Back in the comments to one of my posts on Database Activity Monitoring, Rani asked the question of who should own DAM? I’m going to expand the question to cover all of database security.
This is a pretty tough question we can take in a couple of directions. Out at Oracle OpenWorld last week it was pretty clear that database professionals and security professionals don’t overlap nearly as much as we really need for efficient database security. It’s not a failing of any particular group, just the reality that people who do different jobs have different skill sets, even when they come from the same background. Come January I’ll be having an orthopedic surgeon fixing my bum shoulder, not my dermatologist. Security experts don’t necessarily know the difference between DML and DDL, or how to write an outer join, just as DBAs don’t necessarily know the difference between AES and 3DES.
Eventually we’ll have a growing cadre of security-aware DBAs and database-aware security professionals. Until then we need to slice up the functions a bit and I highly recommend cross-training when you can. I’m not saying that long term we’ll have some uber-DBA/security experts running all database security without outside influence, but some of the functions might consolidate a bit once those skills are easier to find.
Here’s how I slice it:
- DBAs are responsible for secure design and configuration of the database management system.
- A security architect can assist with security design review, but this is an ideal area to increase the security knowledge of the DBA.
- IT Security performs configuration and vulnerability scanning of the database. Results are passed to the database team for remediation, and if a policy violation can’t be fixed for some operational reason, security and the database team need to come up with a joint risk remediation plan that’s documented as an exception.
- Native database auditing is the responsibility of the DBAs.
- Management of those logs can be either security or the database team, depending on the purpose of the logs. If separation of duties is required, security becomes responsible for log aggregation and maintenance.
- Database Activity Monitoring is another joint process. DBAs are involved with the installation, database-side configuration, and maintenance of any database-resident components. Security owns the DAM tool and its ongoing operation. For this to work well, someone on the security team needs basic database training.
In summary, DBAs are responsible for securely designing and configuring their systems, and installing and locally managing (just to keep them running) any database-resident security components that affect the database. Security is responsible for external monitoring and ongoing scanning of deployed systems.
This creates a good separation of duties and allows each side to do what they’re best at. It relies on any DBA-installed components sending regular health checks/heartbeats back to security to make sure they aren’t disabled.
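The heartbeat check that makes this separation of duties hold is simple enough to show. The following is an added example written for this post, not code from the original or from any DAM product: a security-side monitor that reads the latest check-in from each DBA-installed component and flags anything that never reported, went quiet, or reports that auditing was switched off. Agent names, the check-in interval, and the heartbeat records are all constructed for the example.

```python
"""Security-owned heartbeat monitor for DBA-installed DAM agents (added example)."""
from datetime import datetime, timedelta, timezone

MAX_GAP = timedelta(minutes=5)  # assumption: agents are configured to check in every minute

# Inventory of agents security expects to hear from (constructed for this example)
EXPECTED_AGENTS = {"orcl-prod-01", "orcl-prod-02", "mssql-fin-01", "pg-hr-01"}

# Constructed heartbeat records as held by the security collector
HEARTBEATS = [
    {"agent": "orcl-prod-01", "ts": "2008-11-20T10:04:30Z", "audit_enabled": True},
    {"agent": "orcl-prod-02", "ts": "2008-11-20T09:40:00Z", "audit_enabled": True},   # went quiet
    {"agent": "mssql-fin-01", "ts": "2008-11-20T10:04:55Z", "audit_enabled": False},  # auditing turned off
    # pg-hr-01 has never reported at all
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_by_agent(heartbeats):
    """Keep only the most recent heartbeat seen from each agent."""
    latest = {}
    for hb in heartbeats:
        prev = latest.get(hb["agent"])
        if prev is None or parse_ts(hb["ts"]) > parse_ts(prev["ts"]):
            latest[hb["agent"]] = hb
    return latest


def check_agents(heartbeats, expected, now, max_gap=MAX_GAP):
    """Return {agent: finding} for every agent security cannot currently trust."""
    findings = {}
    latest = latest_by_agent(heartbeats)
    for agent in sorted(expected):
        hb = latest.get(agent)
        if hb is None:
            findings[agent] = "never reported"
            continue
        gap = now - parse_ts(hb["ts"])
        if gap > max_gap:
            findings[agent] = f"stale: last heartbeat {int(gap.total_seconds())}s ago"
        elif not hb["audit_enabled"]:
            findings[agent] = "heartbeat ok but agent reports auditing disabled"
    # An agent checking in that is not in the inventory was installed outside the process
    for agent in set(latest) - set(expected):
        findings[agent] = "unexpected agent not in inventory"
    return findings


if __name__ == "__main__":
    for agent, finding in check_agents(HEARTBEATS, EXPECTED_AGENTS, parse_ts("2008-11-20T10:05:00Z")).items():
        print(f"{agent}: {finding}")
```

A quiet agent and one reporting auditing disabled are treated as findings of equal weight, since from the security team's seat both mean monitoring coverage was lost.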
I realize cross-team responsibilities like this can be difficult, but I don’t see any other better approach. In some cases I’ve seen someone on the database team be designated as being responsible for database security, but just remember you’ll lose separation of duties if that individual also has operational database duties.
7 Replies to “Who”
[…] simply does not generate enough pressure in the organization – please see Rich Mogull’s excellent post on this topic. All in all, I know of companies that analyze and deploy CPUs as soon as three months […]
It’s not a paradox, I think it’s a combination of the fact we haven’t had a SQL Slammer for Oracle, and people are scared as heck of ever updating Oracle.
Rich:
It really is a paradox, as everyone has an interest in security, yet no one has enough interest to fix the problem. I blogged about this at: http://www.archimedius.net in “A Perspective on Oracle’s Security Paradox”
Greg
I deploy database auditing/monitoring/assessment solutions. But ultimately it’s the responsibility of the DBA primarily to look after the security of the database in addition to designing and maintaining the database.
[…] on the comments in my last post on DAM, especially the one from Mike Spiers, I want to make it clear that if you are performing Database […]
I make my living helping clients define and deploy database auditing/monitoring/assessment solutions – The reality is that DBAs are far too involved with the selection, design, and management of DB audit solutions – A well controlled environment requires layers of controls (as Gary stated)
DBAs, service accounts, app accounts, and any account with excess access – need to be monitored for violations of acceptable use – DBAs should not be allowed to tamper with the audit tools – The audit tools need to have proper access/entitlements built in to enforce and enable SOD
I reckon the person to decide on this is the owner (or rather owners) of the business data in the databases. They should be clearly identified by their management peers and held personally accountable for securing their data plus the associated business processes and systems. DAM, and even DB security, are just part of the bigger framework of controls necessary to secure business assets. Unless the concepts of ownership and accountability are understood and supported by management, the rest won’t happen reliably, if at all.
G.