Which term best describes a centralized network database containing user account information

Table of Contents Show Historical context Disadvantages Centralized databases vs. Distributed databases

This article uses bare URLs, which are uninformative and vulnerable to link rot. Please consider converting them to full citations to ensure the article remains verifiable and maintains a consistent citation style. Several templates and tools are available to assist in formatting, such as Reflinks (documentation), reFill (documentation) and Citation bot (documentation). (September 2022) (Learn how and when to remove this template message)

A centralized database (sometimes abbreviated CDB) is a database that is located, stored, and maintained in a single location. This location is most often a central computer or database system, for example a desktop or server CPU, or a mainframe computer.In most cases, a centralized database would be used by an organization (e.g. a business company) or an institution (e.g. a university.) Users access a centralized database through a computer network which is able to give them access to the central CPU, which in turn maintains to the database itself.[1][2]

Historical context

The need for databases rose in the 60's with the invention of direct access storage, which allowed users to directly access records. Previously, computer systems were tape based, meaning records could only be accessed sequentially.[3] Organizations quickly adopted databases for storage and retrieval of data. The traditional approach for storing data was to use a centralized database, and users would query the data from various points over a network.[1]

An example for a centralized database could be given with the Australian Department of Defense, which centralized their databases in the mid 1970s.[3]

Advantages

Centralized databases hold a substantial amount of advantages against other types of databases. Some of them are listed below:

• Data integrity is maximized and data redundancy is minimized, as the single storing place of all the data also implies that a given set of data only has one primary record. This aids in the maintaining of data as accurate and as consistent as possible and enhances data reliability.[4]
• Central host computer can be more easily protected from unauthorized access.[4]
• Generally easier data portability and database administration.
• Data kept in the same location is easier to be changed, re-organized, mirrored, or analyzed
• Transactions can more easily comply with the properties of ACID.[5]

Disadvantages

Centralized databases also have a certain amount of limitations, such as those described below:

• Access speed is limited by network speed.[4]
• The central computer is a single point of failure, if the computer experiences downtime, users will not be able to access any data.
• If there is no fault-tolerant setup and hardware failure occurs, all the data within the database will be lost.
• If someone accesses the central computer, all of the data can easily be compromised.
• Difficult to scale as the centralized computer would need to be replaced to scale up.[6]

Centralized databases vs. Distributed databases

The underlying idea of centralized databases is that they should be able to receive, maintain, and complete every single request that the main system must perform by themselves. There is only one database file, kept at a single location on a given network.

A distributed database, however, is a database in which all the information is stored on multiple physical locations.[7] Distributed databases are divided into two groups: homogeneous and heterogeneous. It relies on replication and duplication within its multiple sub-databases in order to maintain its records up to date. It is composed of multiple database files, all controlled by a central DBMS.

The main differences between centralized and distributed databases arise due to their respective basic characteristics. Differences include but are not limited to:

• Centralized databases store data on a single CPU bound to a single certain physical/geographical location. Distributed databases, however, rely on a central DBMS which manages all its different storage devices remotely, as it is not necessary for them to be kept in the same physical and/or geographical location.
• As outlined above, centralized databases are easier to maintain up to date than distributed databases. This is so because distributed databases require additional (often manual) work to keep the data stored relevant, and to avoid data redundancy, as well as to improve the overall performance.[8]
• If data is lost in a centralized system, retrieving it would be much harder. If, however, data is lost in a distributed system, retrieving it would be very easy, because there is always a copy of the data in a different location of the database.
• Designing a centralized database is generally much less complex than designing a distributed database, as distributed database systems are based on a hierarchical structure.

See also

• Database
• Distributed database
• Parallel database
• Centralized computing
• Centralization

