Back in the comments to one of my posts on Database Activity Monitoring, Rani asked the question of who should own DAM? I’m going to expand the question to cover all of database security.

This is a pretty tough question we can take in a couple of directions. Out at Oracle OpenWorld last week it was pretty clear that database professionals and security professionals don’t overlap nearly as much as we really need for efficient database security. It’s not a failing of any particular group, just the reality that people who do different jobs have different skill sets, even when they come from the same background. Come January I’ll be having an orthopedic surgeon fixing my bum shoulder, not my dermatologist. Security experts don’t necessarily know the difference between DML or DDL, or how to write an outside join, just as DBAs don’t necessarily know the difference between AES and 3DES.

Eventually we’ll have a growing cadre of security-aware DBAs and database-aware security professionals. Until then we need to slice up the functions a bit and I highly recommend cross-training when you can. I’m not saying that long term we’ll have some uber-DBA/security experts running all database security without outside influence, but some of the functions might consolidate a bit once those skills are easier to find.

Here’s how I slice it:

  • DBAs are responsible for secure design and configuration of the database management system.
  • A security architect can assist with security design review, but this is an ideal area to increase the security knowledge of the DBA.
  • IT Security performs configuration and vulenrability scanning of the database. Results are passed to the database team for remediation, and if a policy violation can’t be fixed for some operational reason, security and the database team need to come up with a joint risk remediation plan that’s documented as an exception.
  • Native database auditing is the responsibility of the DBAs.
  • Management of those logs can be either security or the database team, depending on the purpose of the logs. If separation of duties is required, security becomes responsible for log aggregation and maintenance.
  • Database Activity Monitoring is another joint process. DBAs are involved with the installation, database-side configuration, and maintenance of any database-resident components. Security owns the DAM tool and its ongoing operation. For this to work well, someone on the security team needs basic database training.

In summary, DBAs are responsible for securely designing and configuring their systems, and installing and locally managing (just to keep them running) any database-resident security components that affect the database. Security is responsible for external monitoring and ongoing scanning of deployed systems.

This creates a good separation of duties and allows each side to do what they’re best at. It relies on any DBA-installed components sending regular health checks/heartbeats back to security to make sure they aren’t disabled.

I realize cross-team responsibilities like this can be difficult, but I don’t see any other better approach. In some cases I’ve seen someone on the database team be designated as being responsible for database security, but just remember you’ll lose separation of duties if that individual also has operational database duties.