Database Security: Defense in Depth for Your Most Valuable Asset
Databases are where the crown jewels live -- customer data, financial records, health information, intellectual property. A breach at the database layer is the worst-case scenario for any organization. Database security requires defense in depth: multiple overlapping layers, each capable of stopping an attacker who has bypassed the layer above.
Security Layer Taxonomy
Database Security Layers
├── Network Layer
│ ├── Private subnets (no public IP)
│ ├── Security groups / firewall rules
│ ├── VPC peering / PrivateLink
│ ├── TLS for all connections
│ └── IP allowlisting for admin access
├── Authentication Layer
│ ├── IAM-based authentication (AWS RDS IAM, GCP IAM)
│ ├── Certificate-based (mTLS)
│ ├── LDAP / Active Directory integration
│ ├── Short-lived credentials (Vault dynamic secrets)
│ └── Multi-factor for admin access
├── Authorization Layer
│ ├── Role-based access control (RBAC)
│ ├── Row-level security (RLS)
│ ├── Column-level permissions
│ ├── Schema-level isolation
│ └── View-based data masking
├── Encryption Layer
│ ├── At-rest (TDE, volume encryption)
│ ├── In-transit (TLS 1.3)
│ ├── Field-level / column-level encryption
│ ├── Client-side encryption
│ └── Key management (KMS, Vault Transit)
├── Audit Layer
│ ├── Query logging (pgaudit, MySQL audit plugin)
│ ├── Connection logging
│ ├── Schema change tracking
│ ├── Data access monitoring (DAM)
│ └── Alerting on anomalous queries
└── Backup & Recovery Layer
├── Encrypted backups
├── Cross-region replication
├── Point-in-time recovery (PITR)
├── Backup access controls
└── Regular restore testing
Encryption Comparison
| Aspect | At-Rest (TDE / Volume) | In-Transit (TLS) | Field-Level / Column | Client-Side |
|---|---|---|---|---|
| Protects against | Physical theft, disk access | Network sniffing, MITM | DBA access, SQL injection exfiltration | All server-side threats |
| Performance impact | Minimal (hardware AES) | Low (TLS 1.3 is fast) | Moderate (per-field ops) | High (app-level crypto) |
| Key management | Cloud KMS / HSM | Certificate management | App-managed or KMS | App-managed |
| Searchable | Yes (transparent) | Yes (transparent) | No (unless using searchable encryption) | No |
| Compliance | Baseline requirement | Baseline requirement | PCI DSS, HIPAA for sensitive fields | Maximum data sovereignty |
| Implementation | Toggle on managed DB | Enforce sslmode=require | Application code changes | Application code changes |
| Who can read data | Anyone with DB access | Anyone with DB access | Only key holders | Only key holders |
Access Control Model Comparison
| Model | Description | Granularity | Complexity | Best For |
|---|---|---|---|---|
| RBAC (Role-Based) | Permissions assigned to roles, users assigned to roles | Table / schema level | Low | Most applications, clear role hierarchies |
| ABAC (Attribute-Based) | Policies evaluate attributes (user, resource, environment) | Field / row level | High | Complex multi-tenant, dynamic policies |
| Row-Level Security | Database enforces per-row visibility | Row level | Medium | Multi-tenant SaaS, data isolation |
| Column-Level | Permissions on specific columns | Column level | Medium | PII protection, mixed sensitivity |
| View-Based Masking | Views expose masked/filtered data | Flexible | Low | Reporting, analytics access |
Compliance Mapping
| Control Area | SOC 2 (TSC) | HIPAA | PCI DSS 4.0 | GDPR |
|---|---|---|---|---|
| Encryption at rest | CC6.1 | 164.312(a)(2)(iv) | Req 3.5 | Art. 32 |
| Encryption in transit | CC6.1 | 164.312(e)(1) | Req 4.2 | Art. 32 |
| Access control | CC6.1, CC6.3 | 164.312(a)(1) | Req 7, 8 | Art. 25, 32 |
| Audit logging | CC7.1, CC7.2 | 164.312(b) | Req 10 | Art. 30 |
| Backup/recovery | A1.2 | 164.308(a)(7) | Req 12.10 | Art. 32 |
| Data classification | CC6.1 | 164.312(a)(1) | Req 3.2 | Art. 30, 35 |
| Vulnerability mgmt | CC7.1 | 164.308(a)(5) | Req 6, 11 | Art. 32 |
| Incident response | CC7.3, CC7.4 | 164.308(a)(6) | Req 12.10 | Art. 33, 34 |
Database Security Maturity Model
| Level | Name | Characteristics |
|---|---|---|
| 1 | Basic | Default credentials changed, TLS enabled, backups exist. |
| 2 | Standard | RBAC implemented, audit logging enabled, encryption at rest. |
| 3 | Hardened | RLS/ABAC, field-level encryption for PII, dynamic credentials via Vault. |
| 4 | Proactive | Continuous vulnerability scanning, query anomaly detection, automated rotation. |
| 5 | Advanced | Client-side encryption, formal data classification, automated compliance reporting, chaos testing on recovery. |
Strategic Recommendations
Network isolation is non-negotiable. Databases must never have public IPs. Use VPC PrivateLink or peering. Even within a VPC, use security groups to restrict access to specific application subnets.
Eliminate long-lived credentials. Use Vault dynamic secrets or IAM-based database authentication. Every credential should have a TTL measured in hours, not months.
Row-level security for multi-tenant. If you run a SaaS platform, implement RLS at the database layer -- not just in application code. Application bugs should not be able to expose one tenant's data to another.
Audit everything, alert on anomalies. Enable pgaudit (PostgreSQL) or the audit plugin (MySQL). Feed audit logs into your SIEM. Alert on unusual patterns: bulk exports, after-hours admin access, new query patterns.
Test your backups. An untested backup is not a backup. Schedule monthly restore tests. Verify that PITR works within your RTO/RPO targets.
Resources
- CIS Benchmark for PostgreSQL
- AWS RDS Security Best Practices
- OWASP Database Security Cheat Sheet
- PostgreSQL Row-Level Security Docs
:::