Database Security Suffers From Leadership Gap

If there's one sure thing about database security, it's that most organizations are unsure about who exactly is in charge of protecting their data stores.

As Jon Oltsik of Enterprise Strategy Group (ESG) puts it, the critical task of hardening databases and monitoring access to their information is quite often hampered by "too many cooks in the kitchen."

According to a survey of 175 IT decision-makers polled by ESG, nearly a quarter of them reported that a lack of inter-departmental cooperation was one of the greatest risks to their database security. "We asked who owns database security, and what we found is that a lot of companies have multiple people involved," Oltsik says. "A lot of people are touching the database server and unless you have very, very strong access controls and very strong change management policies, someone is going to step on someone else's toes."

According to ESG, the most common stakeholders listed by survey respondents were security administrators, DBAs, and system administrators. But some organizations could have as many as 10 different individuals or functional groups burdened with responsibility for regulatory compliance when it comes to the sensitive information within their databases. Approximately nine different corporate roles were listed by at least a quarter of respondents as having a say in database security, including the usual suspects along with auditors, compliance departments, and legal staffers.

Unfortunately, with so many stakeholders responsible for securing valuable database information, Oltsik suspects that too many of them believe someone else is taking care of database security -- thus leaving no one at the tiller. He's not the only one to believe so.

"The DBAs and the database architects have tended to operate independently," says Jeffrey Wheatman, a security analyst for Gartner. "I think a lot of security people don't really understand and know what they do. So what has happened is they've sort of said, 'Well, are you doing security?' and the DBAs say 'Sure.' And to their knowledge, they are."

As Alexander Kornbrust explains, more organizations need to get their DBAs and security experts working together in concert.

"Instead of investing in hardware or software, I would start with the people first," says Kornbrust, CEO of Red-Database-Security GmbH, a consultancy that specializes in securing Oracle databases.

He explains that organizations with a very immature database security process may first want to start by educating DBAs about what it means to harden a database and then move on to developing processes to coordinate between them and the security folks. This could start by testing out cooperation with the hardening of just a few databases. Once the team shakes the kinks out of the process, it can move forward with more, he says.

Technology and policy development will also play a role in the coordination, says ESG's Oltsik, who believes change management is extremely important to get everyone on the same page.

"Before anyone does anything to the database server, it needs to be approved," he says. "You want someone mandating who touches it, how they touch it and what they can do when they do touch it. Usually that's the security guys' role."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.