Exclusive Preview: Dr. Kabay’s Insights on Database Management and Security

By Dr. M.E. Kabay

August 23, 2024

The following is an excerpt from Dr. M.E. Kabay’s excellent new book, The Expert in the Next Office: Tools for Managing Operations and Security in the Era of Cyberspace.

From page 303:

DATABASE MANAGEMENT AND SECURITY

DBs [databases] are ubiquitous and, like much pervasive infrastructure, sometimes we have to remind ourselves to consider their security implications. How often do most people think about the security implications of electrical systems, air-conditioning, data archives, and garbage? Security specialists do, yet I rarely meet security specialists who explicitly include DB-management systems in thinking about their organizations’ security. That’s ironic, because the huge data leakages of which we read constantly are almost always related to data from DBs.

We regularly hear about cyberattacks involving brute-forcing secure logins or exploiting software flaws, but there’s a new segment of the cybercriminal economy that’s growing fast: attackers who target companies that have unintentionally left data out in the open via misconfigured DBs. [Bressers (2021)]

But why not just leave DBs to DB Administrators (DBAs)?

At one level, having at least a grasp of the principles of DB management systems (DBMS) security is as important to security professionals as having a grasp of programming principles or of telecommunications principles. We need to be able to speak a common language with our colleagues as we discuss IA.

At another level, understanding how DBs are designed and implemented speaks to our need as security professionals for a supportive relationship with our users, because data requirements and data relationships are at the heart of security requirements. As I’m sure you’ve heard many times, it’s the rare organization where security is the driving force; we serve the strategic goals of the organization, and that means we need to understand data requirements. On another level, there are security implications to how programs and data structures work; understanding how DBs work gives us insights into why the user interfaces work as they do and, even more important for security personnel, how systems can fail or be abused.

On a practical level, you may yourself need to create a DB or participate in reviewing the security requirements for one, and a solid grasp of the principles will help you assimilate the details of any specific points you need to learn.

For an in-depth lesson for how to code securely, take Dr. M.E. Kabay’s course, “Secure Coding.”

Contact us for more information about our courses, and/or to obtain a demo account.