Follow Up: DBAs Should *Not* Own Database Activity Monitoring

Based on the comments in my last post on DAM, especially the one from Mike Spiers, I want to make it clear that if you are performing Database Activity Monitoring (DAM), it should be owned and managed by security.

It’s fine for DBAs to manage regular database auditing (unless they’re the auditing target), but DAM is a security-specific tool whose primary benefits are to create separation of duties (from the DBAs) and to give security insight into the database.

You might need DBAs to get it integrated with the database and confirm performance, but that’s where their involvement stops.

6 comments

  1. Richard Bejtlich Nov 23

    This is a perfect example of why security should never be totally “integrated” into another group’s functions, like development, operations, and so on. Without a separate security group there’s no way to perform separation of duties. Good point RM.

  2. Leandro Cino Nov 25

    Hi, do you know what kind of companies are using DAM tools?

    And why those companies are using the DAM tools?

    Thanks

  3. Rani Nov 26

    Hi Rich,

    Thanks for the elaborate post and the follow up… I’ve just come back from a week in Europe where neither DBAs nor CISOs own database security just like their American counterparts ;)

    Another way of looking at the problem (and the solution) is that security pros are in charge of creating policy and enforcing it. DBAs are not, but in order to translate policies into procedures, rules and choices that are relevant and applicable to the database, they must be involved.

    I’m glad you took a prescriptive, actionable approach to the present situation, because I think that’s where a lot of companies are stumped. They know there’s a problem, but they’re not sure how to approach it. They’re looking for best practices. The fact that you needed to point out 6 areas of responsibility underscores the complexity of the current situation, but I don’t see a better or simpler short-term approach.

    Rani

  4. rmogull Nov 26

    @Leandro- there is a variety of companies using it. The two biggest groups are public companies using it to help with SOX compliance, and retail using it to help with internal security and PCI compliance.

    They use them to reduce the cost of compliance and to improve their database security.

  5. Leandro Cino Nov 26

    Thanks rmogull. It is interesting to us to understand who is buying or how the market will move into DAM.

    We are a company that has special technology to do DAM (at this moment with MsSQL Server and Oracle).

    We are experiencing some delays addressing the Argentinean and the Chilean market.

    Do you know where that technology is HOT? I mean, which markets do you think we have to focus on to succeed next year?

    Thanks!!!

  6. Pingback: Proactivity vs. Reactivity » Musings on Database Security
