Eric Ogren

Security Impact

Time to give the DBAs a break

Database Administrators have traditionally been amongst the most valued members of IT. The DBAs were the folks that could be trusted to bridge application business demands with technical implementation best practices.  DBAs were blessed with all of the necessary privileges to support the business with online applications.

Somewhere along the line the DBA became public enemy number one. Every technical interpretation of SOX starts with segregation of duties, auditor requirements for database security products start with an ability to monitor local and telnet DBA access, and PCI requires audit trails for “all actions taken by any individual with root or administrative privileges”. There seems to be a lot of unproductive time and money spent on monitoring DBA activity because of compliance mandates. 

This fixation on the DBAs and privileged users is way out of proportion to business and security needs. Enterprises need help mapping database security issues to business risk, regularly scanning application environments for vulnerabilities, and even discovering where all of their databases are! Then IT can move on to such things as tightening up access paths to the database, removing passwords hardcoded into applications, auditing for unauthorized privilege escalation, or even patching in a virtual datacenter. There are many security tasks to tackle that actually deliver greater business and security benefits. I understand the need for a technical audit function, but organizations should be able to prioritize according to business needs. Isolating the DBAs is not the most pressing security risk in any organization.

I got started on this when a vendor briefed me on their tool to detect credit card numbers in databases. My first thought was, isn’t it easier to just ask the DBAs? The DBAs have to be part of the solution to a more secure business; they are not the problem.  


What People Are Saying

John and Anonymous #2 -
This is not just about SOX (or PCI, or HIPAA, or GLBA...) - when 2.3 million records with credit card data get stolen, as in the Fidelity National Information Services (FIS) incident, the issue is not compliance. FIS is a member of the PCI council and an S&P 500 company. They are PCI and SOX compliant, I'm pretty sure of that. However, someone - in this case a DBA but it could have been a developer, sys admin, consultant etc. - managed to steal this much data with criminal intent. It's a security issue. SOX didn't cause this. This kind of thing happened long before SOX. The difference is that this kind of event used to be quietly swept under the carpet, and now thanks to breach notification laws it's not.

What are you folks thinking?? DBAs have no control over broken business processes. A DBA can't fix data issues if the business does not enter the data and report on the data held within their systems.

Any part of the organization that has the power to potentially evade access controls on corporate systems needs to be aware that they will be placed under greater scrutiny. This applies to DBAs, sysadmins, network admins, app admins, and others.

Is this what SOX intended? I don't think so. As Eric notes (in part), SOX is supposed to put in place a legal framework for a system of controls to assure the credibility of public financial reports.

How this system of controls is implemented in practice is industry- and organization-specific. A lamentable fact, given that many consulting organizations are having a field day in providing very costly definitions of this system of controls.

Since the one thing these consultants can easily point to is that unfettered administrative access to a computer system is an avenue for attack, they insist on placing rigorous system controls in this area.

How does this help the overall goal of SOX? It's debatable.

It only takes one well-publicized failure, and we all get penalized. Get ready, because another one just occurred:

http://www.forbes.com/feeds/ap/2007/07/03/ap3882026.html

I expect to have another group of people calling to ask how this can be prevented.

This is my personal opinion and does not necessarily reflect my employer or others.

Eric,
Having met with many DBAs over the past year and discussed database security, my impression is that they are indeed part of the solution. The risk that privileged users (DBAs and others) pose should not be underestimated, but the vast majority of DBAs are not the bad guys... not only that, but they know a lot more about database security, or the lack thereof, than most CISOs.
DBAs also understand, however, that they're working in a sensitive part of the organization, and that they too need to be monitored, audited etc.

Thanks Rani,

I agree that most DBAs would have a healthy list of things to do to improve database security. SOX is about the integrity of reports, not the security of the database. They are different. The DBAs will tell 'em.

Eric

(with no thanks to the Fidelity DBA :)

So you think that there are no problems here. That's business, and they just try to make everything without any help from other companies... FREEDOM forever... but a little bit stupid, I think ;)