Interview with Serge Rider: human factor in data security

Security issues affect each of us, even if we do not think about it. As developers of database tools, we at DBeaver face these problems and deal with them successfully. That’s why we are glad to share our expertise with you. Today we asked our CTO, Serge Rider to answer several important questions related to security.

What are the three security issues that first come to your mind when we talk about working with data? Why do you think it’s important to take them into account?
This is one of the most popular security questions, and I will unlikely reinvent the wheel today. However, this topic remains relevant.

The first and most important issue is safe access to data. By this I mean who can view and modify certain data. Nowadays, it is considered good practice to use multi-factor authentication (MFA) for secure data access, which means verification by several criteria – password, SMS, hardware token, etc. To distribute access, it is recommended to use role-based permissions.

Not all companies use MFA and role-based permissions. Most often, this is caused by complexity, inconvenience, extra time for connection, etc. Administrators can’t always do this well enough, as the task of assigning roles requires a lot of time and effort, including interacting with HR departments and heads of departments. The human factor is the most dangerous here.

The second issue is the secure storage of data. I think all of you have heard more than once news about data leaks from different companies, including large and popular corporations. To store data securely, we must protect access with special gateways. This can be done through systems like VPN or Bastion.

We should also not forget about industrial espionage. To minimize this kind of attack, we need to separate access to individual parts of the data. In this case, no company employee has access to all data. For additional protection, data should be stored in a closed loop.

The second issue brings a lot of inconveniences, and people deal with this in the following ways:

– store access keys in insecure places on local computers or phones and rarely change them;
– issue access permissions to employees without checking whether they really need them;
– work from other employees’ computers to avoid setting up their own.

In other words, the human factor comes into play again.

I would call the third big issue the data correctness check which ensures the normal security of data exchange. If users see something different from what is actually stored in the database, they may make wrong decisions. We know that many work tools have problems with this. For example, there is often an incorrect representation of numbers or complex data types in the database, including date and time in the different time zones.

This part of data security directly relates to our products, and we do our best so that users get data of complex types correctly.
Sometimes, it seems we have thought about all possible vulnerabilities, but users still find new ones. Can we somehow fight the human factor beforehand?
In short, we can’t. The human factor will always be a vulnerable part of any IT system. But if we talk about ways to improve it, this is AI and, possibly, blockchain technology. With the use of AI in authentication and authorization systems, it becomes possible to automatically detect insecure, reckless, or malicious patterns of employee behavior and report them at an early stage.

A security service consisting of real people will never work as efficiently and continuously as artificial intelligence. AI never sleeps, never gets tired, and can monitor data security and possible leaks 24/7. This is where the pictures from the 1984 book immediately come to mind. However similar approaches have long been used in all large companies. So far, this is being done without AI, but soon, it will be everywhere and primarily to reduce the impact of the human factor.

Regarding data consistency and protection from retroactive changes, blockchain technologies are well-suited. At the moment, none of the popular databases use blockchain to confirm data integrity, but it seems that this is also not far off.
Tell us about the most memorable cases in your work related to security vulnerabilities
I can give many examples because zero-day vulnerabilities happen regularly in IT. We can mention, for example, the 2018 Meltdown vulnerability in Intel processors, which forced the entire server hardware industry to urgently update both hardware and software in data centers or the good old Y2K problem.

Speaking of the more recent and related to our company is the Log4Shell vulnerability of 2021, which made it possible to execute any code on servers using the log4j. This logging library was the most popular at the time. This vulnerability affected up to 40% of all server systems worldwide. We wrote most of the code in Java and have validated all libraries and servers used in our company and our products.

We were relatively lucky because we did not use log4j directly, but we still had to remove some potentially dangerous components and release a new version with a patch within two days. And then, we had to convince our customers and partners for months that we would not suffer from this vulnerability. It was quite a hot moment in our history.
What are the main trends you see in the future of IT security and data security?
As I mentioned earlier, the main security issue is the human factor. I think the main trends should be precisely in reducing its influence. And, of course, AI technology is great for this. I suppose that in the next year or two, industrial monitoring systems using AI should appear, including those that are self-learning on work patterns in specific companies. This should change the overall vision of the corporate and national security service.

I also expect further development of blockchain technologies in the DBMS to validate data consistency.