References

1. ^ a b Turban, Efraim; Carol Pollard; Gregory R. Wood (2021). Information technology for management: driving digital transformation to increase local and global performance, growth and sustainability (Twelfth ed.). Hoboken. p. 71. ISBN 978-1-119-70290-0. OCLC 1333952841.
2. ^ Neelankavil, James P. (2007). International business research. Armonk, N.Y.: M.E. Sharpe. pp. 96–97. ISBN 978-1-317-42545-8. OCLC 647515744.
3. ^ a b Lake, Peter (2013). Concise guide to databases: a practical introduction. Paul Crowther. London. ISBN 978-1-4471-5601-7. OCLC 868889675.
4. ^ a b c Sumathi, S. (2007). Fundamentals of relational database management systems. S. Esakkirajan. Berlin: Springer. ISBN 978-3-540-48399-1. OCLC 184984668.
5. ^ Iacob, Nicoleta Magdalena; Moise, Mirela Liliana (December 2015). "Centralized vs. Distributed Databases. Case Study" (PDF). Academic Journal of Economic Studies. 1 (4).
6. ^ Silberschatz, Abraham; Henry F. Korth; S. Sudarshan (2011). Database system concepts (Sixth ed.). New York: McGraw-Hill. ISBN 978-0-07-352332-3. OCLC 436031093.
7. ^ "Wikispaces".
8. ^ "Q. What are differences in Centralized and Distributed Database Systems? List the relative advantages of data distribution? - Solved Assignments".

Retrieved from "https://en.wikipedia.org/w/index.php?title=Centralized_database&oldid=1123469750"

Some of the top privilege-related risks and challenges include:

Lack of visibility and awareness of of privileged users, accounts, assets, and credentials

Long-forgotten privileged accounts are commonly sprawled across organizations. These orphaned accounts may number in the millions, and provide dangerous backdoors for attackers, including, former employees who have left the company but retain access.

If privileged access controls are overly restrictive, they can disrupt user workflows, causing frustration and hindering productivity. Since end users rarely complain about possessing too many privileges, IT admins traditionally provision end users with broad sets of privileges. Additionally, an employee’s role is often fluid and can evolve such that they accumulate new responsibilities and corresponding privileges—while still retaining privileges that they no longer use or require.

All of this privilege excess adds up to a bloated attack surface. Routine computing for employees on personal PC users might entail internet browsing, watching streaming video, use of MS Office and other basic applications, including SaaS (e.g., Salesforce.com, GoogleDocs, Slack, etc.). In the case of Windows PCs, users often log in with administrative account privileges—far broader than what is needed. These excessive privileges massively increase the risk that malware or hackers may steal passwords or install malicious code that could be delivered via web surfing or email attachments. The malware or hacker could then leverage the entire set of privileges of the account, accessing data of the infected computer, and even launching an attack against other networked computers or servers.

IT teams commonly share root, Windows Administrator, and many other privileged credentials for convenience so workloads and duties can be seamlessly shared as needed. However, with multiple people sharing an account password, it may be impossible to tie actions performed with an account to a single individual. This creates security, auditability, and compliance issues.

Privileged credentials are needed to needed facilitate authentication for app-to-app (A2A) and application-to-database (A2D) communications and access. Applications, systems, network devices, and IoT devices may be shipped and o deployed with embedded, default credentials that are easily guessable and pose substantial risk. Additionally, employees will often hardcode secrets in plain text—such as within a script, code, or a file, so it is easily accessible when they need it.

vPrivilege security controls are often immature. Privileged accounts and credentials may be managed differently across various organizational silos, leading to inconsistent enforcement of best practices. Human privilege management processes cannot possibly scale in most IT environments where thousands—or even millions—of privileged accounts, credentials, and assets can exist. With so many systems and accounts to manage, humans invariably take shortcuts, such as re-using credentials across multiple accounts and assets. One compromised account can therefore jeopardize the security of other accounts sharing the same credentials.

Applications and service accounts often automatically execute privileged processes to perform actions, as well as to communicate with other applications, services, resources, etc. Applications and service accounts frequently possess excessive privileged access rights by default, and also suffer from other serious security deficiencies.

Modern IT environments typically run across multiple platforms (e.g., Windows, Mac, Unix, Linux) and environments (on-premises, Azure, AWS, Google Cloud)—each separately maintained and managed. This practice equates to inconsistent administration for IT, added complexity for end users, and increased cyber risk.

Digital transformation is massively expanding the privileged attack surface. Here are just a few key ways:

​Cloud and virtualization administrator consoles & environments

AWS, MIcrosoft 365, etc. provide nearly boundless superuser capabilities, enabling users to rapidly provision, configure, and delete servers at massive scale. Within these consoles, users can effortlessly spin-up and manage thousands of virtual machines (each with its own set of privileges and privileged accounts). Organizations need the right privileged security controls in place to onboard and manage all of these newly created privileged accounts and credentials at massive scale.

