DBAs don’t get security? That’s surprising to me, but it’s the first line of this piece on the gap between DBAs and security staff in many companies. Apparently, according to a survey, most DBAs don’t apply security patches very often, don’t manage change control, and don’t have tight controls or an understanding of how to detect and respond to unauthorized changes to data.
That might be the case in the Sybase world, or even the Oracle world, where it seems that I hear the DBAs do more management of corporate fiefdoms than database platforms. In the SQL Server world, however, we haven’t had too many security patches, and I know most DBAs are diligent about applying the service packs, if they’re allowed to by software vendors.
I think that too often the technology workers that don’t work in security are lax about paying attention to strict security controls. They often tend to have a very loose change control process, and that’s not even counting the fact that the majority of developers and DBAs I know don’t bother to do any obfuscation of production data that is restored on development environments. Many of them don’t even think about implementing any type of security for dev instances at all, much less the same level of protection applied to production systems.
It’s not all DBAs and developers, however. Most of the fault lies with management, in my opinion. Too often management wants to get work completed quickly, wants rapid changes to configurations in the hope that applications will run quicker, and doesn’t want any resources devoted to changing data in development environments. They often barely want to devote any resources to testing, and don’t understand the value of security for development systems.
Security has rarely been well implemented by management in many industries and areas. Too often the lack of understanding of risk, along with the impatience for the delays associated with security, results in a halfhearted effort. I can only hope that at some point the ease with which digital assets can be exposed will force priorities to change and make security more of a requirement rather than an option.