keep any potentially devious employees somewhat honest and probably catch those that have crossed the line before they could do more damage.
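The controls from the last few paragraphs (role-based tiers, a security-officer-issued code for the most sensitive records, and a log that classifies searches as inappropriate) as one added Python example. This is constructed for illustration and is not code from the post or from any product it mentions; the roles, field names, sample records and user activity are assumptions, and the two detection rules (repeated denials, many high-sensitivity reads in a short window) are one reasonable choice rather than anything the post specifies.

```python
"""Added example: role tiers, officer-issued single-use codes, and an access log
with simple inappropriate-search classification. All data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import secrets

# Which fields are sensitive, and which roles may read which tier (assumed).
SENSITIVITY = {"address": "low", "tax": "high", "divorce": "high", "alimony": "high"}
ROLE_TIERS = {"clerk": {"low"}, "caseworker": {"low", "high"}}


class SecurityOfficer:
    """Issues single-use access codes for high-sensitivity reads (dual control)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # constructed; would live in an HSM/KMS
        self._used = set()

    def _mac(self, user, record_id, nonce):
        msg = f"{user}:{record_id}:{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def issue_code(self, user, record_id):
        nonce = secrets.token_hex(8)
        return f"{nonce}:{self._mac(user, record_id, nonce)}"

    def verify_code(self, user, record_id, code):
        nonce, _, mac = code.partition(":")
        if not hmac.compare_digest(mac, self._mac(user, record_id, nonce)):
            return False  # wrong user/record binding, or forged/garbled code
        if code in self._used:
            return False  # codes burn on first use, so they cannot be replayed
        self._used.add(code)
        return True


@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

    def record(self, ts, user, role, record_id, field_name, outcome):
        self.entries.append({"ts": ts, "user": user, "role": role, "record": record_id,
                             "field": field_name, "tier": SENSITIVITY[field_name],
                             "outcome": outcome})


class RecordStore:
    """Checks role tier, then the officer's code for high-tier fields; logs every attempt."""

    def __init__(self, officer, log):
        self.officer, self.log = officer, log
        self.records = {f"R{i}": {"address": f"{i} Main St", "tax": f"tax-{i}",
                                  "divorce": f"div-{i}", "alimony": f"ali-{i}"}
                        for i in range(1, 7)}  # constructed sample records

    def read(self, ts, user, role, record_id, field_name, code=None):
        tier = SENSITIVITY[field_name]
        if tier not in ROLE_TIERS.get(role, set()):
            self.log.record(ts, user, role, record_id, field_name, "denied:role")
            raise PermissionError(f"{role} may not read {field_name}")
        if tier == "high" and not (code and self.officer.verify_code(user, record_id, code)):
            self.log.record(ts, user, role, record_id, field_name, "denied:code")
            raise PermissionError("valid security-officer code required")
        self.log.record(ts, user, role, record_id, field_name, "ok")
        return self.records[record_id][field_name]


def classify_inappropriate(log, window=timedelta(minutes=10), max_high_reads=3):
    """Return (user, rule, count) alerts: repeated denials, or bulk sensitive reads."""
    alerts, by_user = [], {}
    for e in log.entries:
        by_user.setdefault(e["user"], []).append(e)
    for user, es in by_user.items():
        denied = [e for e in es if e["outcome"].startswith("denied")]
        if len(denied) >= 2:
            alerts.append((user, "repeated_denials", len(denied)))
        highs = sorted(e["ts"] for e in es if e["outcome"] == "ok" and e["tier"] == "high")
        for i in range(len(highs)):  # sliding window over successful high-tier reads
            n = sum(1 for t in highs[i:] if t - highs[i] <= window)
            if n > max_high_reads:
                alerts.append((user, "bulk_sensitive_reads", n))
                break
    return sorted(alerts)


def run_demo():
    """Constructed activity: a clerk probing beyond role, a caseworker bulk-reading."""
    officer, log = SecurityOfficer(), AccessLog()
    store = RecordStore(officer, log)
    t0 = datetime(2007, 5, 24, 9, 0)

    def attempt(minute, user, role, rec, fld, with_code=False):
        code = officer.issue_code(user, rec) if with_code else None
        try:
            return store.read(t0 + timedelta(minutes=minute), user, role, rec, fld, code)
        except PermissionError:
            return None

    attempt(0, "bob", "clerk", "R1", "address")        # allowed: low tier
    attempt(1, "bob", "clerk", "R1", "tax")            # denied: role
    attempt(2, "bob", "clerk", "R2", "divorce")        # denied: role
    attempt(3, "ann", "caseworker", "R3", "tax")       # denied: no officer code
    for m, rec in enumerate(("R1", "R2", "R3", "R4", "R5"), start=5):
        attempt(m, "ann", "caseworker", rec, "alimony", with_code=True)  # 5 reads in 4 min
    attempt(20, "cal", "caseworker", "R6", "tax", with_code=True)  # normal dual-control read
    return classify_inappropriate(log)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The point of splitting the officer from the store is the post's collusion argument: a caseworker cannot read a high-tier field alone, and a single officer cannot read anything, so a misuse needs two people, and the log records both the denial pattern of someone probing their limits and the volume pattern of someone with legitimate access pulling more than a job would need.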

Rewards - any quarter/6 months/year when there have been no violations, every employee in the security team should be congratulated and rewarded for saving the CISO's reputation and bonus.

Continuous improvement -- this phrase is used so much it's almost near meaningless, but because it's almost meaningless, if I use it just once or twice it won't hurt.

But let me define it slightly differently -- CI means new ways of figuring out how to keep secure data secure (think new hacking methods, new forms of spyware/malware/adware/badware, spam, viruses, trojans - boy you have your hands full). How to keep employees from stealing data or misusing their newfound power. How to maintain the integrity of the system and its value.
How to have business running 24/7 with no bottlenecks from the DB department. How to maintain the system's authority as the final arbiter of the correctness of data that resides within.

Needless to say most of these have strong security angles, but the top rank goes to getting employees to keep the data secure and keeping themselves honest. Very honest.
Remember: Encrypted databases and password-protected sites are powerless to stop an employee with the proper key and password, but relevant training dealing in ethics and company policies pertaining to correct use and access of records, coupled with rewards for excellent and spotless conduct, should go a long way. Combined, as a mandatory matter, with the latest technology to keep data visible only to those that need to see it, this approach should be quite foolproof.

It's quite difficult, if not downright impossible, to expect 100% adherence to policy (otherwise we wouldn't have any scandals). So, the next best step to remedy and fix a potentially devastating violation in the future is to ENCOURAGE and REWARD good habits rather than simply discourage and penalize bad ones. This is not to say that the bad eggs should not be disciplined/terminated/penalized, but that good behavior should be recognized and made worthwhile.

Be safe!