The DevOps emphasis on speed, cloud deployments, and automation presents many privilege management challenges and risks. Organizations often lack visibility into privileges and other risks posed by containers and other new tools. Inadequate secrets management, embedded passwords, and excessive privilege provisioning are just a few privilege risks rampant across typical DevOps deployments.

Edge networks are expanding to serve data faster where it is needed. The access to and from these devices--as well as the devices themselves (often IoT) must all be secured. And despite the pervasiveness of IoT, IT teams still struggle to discover and securely onboard legitimate devices at scale. Compounding this issue, IoT devices commonly have severe security drawbacks, such as hardcoded, default passwords and the inability to harden software or update firmware. Moreover, they may not have enough processing capability on which to run antivirus (AV) software. PAM has a pivotal role to play in IoT & edge security.

Hackers, malware, partners, insiders gone rogue, and simple user errors—especially in the case of superuser accounts—comprise the most common privileged threat vectors.

External hackers covet privileged accounts and credentials, knowing that, once obtained, they provide a fast track to an organization’s most critical systems and sensitive data. With privileged credentials in hand, a hacker essentially becomes an “insider”—and that’s a dangerous scenario, as they can easily erase their tracks to avoid detection while they traverse the compromised IT environment.

Hackers often gain an initial foothold through a low-level exploit, such as through a phishing attack on a standard user account, and then achieve lateral movement through the network until they find a dormant or orphaned account that allows them to escalate their privileges.

Unlike external hackers, insiders already start within the perimeter, while also benefitting from know-how of where sensitive assets and data lie and how to zero in on them. Insider threats take the longest to uncover—as employees, and other insiders, generally benefit from some level of trust by default, which may help them avoid detection. The protracted time-to-discovery also translates into higher potential for damage. Many of the most catastrophic breaches in recent years have been perpetrated by insiders.

The more privileges and access a user, account, or process amasses, the greater the potential for abuse, exploit, or error. Implementing privilege management not only minimizes the potential for a security breach occurring, it also helps limit the scope of a breach should one occur. Implementing PAM best practices (removing admin rights, enforcing least privilege, eliminating default/embedded credentials, etc.) are also an important piece of enterprise IT systems hardening.

One differentiator between PAM and other types of security technologies is that PAM can dismantle multiple points of the cyberattack chain, providing protection against both external attack as well as attacks that make it within networks and systems.

PAM confers several chief benefits, including:

• A condensed attack surface that protects against both internal and external threats: Limiting privileges for people, processes, and applications means the pathways and entrances for exploit are also diminished.

• Reduced malware infection and propagation: Many varieties of malware (such as SQL injections, which rely on lack of least privilege) need elevated privileges to install or execute. Removing excessive privileges, such as through least privilege enforcement across the enterprise, can prevent malware from gaining a foothold, or reduce its spread if it does.

• Enhanced operational performance: Restricting privileges to the minimal range of processes to perform an authorized activity reduces the chance of incompatibility issues between applications or systems, and helps reduce the risk of downtime.

• Easier to achieve and prove compliance: By curbing the privileged activities that can possibly be performed, privileged access management helps create a less complex, and thus, a more audit-friendly, environment.

• Help satisfy cyber insurance requirements: In recent years, ransomware attacks and ransom payouts have hurt the bottom lines, and threatened the viability, of the cyber insurance industry. Cyber insurers appreciate that PAM controls reduce risk and stop threats, and thus, are powerful tool in reducing cyber liability. Today, many cyber insurers mandate PAM controls to renew or obtain new cyber liability coverage. Cyber insurance requirement checklists that are part of, or precede the insurance application process, commonly call out a number of specific controls, such as “Has a PAM system to manage privileged access and accounts."

Additionally, many compliance regulations (including HIPAA, PCI DSS, FDDC, Government Connect, FISMA, and SOX) require that organizations apply least privilege access policies to ensure proper data stewardship and systems security. For instance, the US federal government’s FDCC mandate states that federal employees must log in to PCs with standard user privileges. Multiple NIST frameworks, including those for implementing zero trust principles (zero trust architectures and zero trust network access), also emphasize the need for PAM.

The more mature and holistic your privilege security policies and enforcement, the better you will be able to prevent and react to insider and external threats, while also meeting compliance mandates.

