"If we're really going to protect what's in the database, we should be doing it within the database," Clifton notes. "You need to be able to write rule sets like, ‘Certain voter records are viewable, but not writable,' or, ‘Only people from the voter registration office can change a record.'"

The difficulty of expressing such rules over queries and tables, together with complications around views and updates (among other limitations), has so far kept administrators from enforcing policy inside the database, where it belongs, says Clifton.
The next stage in database security, he contends, is a simple database language that allows strong access controls within the database without making administration a nightmare. Such systems, he says, should be built to take advantage of emerging federated identity networks, which can tie fine-grained controls to attributes of the individual user rather than to an application or a group, which is how most access control is handled today.
In terms of database improvements, Oracle's Database Vault, akin to a firewall that sits inside the database kernel, can be used to set access control rules based on the time of day, the user's location, and the data being requested.
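The two rule sets Clifton describes ("certain voter records are viewable, but not writable" and "only people from the voter registration office can change a record"), plus a time-of-day and network-location condition of the kind attributed to Database Vault above, can be expressed with nothing more than database privileges and row-level security. The following is an added example written for this article, not code from the article, from Oracle, or from Guardium, and it is not Database Vault; it targets PostgreSQL 11 or later, and the table, role names, business hours and office subnet are assumptions for illustration.

```sql
-- Added example (PostgreSQL 11+): in-database enforcement of Clifton's rule sets.
-- Schema, roles, hours and subnet are assumed for illustration.

CREATE TABLE voter_record (
    voter_id      bigint PRIMARY KEY,
    full_name     text   NOT NULL,
    precinct      text   NOT NULL,
    registered_on date   NOT NULL
);

-- Two roles: poll workers may read, the registration office may change.
CREATE ROLE poll_worker;
CREATE ROLE registration_office;

-- Table-level privileges: "viewable, but not writable" for poll workers.
-- No role other than the owner gets DELETE.
GRANT SELECT ON voter_record TO poll_worker;
GRANT SELECT, INSERT, UPDATE ON voter_record TO registration_office;

-- Row-level security refines the grants: once enabled, a row is neither
-- visible nor writable unless some policy allows it. FORCE applies the
-- policies to the table owner as well, so no account bypasses them.
ALTER TABLE voter_record ENABLE ROW LEVEL SECURITY;
ALTER TABLE voter_record FORCE ROW LEVEL SECURITY;

-- Rule 1: every role that holds SELECT may read every record.
CREATE POLICY read_all ON voter_record
    FOR SELECT
    USING (true);

-- Rule 2: only the registration office may change a record, and only
-- during business hours from the office's own subnet (assumed 10.20.0.0/16).
-- USING decides which existing rows an UPDATE may touch; WITH CHECK decides
-- whether the new row of an INSERT/UPDATE is accepted. Outside the window,
-- an UPDATE silently matches 0 rows and an INSERT raises a policy violation.
-- inet_client_addr() is NULL on a Unix-socket connection, and NULL in USING
-- counts as "not allowed", so local connections are also denied writes.
CREATE POLICY office_writes ON voter_record
    FOR ALL
    TO registration_office
    USING (localtime BETWEEN TIME '08:00' AND TIME '18:00'
           AND inet_client_addr() << inet '10.20.0.0/16')
    WITH CHECK (localtime BETWEEN TIME '08:00' AND TIME '18:00'
                AND inet_client_addr() << inet '10.20.0.0/16');

-- Audit trail kept inside the database: who changed which record, when.
CREATE TABLE voter_record_audit (
    changed_at timestamptz NOT NULL DEFAULT now(),
    changed_by text        NOT NULL DEFAULT current_user,
    op         text        NOT NULL,
    voter_id   bigint      NOT NULL
);

CREATE FUNCTION log_voter_change() RETURNS trigger AS $$
BEGIN
    INSERT INTO voter_record_audit (op, voter_id)
    VALUES (TG_OP, COALESCE(NEW.voter_id, OLD.voter_id));
    RETURN COALESCE(NEW, OLD);
END
$$ LANGUAGE plpgsql;

CREATE TRIGGER voter_record_audit_trg
    AFTER INSERT OR UPDATE OR DELETE ON voter_record
    FOR EACH ROW EXECUTE FUNCTION log_voter_change();

-- Checks, run with SET ROLE from a superuser session:
-- SET ROLE poll_worker;
-- UPDATE voter_record SET precinct = 'P-2' WHERE voter_id = 1;
--   -> ERROR: permission denied for table voter_record
-- SET ROLE registration_office;
-- UPDATE voter_record SET precinct = 'P-2' WHERE voter_id = 1;
--   -> UPDATE 1 inside the window from the office subnet, UPDATE 0 otherwise
```

The point of the example is the one Clifton makes: the rules live in the database, so they hold no matter which application, report tool or ad hoc client connects. The policy's conditions are attributes of the session (role, time, client address) rather than of the application, which is also what Samar means below by managing access rules natively inside the database.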
"There is inherent benefit in doing security from inside the database server, particularly in the areas of performance and management," says Vipin Samar, vice president of database security products at Oracle. "Encryption at the column or the entire application level, changing access rules - all of that can be conducted within the database and natively managed within the database application."
However, Oracle's Database Vault is virtual, meaning it is more a layer on the database than an actual change to the database structure. Moreover, it is an Oracle-centric solution, and most networks run various flavors and types of databases that need monitoring, says King, whose company uses Guardium to monitor its clients' databases.
Washington Metropolitan Area Transit Authority (WMATA) in Washington, DC, also uses Guardium to monitor, audit and manage vulnerabilities and changes on its critical database systems. With more than 11,000 employees, WMATA conducts more than seven million financial transactions a year, placing it in the PCI DSS Level 1 merchant tier, which requires an annual on-site assessment.
"It used to be that all we could see was what application, such as PeopleSoft, was accessing the database. Now, with Guardium, we can see who's accessing the database through the application," says Victor Iwugo, director of IT security at WMATA.