Database Security Suffers From Leadership Gap

Monitoring and hardening data stores is often the job of several people at once, with no one coordinating them

If there's one sure thing about database security, it's that most organizations are unsure about who exactly is in charge of protecting their data stores.

As Jon Oltsik of Enterprise Strategy Group (ESG) puts it, the critical task of hardening databases and monitoring access to their information is quite often hampered by "too many cooks in the kitchen."

In an ESG survey of 175 IT decision-makers, nearly a quarter of respondents named a lack of inter-departmental cooperation as one of the greatest risks to their database security. "We asked who owns database security, and what we found is that a lot of companies have multiple people involved," Oltsik says. "A lot of people are touching the database server and unless you have very, very strong access controls and very strong change management policies, someone is going to step on someone else's toes."

According to ESG, the stakeholders respondents listed most often were security administrators, DBAs, and system administrators. But some organizations reported as many as 10 different individuals or functional groups sharing responsibility for regulatory compliance around the sensitive information in their databases. Roughly nine corporate roles were named by at least a quarter of respondents as having a say in database security: the usual suspects, plus auditors, compliance departments, and legal staff.

Unfortunately, with so many stakeholders responsible for securing valuable database information, Oltsik suspects that too many of them believe someone else is taking care of database security -- thus leaving no one at the tiller. He's not the only one to believe so.

"The DBAs and the database architects have tended to operate independently," says Jeffrey Wheatman, a security analyst for Gartner. "I think a lot of security people don't really understand and know what they do. So what has happened is they've sort of said, 'Well, are you doing security?' and the DBAs say 'Sure.' And to their knowledge, they are."

Alexander Kornbrust argues that more organizations need to get their DBAs and security experts working together.

"Instead of investing in hardware or software, I would start with the people first," says Kornbrust, CEO of Red-Database-Security GmbH, a consultancy that specializes in securing Oracle databases.

For organizations with an immature database security process, he recommends starting by educating DBAs on what hardening a database actually involves, then building processes that coordinate the DBAs with the security team. A practical first step is to pilot that cooperation on the hardening of just a few databases; once the team has worked the kinks out of the process, it can extend it to the rest, he says.

Technology and policy development will also play a role in the coordination, says ESG's Oltsik, who believes change management is extremely important to get everyone on the same page.

"Before anyone does anything to the database server, it needs to be approved," he says. "You want someone mandating who touches it, how they touch it and what they can do when they do touch it. Usually that's the security guys' role."
