Database Security: Threats, Best Practices, Encryption Guide
Database security protects data at rest and in transit from breach, leak, or corruption — encryption, access control, auditing, backups.
What is database security?
Database security is the discipline of protecting databases — and the data they store — from unauthorized access, modification, deletion, and exfiltration. It combines technical controls (encryption, access control, network isolation), operational practices (backups, audit logs, patching), and policy (data classification, retention, regulatory compliance).
Database breaches are among the most damaging security incidents: the 2017 Equifax breach (147M records), 2019 First American (885M records), and ongoing ransomware attacks all originated at the data layer. Strong database security is non-optional for any system handling user data.
Common database security threats
| Threat | Description | Example |
|---|---|---|
| SQL Injection | Attacker injects SQL via user input | ' OR 1=1 -- bypassing login |
| Privilege Escalation | Low-privilege account gains admin rights | Exploiting unpatched DBMS bug |
| Credential Theft | DB credentials leaked or brute-forced | AWS keys in public git repo |
| Insider Threat | Authorized user abuses access | Engineer dumps customer table |
| Backup Theft | Unencrypted backup leaked | S3 bucket misconfiguration |
| Ransomware | DB encrypted by attacker; ransom demanded | MongoDB exposed to internet, encrypted |
| Data Exfiltration | Bulk export of sensitive data | Insider exports user emails |
| DoS / Resource Exhaustion | Attacker overloads DB | Slow queries flood connection pool |
The 8 pillars of database security
1. Authentication
Strong credentials for every DB user. No shared accounts. Use IAM authentication where supported (AWS RDS IAM, Azure AD).
2. Authorization (least privilege)
Each DB user should have only the permissions its job requires. The application user should not have DDL rights, and DBA accounts should be separate from application accounts.
3. Encryption at rest
Disk-level encryption (AWS RDS encryption, TDE in SQL Server/Oracle). Protects against stolen disks and stolen backups.
4. Encryption in transit
TLS for all DB connections. Reject non-TLS connections at the DB level.
5. Network isolation
DB never directly internet-accessible. Place in private subnet; access via VPC peering or bastion. Use security groups / firewalls strictly.
6. Audit logging
Log all sensitive queries (data exports, schema changes, privilege grants). Send to SIEM. Keep ≥ 1 year for compliance.
7. Patching
Apply DB engine + OS patches promptly. Most exploits target known unpatched CVEs.
8. Backups + DR
Regular encrypted backups. Test restores quarterly. Off-site (different region/cloud). Critical against ransomware.
SQL Injection: the #1 threat
SQL injection happens when user input is concatenated into SQL queries. Mitigation: use parameterized queries / prepared statements, never string concatenation.
```python
# BAD — vulnerable to injection
query = f"SELECT * FROM users WHERE email = '{user_input}'"
cursor.execute(query)

# GOOD — parameterized
query = "SELECT * FROM users WHERE email = %s"
cursor.execute(query, (user_input,))
```

Use ORMs (SQLAlchemy, ActiveRecord, Django ORM, Prisma) — they parameterize by default.
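To see the difference the parameterization makes, here is an added runnable example (not from the original page) that runs both forms of the query against a constructed in-memory SQLite table using the `' OR 1=1 --` input from the threat table above. SQLite uses `?` placeholders where psycopg2 uses `%s`; the table name and sample rows are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with two sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"), ("bob@example.com", "user")],
    )
    return conn


def find_user_vulnerable(conn, user_input):
    """BAD: the input is concatenated into the SQL text, so a quote in the input
    ends the string literal and the rest of the input becomes SQL."""
    query = f"SELECT email FROM users WHERE email = '{user_input}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, user_input):
    """GOOD: the driver sends the input as a bound value; it can only ever be
    compared as data, never parsed as SQL."""
    query = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(query, (user_input,))]


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1 --"  # the example input from the threat table
    print(find_user_vulnerable(conn, payload))  # every row comes back
    print(find_user_safe(conn, payload))        # no row has that literal email
    print(find_user_safe(conn, "bob@example.com"))  # normal lookups still work
```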
Sensitive data handling
| Pattern | Use case | Notes |
|---|---|---|
| Hashing | Passwords | bcrypt/argon2; never reversible |
| Encryption | PII fields (SSN, CCN) | Application-level or column-level encryption |
| Tokenization | Credit card numbers | Replace value with non-sensitive token (PCI scope reduction) |
| Pseudonymization | Analytics on user data | Replace IDs with non-identifying surrogates |
| Masking | Test/dev environments | Show ***-***-1234 instead of full SSN |
| Row-level security | Multi-tenant SaaS | DB enforces tenant isolation |
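The masking, pseudonymization and hashing rows of the table, as an added Python example that is not part of the original page. The pseudonymization key is a constructed placeholder (in production it would come from a secrets manager), and stdlib PBKDF2 stands in for bcrypt/argon2 on the assumption that neither library is installed.

```python
import hashlib
import hmac
import os

# Constructed demo key for pseudonymization; load it from a secrets manager in real systems.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use"
KDF_ITERATIONS = 100_000  # kept modest so the example runs quickly; raise in production


def mask_ssn(ssn):
    """Masking for test/dev data: keep only the last four digits of the SSN."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return f"***-**-{digits[-4:]}"


def pseudonymize(user_id):
    """Pseudonymization for analytics: a keyed HMAC yields a stable surrogate that
    cannot be reversed, and cannot be recomputed by anyone without the key."""
    return hmac.new(PSEUDONYM_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()[:16]


def hash_password(password, salt=None):
    """Password hashing: per-user random salt plus a slow KDF; the result is
    stored, the plaintext never is."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), KDF_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)
```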
Database security best practices
- Parameterize all queries. No exception. Use ORMs.
- Least-privilege DB users. App connects with limited account; admins use separate accounts.
- Encrypt at rest + in transit. Default in modern cloud DBs.
- No DB on public internet. VPN, bastion, private subnet.
- Use IAM auth. AWS RDS IAM, Cloud SQL IAM — short-lived tokens beat passwords.
- Rotate credentials. Long-lived passwords are leak risk; AWS Secrets Manager auto-rotation.
- Audit + alert. Log queries; alert on anomalies (bulk exports, off-hours access).
- Apply patches monthly. Subscribe to vendor security bulletins.
- Encrypt backups, test restores, and store backups off-site.
- Separate prod from dev. Don't copy real data to dev; mask or synthesize.
- Limit blast radius. Sensitive tables in separate schema with stricter access.
- Monitor failed logins. A sudden spike signals credential stuffing in progress.
Compliance frameworks affecting databases
- GDPR — EU data; right to erasure, access logs, breach notification 72h.
- HIPAA — US healthcare; PHI encryption, audit logs.
- PCI-DSS — Cardholder data; tokenization, network segmentation.
- SOC 2 — Service org controls; access reviews, monitoring.
- ISO 27001 — Information security management.
- CCPA/CPRA — California consumer data.
FAQ: database security
How do I prevent SQL injection?
Use parameterized queries / prepared statements. Use ORMs that parameterize by default. Never concatenate user input into SQL strings.
Should I encrypt database fields at the application or database layer?
Both have merit. App-level: the DB never sees the encryption keys. DB-level (TDE, column encryption): simpler to operate, but the DB sees plaintext. PII often warrants both.
What's the difference between encryption at rest and in transit?
At rest = on disk (protects stolen disks/backups). In transit = on network (protects against MITM). Both are required for compliance.
How often should DB credentials rotate?
Long-lived passwords: every 90 days max. Better: short-lived IAM tokens (auto-rotated). Best: passwordless via IAM federation.
Can I expose my database to the internet?
Almost never. Place in private subnet; access via VPN, bastion, or app server in same VPC. Public DBs = ransomware bait.
What's row-level security?
DB feature (PostgreSQL, SQL Server) that filters which rows a query returns based on user context. Critical for multi-tenant apps.
How do I detect a database breach?
Audit logs + anomaly detection. Watch for: bulk data exports, off-hours queries, new admin accounts, schema changes outside change windows.
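The anomaly checks named in this answer and in the "Audit + alert" best practice above, as an added Python example that is not part of the original page. It runs over constructed audit log lines in a simple key=value format (an assumption, not any vendor's log format); the thresholds, business hours and change window are placeholders to tune per environment.

```python
from datetime import datetime

# Constructed sample audit log (timestamps in UTC); the format is assumed, not a real vendor's.
SAMPLE_LOG = """\
2024-03-12T10:15:02Z user=app_svc action=SELECT table=orders rows=120
2024-03-12T02:41:17Z user=app_svc action=SELECT table=users rows=250000
2024-03-12T11:05:44Z user=dba_jane action=GRANT target=ROLE_admin grantee=tmp_user rows=0
2024-03-12T15:30:00Z user=dba_jane action=ALTER table=payments rows=0
2024-03-13T03:12:09Z user=dba_jane action=DROP table=audit_archive rows=0
"""

BULK_ROWS = 100_000           # rows returned by one statement before it counts as a bulk export
WORK_HOURS = range(8, 19)     # 08:00-18:59 UTC is business hours (placeholder)
CHANGE_WINDOW = range(14, 17) # schema changes are expected 14:00-16:59 UTC only (placeholder)
DDL = {"ALTER", "DROP", "CREATE", "TRUNCATE"}


def parse_line(line):
    """Split one log line into a dict: timestamp plus key=value fields."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["rows"] = int(rec.get("rows", 0))
    return rec


def detect(log_text):
    """Return (kind, user, detail) alerts for the four patterns the FAQ lists."""
    alerts = []
    for line in log_text.strip().splitlines():
        r = parse_line(line)
        hour = r["ts"].hour
        if r["action"] == "SELECT" and r["rows"] >= BULK_ROWS:
            alerts.append(("bulk_export", r["user"], r.get("table")))
        if hour not in WORK_HOURS:
            alerts.append(("off_hours", r["user"], r["action"]))
        if r["action"] == "GRANT" and "admin" in r.get("target", "").lower():
            alerts.append(("admin_grant", r["user"], r.get("grantee")))
        if r["action"] in DDL and hour not in CHANGE_WINDOW:
            alerts.append(("schema_change_outside_window", r["user"], r.get("table")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Each alert is one of the signals the answer lists; in practice these would be forwarded to the SIEM rather than printed.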
Test your DB-backed API security with LoadFocus
LoadFocus runs JMeter and k6 scripts that simulate auth flows, injection patterns, and concurrent load against DB-backed APIs from 25+ regions. Sign up free at loadfocus.com/signup.