Database Security: Planning and Practices

Key Points

  • Choose your database deployment (on‑premises, cloud, or remote) and evaluate the provider’s physical security, access controls, and whether you’ll be on shared or dedicated infrastructure.
  • Isolate critical components (e.g., separate the database from the web/application server) to limit the impact of a compromise in a single layer such as the OS or PHP code.
  • Verify that any SaaS or e‑commerce platform you use follows the same segregation and security best practices before trusting it with your data.
  • Enforce strong, complex passwords and robust authentication policies, as weak passwords account for the majority of security breaches.

Full Transcript

Source: https://www.youtube.com/watch?v=c3YaDqvSDrQ
Duration: 00:14:27

Sections

  • 00:00:00 (https://www.youtube.com/watch?v=c3YaDqvSDrQ&t=0s) Planning Secure Database Deployments: the speaker outlines key considerations for database security, emphasizing location choices, access controls, physical safeguards, and evaluating cloud provider and server-sharing policies during development.
  • 00:06:58 (https://www.youtube.com/watch?v=c3YaDqvSDrQ&t=418s) Securing Services with Custom Ports: the speaker advises using non-standard ports and configuring firewalls to allow only designated IP addresses for consistent, secure access across multiple servers and SaaS services.

0:00 In today's world you must always be security conscious, but what does that term usually mean? As a technologist I feel it can apply to many different things. Hello, my name is Jamil Spain, developer advocate with the IBM Cloud. But when it comes to security I want to specifically focus on the topic of database security, and to do this I want to go through a few points which should illustrate some thoughts to keep top of mind as you start to plan during development, and definitely I hope you take notice of these topics, especially at the end of your project before it's time to go live here.

0:41 So the first topic that I want to talk about is definitely where you're planning your database to be: on-prem, or another cloud, another remote location. You should first think about the user access to the system. As you know, you can walk up to any computer, try to log in and actually start typing things, so if you're at home or in an office make sure you have it under a locked door, definitely. And if you're considering a cloud provider, they definitely must list out their cloud procedures, security protocols they have in place, who has access to server rooms, and all these kind of things. Pay special attention as well whether you're on a shared environment versus a dedicated kind of server. So two very important things to keep in mind here.

1:34 Now secondly, if you're running a particular application, let's say you're doing a LAMP stack, which is common, and most stacks like that are common, whether you're dealing with LAMP or the actual MySQL, Express, MongoDB kind of situation. It's very useful or convenient to put all these components on one server, but what does that really expose you to? Let's say you're doing a LAMP stack: Linux, Apache, MySQL, PHP, and there happens to be a compromise. We know from there there are two things that can be compromised: you have the operating system, and maybe something in the PHP code, particularly a vulnerability that could happen here. So in the event that something doesn't get compromised, another best practice to take into consideration is to have separation, and I'll just say of server here, do some shorthand code here. So maybe you want to run that on a separate machine. Okay, so it'll be separated, so in the event that something does happen, maybe at a Linux OS level, you have the ability that data is set apart on another machine, that you can really isolate what happens there as well. This is especially important if you have an e-commerce business occurring for you. Now if you are subscribing to a SaaS service that runs your e-commerce application, do a little check, ask some questions about: do they have some of these practices in place?

3:16 Next, let's deal with the actual access to the system. We talked about physical access; let's talk about user. Now I believe, if I can quote a recent Verizon survey, it said that most, almost 80 percent of compromises are from password selection. So make sure you get complex passwords. Avoid the usual standard passwords that are there, one two three four five. Really figure out some complexity of characters, numbers and special characters, and maybe increase the limit out to at least be up to more than ten characters. Really just figure out your complexity there, what your policy should be in that use case.

4:05 And then also, if you do have sensitive information like we were just discussing, figure out what the context of the application is. If it is an e-commerce application, we do realize that at some point you're going to have sensitive data, and in those scenarios you want to make sure you probably consider having some encryption at rest if data must sit. If you must hold credit card information, make sure you actually plan out for how you do your encryption and decryption. This is actually another way that most will actually, you leverage a third-party provider where you don't really have to store any sensitive information; it can live on a third-party service which usually is already set up to be compliant for security, have those in place. So if you're not up to the particular situation of planning for those contingencies, please consider using an outside service which is already set up to use those, and most of those services will have proper ways that you can pull data in and out on demand as you need, usually, normally through REST APIs here.

5:23 Okay, let's move over to my next four that we'll use. And so we talked about physical access, which users have access, keeping separation of those servers, those complex passwords, and making sure we have encryption there just in case data must sit at rest. Let's talk about the first next thing, is most database servers, they have published default ports. So you want to make sure that you... naturally these are things that most of these databases can be run locally, I can stage them up pretty easily. I know like MySQL is 3306, you have 27017. These are all common published ports, so anyone can research these.

6:14 Now in the actual cyber security world alone, most OS, especially Linux, there is a popular utility you can use to run scans on different VMs over the internet, especially if you have a public IP address. So if I do a scan and it comes up that 3306 is active, then it immediately lets me know you're running MySQL database server on that actual server. So it really, you want to kind of really obfuscate these particular details from being so easily used. And if you want to take that concept way beyond databases, we can also use that for just normal SSH access. You know the standard port for that is 22; we can probably run that on something like 2222, you know, something that's non-standard. So any of those services that you want to go live with, just do your research and understand, have a strategy in place on ways that you can use that. And if you're using that across multiple servers, let's say you're managing a farm of these, maybe it'll be a standard port that you choose to run across those so everyone always knows the pattern that you're going to use.

7:23 Now of course, for any of these situations, whether you want to change the port, most servers, if it's an OS that you're doing, or we'll just talk about OSes now, so you're doing a Linux OS, they're going to have particular firewalls that are available here. And with that, you want to probably, if the goal is that you have those separate servers and there's only one machine that will be available to communicate with that server, go ahead and put that server in as an allowed IP address, okay, rather than standard by default most services may come up and say access from anywhere. But if you only know the path that must come in, go ahead and set that up so that happens. Now with a lot of SaaS services you can also do the same thing. I know if I subscribe to a service like on IBM Cloud, if I know that my remote server is only coming from one IP address, that should be what you do: only allow those to come in. All right, and maybe if you're working from your own headquarters or a place that you do development, add in those IPs as well to come. Now I know what you're probably thinking: hey Jamil, it is kind of easy to change your IP address. But for those individuals, you really must know what you're doing to try to imitate other IP addresses; it's not an easy kind of hack to kind of do. So for those there, these additional methods can really go in place to really compound the effect that you can have here.

9:04 Next, when you're running your database you want to make sure you figure out how you're going to do backups. Especially when I started out with LAMP stacks, it's easy to get this whole configuration set up. You can spin up a VM at home or in the cloud within minutes, maybe less than an hour, and I can quickly go yum or apt-get and install the necessary packages to get Apache, MySQL and your database and your programming language installed. You can be off to the races, live, build your site, code it up, be live. But we want to make sure that we actually are able to go through the process of backing up and restoring, all right. You want to be able to put this on a regular schedule when you will perform this activity, and most importantly, in the situation that you have separate servers and there is an event of a compromise there, you also want to make sure you have a copy of your data, all right, that is all set up, is secure, and wherever you're putting that to, the backups, the backup files at that, make sure that's in a place that is encrypted, all right. So you may definitely, you want to, if you can do that extra step of complexity: it's not enough that I have a separate database server that I do backups on regularly, let's say every morning at midnight, or I mean not midnight, let's say 5 a.m., 7 a.m., whatever the actual cadence that you want to run that cron job. But do I really want to keep those on the same server? All right, because if someone is able to compromise that server they can easily unzip, back that up, or maybe change data and then restore that themselves, all right. So definitely make sure you're keeping those backups somewhere that you know is safe and secure, and if possible, if necessary, take extra steps to make sure that those backups can be encrypted in some way, especially if they maintain any sensitive information.

11:12 And lastly I want to say is that we want to make sure we're keeping apps up to date. Now this is not just for the different database versions. We know that different vendors will allow, like, well if you take MySQL for instance, if I can pick on that for a second, you'll see different versions come out. Make sure you're in depth, you get the announcements for what's changed in different versions as they come out, make sure that is applicable for you. So you want to make sure you have a strategy for how you will upgrade, and that's usually involved, there's really not a concern there if you're already planning for your backups: being able to stage a way that you can upgrade your database server should be as easy as backing up and restoring to a new version, just off the general principle of that. Now naturally some versions may have changes in underlying infrastructure or the way they're constructed from different versions, so you have to account for that, but usually that information will be actually documented for you to use. But I want to point out one more thing here on our last note here: it's not just the actual application, MySQL database or the database versions, it's also any code that you write. You want to make sure that those are up to date. So let's take for instance, I know, you know, I know it's probably you'll see on the internet that, let's take WordPress for instance, there are thousands of plug-ins that are out there. I think a recent survey found that at least more than half of those haven't been updated in years, all right. So if I have, I may have my database up to date, secure with encryption, backed up, have all my walls covered, but let's say I have vulnerabilities in the application that I'm running. Well, if someone can gain access to that application, naturally that will have connections to the database, and so it just opens up another door that you don't want to have. So on top of that, what I'm trying to summarize here is that beyond having the actual database at a certain version, make sure that all the code you write that's accessing that, whether it's a pre-packaged application or something that you're programming yourself, has all the necessary updates available, just to ensure that code that is accessing the database, there's no impersonation that can happen there from someone gaining access to that server, exposing vulnerabilities in the code to actually get to that particular database.

13:48 So in summary, these are just some tips to consider when you must kind of look at how secure you are with your access to your databases. Again, this is a principle that I like to think as a solutioning for project at the start, definitely in the middle, and definitely before you go live in production. So on your next project please take these tips into consideration. Thank you for your time. If you have questions please drop us a line below, and if you want to see more videos like this in the future please like and subscribe.
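The firewall allow-list the speaker describes around 7:23 to 8:37 (a database host that answers only to the one application server and the office network, with SSH moved off port 22), written up as an added example that is not part of the video: a small Python generator for an nftables ruleset that rejects the "access from anywhere" default before it is ever rendered. The table and set names, the addresses and the port choices are constructed sample values, not from the talk.

```python
"""nftables allow-list generator for a database host (added example, not from the
video); all addresses, names and ports below are constructed sample values."""
import ipaddress


def validate_allow_list(clients):
    """Parse the allow-list; reject empty, malformed or catch-all entries so a
    bad entry can never silently re-open the port to the whole internet."""
    nets = []
    for entry in clients:
        net = ipaddress.ip_network(entry.strip(), strict=False)  # ValueError if malformed
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: the "from anywhere" default
            raise ValueError(f"{entry!r} permits access from anywhere")
        if net.version != 4:
            raise ValueError("this example emits IPv4 rules only")
        nets.append(net)
    if not nets:
        raise ValueError("allow-list is empty; no client could reach the database")
    return nets


def render_ruleset(clients, ports):
    """Return an nft script: default-drop input chain, loopback and established
    traffic allowed, each service port reachable only from the allow-list set."""
    nets = validate_allow_list(clients)
    # Single hosts render as bare addresses, ranges keep their prefix length.
    elements = ", ".join(str(n.network_address) if n.prefixlen == 32 else n.with_prefixlen for n in nets)
    port_rules = "\n".join(
        f"        tcp dport {port} ip saddr @allowed_clients accept  # {name}"
        for name, port in ports.items()
    )
    return (
        "table inet db_filter {\n"
        "    set allowed_clients {\n"
        "        type ipv4_addr\n"
        "        flags interval\n"
        f"        elements = {{ {elements} }}\n"
        "    }\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy drop;\n"
        "        iif lo accept\n"
        "        ct state established,related accept\n"
        f"{port_rules}\n"
        "    }\n"
        "}\n"
    )
```

Calling `render_ruleset(["10.0.1.20", "203.0.113.0/24"], {"mysql": 3306, "ssh": 2222})` yields a script you can load with `nft -f`; the app server and the office network are the constructed allowed clients.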