Why is the security of your data important?
How long could your company operate without up-to-date data? Imagine turning on your laptop and finding it unable to display information from the last seven days. Or noticing that incorrect information is being displayed across all programs. Naturally, your company’s data also requires a certain level of confidentiality. Just imagine a former employee taking a list of all your customers and suppliers on their last day of work.
You can certainly reduce the likelihood of these situations occurring with cost-effective yet efficient measures. It’s important to keep the effort and costs for your organisation as low as possible so that your employees accept the measures.
During application development, basic mechanisms are used to prevent deliberate data manipulation and to ensure that each user can read only their own data. For example, programs have a login page, user and administrator roles, and validation of the data entered in the browser. These mechanisms must be built, but they are not sufficient to identify and prevent the situations mentioned above.
In the following sections, I will give you concrete recommendations based on my 15 years of experience as a developer, architect, team lead and product owner. They meet the requirements of Building Block APP.4.3 on relational databases from the IT-Grundschutz-Compendium 2023 published by BSI.
If you have other needs or questions
The following tips apply to most German companies, but your data may need more protection depending on which processes are particularly important in your company. If you need additional measures or have questions about implementation, feel free to contact me or comment on LinkedIn.
Schedule an initial consultation
Goals of these practical recommendations
- To save you time by naming specific measures and tools. These are proven practices that have already been successfully implemented by the majority of German companies for years.
- To enable you to check the current state of your data security. With this page, you can ensure that your IT operations have analysed and potentially implemented new tools developed in recent years.
- To allow you to adapt the recommendations to your company’s needs. Security requires significant effort, which must be aligned with the criticality of the data to be protected.
The implementation of the recommendations does not guarantee that security standards will be met. The recommendations are general. I cannot offer you a detailed data security concept because I don’t know your business processes and your organisation’s protection requirements. Therefore, it’s important that you adapt the recommendations to your organisation’s context.
Initial measures that lead to quick wins
With little effort, these directly lead to increased availability, confidentiality and integrity of your data.
Large amounts of data are not stored and processed directly in a web application; instead, applications store and manage data in a database.
Change all passwords for all accounts created during installation. This also applies to passwords you received from a system manufacturer; you must assume that several people know them.
Monitoring of the server where the database runs: If web applications run slowly or error pages occur frequently, the cause could be a server that is underpowered for the application. To save effort, it’s better to use a server monitoring solution like the free Nagios (for Linux-based operating systems), which can monitor popular applications. This replaces the alerts offered by database manufacturers.
- This will show you whether the server has sufficient resources to store an ever-increasing amount of data and serve users
- With monitoring tools, thresholds can be set and development teams will be alerted when these values are exceeded
Creation of a security policy using the free benchmarks from the Center for Internet Security (CIS) for each database brand. Your employees can register for free with CIS and apply these checklists after installing new databases. If you find some steps irrelevant for your organisation, you can create and maintain your own version in your wiki or other documentation system. However, your employees must then compare your version against the CIS recommendations every six months and implement the changes, which is very time-consuming.
- Here you can find the introduction for protecting Oracle databases and here for Microsoft SQL Server. If you have questions or find the benchmarks too extensive, I could help you
Hardening the database management system, encrypting connections and applying a uniform configuration are effortless once you implement the CIS benchmarks.
Regular database backup: There are proven approaches that have been used for decades. Which one you choose depends on how high the damage is if the data is unavailable to your business:
- Damage or revenue losses occur after just a few seconds. For example, your ERP system, which enables logistics, purchasing and communication with customers and suppliers, or an online shop with high turnover. Typically, a pair of databases on different machines is used here. If one fails, the second is immediately available, so the data is always stored twice. Additionally, you must make an hourly copy of changed data and a nightly full copy
- Damage occurs after several hours. For example, B2B sales systems with low turnover, or secondary systems that send invoices and other documents. Here it’s advisable to copy data changes every 4 hours to once nightly. A full copy can be made twice per week
- Damage occurs after a few days. For example, systems for managing branch information on Google Business, Facebook and Yelp. Here a full copy once per week is sufficient
- The key point is to invest more effort in data backup the more critical the data is for your business. Banks cannot afford any data loss. When designing and implementing your systems’ backup concept, you or the developer will certainly add database copies
When defining a regulated process for creating new databases, you only need to document whether the database contains financial, data-protection-relevant or patient data. This matters when deciding whether additional measures are required for this data.
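The three backup tiers above can be turned into a check that your monitoring (for example Nagios) runs against each database. The following is an added example, not code from the article: the age limits follow the article's tiers, the sample ages are constructed, and in a real plugin the age would come from the backup file's mtime or the backup catalog.

```python
"""Nagios-style check of backup age against the three criticality tiers."""

# Maximum allowed age in hours of the newest incremental and full backup per
# tier, taken from the article's tiers. Tier 3 ("days") needs no incremental
# copies, hence None.
TIERS = {
    "seconds": {"incremental": 1.0, "full": 24.0},     # hourly + nightly
    "hours":   {"incremental": 4.0, "full": 84.0},     # 4-hourly + twice a week
    "days":    {"incremental": None, "full": 168.0},   # weekly full copy
}

OK, WARNING, CRITICAL = 0, 1, 2  # standard Nagios plugin exit codes


def check_backups(tier, full_age_h, incremental_age_h, warn_factor=0.8):
    """Return (exit_code, message) for the newest backups of one database.

    full_age_h / incremental_age_h: age in hours of the newest backup of that
    kind (constructed here; normally read from the backup file or catalog),
    or None if no such backup exists.
    CRITICAL: a required backup is missing or older than the tier limit.
    WARNING: the age exceeds warn_factor of the limit (a job is lagging).
    """
    worst, problems = OK, []
    for kind, limit in TIERS[tier].items():
        if limit is None:  # this tier does not require that backup type
            continue
        age = full_age_h if kind == "full" else incremental_age_h
        if age is None:
            worst = CRITICAL
            problems.append(f"no {kind} backup found")
        elif age > limit:
            worst = CRITICAL
            problems.append(f"{kind} backup is {age:.1f}h old (limit {limit:.0f}h)")
        elif age > limit * warn_factor:
            worst = max(worst, WARNING)
            problems.append(f"{kind} backup is {age:.1f}h old (limit {limit:.0f}h)")
    status = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[worst]
    detail = "; ".join(problems) or f"all backups within the '{tier}' tier limits"
    return worst, f"BACKUP {status} - {detail}"


if __name__ == "__main__":
    import sys
    # Constructed sample: an ERP database (tier "seconds") whose hourly copy
    # last ran 90 minutes ago while the nightly full copy is 8 hours old.
    code, message = check_backups("seconds", full_age_h=8.0, incremental_age_h=1.5)
    print(message)  # Nagios reads the first output line and the exit code
    sys.exit(code)
```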
Regular audits
If you have fewer than 20 databases, store no confidential data, have no legal security requirements such as KRITIS, and the potential damage from an outage or data theft does not exceed EUR 100,000, you can check every 6 months:
- whether documented measures were properly implemented
- whether there are deviations in database server configuration. With administrators’ help, you can compare the configuration with free Center for Internet Security (CIS) benchmarks
- whether applications use accounts with restricted rights
- how many administrator accounts exist, who uses them and for what purpose
- whether the database log shows evidence of vulnerabilities
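Two of the checklist items above (how many administrator accounts exist, and whether application accounts run with restricted rights) can be answered for Microsoft SQL Server with a catalog query and a small evaluation. This is an added example, not code from the article: the query uses the documented sys.server_principals and sys.server_role_members views, while the sample rows, the application login names and the admin ceiling are constructed assumptions.

```python
"""Evaluate the admin-account and application-rights audit items for SQL Server."""

# T-SQL that lists every enabled login holding the fixed server role sysadmin.
# Run it with a read-only auditing login and pass the rows to the function below.
SYSADMIN_MEMBERS_SQL = """
SELECT p.name, p.type_desc
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE r.name = 'sysadmin' AND p.is_disabled = 0;
"""


def audit_admin_accounts(sysadmin_rows, application_logins, max_admins=3):
    """Return a list of findings; an empty list means both checks passed.

    sysadmin_rows: (name, type_desc) tuples as returned by SYSADMIN_MEMBERS_SQL.
    application_logins: logins your web applications connect with; they must
    never be sysadmin members, their rights belong at database level only.
    max_admins: assumed organisation-specific ceiling; each admin account beyond
    it needs a documented owner and purpose.
    """
    findings = []
    admins = {name: type_desc for name, type_desc in sysadmin_rows}
    if len(admins) > max_admins:
        findings.append(
            f"{len(admins)} enabled sysadmin accounts exceed the allowed {max_admins}: "
            + ", ".join(sorted(admins)))
    for login in sorted(set(application_logins) & set(admins)):
        findings.append(
            f"application login '{login}' ({admins[login]}) is a member of sysadmin")
    return findings


if __name__ == "__main__":
    # Constructed sample output of the query on a small shop/ERP server.
    rows = [("sa", "SQL_LOGIN"),
            ("CORP\\dba.mueller", "WINDOWS_LOGIN"),
            ("shop_app", "SQL_LOGIN")]
    for finding in audit_admin_accounts(rows, ["shop_app", "erp_app"]):
        print("FINDING:", finding)
```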
For time-intensive tasks or potentially costly damage, it may be worthwhile to invest in a database auditing tool. Costs are approximately EUR 20,000 p.a. per database server (as of 2025). The offered functions include:
- Automatic generation of auditing reports giving an overview of databases, tables with sensitive data, users, administrator accounts and connections to databases
- Development of customised reports to meet audit requirements while simultaneously checking security measure implementation. With this function, you can verify configuration specifications
- Prevention of possible attacks like SQL injection or brute force
- Simple detection of anomalies in data access. Notifications can be sent if needed
- Collection of all accesses and changes to data structures. With this, you can answer all regulatory inquiries, and in case of an investigation you have evidence of an attacker’s steps or of the events (forensic analysis)
- Blocking of suspicious accesses. This includes administrator accesses
- Enforcement of the four-eyes principle: administrators may read or modify tables with financial, data-protection-relevant or patient data only with a second person’s approval
If you don’t want to worry about data security requirements, I can offer you the following services:
- Regular auditing of your databases
- Verification of compliance with legal requirements like IT-Grundschutz and KRITIS
- Preparation of reports on found vulnerabilities
- Tracking of correction implementation
- Support with regulatory inquiries or investigations
- Support in case of suspected data theft or data manipulation
Please contact me if you’re interested.
Protection of non-relational databases (NoSQL)
Depending on how important the data is for your organisation, you must treat it as carefully as your other databases. The Center for Internet Security has free checklists for the most popular NoSQL databases, such as MongoDB, MariaDB and Hadoop. For backups to work, you must read the manufacturer’s instructions, as the tools work differently for each NoSQL database.
Want your systems to be always available? Then buy quality software!
When selecting a software supplier, you should ensure that product quality and service reliability are guaranteed. Poor design, inadequate performance and hard-to-maintain applications can lead to later outages, high database maintenance costs and data theft.
The Building Block CON.8 of the IT-Grundschutz-Compendium covers procurement. It deals with selecting manufacturers who focus on quality and with developing software that matches your business interests and has appropriate quality. This helps you minimise data integrity loss and the introduction of unsafe database scripts[1].
Data encryption in the database offers few benefits
In my professional practice I have worked with several systems that store encrypted data in the database, and I found no benefits. Basically, you must first implement the measures mentioned above, check them regularly and make sure that the log of your database auditing tool shows no vulnerabilities. Only after that can you weigh whether data encryption is actually necessary. Other measures, such as searching for vulnerabilities in the libraries used by applications, are easier to implement and much more effective.
The main disadvantages are the key management needed so that applications can still read the data, and the increased effort when restoring backups. Encryption remains effective only as long as the application itself has not been compromised.
Additional measures that some German companies need
- Long-term archiving of data: Similar to the backup concept, you must define which data must be archived for legal reasons, how often, by what procedure and with what retention periods. Restoration can be tested once a year
- Security checks of database systems are usually unnecessary. If you already use an auditing tool, the tool will identify vulnerabilities. If a hacker attack occurs, database servers must be reinstalled
- If data comes from elsewhere and is regularly imported, it’s good to document this process and assign a responsible person. This is important not only for data security but also for future development projects; in some companies it is not clear where the data from a system is transferred to
- Emergency preparedness: If the database is truly critical for your business, you need an emergency plan. It states who is responsible, how to report, what must be done to restore normal operation, how long this is expected to take and what resources are needed. I have never worked in a company that needs emergency preparedness. Usually, standard security measures and a good backup concept are sufficient to quickly restore regular operations
- Federated databases: If your systems need links between databases, only certain people should have the right to connect them
[1] The majority of systems don’t need database scripts. Please avoid them.
