How To Improve DBA And Security Team Relations

If ever there were an "odd couple" tension of Oscar and Felix proportions within the IT operations community, it would be the mismatch between database administrators (DBAs) and the security pros tasked with managing risk on the data stores the DBAs keep humming. DBAs are "performance junkies," according to John Kindervag, principal analyst for Forrester Research. Meanwhile, many IT security professionals came up through the ranks of network administration ranks and know very little of the arcane world of fields, tables, and queries.

"DBA staff tends to be focused on business development and functionality. While database security plays a role in implementing business logic, it’s typically not the driving priority," says Brad Johnson, vice president at consultancy SystemExperts. "DBAs tend to view their work from the perspective of a normal user, while IT security staff tends to look at DB or Web functionality from the perspective of an intruder. The former is trying to do their job, the latter is trying to 'break in' to get access to data or services that were meant to be controlled or private."

The lack of a common ground in knowledge base and the divergence in business goals can often lead the two groups to grow so at odds that data security gets lost in the conflict. However, CISOs can do a lot to foster better relations between database staff and security staff for improved database risk management. Here are some of the top suggestions from database security experts.

Build Consensus Through A Collaborative Environment
"Creating common ground between two disparate groups within IT is no easy task -- it requires a refresh in process and perspective and for both sides to understand that they have a common agenda," says Reuven Harrison, CTO for Tufin Technologies.

While DBAs may be primarily concerned with performance, no DBA wants to see his charges breached in an embarrassing fashion. It is up to management to help DBAs and security staff bridge the gulf through better team-building.

"Often there are turf battles, as one party or another tries to control security," says Todd McDaniel, a DBA for consulting firm SWC Technology Partners. "When this happens, it is imperative that management fosters an integrated and helpful inter-team atmosphere."

Be Open To DBAs' Education And Input
Security pros can go a long way toward cultivating that environment by spending just as much time listening to DBAs as talking to them.

"Work with team members to help them learn to cooperate by taking the extra step in explaining their perspective while at the same time having an open ear and mind to the other team’s perspective," McDaniel suggests.

[Why isn't DAM taking hold in the enterprise? See Five Hurdles That Slow Database Security Adoption.]

McDaniel's colleague Lowry Kozlowski, also a DBA for SWC, says that in many cases the DBAs can educate the security team on how native database security features can be used to lock down data. Similarly, if DBAs already have a change management process in place, security can be brought into the loop by including "the security team to be on the requests," she says.

Use Security Reviews As An Educational Tool
According to Johnson, one method he has seen go a long way toward bridging the gaps between DBA and security understanding is to conduct periodic security reviews that include all of the major stakeholders: DBAs, application developers, IT security staff, and security testers.

"What typically happens is that the testing staff can describe or show how they are able to exploit various vulnerabilities, which often lead to implementation changes that can account for those issues," Johnson says, explaining that even just conducting these reviews quarterly can make a big difference. "They tend to be very efficient as the testers can describe the results quickly and convincingly, and then the DBAs and application developers can imagine tactics and techniques to thwart them."

Make Controls And Documentation Your Common Language
However, some experts warn that addressing internal and external findings can sometimes be time-consuming and costly.

"Documenting processes and exceptions to security controls is easier and cheaper than addressing findings," says Brian Gay, owner of Think Forward Consulting.

As DBAs and security professionals navigate their relationship among one another, security controls should become their common ground, and documentation of those controls the common language they share. This is important, as documentation and controls will need to be updated regularly to keep up with new regulations and security threats.

"Meet periodically with the team to review and update the documentation," Kozlowski says. "Regulations can change, so the documents will need to be reviewed to verify if they still meet requirements on a regular basis."

Become An Ally
One of the justifiable reasons many DBAs resist a closer working relationship with security is that when things go wrong with critical databases, at the end of the day it is the DBA who ends up holding the bag. Security professionals will gain a lot of respect and cooperation from DBAs if they're willing to go to bat for their colleagues during turbulent times.

"In an operational environment, DBAs are always the first to be blamed when an incident occurs on a system," Gay says. "The IT security team needs to partner with DBAs to defend against false accusations or assumptions."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.