4.2 Database Credentials Policy

Difficulty
Beginner
Video Transcription
00:01
Hello, and welcome back to IT Security Policy. This is a continuation of Module 4. We're going to start with the first policy, which is the Database Credentials Policy,
00:10
and it's starring myself, Troy Lemaire, here on Cybrary.
00:14
The learning objective for this training is going to be
00:18
general information and specific requirements of
00:21
database credentials.
00:23
So if we look at our SANS sample policy
00:30
beginning, we have an overview.
00:32
Database authentication credentials are a necessary part of
00:36
authorizing applications
00:38
to connect to internal databases. However, incorrect use, storage and transmission
00:42
could lead to compromise of very sensitive
00:45
assets and be a springboard to a wider compromise within the organization.
00:51
If we look at the purpose, the policy states the requirements for securely storing and retrieving database usernames and passwords for use by programs
00:59
that will access a database running on one of the company's networks.
01:03
Software applications running on the company's network may require access to one of the many internal database servers. In order to access these databases, programs must authenticate to the database by presenting acceptable credentials.
01:15
So basically what they're saying,
01:17
if you wrap it up in a nutshell, is that certain systems and applications are going to connect to a database that's within the network
01:25
and is on one of the servers. For it to connect, you don't want just anybody to connect to that database and get access to that information. So that's why you're going to use credentials and specify the type of credentials that are going to be used, with some requirements on them.
01:41
Now, if we look at the policy itself, in the general section: in order to maintain the security of the internal databases, access by software programs must be granted only after authentication with credentials.
01:52
The credentials used must not reside in the main executing body of the program's source code in clear text. So basically, this is requiring any type of program that is created by internal employees or third-party contractors to make sure that they are encrypting their authentication method, the username and password or whatever's being used,
02:12
and not leaving it in clear text where somebody can
02:15
take apart that source code and then see what the database credentials are, to then make their own programs.
02:21
Specific requirements
02:23
regarding the storage of the database usernames and passwords:
02:27
they may be stored in a file separate from the executing body of the program,
02:30
but the file must not be world-readable or writable, meaning it must be encrypted in some kind of way.
02:37
The credentials may reside on the database server,
02:40
but a hash function number identifying the credentials may be stored in the executing body of the program, meaning that it has been hashed or encrypted.
02:50
Database credentials may be stored as part of an authentication server
02:53
such as LDAP,
02:55
meaning that the authentication happens once the user logs in
03:00
through a system and then connects. It uses an LDAP connection, which grants rights to that user to be able to have that authentication into the database.
03:10
Database credentials may not reside in the documents tree of a web server.
03:15
Pass-through authentication must not allow access to the database based solely upon a remote user's authentication on the remote host,
03:23
and passwords or passphrases used to access a database must adhere to the Password Policy.
03:30
If we're looking at the retrieval of the database usernames and passwords:
03:32
if they're stored in a file that is not source code, that database username and password must be read from the file immediately prior to use.
03:40
The scope into which you may store database credentials must be physically separated from the other areas of your code. Again, don't put your
03:49
database authentication credentials inside of the code of anything that's being programmed.
03:53
For languages that execute from source code, the credentials source file must not reside in the same browsable or executable file directory tree in which the executing body of the code resides. Again, if you're looking at a Windows file structure or a Linux file structure, you don't want the credential source file to be within that same directory,
04:13
and that way you can go in and
04:15
password protect or have different rights on that separate directory so that
04:19
you cannot get to it automatically.
04:24
For access to the database usernames and passwords, every program or every collection of programs
04:29
implementing a single business function must have unique database credentials. Sharing credentials
04:33
between programs is not allowed.
04:36
Database passwords are system-level passwords, and they're defined in the Password Policy.
04:43
Developer groups must have a process in place to ensure that database passwords are controlled and changed in accordance with the Password Policy.
05:00
So if we look at what we covered today:
05:02
database credentials. We covered general information as well as specific requirements for database credentials.
05:15
If we look at one of our policy recap questions: database credentials must not be stored in a location that could be accessed through a
05:20
blank, blank,
05:24
and that would be through a web server.
05:28
Database usernames and passwords may be stored in a file separate from the blank, blank of the program's code,
05:34
and that is the executing body of the program's code.
05:41
Looking forward, in our next lecture we'll be looking at server policies and the Disposal Policy.
05:47
Any questions or clarification, reach me on Cybrary message, username Troy Lemaire, and thank you for attending this Cybrary training.
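The storage and retrieval requirements covered in the lecture (separate file, not world-readable or writable, outside the web document tree and the code tree, read immediately before use, password that meets the password policy) can be enforced in code rather than left to reviewers. The Python below is an added example written for this page; it is not part of the lecture or of the SANS policy text. The paths WEB_DOCUMENT_ROOT and CODE_TREE, the key=value file format, the 12-character minimum password length, the sample username and the sample password are all assumptions chosen for the example, and the credentials file it writes is constructed for demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed locations for the example; a real deployment would set these from
# the web server and application configuration.
WEB_DOCUMENT_ROOT = Path("/var/www/html")
try:
    CODE_TREE = Path(__file__).resolve().parent
except NameError:  # interactive session: treat the working directory as the code tree
    CODE_TREE = Path.cwd()


class CredentialPolicyError(Exception):
    """Raised when a credentials file violates a storage or retrieval requirement."""


def check_credential_file(path, code_tree=CODE_TREE, web_root=WEB_DOCUMENT_ROOT):
    """Enforce the storage requirements on a credentials file and return its resolved path.

    Checks: it is a separate regular file, it is neither world-readable nor
    world-writable, and it is outside both the web document tree and the
    directory tree that holds the executing code.
    """
    p = Path(path).resolve()
    if not p.is_file():
        raise CredentialPolicyError(f"{p} is not a regular file")
    mode = p.stat().st_mode
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        raise CredentialPolicyError(
            f"{p} is world-readable or world-writable (mode {oct(mode & 0o777)})")
    for tree, label in ((web_root, "web document tree"), (code_tree, "code tree")):
        try:
            p.relative_to(Path(tree).resolve())
        except ValueError:
            continue  # not under this tree, which is what we want
        raise CredentialPolicyError(f"{p} resides inside the {label} {tree}")
    return p


def read_db_credentials(path, code_tree=CODE_TREE, web_root=WEB_DOCUMENT_ROOT,
                        min_password_len=12):
    """Read 'username' and 'password' from a key=value file immediately before use.

    Call this right before opening the database connection and do not keep the
    result in a long-lived global; that is the 'read immediately prior to use'
    requirement. The minimum length stands in for the password policy (assumed value).
    """
    p = check_credential_file(path, code_tree, web_root)
    creds = {}
    with open(p, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if sep:
                creds[key.strip()] = value.strip()
    missing = {"username", "password"} - creds.keys()
    if missing:
        raise CredentialPolicyError(f"missing keys {sorted(missing)} in {p}")
    if len(creds["password"]) < min_password_len:
        raise CredentialPolicyError("password shorter than the password policy minimum")
    return creds["username"], creds["password"]


def policy_violation(path, code_tree=CODE_TREE, web_root=WEB_DOCUMENT_ROOT,
                     min_password_len=12):
    """Return None if the file passes every check, otherwise the reason it was rejected."""
    try:
        read_db_credentials(path, code_tree, web_root, min_password_len)
    except CredentialPolicyError as exc:
        return str(exc)
    return None


def write_sample_credentials(directory, password="Correct-Horse-42-Battery", mode=0o600):
    """Write a constructed sample credentials file with the given permission bits."""
    path = Path(directory) / "db.creds"
    path.write_text(f"# constructed sample, not real credentials\n"
                    f"username = app_reporting\npassword = {password}\n", encoding="utf-8")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        good = write_sample_credentials(d)
        print("accepted:", read_db_credentials(good))
        bad = write_sample_credentials(d, mode=0o644)  # world-readable: must be rejected
        print("rejected:", policy_violation(bad))
```

The in-tree check compares resolved paths, so a symlink from inside the web root to a file elsewhere is still caught, and the permission check looks only at the "other" bits; group-readable files are allowed because the policy text only forbids world access.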