Oracles top security guru
on securing the database"> eWEEK.COM: Relating to the fact that you just addressed the Cyber Security Summit, Im wondering, are databases a particular point of weakness in national security? DAVIDSON: Consider the human body, which also includes a number of organs with disparate functions, all of which are geared to preserving the life and health of the individual. You might ask whether the heart is more at risk than the liver? Or the immune system? Or the brain? You cant answer the question without understanding what the risks are to each organ, and what other risks there are to the system as a whole (e.g., people who skydive are at greater overall risk than those who sit on the porch knitting).As with any other type of systems, national security systems are themselves subject to risk mitigation. That is, what is the threat (to the system)? What are the remedies for those threats? Can we completely mitigate the threat, or is there risk that we cannot reduce? Some of these risks will vary "body by body." It is not as if there is only one database for all national security; there are many, used for different purposes, in different configurations. At the macro level, databases are actually part of our ability to ensure national security because they are the workhorses for so many defense and intelligence entities in terms of data collection, analysis, including our ability to tie seemingly unrelated events together (connecting the dots), and the like. eWEEK.COM: What about when it comes to small/medium database usersare their database protection practices prone to being compromisedmore so than large enterprises or government usage? DAVIDSON: Again, you cant come up with a blanket statement without looking at the overall "body of health." For example, if you dont secure the operating system, the database that runs on it can be at risk even if the database itself is configured securely. For example, if I lock my jewelry box, but the burglar breaks into my house, she can walk off with the jewel boxso much for the lock! Also note that many users have databases in their systems they may not even know about. This was one of the reasons Slammer spread so virulently, because of the embedded databases in other products that the customer/user did not even know was there and thus did not know to patch. Its as if your basement flooded in a hurricane, and you were astonished because you did t even know you had a basement, or youd have sandbagged it. [Editors Note: Click here to read about last springs infamous SQL Server onslaught.] Next page: Common mistakes made when securing the database.