DBA Boundaries Blurring

 
 
By Brian Fonseca  |  Posted 2004-01-26 Email Print this article Print
 
 
 
 
 
 
 

Security concerns, policy changes put heat on database administrators.

As if the role of database administrators in the IT universe was not important enough, many DBAs say growing concerns about database security have increased their workload and blurred their responsibilities with respect to application development. The transition has occurred over the last year in a series of damaging security vulnerabilities in major DBMSes from Oracle Corp., Microsoft Corp. and IBM. The high-profile Slammer worm, which hit in late January of last year, temporarily crippled the Internet and blew through unprotected servers running Microsofts SQL Server.

As a result of Slammer and vulnerabilities exposed in other databases, new mandatory security policies and best practices rippled across traditional boundaries in corporate IT departments. These have profoundly affected application development, the IT production environment and source code migration, resulting in heavier workloads for many DBAs.

"Before [Slammer], my focus of being a DBA was concentrating on making sure data was available in the enterprise," said Don Watters, datagroup manager at PhotoWorks Inc. "[But now its] not just machines giving data to the enterprise, its also our development environment, our test environment, our staging environment—basically anywhere SQL exists."

Seattle-based PhotoWorks runs a SQL Server shop along with Unix-based Pick applications on the UniVerse database in the back office. Slammers impact did not surface until about three months after its debut—and once it had already wreaked havoc on the online imaging providers development environment.

Although Watters had patched his SQL Server instances against Slammer, several instances of Microsofts SQL Server 2000 Desktop Engine, known as MSDE, were left unpatched. MSDE is often embedded within applications where it might not be administered by a DBA. Because of Slammer, PhotoWorks overhauled how it deals with its development environment by changing how it issues software patches and policies, Watters said.

SQL Server was not the only DBMS that had vulnerabilities exposed. IBM, Oracle and Sybase Inc. all reported vulnerabilities and patches to their respective DBMSes in the second half of last year. In September, IBM, of Armonk, N.Y., plugged a buffer overflow security hole in two areas of its Version 7.2 of DB2 for Linux that could allow attackers to execute malicious code using an administrators root-level permissions. Separately, Oracle, of Redwood Shores, Calif., in November acknowledged a vulnerability based on OpenSSL that affected versions 8i and 9i of its namesake database, as well as Oracle Application Server.

For its part, Sybase, based in Dublin, Calif., last month corrected more than 50 vulnerabilities in its mobile database, SQL Anywhere. According to NGSSoftware Ltd., the security company that discovered the Sybase exposures, SQL Anywhere was vulnerable to distributed-denial-of-service attacks and buffer overruns.

Next page: Tensions growing between DBAs, app developers?



 
 
 
 
Brian Fonseca is a senior writer at eWEEK who covers database, data management and storage management software, as well as storage hardware. He works out of eWEEK's Woburn, Mass., office. Prior to joining eWEEK, Brian spent four years at InfoWorld as the publication's security reporter. He also covered services, and systems management. Before becoming an IT journalist, Brian worked as a beat reporter for The Herald News in Fall River, Mass., and cut his teeth in the news business as a sports and news producer for Channel 12-WPRI/Fox 64-WNAC in Providence, RI. Brian holds a B.A. in Communications from the University of Massachusetts Amherst.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...

 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel