Hacking Privileged Database User Access

How to provide least user privilege to your privileged database users
Where: Where a database resides, where its data originates, and where the user is accessing it from also matter. These questions are especially relevant in light of mounting European data privacy regulations, Cleary says. "Compliance requires of me as an organization that [North American DBAs] not be able to access our consumer database for any of the European countries because [they are] not located within those countries," Cleary says. "So understanding that attribute becomes very important. If I can't apply the compliance control, I could be violating regulatory mandates."

Why: Knowing why a privileged user has access to all of the databases for which he holds the keys is also important. Is it necessary for the user to carry out day-to-day activities? Does he still retain permissions from previous roles in the organization? "So having the technology both interface with the business and really identify at a group level, at a role level, and at a functional level who actually should have access to what kinds of data, and under what circumstances definitely is a critical component," says Jeffrey Wheatman, a Gartner analyst on database security. "If you don't know who should be able to do what, then how do you actually figure out how to put controls around that?"

How: Pinpointing how the user is accessing the databases is also key. Is it through root passwords shared across IT or another business group, or via ad hoc application accounts?

Shared passwords and ad hoc access are two of the biggest stumbling blocks to measured access control that organizations face at the moment. "The level of database access controls is typically just ineffective today because there are just a lot of shared accounts that are going on," Cleary says. "The elimination of that and the review and certification of accounts on a more frequent basis [are important] to make sure not only that the person is still in a valid role within the business, but to also really understand the finer grained entitlement authorizations that are required in order to meet compliance demands."

Answering the who, what, when, where, why, and how questions will help provide visibility into privileged database user access in order to keep auditors at bay and also mitigate risks to the data itself. This occurs through effective access policies, automated access control management, and granular database activity monitoring. But as Wheatman points out, policies without automation leave you just with a "stack of paper." Automated access control applies the policies in a practical way and ensures they're always enforced.

Finally, database activity monitoring helps fill in the gaps: It keeps organizations apprised of activity even when privileged users are using legitimate permissions, and it can give better visibility into account comings and goings if an access control management process isn't fully in place yet.
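As an added illustration (not code from the article or from the vendors it quotes), the following script runs the "where", "why" and "how" checks above over a handful of constructed audit records and entitlement entries: cross-region access that policy forbids, grants that exceed an account's current role, and one account used from several workstations, the signature of a shared DBA password. The regions, accounts, hosts and policy table are all assumed for the example.

```python
"""Privileged-access review over constructed database audit and entitlement data."""
from collections import defaultdict

# Assumed policy: which user regions may reach databases hosted in each region.
ALLOWED_REGIONS = {"EU": {"EU"}, "NA": {"NA", "EU"}}

# Constructed audit records: (account, db_name, db_region, user_region, src_host)
AUDIT = [
    ("dba_alice", "crm_eu",     "EU", "EU", "ws-eu-01"),
    ("dba_bob",   "crm_eu",     "EU", "NA", "ws-na-07"),
    ("root",      "billing_na", "NA", "NA", "ws-na-02"),
    ("root",      "billing_na", "NA", "NA", "ws-na-09"),
    ("root",      "crm_eu",     "EU", "NA", "ws-na-02"),
    ("dba_alice", "crm_na",     "NA", "EU", "ws-eu-01"),
]

# Constructed entitlement review input: what each account holds versus what
# its current job role should need (the "why" question).
ROLE_NEEDS = {"dba_eu": {"crm_eu"}, "dba_na": {"billing_na", "crm_na"}}
ACCOUNT_ROLE = {"dba_alice": "dba_eu", "dba_bob": "dba_na"}
GRANTS = {"dba_alice": {"crm_eu", "crm_na"}, "dba_bob": {"billing_na", "crm_na"}}


def region_violations(records, policy=ALLOWED_REGIONS):
    """Records where the user's region may not reach the database's region ("where")."""
    return [r for r in records if r[3] not in policy.get(r[2], set())]


def shared_accounts(records, threshold=2):
    """{account: sorted hosts} for accounts seen from >= threshold hosts ("how")."""
    hosts = defaultdict(set)
    for account, _db, _db_region, _user_region, host in records:
        hosts[account].add(host)
    return {a: sorted(h) for a, h in hosts.items() if len(h) >= threshold}


def excess_grants(grants, account_role, role_needs):
    """{account: sorted dbs} granted beyond what the current role needs ("why")."""
    out = {}
    for account, dbs in grants.items():
        needed = role_needs.get(account_role.get(account), set())
        extra = dbs - needed
        if extra:
            out[account] = sorted(extra)
    return out


if __name__ == "__main__":
    print("cross-region:", region_violations(AUDIT))
    print("shared accounts:", shared_accounts(AUDIT))
    print("excess grants:", excess_grants(GRANTS, ACCOUNT_ROLE, ROLE_NEEDS))
```

Feeding real audit-log exports into these three functions gives a first cut of the review-and-certification list the article describes, before any automated access-control tooling is in place.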
