Database security is everyone’s responsibility
There’s an ever-growing need for understanding database security best practices — and having a clear picture of database security threats and vulnerabilities is a valuable skill for all cybersecurity professionals to learn, says Infosec Skills author Monette Davis.
“It used to be, make this as easy for yourself as a database administrator (DBA) as possible, and now that's no longer the case,” says Monette, who recently released a Database Security Learning Path.
“There are things you need to do, things you need to separate, to make sure that you are keeping your user accounts and passwords in a safe location, and not sharing those with other teams and with other systems. It's changed quite a bit.”
FREE role-guided training plans
Recent high-profile data breaches have come in a variety of forms:
- Japanese e-commerce platform Mercari recently disclosed a data breach that exposed tens of thousands of customer financial records.
- Russian hackers added malicious code to SolarWind’s Orion network management software to access top government officials’ email accounts, including that of the acting head of the Department of Homeland Security and the department’s cybersecurity staff.
- A phishing attack exposed Social Security numbers and other personal information of thousands of state workers in California.
- Chicago-based CNA Financial is said to have paid $40 million to recover access to its systems from a ransomware attack in March, and Colonial Pipeline paid $5 million to regain its IT network.
How database security has evolved
“When I first started as a DBA, it was mostly you wanted people to have the least privilege,” says Monette, a database security engineer who has worked in database administration and security for nearly 20 years.
“You would use that same service account or same user account across the board for all of your databases. That's not the best practice now. You don't want to use that same service account because if it is compromised, then attackers can run the gamut on all of your systems.”
Monette believes database security is an important, growing need for IT and security professionals as well as database administrators. After mentoring a number of junior database administrators and other professionals, she’s created a nine-course learning path to teach those needed skills.
Database security training courses
Topics covered in Monette’s Database Security Learning Path include:
- Database security assessment
- Who’s responsible for data security?
- What data requires elevated security?
- When is database security important?
- Why is database security necessary?
- How to secure databases in use
- How to secure databases in motion
- How to secure databases at rest
- Auditing and monitoring database security
- Policies and procedures for database security
“I know I'm better as a hands-on learner and as a visual learner, so I try to show how things work like tokenization or encryption — things that are a little more complex to grasp when just hearing it,” she explains. “I try to give visualizations as well as hands-on training so that you can actually see how things work. I really like for people to put their hands on the keyboard and understand it while they're going through it.”
The learning path covers both SQL, which is a relational database, and MongoDB, which is a non-relational database.
“I went through the install process as well as setting up some data obfuscation — so data masking and encryption and explained why you would want to do it,” said Monette. She also demonstrates creating views, using schemas and providing options in ways of reducing who has access to what data.
The courses also cover the hows and whys of understanding the backend of a database and the security protocols to protect sensitive data
Skills needed for database security professionals
Whether you work in healthcare, retail, television or a small mom and pop store, you’re going to hold some type of consumer data, Monette explains.
“If it's just their name and address, that's still protected information,” says Monette. “Even if you're not afraid of someone stealing sensitive data, you don't want to leave yourself open to someone just wiping out everything that you have and needing to start from scratch because that could ruin a business, especially a small one.”
That’s why one of the most important things to know is how to classify data and why you're classifying that data, says Monette. “These courses definitely cover that, and it also covers ways of protecting the data: data-in-use, data-in-transit and data-at-rest.”
“Having a good policy in place is usually the last thing people look at, but it should go right up there with the data classification,” she notes. “As you’re classifying your data, you also need to be making policies.”
The proliferation of data and threats
The proliferation of databases and increased use of cloud computing and storage are making database security a top priority.
“There are a ton more ways of storing data. You have your on-prem, you have in the cloud — and what is your responsibility as a database administrator if it is in the cloud? What part do you play there?” Monette asks.
“We go over who is responsible for data security — basically everyone is — but there are also parts and pieces within that, teams that have more of a responsibility than others. Honestly, I think everyone should know these skills.”
Learn more about Monette Davis’ Infosec Skills courses:
Sources
E-commerce giant suffers major data breach in Codecov incident, Bleeping Computer
Insurance Firm CNA Financial Reportedly Paid Hackers $40 Million, The Hacker News
Colonial Pipeline Paid Nearly $5 Million in Ransom to Cybercriminals, The Hacker News
SolarWinds Hackers Accessed DHS Chief's Email, Dark Reading
Phish Leads to Breach at Calif. State Controller, KrebsOnSecurity
In this Series
- Database security is everyone’s responsibility
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity