Many database security projects arrive DOA because database administrators and security pros aren't singing the same tune.
As more organizations act to protect data at its most fundamental state, within the database, one of the biggest challenges that they run into is a people problem. In order to truly mitigate data risks, security teams need to learn to not only play nice with their database administrators, but to make them meaningful stakeholders in securing the databases they're entrusted to manage. That takes education, respectful conversations, and a willingness from both parties to open their minds a bit, experts say.
"There's a shift going on where [as an industry] we're changing our database security practices and we're starting to focus on that lost realm of the database security," said Josh Shaul, CTO of Application Security. "The folks who 'own' that database, the database administrators (DBAs), are finding their worlds changing in a significant way, and some of the freedoms that they've had are being taken away from them in order to do the security stuff. From my experience, I've seen that dynamic really create a gap in understanding or perspective between the DBA and security team that often has led organizations to get stuck in the muck around the area of database security."
The perception gap stems largely from a divergence in technology backgrounds.
"Often the DBA's focus is on performance and tuning and often many of them haven't been trained on security. They do their best and they're trying to learn it on the fly," said Scott Laliberte, managing director at Protiviti. "On the flipside, a lot of the security professionals out there do not have good database skills. They tend to be operating system, network, and application folks, and you can get security folks providing recommendations that aren't real practical or can introduce a problem within the database. The DBAs, therefore, fight them very hard."
According to Larry Whiteside, CISO for Visiting Nurse Service of New York, the way a lot of security controls work necessarily require some form of performance overhead within the database. It is only natural for the kneejerk reaction from DBAs to be somewhat negative.
Role-based access control based on least user privilege is one of the most effective ways to prevent the compromise of corporate data. Our new report explains why proper provisioning is a growing challenging, due to the proliferation of "big data," NoSQL databases, and cloud-based data storage. Download the report now. (Free registration required.)
Published: 2015-05-25 Cross-site request forgery (CSRF) vulnerability in the login page in IBM License Metric Tool 9 before 220.127.116.11 and Endpoint Manager for Software Use Analysis 9 before 18.104.22.168 allows remote attackers to hijack the authentication of arbitrary users via vectors involving a FRAME element.
Published: 2015-05-25 IBM License Metric Tool 9 before 22.214.171.124 and Endpoint Manager for Software Use Analysis 9 before 126.96.36.199 do not send an X-Frame-Options HTTP header in response to requests for the login page, which allows remote attackers to conduct clickjacking attacks via vectors involving a FRAME element.
Published: 2015-05-25 Cross-site scripting (XSS) vulnerability in IBM Curam Social Program Management 6.0 SP2 before EP26, 6.0.4 before 188.8.131.52 iFix10, 6.0.5 before 184.108.40.206, and 220.127.116.11a before 18.104.22.168 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
Published: 2015-05-25 The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (hea...
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.