Database Security Checklist

Pull the live list from the cloud accounts (RDS, Cloud SQL, Azure SQL) plus on-prem CMDB. Cross-check against vCenter and the Tenable asset feed — shadow MySQL on a developer VM is the instance that gets missed and ends up in the next breach report. Record engine, version, owner team, and data-classification tier.

Tier 1 = PHI/PCI/financial; Tier 2 = internal regulated; Tier 3 = public/non-sensitive. Classification drives the controls expected in subsequent steps — a Tier 1 instance without TDE is a finding; a Tier 3 dev sandbox without TDE is not.

Pull the CyberArk / Delinea / BeyondTrust report of every account with sysadmin, db_owner, SYSDBA, or rds_superuser. Each must be brokered through the vault — direct logins with shared credentials defeat the audit trail. Flag any account checked out for longer than 8 hours.

Confirm Duo / Okta Verify is required on every PAW (Privileged Access Workstation) used to reach a database. Check the Entra ID conditional access policy explicitly blocks legacy auth — basic-auth bypass is the canonical MFA-defeat path.

Export role memberships from each database (db_owner, db_datawriter, custom roles) and compare to the current Workday roster. Movers and leavers retaining write access is the most common audit finding. Document any account where role exceeds current job function.

Any service account whose password is older than 90 days gets rotated this cycle, with the new credential pushed into the vault and the consuming application restarted. Coordinate with the app owner — silent rotation that breaks an ETL job at 2am is the reason rotation gets postponed.

The built-in sa (SQL Server), SYS / SYSTEM (Oracle), and root (MySQL/Postgres) accounts must be disabled or have login restricted to the local console. Break-glass procedure documented separately with the password sealed in the vault.

Transparent Data Encryption on every Tier 1 instance — sys.dm_database_encryption_keys for SQL Server, V$ENCRYPTED_TABLESPACES for Oracle, RDS storage encryption flag for AWS. A 'create encrypted, snapshot, restore unencrypted' migration drift is the classic gotcha.

Run sslyze or testssl.sh against every listener. Block TLS 1.0/1.1; require valid certificates from the internal PKI; confirm clients enforce certificate validation rather than 'TrustServerCertificate=True' in the connection string.

Always Encrypted column keys, pgcrypto keys, or app-tier envelope keys all rotate on the documented cadence (typically annually for CEK, every 2-3 years for CMK). Confirm the prior key version is retained for decryption of historical rows.

Use Tenable, Qualys, or the vendor's own tool (Microsoft Defender for SQL, Oracle DBSAT) against the relevant CIS Benchmark for the engine and version. Attach the report; flag any Level 1 control failures for remediation this cycle.

Oracle CPU is quarterly; Microsoft cumulative updates are monthly. Patch the test ring first, validate one business day, then promote to pilot, then prod. Roll back via VM snapshot or RDS point-in-time if app smoke tests fail. Record exceptions in the change log with a compensating control.

SQL Server: xp_cmdshell, OLE Automation, Database Mail to external relays. Postgres: COPY ... PROGRAM, untrusted PL/Perl. MySQL: secure_file_priv hardened, LOAD DATA LOCAL disabled. Document any exception with the application owner who depends on it.

Database ports (1433, 1521, 3306, 5432) reachable only from the application subnet and the DBA bastion. No 0.0.0.0/0 ingress on a security group, ever. Spot-check with nmap from a developer laptop — if you can connect, the rule is too permissive.

SQL Server Audit, Oracle Unified Audit, Postgres pgaudit — all should land in Splunk / Sentinel / QRadar with retention matching the regulatory floor (1 year for SOC 2, 6 years for HIPAA). Verify the agent heartbeat and run a test query that should generate a known log line.

Threshold: 10 failed logins in 60 seconds from a single source = page the on-call DBA. Walk the past quarter's noisy alerts and tune them — alert fatigue is the reason a real password-spray gets ignored.

Pull every CREATE/ALTER/DROP and GRANT/REVOKE from the past 90 days. Cross-reference with the change tickets in ServiceNow / Jira. Schema changes without a change ticket are the audit exception that keeps coming up — investigate or document the standard-change category covering them.

Imperva, IBM Guardium, or DataSunrise rules should cover SQL injection signatures, mass exfil patterns (SELECT * with no WHERE on PII tables), and after-hours admin access. Add a rule for any new high-value table introduced this quarter.

Veeam / Commvault / native backup tool report for the past 30 days — every instance, every night, success status, and a checksum or restore-test indicator. A green dashboard with a script that hasn't actually run in 3 weeks is the backup gotcha to catch here.

3-2-1 with one immutable copy: S3 Object Lock / Azure immutable blob / write-once tape, in a cloud account or vault with no DBA write access. This is the only ransomware-resilient layer — production-writable backups encrypt right alongside the database.

Pick one Tier 1 database; restore the most recent full + applicable logs into a sandbox VPC; run the smoke-test query suite the DBA team maintains. Record actual RPO and RTO. A drill that 'passes' without a wall-clock measurement is not evidence.

Capture actual recovery time and the data-loss window and compare to the contracted SLA in the BCP. If actual exceeds target, log a finding for the next quarter — even a passing drill at 14 hours against a 4-hour RTO is a finding.