by magic-chicken
2763 days ago
From my experience, regulated industries use a combination of the following techniques:

- Don't use passwords for databases. Make services use integrated authentication to interact with the database.
- Developers / operations don't have read / write access to production tables. It can be obtained momentarily for ad-hoc operations.
- When the database needs to be modified, the script goes through a change management system and it is executed at a planned time, ideally by another person.
- If you use private keys, e.g. for symmetric encryption, don't store them with the data they're used to encrypt.
- Use database-level encryption on sensitive data to prevent anyone with read access from snooping on PII.
- Enable database-level audit and change tracking.
- Developers don't push their own changes to production.
- Private networks, using bastion hosts to access when needed.
- Very robust and regularly tested backups in case someone screws up the data.
- Hardware tokens to access and authenticate any critical parts.
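The database-level audit and change-tracking item above, shown as an added example that is not part of the comment: a constructed SQLite schema where triggers record every UPDATE and DELETE on a table holding PII together with the acting identity (kept in a hypothetical `session_ctx` table) so an approved change script leaves an audit row the application cannot skip, and the sensitive column holds only ciphertext whose key stays outside the database.

```python
import sqlite3

# Constructed demo schema: a customer table whose sensitive column holds only
# ciphertext, a context table naming the actor on this connection, and an audit
# table filled by triggers, so a write cannot happen without leaving a record.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL,
    ssn_ct BLOB);  -- ssn_ct is ciphertext; its key is kept outside this database
CREATE TABLE session_ctx (k TEXT PRIMARY KEY, v TEXT);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY, actor TEXT, op TEXT NOT NULL, row_id INTEGER NOT NULL,
    at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
    old_email TEXT, new_email TEXT);
CREATE TRIGGER customers_au AFTER UPDATE ON customers BEGIN
    INSERT INTO audit_log (actor, op, row_id, old_email, new_email)
    VALUES ((SELECT v FROM session_ctx WHERE k = 'actor'), 'UPDATE',
            NEW.id, OLD.email, NEW.email);
END;
CREATE TRIGGER customers_ad AFTER DELETE ON customers BEGIN
    INSERT INTO audit_log (actor, op, row_id, old_email)
    VALUES ((SELECT v FROM session_ctx WHERE k = 'actor'), 'DELETE',
            OLD.id, OLD.email);
END;
"""

def open_db(actor):
    """Open an in-memory database and tag this connection with the acting identity."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO session_ctx VALUES ('actor', ?)", (actor,))
    return conn

def run_change(conn, sql, params=()):
    """Run one step of an approved change script; return the audit rows it produced."""
    last = conn.execute("SELECT COALESCE(MAX(id), 0) FROM audit_log").fetchone()[0]
    with conn:  # commit on success; an error rolls back the change and its audit row
        conn.execute(sql, params)
    return conn.execute("SELECT actor, op, row_id, old_email, new_email "
                        "FROM audit_log WHERE id > ?", (last,)).fetchall()

def demo():
    conn = open_db("change-mgmt:CR-0001")  # constructed change-request reference
    with conn:
        conn.execute("INSERT INTO customers (email, ssn_ct) VALUES (?, ?)",
                     ("old@example.com", b"<ciphertext>"))
    return run_change(conn, "UPDATE customers SET email = ? WHERE id = 1",
                      ("new@example.com",))
```

A reader with SELECT access on `customers` sees only `ssn_ct` bytes, and a reviewer of `audit_log` sees who changed which row, from what to what, and when.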