What Every Database Administrator Should Know About Security

  /     /     /  
Publicated : 22/11/2024   Category : security


What Every Database Administrator Should Know About Security


Database administrators and security people are often at odds with each other. Here are some ways they can get together



[The following is excerpted from What Every Database Administrator Should Know About Security, a new report posted this week on Dark Readings
Database Security Tech Center
.]
To say that there is friction between security professionals and database administrators (DBAs) is putting it mildly.
Database administrators are both the caretakers of database platforms and the managers of data. Very seldom are they also security experts. In many enterprises, the DBA and the security team find themselves at odds because the DBA is judged on availability and ease of use, not security. Yet the security team advocates controls that restrict access, add complexity and slow database performance. Thats not a recipe for keeping end users happy, and DBAs tend to bear the brunt of criticism.
Databases hold a majority of the sensitive data within most enterprises, and have been a prime target for attackers for more than a decade. The considerable skills database administrators bring to the table are often marginalized, with security teams failing to leverage these valuable skills because they feel DBAs lack the security mindset needed to comprehend wickedly resourceful attackers who target enterprise data. Security does not trust DBAs becausethey feel they lack an understanding of the problems at hand.
Bridging the gap between DBAs and security professionals--bringing their respective strengths into play--can only make a company more resilient. The goal is to educate DBAs on the problems security teams are trying to address, and to arm them with enough information so that they can both appreciate the motivation of security requirements and help propose implementations that secure data while not smashing performance and productivity. In this way, DBAs and security pros can work together to create database environments that are not only functional, but highly secure.
The first step in this process is to talk about what most DBAs dont know. To better close the gap between security and database management, lets address the issues of why security is important and some of the key reasons security teams dont work closely with DBAs.
DBAs are not vulnerability researchers.
As a database administrator, its likely you dont understand half of the vulnerabilities databases are vulnerable to. Thats not meant as an insult--even within the security community, vulnerability research is a specialized sub-discipline practiced by only a handful of people. With that said, its important that youfollow these issues if you want to understand why security teams ask you implement specific security controls. Much in the same way you need to understand how bugs affect the database, or how some settings affect stability and performance, you need to have a basic understanding of vulnerabilities.
Essentially, there are three critical things you need to know about any vulnerability: which feature is/was at risk; the basic methods attackers use to exploit the vulnerability; and whether the vulnerability requires credentials to exploit. You can learn more from CERT/Mitre announcements, vendor security announcements and vendor best practices, as well as from following security and/or database blogs.
Hackers know databases as well as you do.
Hackers spend hundreds of hours examining specific features. They work tirelessly to understand how these features work and, more importantly, how a feature can be made to misbehave. They understand the internal workings of the database, and usually how a features documented specification differs from the implementation.
Theres no such thing as a minor database vulnerability no one else knows about. Attackers are aware of potential flaws, and they will know how to probe your database to see if its vulnerable to those flaws.
To read more key points that database administrators should know about security -- and how security people can communicate them --
download the free report
.
Have a comment on this story? Please click Add a Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
What Every Database Administrator Should Know About Security