'Super Users' Could Threaten Database Security, Study Says

Survey by Independent Oracle Users Group says most database administrators haven't implemented proper defenses

Dark Reading Staff, Dark Reading

October 1, 2008

2 Min Read
Dark Reading logo in a gray background | Dark Reading

Usually, the database administrator (DBA) is your organization's staunchest defender of your sensitive data. But what if that DBA -- or another privileged user -- becomes disgruntled and decides to do some damage?

That possibility is one of the things that keeps Oracle administrators up at night, according to a newly published study conducted by the Independent Oracle Users Group (IOUG). In a survey of more than 300 IT and database administrators, the group found that the greatest risks to corporate data comes from internal access, either by unauthorized users or by "super users" with special access privileges.

Most organizations don't have mechanisms in place to prevent DBAs and super users from reading or tampering with sensitive information in financial, human resources, or other business applications, the survey says. Most of the respondents said they are unable to even detect such breaches.

One out of five respondents expects a data breach or incident during the coming year. Only one out of four said that all of their databases are locked down against attacks. One out of four sites covered in the survey said they do not encrypt the data within their databases, and nearly one in five is not even sure whether such encryption takes place, according to the IOUG.

"The problems are both organizational and technical," says Ron Bennatan, CTO of database security company Guardium Inc. . "DBAs have traditionally focused on performance and availability as their key priorities, while IT security has primarily focused on perimeter and end-point security. Now the two groups need to work together, usually in conjunction with risk and compliance people, to close these gaping holes.

"On a technical level, there are a number of well known limitations with native database logging and auditing utilities, such as their complexity and impact on database performance," Bennatan says. "That means that most DBAs are very reluctant to turn them on, because it just creates more headaches for them and doesn’t really address the core problems."

— Tim Wilson, Site Editor, Dark Reading

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights