A Database Administrator Disconnect Over Security Duties

Published: 22/11/2024   Category: security


Survey finds database managers out of the loop on overall security objectives, budget details, and strategies



A new set of survey results out this week showed that even as many DBAs are ready to assume the mantle of security practices in their daily duties, there still remains a communication disconnect between these data managers and the security and executive leadership ultimately responsible for data security across an organization.
The survey, conducted by Unisphere Research and sponsored by Application Security Inc., queried more than 750 members of the Professional Association for SQL Server (PASS). Responsible for large swaths of organizational information -- 66 percent of them are entrusted with managing 100 to 500 database instances -- these data managers mostly consider themselves responsible for protecting the data they manage. And yet at the same time, they lack a grasp of the overall security objectives, budget details, and strategies across the entire organization.
"The key takeaway from this report is that, in essence, there is a disconnect between what data managers know needs to be done at the technical level, versus the amount of support and awareness the executives on the business side give," says Joe McKendrick, analyst for Unisphere, architect of the survey, and author of the report detailing its results. "A lot of these people could not tell us what's going on across the organization in information security. What's happening is they're taking good care of their particular domains: Their production databases, for example, are well-locked down. But they don't have a sense of what's going across the organization, and management isn't open to the sharing of information across the organization."
For example, even though three-quarters of respondents said the DBAs are responsible for security, a full 40 percent of them couldn't even tell surveyors the state of their security budget growth during the past year. And 57 percent had no clue how much security breaches cost their organizations in the past year.
Of even more concern is the fact that many basic database security practices are falling through the cracks. Nearly a third of organizations experienced audit noncompliance issues due to access control problems, another 18 percent from configuration issues, and an additional 16 percent due to default ID and password combos.
"I saw default passwords and user IDs as a problem, and I'm thinking, 'That's a problem that's been around since the '60s. Why are we still doing this?'" says John Klemens, technical director for information assurance solutions for Telos, which works on database security and other security projects for Department of Defense agencies. "Why haven't we figured that out yet?"
Klemens believes security personnel need to do a better job interfacing with the DBAs to set expectations and to give them the knowledge and tools necessary to get these issues under control.
"I think it's kind of the same way it was a few years ago with systems administrators with boxes. The DBA's job is to make the database available, make sure things work -- that's their primary responsibility and security normally is someone else's job," he says. "What I see is that the DBAs are willing to do security, but a lot of times they don't have the knowledge to do it. And, ultimately, they're not responsible for setting policies."
McKendrick agrees. "It's really important to have those lines of communication open," he says.
The full report is available here (PDF) for download.