CISO, talk to your DBA: Barriers to database security
July 2007 seems to have been particularly bountiful in database breaches. In that month alone, organizations across America admitted to breaches exposing anywhere from tens of thousands of records to millions of records. Disney, Western Union and the University of Michigan were among them, as was a particularly unpleasant breach at Certegy, a subsidiary of Fidelity National Information Services, where a DBA working for the company stole over 8.5 million records (by last count), including credit card and bank account details.
You would think that enterprises realize by now that databases, which hold the “crown jewels” of sensitive information, need protecting. Indeed, recent surveys have shown that many think that database security is important, but there seems to be a serious discrepancy between what they say and what they do. Most enterprises spend far more on filtering spam (or on anti-virus software, or on web filtering) than on protecting databases.
So why is it that enterprises seem willing to spend so much effort and money on preventing an email selling V1@gra from reaching the very last employee, yet seem powerless when it comes to protecting vital customer data, financial information and intellectual property residing in databases?
The disparity of knowledge and budgets
Ask an IT security professional about the latest development in firewalls, or the latest Internet Explorer vulnerability, and you will get a well-informed response. Ask about recently discovered database exploits, and you will get a blank stare. This is partly an evolutionary issue – database security is a relatively new area in IT security – but partly this is due to its unique complexity.
Databases are complex beasts – among the most complex applications within the enterprise. They are also at the epicenter of a web of applications, from CRM to ERP to web-based systems. A single database is often connected to several other databases, and to numerous applications. Databases also have unique vulnerabilities, face unique threats and have demanding business continuity requirements that make them difficult to defend. Additionally, what needs protecting is not only the database infrastructure, but also the data that resides in databases. Such data-centric security requires a specific focus on sensitive data and an understanding of who (or what) should be accessing which data, and under which circumstances. This complexity is why database administrators need such deep expertise, and why they are among the highest earning IT professionals.
Database administrators, however, are neither tasked nor measured on database security. The primary function of a DBA is to run the database smoothly. Uptime, performance and cost-effective use of resources are the KPIs (key performance indicators) that DBAs are measured on and, consequently, concentrate their attention on. Security is one of those things that a DBA would not be rewarded for if done right, but might take the fall for if it goes wrong.
The lack of database-specific knowledge among IT security professionals is therefore here to stay, at least in part. We cannot expect everyone to become DBAs. CISOs, who hold the key to IT security budgets, are often unaware of the risk their databases pose, or have little knowledge of what needs to be done or where they should start. Insider breaches, such as the one at Fidelity National Information Services, further exacerbate the situation by creating the impression that DBAs are the ones databases should be protected against, discouraging a dialog between those who are charged with protecting the enterprise IT infrastructure, and those who can help achieve it.
In other words – database security is falling between the cracks. Those who should be tasked with securing databases do not understand the threat well enough, and those who do understand it have other objectives and no budget.
The way forward
Running a web search for “director of database security” reveals that there are not many people with such a job title. It is a telling sign that among the numerous large organizations I have had contact with (among them large financial services companies, telecommunication companies, health care organizations and others), only one organization has a full-time manager specifically in charge of database security – a company that had suffered a large database breach in the past. Does this mean that enterprises must experience a serious breach in order to wake up and take database security seriously? Perhaps in some cases, but this is a specific organizational solution that will suit some more than others.
It sounds reasonable for a large enterprise employing dozens, sometimes hundreds of DBAs, with dozens more handling IT security, to have a single authority concentrating the required knowledge for database security and coordinating all efforts around it. Such an entity, whether it is part of the DBA group or part of the security team, would establish the necessary best practices and prioritization of tasks related to database security.
Short of a permanent position, companies can create a task force or appoint a project leader for a limited time, in order to establish the minimum baseline for database security, create policies and procedures and select the right tools for the job.
However, the basic and necessary first step is for security professionals to recognize that there are serious gaps in their knowledge when it comes to database security. Database-specific knowledge is crucial for successfully enforcing security policy as it relates to databases, and that knowledge is most readily available from database administrators. Only a serious dialog between IT security and the DBA department will create the knowledge necessary to build and enforce an effective security policy for databases, and to prioritize it correctly among the other IT security items.
- Dan Sarel, vice president, product management, Sentrigo Inc.