Survey: Database Administrators, IT Security Still Not On The Same Page

By Ericka Chickowski, Contributing Writer
Dark Reading

DBAs lack understanding of change control, patch management, ISUG study says

Database administrators still don't get security, according to a study published Wednesday.

Many DBAs and general IT decision makers admit they know little about critical database security issues, such as change control, patch management, and auditing, the survey says.

Conducted by Unisphere Research on behalf of Application Security Inc., the survey questioned 214 Sybase administrators belonging to the International Sybase User Group (ISUG) about their database security practices. The prevalent theme running throughout the survey was that most organizations lacked controls to keep database information protected across the enterprise.

"A majority of respondents admit that there are multiple copies of their production data, but many do not have direct control over the security of this information," the survey report stated. "Only one out of five take proactive measures to mask or shield this data from prying eyes."

According to the report's author, Unisphere Research analyst Joe McKendrick, the ISUG survey is one in a series of similar database security surveys being conducted across numerous database user groups, including those that run other platforms, such as Oracle and SQL Server.

"This [ISUG survey] pretty much follows the same script as the survey responses in the other database environments," McKendrick said. "It's very consistent -- with a very common theme across all of these different user groups and technology bases -- that there is a disconnect between management and security."

One of the biggest problems is a lack of understanding of change management and patch management, according to the research. The survey found that 37 percent of respondents didn't know or weren't sure how long it takes to detect and correct unauthorized changes to the database.

About 35 percent of those surveyed said that they rarely apply security patches across their database portfolio or didn't know how often patches were applied. Just less than two-thirds of organizations do not have any kind of automated database configuration management or patch management tools employed.

Yet, well more than half of respondents said they don't think they are likely to experience a breach in the next year.

According to Rich Mogull, founder of analyst firm Securosis, the results from this ISUG survey aren't very surprising.

"We still see very much a split between the database and security worlds -- and not nearly the level of communication between the two of them that we'd like," Mogull says.

Mogull believes that the lack of knowledge about change management isn't strictly a security issue. "That's something that the database guys themselves should be keeping track of for performance reasons, if nothing else."

Many security experts believe that organizations need to do a better job increasing the visibility of data assets across the enterprise -- to both DBAs and security professionals. This visibily starts with data classification, says Alex Hutton, principal in research and risk intelligence for Verizon Business.

"We need to ask ourselves, 'Where are these pieces of classified information and bank account numbers and sensitive organizational data being stored in the databases? Can we identify all the databases they're in?'" Hutton explains. "And then we can figure out how to create a control structure that prevents, detects, and responds to incidents against that database."

And this is is only the first step, experts say. A lot of organizations fail to properly audit their data to ensure that the policies and controls put in place are actually working. According to McKendrick, the recent survey found that only 16 percent of organizations perform regular database audits once a month. Another 32 percent say they don't know how often audits are performed -- or never do them at all.

"There's either no auditing at all, or else it is auditing after the fact -- you know, checking the barn doors after all of your horses have been stolen," McKendrick says. "These audits take place may be quarterly, so you could have a major data breach take place in early January -- and it's late March when you're finding out about it."

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.