Usually, the database administrator (DBA) is your organization's staunchest defender of your sensitive data. But what if that DBA -- or another privileged user -- becomes disgruntled and decides to do some damage?
That possibility is one of the things that keeps Oracle administrators up at night, according to a newly published study conducted by the Independent Oracle Users Group (IOUG). In a survey of more than 300 IT and database administrators, the group found that the greatest risks to corporate data comes from internal access, either by unauthorized users or by "super users" with special access privileges.
Most organizations don't have mechanisms in place to prevent DBAs and super users from reading or tampering with sensitive information in financial, human resources, or other business applications, the survey says. Most of the respondents said they are unable to even detect such breaches.
One out of five respondents expects a data breach or incident during the coming year. Only one out of four said that all of their databases are locked down against attacks. One out of four sites covered in the survey said they do not encrypt the data within their databases, and nearly one in five is not even sure whether such encryption takes place, according to the IOUG.
"The problems are both organizational and technical," says Ron Bennatan, CTO of database security company Guardium Inc. . "DBAs have traditionally focused on performance and availability as their key priorities, while IT security has primarily focused on perimeter and end-point security. Now the two groups need to work together, usually in conjunction with risk and compliance people, to close these gaping holes.
"On a technical level, there are a number of well known limitations with native database logging and auditing utilities, such as their complexity and impact on database performance," Bennatan says. "That means that most DBAs are very reluctant to turn them on, because it just creates more headaches for them and doesnt really address the core problems."
Tim Wilson, Site Editor, Dark Reading