Here is an overview of the most important PAM best practices:

1. Establish and enforce a comprehensive privilege management policy: The policy should govern how privileged access and accounts are provisioned/de-provisioned; address the inventory and classification of privileged identities and accounts; and enforce best practices for security and management.

2. Identify and bring under management all privileged accounts and credentials: Privileged account discovery should include all user and local accounts; application and service accounts database accounts; cloud and social media accounts; SSH keys; default and hard-coded passwords; and other privileged credentials – including those used by third parties/vendors. Discovery should also include platforms (e.g., Windows, Unix, Linux, Cloud, on-prem, etc.), directories, hardware devices, applications, services / daemons, firewalls, routers, etc.

The privilege discovery process should illuminate where and how privileged passwords are being used, and help reveal security blind spots and malpractice, such as:

3. Enforce least privilege over end users, endpoints, accounts, applications, services, systems, etc.: A key piece of a successful least privilege implementation involves wholesale elimination of privileges everywhere they exist across your environment. Then, apply rules-based technology to elevate privileges as needed to perform specific actions, revoking privileges upon completion of the privileged activity. Ensuring true least privilege is not just about enforcing constraints on the breadth of access, but also on the duration of access. In IT security terms, this means implementing controls that provide just enough access (JEA) and just-in-time (JIT) access.

Broken down to the tactical level, least privilege enforcement should encompass the following:

• Remove admin rights on endpoints. Instead of provisioning default privileges, default all users to standard privileges while enabling elevated privileges for applications and to perform specific tasks. If access is not initially provided but required, the user can submit a help desk request for approval. For most Windows and Mac users, there is no reason for them to have admin access on their local machine. Also, when it comes down to it, organizations need to be able to exert control over privileged access for any endpoint with an IP—traditional, mobile, network device, IoT, SCADA, etc. From 2015 -2020, 75% of Critical Microsoft vulnerabilities could have been mitigated by removing admin rights (Source: Microsoft Vulnerabilities Report 2022).

• Remove all root and admin access rights to servers and reduce every user to a standard user. This will dramatically reduce the attack surface and help safeguard your Tier-1 systems and other critical assets. Standard, “non-privileged” Unix and Linux accounts lack access to sudo, but still retain minimal default privileges, allowing for basic customizations and software installations. A common practice for standard accounts in Unix/Linux is to leverage the sudo command, which enables the user to temporarily elevate privileges to root-level, but without having direct access to the root account and password. However, while using sudo is better than providing direct root access, sudo poses many limitations with regards to auditability, ease of management, and scalability. Therefore, organizations are better served by employing server privilege management technologies to supplement or replace sudo. These PAM technologies allow granular privilege elevation and elevate privileges on an as-needed basis, while providing clear auditing and monitoring capabilities.

• Remove unnecessary privileges. Apply least privilege access rules through application control, as well as other strategies and technologies to remove unnecessary privileges from applications, processes, IoT, tools (DevOps, etc.), and other assets. Enforce restrictions on software installation, usage, and OS configuration changes. Also limit the commands that can be typed on highly sensitive/critical systems.

• Eliminate standing privileges (privileges that are “always-on”) wherever possible. Privileged access for human users should always expire. While zero stand privileges (ZSP)—the removal of all standing privileges—is the ideal end state for human user accounts, many machine/application counts will continue to need persistent privileges to maintain uptime goals. Implement just-in-time privilege management (also called privilege bracketing) to elevate privileges on an as-needed basis for specific applications and tasks only for the moment of time they are needed.

• Limit privileged account membership to as few people as possible: This simple rule radically reduces the overall enterprise attack surface.

• Minimize the number of rights for each privileged account: With this rule intact, any compromised account will yield a threat actor with only a limited set of privileges, and help limit the scope of a security breach.

4. Enforce separation of privileges and separation of duties: Privilege separation measures include separating administrative account functions from standard account requirements, separating auditing/logging capabilities within the administrative accounts, and separating system functions (e.g., read, edit, write, execute, etc.).

When least privilege and separation of privilege are in place, you can enforce separation of duties. Each privileged account should have privileges finely tuned to perform only a distinct set of tasks, with little overlap between various accounts.

With these security controls enforced, although an IT worker may have access to a standard user account and several admin accounts, they should be restricted to using the standard account for all routine computing, and only have access to various admin accounts to accomplish authorized tasks that can only be performed with the elevated privileges of those accounts.

