Not on the Same Page

Are DBAs not on the same page as security staff? DBAs don’t get security? That’s surprising to me, but it’s the first line of this piece on the gap between DBAs and security staff in many companies. According to a survey it cites, most DBAs don’t apply security patches very often, don’t manage change control, and don’t have tight controls or an understanding of how to detect and respond to unauthorized changes to data.

That might be the case in the Sybase world, or even the Oracle world, where, from what I hear, DBAs spend more time managing corporate fiefdoms than database platforms. In the SQL Server world, however, we haven’t had too many security patches, and I know most DBAs are diligent about applying the service packs, if they’re allowed to by software vendors.

I think that too often the technology workers who don’t work in security are lax about paying attention to strict security controls. They often tend to have a very loose change control process, and that’s not even counting the fact that the majority of developers and DBAs I know don’t bother to do any obfuscation of production data that is restored to development environments. Many of them don’t even think about implementing any type of security for dev instances at all, much less the same level of protection applied to production systems.

It’s not all DBAs and developers, however. Most of the fault lies with management, in my opinion. Too often management wants to get work completed quickly, wants rapid changes to configurations in the hope that applications will run quicker, and doesn’t want any resources devoted to changing data in development environments. They often barely want to devote any resources to testing, and don’t understand the value of security for development systems.

Security has rarely been well implemented by management in many industries and areas. Too often the lack of understanding of risk along with the impatience for the delays associated with security result in a halfhearted effort. I can only hope that at some point the ease with which digital assets can be exposed will force priorities to change and make security more of a requirement rather than an option.

Steve Jones


About way0utwest

Editor, SQLServerCentral

1 Response to Not on the Same Page

  1. Joe Fleming @MuadDBA says:

    It’s not surprising to me, based on the number of companies that slap the title of DBA on anyone who creates an Access database or installs SQL Server somewhere. It happens a lot that inexperienced people are thrown into the role without a lot of mentoring or training. We’ve even got sessions around it at SQLSaturday and Summit…the Accidental DBA is the unofficial title, I guess.

    So if the poll includes these folks, it’s not surprising that security is one of the areas where there are knowledge gaps.

