Subpage 4 Security - OBS Consulting - Your Trusted IT Support Services

Skip to main content

Database Security Services

We ensure that your data is confidential, accurate, available, auditable, compliant, and resilient against attack or failure.

Our Database Security services include the following functions:

Identity and Access Management
- Create, modify, disable database users
- Enforce PoLP (Principle of Least Privilege)
- Use role-based access (not individual grants)
- Remove dormant or ex-employee accounts
- Separate admin, app, and reporting accounts

Authentication Controls
- Enforce strong password policies as per the Customer's Standards
- Enable MFA (where supported)
- Use IAM / directory integration (AD, LDAP, cloud IAM)
- Rotate credentials regularly
- Avoid shared accounts

Authorization and Privilege Reviews
- Review privileged roles (DBA, SYSADMIN, SYS)
- Remove direct table access for applications. Use views and stored procedures instead.
- Audit GRANT / REVOKE changes

Encryption and Data Protection
- Protect data at rest and in transit
- Enable encryption at rest (TDE / cloud-managed keys)
- Enforce TLS for client connections
- Manage encryption keys (rotation, expiry)
- Protect backups with encryption

Auditing and Logging
- Enable login auditing
- Log privilege changes
- Monitor data access to sensitive tables
- Retain logs according to the Customer's Policy

Vulnerability and Patch Management
- Track DB engine vulnerabilities
- Apply security patches
- Remove deprecated features
- Disable insecure protocols and ciphers

Data Masking and Exposure Control
- Mask sensitive fields (ID numbers, credit cards) as per the Customer's preferences
- Use dynamic data masking
- Apply row-level security
- Use tokenization, where required

Backup and DR Security
- Encrypt backups
- Restrict access to backup locations
- Periodic Test restores of Databases, including permissions
- Secure replication links

Monitoring and Incident Response
- Monitor failed logins and brute-force attempts
- Alert on privilege escalation
- Investigate suspicious queries
- Support security incident response as per the Customer's processes

On-Prem vs Cloud Database Security

Area	On-Prem Database Security	Cloud Database Security
Security Model	You own everything end-to-end	Shared responsibility with cloud provider
Physical Security	Your data center, your controls	Provider-managed (data centers, access, hardware)
OS & Infrastructure	You secure and patch	Provider secures (managed services)
DB Engine Patching	Fully your responsibility	Provider patches engine (you manage versions)
Identity & Access	DB users, AD/LDAP integration	IAM-first, role-based, MFA
Authentication	Password-heavy	Identity-based, short-lived credentials
Encryption at Rest	Optional, manually configured	Default or one-click
Encryption in Transit	Optional, often inconsistent	Enforced TLS
Key Management	Self-managed keys	Managed KMS / Key Vault
Auditing & Logging	Manual setup, local logs	Centralized, immutable logs
Monitoring & Alerts	Custom tools required	Native monitoring & alerts
Backup Security	Manual, high risk if mismanaged	Automated, encrypted, immutable
High Availability	Complex and expensive	Built-in, multi-AZ
DR & Recovery	Manual planning and testing	Point-in-time + cross-region
Threat Detection	Tool-dependent	Native anomaly detection
Compliance Evidence	Manual audits	Built-in compliance dashboards
Cost of Security	CapEx heavy	Pay-as-you-go