DB2 LUW Security -- Pearls and the DB2 DBA

The news is out and it is, indeed, disturbing.


I attended a webinar this week presented by Guardium and Dark Reading. A Forrester Research analyst made this shocking, but likely very true, statement:

"SQL injection attacks and internal data thefts are on the rise -- but DBAs spend less than 5% of their time on database security."

It is sad, but based on what I and other security professionals see every day, I suspect the 5% figure is optimistic.

Dear DBAs, this statistic is a call to action. We, the DBAs, the keepers of some of the most valuable assets an enterprise can possess (data), need to change this dynamic!

When I'm not working on DB2 security or writing about it, I read a lot of scientific magazines. One of the things I learned recently is that the popular belief that pearls are started by a grain of sand is not quite right. Pearls are actually formed when an irritant becomes trapped in a mollusk. To protect itself, the mollusk lays down layer upon layer to form a protective shell around the irritant. The result is the pearl, which is highly prized.

I think DBAs need to take a lesson from "oyster irritants" and start helping enterprises protect themselves. Members of upper management are probably not spending their time poring over DB2 documentation or attending security webinars. They count on us, the DBAs, to do that and, since you're reading my blog, I know that you are one of the absolutely top-notch DBAs who take pride in performing your work to exceptional standards. (grin)

It is our job then to share this knowledge with the organizations we support. The keepers of the money (Management) need to be helped to visualize what the keepers of the data (DBAs) know. And, what we know is that DATABASE SECURITY needs a pearl.

The oyster irritant has become my new mental DB2 security image. I want to help management protect the data with multiple layers of security. I want an entire pearl necklace, a dozen pearl bracelets and a dozen pearls adorning all my shoes.

The first step I can offer, if you want pearls too, is to ask that you schedule some time to sit down with your management and share. Tell them that you want to make security a priority and explain why. Let management know that there is much that can be done at virtually no cost other than time. Don't assume that management is aware of the highly configurable and robust security options that are incorporated into DB2 LUW. Share your knowledge with them, at a high level of course, and paint a mental picture of how robust you can make their security architecture. You might be surprised to find them receptive once they understand what is available without spending additional funds.

For example, keeping fix packs current, in addition to being a good practice, helps keep your data secure. The features that the latest releases of DB2 offer us are robust. Consider items such as LBAC (Label-Based Access Control), SSL enhancements, Trusted Contexts, Separation of Duties features and DB2's native auditing functionality. Explain to management that all you need is time to sit down and actually do the work. Help them understand that FIVE percent of your time spent on security is just not enough to enable all these wonderful security-strengthening features.

So, have a heart-to-heart talk with your manager. Tell them you want your company to succeed in every way possible. Explain that taking the time to configure database security WILL benefit their bottom line, because if they don't take the time and they have a breach, the costs will be significant. A little time now will equal a prized pearl later.


I WELCOME YOUR EMAILS TO:
db2locksmith at securedb2.com