My column on Database Journal.
I attended a webinar this week presented by Guardium and Dark Reading. A
Forrester Research analyst made this shocking, but likely very true
"SQL injection attacks and internal data thefts are on the rise -- but DBAs
spend less than 5% of their time on database security."
It is sad, but based on what I and other security professionals see every day, I
suspect the 5% figure is optimistic.
Dear DBAs, this statistic is a call to action. We, the DBAs, the keeper of some of the
most valuable assets an enterprise can posses (data), need to change this
When I'm not working on DB2 security or writing about it, I read a lot of
scientific magazines. One of the things I learned recently is that the popular belief about
pearls being started by a sand grain is not quite right. Pearls are actually formed when an irritant becomes
trapped in a mollusk. To protect itself, the mollusk starts putting layers upon
top of layers to form a protective shell around the irritant. That results in the pearl, which is highly
I think DBAs need to take a lesson from "oyster irritants" and start
helping enterprises protect themselves. Members of upper management are probably
not spending their time pouring over DB2 documentation or attending security webinars.
They count on us, the DBAs to do that and, since you're reading my blog, I know that you are
one of the absolutely top notch DBAs who take pride in performing your work to
exceptional standards. grin
It is our job then to share this
knowledge with the organizations we support. The keepers of the money (Management) need to be
helped to visualize what the keepers of the data (DBAs) know.
And, what we know is that DATABASE SECURITY needs a pearl.
The oyster irritant has become my new mental DB2 security image. I want
to help management protect the data with multiple layers of security. I
want an entire pearl necklace, a dozen pearl bracelets and a dozen pearls adorning all my shoes.
The first step that I can offer if you want pearls too, is to ask that you schedule some
time to sit down with your management and share. Tell them that you want to make security a priority and
explain why. Let management know that there is much that can be done at virtually no cost, other than time.
Don't assume that management is aware of the highly configurable and robust security options that
are incorporated into DB2 LUW. Share your knowledge, at a high level, of course, with them
and paint a mental picture of how robust you can make their security architecture. You might
be surprised to find them receptive once they understand what is available without spending
For example, keeping fixpacks current, in addition to being a good practice,
helps keep your data secure. The features that the latest releases of DB2 offer
us are robust. Consider items such as LBAC, SSL enhancements, Trusted Contexts, Separation of Duties features
and DB2's native auditing functionality. Explain to management that all you need is time to sit down and actually do the work.
Help them understand that FIVE percent of your time spent on security is just not enough to enable
all these wonderful security strengthening features.
So, have a heart-to-heart talk with your manager. Tell them you want your
company to succeed in every way possible. Explain that taking the time to configure
database security WILL benefit their bottom line because if they don't take the
time and they have a breach, the costs will be significant. A little time now
will equal a prized pearl later.
IDUG NA Registration is now open:
IDUG North America Conference
Database Journal - DB2Locksmith's Column
I WELCOME YOUR EMAILS TO:
db2locksmith at securedb2.com
Printed from : http://www.dbisoftware.com/blog/db2_security.php?id=163
My column on Database Journal.