Towards Zero-Trust Database Security – Part 1
By Walid Rjaibi, Department of Computing and Mathematics, Manchester Metropolitan University and the IBM Canada Lab, and Mohammad Hammoudeh, Department of Computing and Mathematics, Manchester Metropolitan University
The rise of external threats, internal threats and data breaches is driving enterprises to implement zero-trust security to better protect their IT assets and reduce risk. While zero-trust security for networks and identity management systems has received a great deal of focus, very little attention has been devoted to zero-trust security for database systems. This is a major issue, as database systems are the custodians of enterprises’ most critical data and are often the primary target of both external and internal attacks. After all, databases contain the valuable data that attackers want to steal. In Part One of this series, we explore both the direct and indirect means through which the same data in a database system can be accessed and the challenges they pose to adhering to the basic tenets of zero-trust security. In Part Two, we outline a set of solutions that are most suitable to address these challenges and enable enterprises to implement zero-trust database security without negatively impacting core database tenets such as query performance.
The 2018 Cost of a Data Breach Study, conducted by the Ponemon Institute and sponsored by IBM, found that the global average cost of a data breach was $3.86 million [1]. This was an increase of 6.4% compared to 2017 according to the same study. The study also found that the average size of a data breach (in terms of number of records lost or stolen) grew 2.2% from 2017. Meanwhile, Gartner estimates that worldwide spending on cybersecurity in 2018 was around $114 billion, an increase of 12.4% compared to 2017 [2]. Recognizing that current approaches are inadequate, several organizations are now turning to zero-trust security to better protect their assets and reduce the risk of incurring a data breach. So, what exactly is zero-trust security?
Zero-trust security was coined by Forrester’s John Kindervag in 2010 [3,4]. In its essence, zero-trust security removes the notion of trust from the enterprise network (e.g., no more trusted users, devices, or applications). It assumes that untrusted entities exist both outside and inside the enterprise network. The basic tenets of zero-trust security can be summarized as follows:
- Tenet 1: Ensure all resources are accessed in a secure manner regardless of location.
- Tenet 2: Grant access to resources based on “need-to-know” and strictly enforce access control.
- Tenet 3: Monitor and audit all user activities.
While extensive coverage of zero-trust security implementations for networks [3] and identity management systems [5] exists, very little coverage exists for database systems. We contend that zero-trust security implementations for database systems are equally important for three main reasons. First, database systems are the custodians of the enterprise’s most valuable data. This is the very data attackers of all sorts are seeking. Second, the same data entrusted to the database system can be accessed in a variety of distinct and independent ways, thus broadening the database attack surface. Lastly, the database privileges model is inherently a double-edged sword, creating opportunities for privileges to be abused intentionally or unintentionally.
2. Database Threat Model
We assume that organizations are implementing user authentication, auditing, and Transport Layer Security (TLS), which are standard features on all major database systems today. We also assume that organizations are implementing adequate operational policies such as operating system and database software vulnerability patching. In this paper, we focus on direct and indirect means for accessing data in a database and the challenges they pose to adhering to the three zero-trust security tenets outlined in Section 1.
The same data in a database can be accessed in two different ways: indirectly or directly. Indirect access occurs when a user bypasses the database system altogether. This is most dangerous because it completely bypasses all database access control and auditing. We distinguish between two use cases:
- File system access: This takes place when a user chooses to access the data directly on the file system using operating system commands.
- Storage media access: This takes place when a user recovers the data from the actual storage media such as a stolen or lost hard drive or tape.
Failure to address these two use cases makes it impossible to adhere to the first two tenets of zero-trust security outlined in Section 1.
Direct access takes place using standard database interfaces such as Structured Query Language (SQL). We distinguish between two use cases:
- Interactive database access: This is typically done by database administrators using an interactive interface offered by the database system. This is usually used to perform administrative tasks.
- Application database access: This is the most common use case where end users interact with an application which in turn interacts with the database system to execute requests on behalf of those end users.
The issue with interactive database access is privilege abuse where, for example, a database administrator chooses to abuse their privileges to access sensitive data. Application database access poses two issues. The first one is application bypass where, for example, the application administrator chooses to abuse the application database credentials to access sensitive data or make changes that are not permitted by the application’s business logic. The second issue is the loss of user identity, which diminishes the value of auditing to hold users accountable for their actions. This stems from the fact that the application uses a generic user ID to access the database on behalf of all users as opposed to the actual user identity.
Figure 1. Database threat model.
Failure to address privilege abuse and application bypass makes it impossible to adhere to the first two tenets of zero-trust security outlined in Section 1. Similarly, failure to address the loss of user identity makes it impossible to adhere to the third tenet of zero-trust security (also outlined in Section 1). Figure 1 summarizes this database threat model.
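The following is an added illustration (not code from the article) of how the direct-access threats above show up in database audit records, assuming a simplified audit record layout with constructed account, host and table names. Indirect access leaves no database audit record at all, which is exactly why the text calls it the most dangerous case.

```python
"""Classify database audit events against the threat model above.

Added illustration, not code from the article; account, host and table
names and the audit record layout are constructed assumptions. Indirect
access (file system, storage media) leaves no database audit record, so
only direct access can be checked here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SENSITIVE_TABLES = {"customers", "payments"}         # constructed
ADMIN_ACCOUNTS = {"dba_alice"}                       # constructed
APP_ACCOUNTS = {"app_svc": {"app01", "app02"}}       # app credential -> hosts it runs on

@dataclass
class AuditEvent:
    user: str                 # database authorization ID of the connection
    client_host: str          # host the connection came from
    interface: str            # "cli" (interactive) or "app" (through the application)
    table: str                # object the statement touched
    end_user: Optional[str]   # end-user identity supplied by the app, if any

def classify(ev: AuditEvent) -> List[Tuple[str, str]]:
    """Return (threat, violated tenet) pairs exhibited by one audit event."""
    findings = []
    # Privilege abuse: an administrator reading business data interactively.
    if ev.interface == "cli" and ev.user in ADMIN_ACCOUNTS and ev.table in SENSITIVE_TABLES:
        findings.append(("privilege abuse", "Tenet 2"))
    if ev.user in APP_ACCOUNTS:
        # Application bypass: app credentials used interactively or from a host the app does not run on.
        if ev.interface == "cli" or ev.client_host not in APP_ACCOUNTS[ev.user]:
            findings.append(("application bypass", "Tenet 2"))
        # Loss of user identity: generic application ID, no end user recorded to hold accountable.
        if ev.end_user is None:
            findings.append(("loss of user identity", "Tenet 3"))
    return findings

SAMPLE_EVENTS = [  # constructed audit records
    AuditEvent("app_svc", "app01", "app", "customers", "jsmith"),
    AuditEvent("app_svc", "app01", "app", "customers", None),
    AuditEvent("app_svc", "ws-admin7", "cli", "payments", None),
    AuditEvent("dba_alice", "ws-admin3", "cli", "payments", None),
    AuditEvent("dba_alice", "ws-admin3", "cli", "sys_catalog", None),
]

def flagged(events: List[AuditEvent]) -> dict:
    """Index of each event exhibiting at least one threat -> its findings."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

Only the first record, where the application propagated the end-user identity, satisfies all three tenets; the administrator's catalog query is legitimate administrative work and is not flagged.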
Database systems contain enterprises’ most valuable data and are often the primary target of both internal and external attacks. Implementing zero-trust database security starts with understanding the database threat model. Table 1 summarizes these threats and how they relate to the basic tenets of zero-trust security. In Part Two of this series we outline solutions and best practices for addressing these threats and implementing zero-trust database security.
- [1] The Ponemon Institute, https://www.ibm.com/security/data-breach, 2019.
- [2] Gartner, https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019, 2019.
- [3] Gilman, D. Barth, Zero Trust Networks: Building Secure Systems in Untrusted Networks. O’Reilly Media, 2017.
- [4] Walker-Roberts, M. Hammoudeh, A. Dehghantanha, “A Systematic Review of the Availability and Efficacy of Countermeasures to Internal Threats in Healthcare Critical Infrastructure”, IEEE Access, 6, pp. 25167-25177, 2018.
- [5] Centrify, https://www.centrify.com/education/what-is-zero-trust-privilege, 2019.
Walid Rjaibi is Distinguished Engineer and Chief Technology Officer (CTO) for Data Security with IBM in Toronto, Canada. Prior to his current role, Walid was Research Staff Member in network security and cryptography with IBM Research in Zurich, Switzerland. Walid’s work on Data Security has resulted in 26 granted patents and several publications in journals and conference proceedings such as the IDUG Solutions Journal, the International Conference on Security and Cryptography (SECRYPT), the International Conference on Data Engineering (ICDE), and the International Conference on Very Large Databases (VLDB).
Mohammad Hammoudeh is the Head of the CfACS IoT Laboratory and a Reader in Future Networks and Security with the Department of Computing and Mathematics, Manchester Metropolitan University. He has been a researcher and publisher in the field of big sensory data mining and visualization. He is a highly proficient, experienced, and professionally certified cybersecurity professional, specializing in threat analysis, and information and network security management. His research interests include highly decentralized algorithms, communication, and cross-layered solutions to Internet of Things, and wireless sensor networks.