Database Security Checklist

Pull the live list from the cloud accounts (RDS, Cloud SQL, Azure SQL) plus on-prem CMDB. Cross-check against vCenter and the Tenable asset feed — shadow MySQL on a developer VM is the instance that gets missed and ends up in the next breach report. Record engine, version, owner team, and data-classification tier.

Tier 1 = PHI/PCI/financial; Tier 2 = internal regulated; Tier 3 = public/non-sensitive. Classification drives the controls expected in subsequent steps — a Tier 1 instance without TDE is a finding; a Tier 3 dev sandbox without TDE is not.

Every instance needs a named DBA and a named business owner — the person who signs off on data access decisions. Orphaned databases (former employee in the owner field) are the ones that quietly run unpatched for years.

Pull the CyberArk / Delinea / BeyondTrust report of every account with sysadmin, db_owner, SYSDBA, or rds_superuser. Each must be brokered through the vault — direct logins with shared credentials defeat the audit trail. Flag any account checked out for longer than 8 hours.

Confirm Duo / Okta Verify is required on every PAW (Privileged Access Workstation) used to reach a database. Check the Entra ID conditional access policy explicitly blocks legacy auth — basic-auth bypass is the canonical MFA-defeat path.

Export role memberships from each database (db_owner, db_datawriter, custom roles) and compare to the current Workday roster. Movers and leavers retaining write access is the most common audit finding. Document any account where role exceeds current job function.

Any service account whose password is older than 90 days gets rotated this cycle, with the new credential pushed into the vault and the consuming application restarted. Coordinate with the app owner — silent rotation that breaks an ETL job at 2am is the reason rotation gets postponed.

The built-in sa (SQL Server), SYS / SYSTEM (Oracle), and root (MySQL/Postgres) accounts must be disabled or have login restricted to the local console. Break-glass procedure documented separately with the password sealed in the vault.

For each exception flagged in the RBAC reconciliation: either revoke the access or capture written manager approval with a justification and a re-review date. Open a ticket per exception so the audit trail is complete.

Transparent Data Encryption on every Tier 1 instance — sys.dm_database_encryption_keys for SQL Server, V$ENCRYPTED_TABLESPACES for Oracle, RDS storage encryption flag for AWS. A 'create encrypted, snapshot, restore unencrypted' migration drift is the classic gotcha.

Run sslyze or testssl.sh against every listener. Block TLS 1.0/1.1; require valid certificates from the internal PKI; confirm clients enforce certificate validation rather than 'TrustServerCertificate=True' in the connection string.

Always Encrypted column keys, pgcrypto keys, or app-tier envelope keys all rotate on the documented cadence (typically annually for CEK, every 2-3 years for CMK). Confirm the prior key version is retained for decryption of historical rows.

For AWS KMS / Azure Key Vault / GCP KMS: review the key policy and grant list. The DBA role and the backup service principal should be the only callers of Decrypt for production keys. Wildcard principals (Principal: *) on a CMK is an immediate finding.

Use Tenable, Qualys, or the vendor's own tool (Microsoft Defender for SQL, Oracle DBSAT) against the relevant CIS Benchmark for the engine and version. Attach the report; flag any Level 1 control failures for remediation this cycle.

Oracle CPU is quarterly; Microsoft cumulative updates are monthly. Patch the test ring first, validate one business day, then promote to pilot, then prod. Roll back via VM snapshot or RDS point-in-time if app smoke tests fail. Record exceptions in the change log with a compensating control.

SQL Server: xp_cmdshell, OLE Automation, Database Mail to external relays. Postgres: COPY ... PROGRAM, untrusted PL/Perl. MySQL: secure_file_priv hardened, LOAD DATA LOCAL disabled. Document any exception with the application owner who depends on it.

Database ports (1433, 1521, 3306, 5432) reachable only from the application subnet and the DBA bastion. No 0.0.0.0/0 ingress on a security group, ever. Spot-check with nmap from a developer laptop — if you can connect, the rule is too permissive.

Drop AdventureWorks, Northwind, Oracle's HR/SCOTT/SH schemas, MySQL's test database. They ship with predictable credentials and are favorite targets in automated scans against newly-deployed instances.

SQL Server Audit, Oracle Unified Audit, Postgres pgaudit — all should land in Splunk / Sentinel / QRadar with retention matching the regulatory floor (1 year for SOC 2, 6 years for HIPAA). Verify the agent heartbeat and run a test query that should generate a known log line.

Threshold: 10 failed logins in 60 seconds from a single source = page the on-call DBA. Walk the past quarter's noisy alerts and tune them — alert fatigue is the reason a real password-spray gets ignored.

Pull every CREATE/ALTER/DROP and GRANT/REVOKE from the past 90 days. Cross-reference with the change tickets in ServiceNow / Jira. Schema changes without a change ticket are the audit exception that keeps coming up — investigate or document the standard-change category covering them.

Imperva, IBM Guardium, or DataSunrise rules should cover SQL injection signatures, mass exfil patterns (SELECT * with no WHERE on PII tables), and after-hours admin access. Add a rule for any new high-value table introduced this quarter.

Annual external pentest scoped to include database injection paths, privilege escalation, and credential reuse. Coordinate with the third-party tester on an isolated environment if production scanning would breach SLA. File the SOW and engagement window in the audit folder.

Veeam / Commvault / native backup tool report for the past 30 days — every instance, every night, success status, and a checksum or restore-test indicator. A green dashboard with a script that hasn't actually run in 3 weeks is the backup gotcha to catch here.

3-2-1 with one immutable copy: S3 Object Lock / Azure immutable blob / write-once tape, in a cloud account or vault with no DBA write access. This is the only ransomware-resilient layer — production-writable backups encrypt right alongside the database.

Pick one Tier 1 database; restore the most recent full + applicable logs into a sandbox VPC; run the smoke-test query suite the DBA team maintains. Record actual RPO and RTO. A drill that 'passes' without a wall-clock measurement is not evidence.

Capture actual recovery time and the data-loss window and compare to the contracted SLA in the BCP. If actual exceeds target, log a finding for the next quarter — even a passing drill at 14 hours against a 4-hour RTO is a finding.

A failed restore drill is treated as a SEV1 — production backup is presumed un-recoverable until proven otherwise. Page the DBA on-call, notify the CISO, and freeze production schema changes until a successful drill on the same instance.

The DBA lead and IT security lead jointly sign. Attach the inventory file, the CIS report, and the restore drill record. This package is the artifact auditors pull during the SOC 2 / ISO / customer-due-diligence review.