The Job of Securing the Database

Tasks are left mostly to DBAs, who rarely have the time or training to do them.

What's the workday like for a database administrator? Well, that depends on whether you want the long answer or the short one.

The long one seems to go on for miles: installing, upgrading, capacity planning, tuning, fixing application performance and recovering documents are just the beginning of it, and that doesn't include firefighting their way through their day-to-day activities.

The short one is easier: chaotic.

So it should come as little surprise that in a study, Forrester Research estimated that DBAs spend only 7 percent of their time addressing database security.

"The problem that we see is that the DBAs dont have the time to do security implementations," Forrester analyst Noel Yuhanna told eWEEK. "The security group that assigns the policies dont have the database skills, so they assign the stuff to the DBAs, who dont have the time."

But if DBAs are simply too busy to allocate more than a tenth of their daily resources to database security, who is making sure the data is safe? "If you ask a DBA if the databases are secure, theyll say yes, but because they dont want to lose their jobs," Yuhanna said.

In an age where hackers have largely shifted their focus from disrupting enterprise networks and businesses to stealing companies confidential information, database security is lacking, and it is everyones and nobodys fault. Hackers will always find new ways to breach security, yet the securing of databases is largely left to DBAs, who have security built into their job descriptions.

"Part of setting up a server, and especially part of setting up a database, is making sure that unauthorized users cant access the data," Adam Machanic, a Boston-area independent SQL Server and .Net software consultant, told eWEEK.

Yet the DBAs job description contains so many other tasks, it can be impossible to give database security the focus it demands.

"An enterprise relies on its data, and they want it to be secure," Machanic said. "Its definitely part of the mandate of the DBA to secure their data. In my experience as a database consultant, Ive found that many of my clients tended to take a somewhat less-than-adequate approach to their database security."

Another reason that database security is lacking in many enterprises is what Machanic calls a "big disconnect" among DBAs: They know a lot about data, but their security knowledge is lacking.

"In the last couple years, things have improved, but not as much as it needs to," Machanic said. "As we see the continual media frenzy around information security and the related issues, people are wondering what they have to do to be more secure."

However, the disconnect is not limited to DBAs; analysts said it is within the security department as well. While IT security is at the top of an enterprise's agenda these days—and strong policies are often in place to protect their data—it often falters when it comes time for implementation.

"Security is one of the biggest things on the mind of the enterprise these days, and the implementation of IT security is behind," Yuhanna said. "Security is very good at policies, but bad at implementation."

An intense media focus on data breaches suggests, however, that this might be changing. "Given the media frenzy around information security over the past few years, this lax attitude is very slowly changing, and so I think we will see DBAs focusing more on security and hopefully doing a better job of implementing secure solutions," Machanic said.

For the most part, the onus is on the DBAs to attend to database security. It is part of their responsibilities, and they in the end will be held responsible for lapses.
