Whats the workday like for a database administrator? Well, that depends on whether you want the long answer or the short one.
The long one seems to go on for miles: Installing, upgrading, capacity planning, tuning, fixing application performances and recovering documents are just the beginning of it, and that doesnt include firefighting their way through their day-to-day activities.
The short one is easier: chaotic.
So it should come as little surprise that in a study, Forrester Research estimated that DBAs spend only 7 percent of their time addressing database security.
“The problem that we see is that the DBAs dont have the time to do security implementations,” Forrester analyst Noel Yuhanna told eWEEK. “The security group that assigns the policies dont have the database skills, so they assign the stuff to the DBAs, who dont have the time.”
But if DBAs are simply too busy to allocate more than a tenth of their daily resources to database security, who is making sure the data is safe? “If you ask a DBA if the databases are secure, theyll say yes, but because they dont want to lose their jobs,” Yuhanna said.
In an age where hackers have largely shifted their focus from disrupting enterprise networks and businesses to stealing companies confidential information, database security is lacking, and it is everyones and nobodys fault. Hackers will always find new ways to breach security, yet the securing of databases is largely left to DBAs, who have security built into their job descriptions.
“Part of setting up a server, and especially part of setting up a database, is making sure that unauthorized users cant access the data,” Adam Machanic, a Boston-area independent SQL Server and .Net software consultant, told eWEEK.
Yet the DBAs job description contains so many other tasks, it can be impossible to give database security the focus it demands.
“An enterprise relies on its data, and they want it to be secure,” Machanic said. “Its definitely part of the mandate of the DBA to secure their data. In my experience as a database consultant, Ive found that many of my clients tended to take a somewhat less-than-adequate approach to their database security.”
Another reason that database security is lacking in many enterprises is what Machanic calls a “big disconnect” among DBAs: They know a lot about data, but their security knowledge is lacking.
“In the last couple years, things have improved, but not as much as it needs to,” Machanic said. “As we see the continual media frenzy around information security and the related issues, people are wondering what they have to do to be more secure.”
However, the disconnect is not limited to DBAs; analysts said it is within the security department as well. While IT security is at the top of an enterprises agenda these days—and strong policies are often in place to protect their data—it often falters when it comes time for implementation.
“Security is one of the biggest things on the mind of the enterprise these days, and the implementation of IT security is behind,” Yuhanna said. “Security is very good at policies, but bad at implementation.”
An intense media focus on data breaches suggests, however, that this might be changing. “Given the media frenzy around information security over the past few years, this lax attitude is very slowly changing, and so I think we will see DBAs focusing more on security and hopefully doing a better job of implementing secure solutions,” Machanic said.
For the most part, the onus is on the DBAs to attend to database security. It is part of their responsibilities, and they in the end will be held responsible for lapses.
Page 2: The Job of Securing the Database
The Job of Securing
“Based on my perception of the IT industry and associated needs, everyone in IT needs to be more aware of security, but DBAs and other administrators need to actively make security part of their job,” said Pat Phelan, a database consultant in Peoria, Ill. “I think that every DBA needs to be much more aware of security than they have needed to be in the past.” Phelan describes himself as being mostly “in the line of fire” of the increasing demands on DBA roles.
“While I cant speak for every DBA, Ive talked with many of them at conferences, technical events and several online forums,” Phelan said. “Enterprise DBAs all seem to recognize—and sometimes agonize over—database security.”
He sees the DBA field divided into four broad groups: the department DBA, who is usually a Microsoft Office power user who is good with Microsoft Access; the development DBA group, which works almost exclusively with creating code and databases, usually for sale; the small-farm DBA, who has only a few servers to manage, often under another job title, such as network administrator; and the enterprise DBA group, composed of folks who work with databases for 80 percent or more of their day.
“They all have security intertwined in their job somehow, but the way that security links into their job varies a great deal,” Phelan said. “The enterprise-grade DBA may or may not be focused on security because while someone on the enterprise team needs to focus on security, usually only a few people on the team deal with the security issues.”
In response to the gap between the time enterprise DBAs have to devote to database security and an enterprises database security needs, some companies have begun to take a more proactive approach, pulling DBAs out of their regular workgroups and inserting them within an IT security team.
“We believe that the database security administrator role is going to evolve,” Yuhanna said. “In some organizations, it already exists, but theyre called database security professionals, database administrators or database specialists.”
This arrangement solves two dilemmas: IT security professionals who lack substantial database knowledge have people on hand to fill this gap, and DBAs receive the intense security focus and training needed to keep enterprise databases safe.
“Weve spoken to a few Fortune 1000 enterprises and a few have already started to create this role in the security group,” Yuhanna said. “Theyve moved certain DBAs into this group and given them the new knowledge.”
Companies that are spearheading this move are largely in the financial sector, where database security is central to their operations, Yuhanna said. “The banks are really focusing on their database security, and the financial sector is one of the big drivers of this,” he said. “But I think it will evolve into other sectors.”
What is good for enterprise IT security—moving a DBA from one general team to a security-focused one—inevitably will be good for the DBAs themselves, as it offers a new, evolving career for those in this IT role.
“Its definitely a career path for DBAs,” Yuhanna said. “This new database security professional role is evolving, and its going to reside within the security section. Theyll be trained on the knowledge and expertise of the IT security group but already have the knowledge of DBAs. Theyll be managing only the databases security.”
Others agree, and see this shift as not just an evolution of the DBA role, but a much-needed adjustment.
“Given the media frenzy around information security over the past few years … I think we will see DBAs focusing more on security and hopefully doing a better job of implementing secure solutions,” Machanic said. “But I do not feel that this is actually a new career path; rather, it is a correction of the goals of the existing one.”
Check out eWEEK.coms Careers Center for the latest news, analysis and commentary on careers for IT professionals.