As if the role of database administrators in the IT universe was not important enough, many DBAs say growing concerns about database security have increased their workload and blurred their responsibilities with respect to application development.
The transition has occurred over the last year in a series of damaging security vulnerabilities in major DBMSes from Oracle Corp., Microsoft Corp. and IBM. The high-profile Slammer worm, which hit in late January of last year, temporarily crippled the Internet and blew through unprotected servers running Microsofts SQL Server.
As a result of Slammer and vulnerabilities exposed in other databases, new mandatory security policies and best practices rippled across traditional boundaries in corporate IT departments. These have profoundly affected application development, the IT production environment and source code migration, resulting in heavier workloads for many DBAs.
“Before [Slammer], my focus of being a DBA was concentrating on making sure data was available in the enterprise,” said Don Watters, datagroup manager at PhotoWorks Inc. “[But now its] not just machines giving data to the enterprise, its also our development environment, our test environment, our staging environment—basically anywhere SQL exists.”
Seattle-based PhotoWorks runs a SQL Server shop along with Unix-based Pick applications on the UniVerse database in the back office. Slammers impact did not surface until about three months after its debut—and once it had already wreaked havoc on the online imaging providers development environment.
Although Watters had patched his SQL Server instances against Slammer, several instances of Microsofts SQL Server 2000 Desktop Engine, known as MSDE, were left unpatched. MSDE is often embedded within applications where it might not be administered by a DBA. Because of Slammer, PhotoWorks overhauled how it deals with its development environment by changing how it issues software patches and policies, Watters said.
SQL Server was not the only DBMS that had vulnerabilities exposed. IBM, Oracle and Sybase Inc. all reported vulnerabilities and patches to their respective DBMSes in the second half of last year. In September, IBM, of Armonk, N.Y., plugged a buffer overflow security hole in two areas of its Version 7.2 of DB2 for Linux that could allow attackers to execute malicious code using an administrators root-level permissions. Separately, Oracle, of Redwood Shores, Calif., in November acknowledged a vulnerability based on OpenSSL that affected versions 8i and 9i of its namesake database, as well as Oracle Application Server.
For its part, Sybase, based in Dublin, Calif., last month corrected more than 50 vulnerabilities in its mobile database, SQL Anywhere. According to NGSSoftware Ltd., the security company that discovered the Sybase exposures, SQL Anywhere was vulnerable to distributed-denial-of-service attacks and buffer overruns.
Next page: Tensions growing between DBAs, app developers?
Tensions growing between DBAs,
app developers?”>
Experts see growing tension between two notoriously territorial groups—DBAs and application developers—that are being required to work more closely together in increasingly complex environments.
A reason for additional responsibilities placed on DBAs shoulders can be traced to needed mastery of operating-system-related functionality steadily migrating to the database. Todd Langille, associate director of Administrative Computing for Dartmouth College, in Hanover, N.H., said more DBAs are being assigned “tweaking and tuning” tasks typically associated with programmers.
“[DBAs] have more exposure and responsibility for middle-tier applications like Web servers and application servers; theres a whole middle layer of software that has come along for the ride with our move toward Web-based applications,” said Langille. “Its definitely adding up to another big chunk of work to an already-burdened staff.”
Langille, who oversees an Oracle9i database, said he is investigating a few ways to alleviate DBA time constraints, including contract services, better education of development teams in the area of troubleshooting and system diagnostics, and trouble-ticket interceptions. Over the last year, Dartmouth has changed how it performs source code migration and database object migration into the production environment. The move, made to restrict user access to the production environment, has smoothed some ruffled developer feathers with more detailed audit trails, Langille said.
Newer federal laws such as the USA Patriot Act and the Sarbanes-Oxley Act have prompted many enterprises to give DBAs more authority to apply security controls where they deem them necessary and without as much red tape. That has meant a lot to Amy Smith, who supervises 14 DBAs managing IBM DB2 UDB (Universal Database) software at CIT Group Inc.
“Its empowering,” said Smith, vice president of the Database Service Bureau at CIT, in Livingston, N.J. “Now we can call the shots a lot more because were doing it under the guise of protecting assets of the company; it gives us more flexibility.”
All the DBMS vendors have been talking up enhancements in upcoming versions of their software. The vendors are trumpeting direct improvements in security and improvements in other database administration tasks that should give DBAs more time to deal with security matters.
Microsoft has taken pains to salvage its database security reputation by bolstering the next version of SQL Server, code-named Yukon, with an off-by-default architecture and a variety of new protection features, officials said. For instance, common language run-time is not enabled in Yukon out of the box, meaning users must receive permissions to write stored procedures. In addition, stringent password components have been put in place, such as an uppercase numbers and characters requirement, time expiration, and account lock-out components.
Granular permissions in Yukon, due in the second half of this year, have been carefully assembled, said Tom Rizzo, director of product management for SQL Server at Microsoft, in Redmond, Wash.
“Today, we have tens of permissions in SQL Server,” said Rizzo. “In Yukon, well have hundreds of permissions. Its the principle of least privilege.”
Other new Yukon security features include the capability to separate execution context for applications or code running in the database, as well as integration with Microsoft Update. To help distinguish between DBAs and developers, Rizzo said Yukon clearly breaks out responsibilities for administering users and database schemata.
Oracle, for its part, has augmented security components in its new Oracle 10g database, such as Oracle Internet Directory and Oracle Identity Management, enabling access management and user provisioning, officials said. The upgrade, due this month, comes more than a year and half after Oracle began touting its Oracle9i database in marketing materials as “unbreakable.” Some Oracle users said security issues still take up a great deal of their time.
“It would be naive to think that there wont be some exploits which can be applied to Oracles unbreakable environment. … Hopefully, nobody takes that in a 100 percent literal sense,” said Jim Raub, director of enterprise and advanced technologies for Paetec Communications Inc., in Fairport, N.Y.
However, Oracles promotion of Oracle 10gs support for grid computing is not resonating with some DBAs.
Dartmouths Langille said that despite all the hype by Oracle, the enabling of grid computing is not likely to become important to his institution. He cited the fair amount of overhead management and logistics of identifying machines and said that ensuring their security is too significant a hurdle to build and maintain a grid environment.
IBM is blurring the DBA and developer lines with the next version of DB2, code-named Stinger, due late this year. The company last fall rolled out tools that will make it easier for application developers using Microsofts Visual Studio to tap into Stinger, officials said.
Despite assurances of enhanced security measures and improved self-service functions in forthcoming products by leading DBMS vendors, a number of DBAs cannot shake the harsh lessons learned by being “Slammed.”
“The biggest change [in the last year] we have made is to schedule monthly downtimes specifically for updating all of our servers with the now-monthly Microsoft security patches,” said Brad McGehee, DBA at Dairy Farmers of America Inc., in Kansas City, Mo. “Before, we had only done it on a case-by-case basis, but as bad as Slammer was, we decided to be more proactive.”
McGehee said the patch installs take place every month, on a Sunday, meaning employees must work weekends more often.
The worms sheer magnitude has led McGehees organization to investigate software to help institute better patch management and tools to capture viruses at the firewall.
As DBA staffing levels continue to increase and companies investigate how to do more with data management, many experts predict a serious shortage of DBAs starting by the second half of next year, said Charles Garry, an analyst at Meta Group Inc., in Stamford, Conn.
“Not only will there be that increased demand, but [DBAs] are going to need to know more and be paid more. Thats like cold water in the face of a lot of companies,” Garry said.