5. Segment systems and networks to broadly separate users and processes based on different levels of trust, needs, and privilege sets. Systems and networks requiring higher trust levels should implement more robust security controls. The more segmentation of networks and systems, the easier it is to contain any potential breach from spreading beyond its own segment. Also implement microsegmentation, a key zero trust strategy, to isolate resources by creating zones. Microsegmentation further restricts line-of-sight visibility and access to applications, protecting against lateral movement.

6. Enforce password security best practices:

• Centralize security and management of all credentials (e.g., privileged account passwords, SSH keys, application passwords, etc.) in a tamper-proof safe. Implement a workflow whereby privileged credentials can only be checked out until an authorized activity is completed, after which time the password is checked back in and privileged access is revoked.

• Ensure robust passwords that can resist common attack types (e.g., brute force, dictionary-based, etc.) by enforcing strong password generation parameters, such as password complexity, uniqueness, etc.

• Routinely rotate (change) privileged passwords, decreasing the intervals of change in proportion to the password’s sensitivity. A top priority should be identifying and quickly changing any default credentials, as these present an out-sized risk. For the most sensitive privileged access and accounts, implement one-time passwords (OTPs), which immediately expire after a single use. While frequent password rotation helps prevent many types of password re-use attacks, OTP passwords can eliminate this threat. In the case of DevOps workflows, implement dynamic secrets, at type of ephemeral/OTP generated as needed to a single client.

• Eliminate password sharing—each account should have a unique login to ensure a clear oversight and a clean audit trail.

• Never reveal passwords—implement single sign-on (SSO) authentication to cloak passwords from both users and processes. Password managers can auto-inject passwords as needed.

• Remove embedded/hard-coded credentials and bring under centralized credential management. This typically requires a third-party solution for separating the password from the code and replacing it with an API that enables the credential to be retrieved from a centralized password safe.

7. Lock down infrastructure: Extend PAM principles to implement robust infrastructure access management. Access to infrastructure—whether for on-premise, cloud, or OT environments—should be proxied via VPN-less PAM technologies. This can entail implementing a privileged access workstation (PAW), which are hardened, dedicated assets use to secure all admin access. The principle of least privilege should also be applied to ensure that the range of activities and infrastructure access for any one PAW is limited.

8. Monitor and audit all privileged activity: This can be accomplished through user IDs as well as auditing and other tools. Implement privileged session management and monitoring (PSM) to detect suspicious activities and efficiently investigate risky privileged sessions in a timely manner. Privileged session management involves monitoring, recording, and controlling privileged sessions. Auditing activities should include capturing keystrokes and screens (allowing for live view and playback). PSM should cover the instances during which elevated privileges/privileged access is granted to an account, service, or process.

Privileged session monitoring and management capabilities are also essential for compliance. SOX, HIPAA, GLBA, PCI DSS, FDCC, FISMA, and other regulations require organizations to not only secure and protect data, but also be capable of proving the effectiveness of those measures.

9. Implement dynamic, context-based access: This is a key zero trust principle and entails delivering just-enough access, just-in-time—in the proper context. This is accomplished by evaluating multiple inputs (real-time vulnerability/threat data for a target asset, geolocation and temporal data, user data, etc.) to determine how much and for how long privilege can be provisioned. Apply real-time vulnerability and threat data about a user or an asset to enable dynamic risk-based access decisions. For instance, this capability can allow you to automatically restrict privileges and prevent unsafe operations when a known threat or potential compromise exists for the user, asset, or system.

10. Secure privileged task automation (PTA) workflows: Privileged task automation involves entails automating tasks and workflows—such as robotic process automation (RPA)—that leverage privileged credentials and elevated access. These complicated workflows are increasingly embedded within modern IT environments and require many moving—and sometimes ephemeral—parts that all needed to be onboarded and seamlessly managed for privileged access.

11. Implement privileged threat/user analytics: Establish baselines for privileged user behavioral activity (PUBA) and privileged access. Monitor and alert to any deviations from the baseline that meet a defined risk threshold. Also incorporate other risk data for a more three-dimensional view of privilege risks. Accumulating as much data as possible is not necessarily the answer. What is most important is that you have the data you need in a form that allows you to make prompt, precise decisions to steer your organization to optimal cybersecurity outcomes.