DBA Boundaries Blurring

Security concerns, policy changes put heat on database administrators.

As if the role of database administrators in the IT universe was not important enough, many DBAs say growing concerns about database security have increased their workload and blurred their responsibilities with respect to application development.

The transition has occurred over the last year in a series of damaging security vulnerabilities in major DBMSes from Oracle Corp., Microsoft Corp. and IBM. The high-profile Slammer worm, which hit in late January of last year, temporarily crippled the Internet and blew through unprotected servers running Microsofts SQL Server.

As a result of Slammer and vulnerabilities exposed in other databases, new mandatory security policies and best practices rippled across traditional boundaries in corporate IT departments. These have profoundly affected application development, the IT production environment and source code migration, resulting in heavier workloads for many DBAs.

"Before [Slammer], my focus of being a DBA was concentrating on making sure data was available in the enterprise," said Don Watters, datagroup manager at PhotoWorks Inc. "[But now its] not just machines giving data to the enterprise, its also our development environment, our test environment, our staging environment—basically anywhere SQL exists."

Seattle-based PhotoWorks runs a SQL Server shop along with Unix-based Pick applications on the UniVerse database in the back office. Slammers impact did not surface until about three months after its debut—and once it had already wreaked havoc on the online imaging providers development environment.

Although Watters had patched his SQL Server instances against Slammer, several instances of Microsofts SQL Server 2000 Desktop Engine, known as MSDE, were left unpatched. MSDE is often embedded within applications where it might not be administered by a DBA. Because of Slammer, PhotoWorks overhauled how it deals with its development environment by changing how it issues software patches and policies, Watters said.

SQL Server was not the only DBMS that had vulnerabilities exposed. IBM, Oracle and Sybase Inc. all reported vulnerabilities and patches to their respective DBMSes in the second half of last year. In September, IBM, of Armonk, N.Y., plugged a buffer overflow security hole in two areas of its Version 7.2 of DB2 for Linux that could allow attackers to execute malicious code using an administrators root-level permissions. Separately, Oracle, of Redwood Shores, Calif., in November acknowledged a vulnerability based on OpenSSL that affected versions 8i and 9i of its namesake database, as well as Oracle Application Server.

For its part, Sybase, based in Dublin, Calif., last month corrected more than 50 vulnerabilities in its mobile database, SQL Anywhere. According to NGSSoftware Ltd., the security company that discovered the Sybase exposures, SQL Anywhere was vulnerable to distributed-denial-of-service attacks and buffer overruns.

Next page: Tensions growing between DBAs, app developers?