With the onslaught of increasing governmental regulations and never-ending news stories on data breaches, securing corporate data is indeed a hot topic these days. You can also see just how hot by taking a look at the recent books published on database security issues.
At the top of the list is Ron Ben-Natan’s Implementing Database Security and Auditing (Elsevier Digital Press, ISBN: 1-55558-334-2). Ron’s book is a nice guide to database security issues written from a non-proprietary, heterogeneous perspective. The book, published in 2005, manages to cover a wide variety of database security topics quite thoroughly in just about 400 pages. The book addresses the important database security issues, including encryption, authentication and password control, access control, SQL injection, and data access auditing. Whether you use DB2 on AIX, MySQL on Linux, Oracle on Unix, or SQL Server on Windows, Ben-Natan’s book provides useful guidance.
Of course, you may have more in-depth database security questions and needs, such as how best to implement specific security requirements using a particular DBMS, or which features are actually implemented in your DBMS of choice. That means you’ll need a book that specializes, but there is no need to worry, as books have recently been published for each of the big three DBMSs (DB2, Oracle, and SQL Server).
For Microsoft SQL Server admins, there is How to Cheat at Securing SQL Server 2005 by Timothy Blum, et al (Syngress). Interesting title, isn’t it? It made me wonder: “is this something I really would want to cheat at?” Well, title aside, the book emphasizes best-practice security measures. It offers guidance for maintaining SQL Server security in an enterprise environment, covering topics such as roles and password protection, SQL Server authentication modes, auditing using triggers, and information on encrypting data “at rest” or “in flight.”
If you are charged with securing a Microsoft SQL Server environment, the advice in this book could help to save you from a lot of worry and trouble. After all, SQL Server databases are a favorite target for Internet hackers.
For Oracle admins, there is Practical Oracle Security by Aaron Ingram and Josh Saul (Syngress). The book is billed as being designed to help you to establish procedures for protecting your Oracle database environment. It covers a plethora of topics including managing default accounts, TNS, password controls, administration of PUBLIC privileges, and advice on developing a sustainable security plan. And there is a companion web site which contains dozens of scripts for automating Oracle security tasks.
A word of caution, though: check out this review of the book (http://blog.red-database-security.com/2007/11/26/review-practical-oracle-security/) before relying too heavily on the advice within. You might want to consider an alternative Oracle security book written by Ron Ben-Natan called HOWTO Secure and Audit Oracle 10g and 11g (Auerbach Publications, ISBN: 978-1420084122). This book is a little fresher (published in 2009) and has great reviews on Amazon.
Note: Both of the Syngress titles offer purchasers a free downloadable e-book (PDF) version of the hard copy book at no additional charge.
And finally, for DB2 admins, we have Understanding DB2 9 Security by Rebecca Bond, et al (IBM Press). This book offers quite a comprehensive guide to securing DB2 and leveraging the powerful new security features of DB2 9. It is well-organized and offers in-depth coverage of DB2 security issues such as identification and authentication controls, label based access control (LBAC), encryption (“at rest” and “in flight”), auditing and intrusion detection, using SSH, and managing patches and fixes.
The book is written for users of DB2 on Linux, Unix, and Windows platforms, and not for the z/OS flavor of DB2. But since there are many similar issues, DB2 for z/OS admins will find much to interest them, too. (And while you’re at it, check out the IBM Press book Mainframe Basics for Security Professionals – not about database security, but interesting for mainframers concerned about security and RACF nonetheless).
If you are looking for additional information on securing your operational databases, there are, indeed, many book choices out there that may be able to help you out. Other database security books you might want to check out include:
- Cryptography in the Database by Kevin Kenan
- Database Hacker’s Handbook by David Litchfield, et al
- Database Security and Auditing by Hassan A. Afyouni
- SQL Injection Attacks and Defense by Justin Clarke
- Save the Database, Save the World by John Ottman