There are many reasons why enterprises are failing to hold database administrators (DBAs) accountable through monitoring and policy enforcement, but one of the big factors is historical inertia.
“In every environment you have DBAs and sys admins and application developers and all those types of folks, who by nature of their privileged access have access to the data as well as sort of the underpinnings of the database,” says Jeffrey Wheatman, a security analyst for Gartner. “Historically the issue has been that there’s not really many ways or certainly not many effective ways to prevent those folks from availing themselves of that type of permission.”
But that is just not the case anymore. Organizations can choose to implement enterprise access control technology that spans across the database and a number of other key applications to manage admission to most valuable data. They can install database activity monitoring tools that can track user activity and enforce real-time access to data based on the user and the data being access. And at very least they can start taking advantage of security technology embedded natively in their database management systems that have most recently started offering fine-grained access control via data masking.
There’s just no technological excuse anymore. At this point, the stumbling block is the cost and complexity issue that keeps many a security project at bay.
Whatever the methodology, Wheatman suggests that the only way an organization can truly safeguard its databases from privileged user abuse is to start building the foundation for a monitoring framework through role-based access control.
“I think it really needs to start with good role-based access control,” Wheatman says, figuring out from a business perspective who should be able to do what and then implementing layers of active controls to enforce that.
Channel partners have the opportunity not only to help build awareness around the threat of unchecked privileged assets, but to also help their customers lay the cornerstone to database security through role-based policies. As Kurt Johnson, vice president of strategy for identity management player Courion, defining roles and policing access around their need-to-know status is the only way other levels of monitoring and control can have meaning.
“It really helps put this information into context,” he says. “Because unless you know who that person is, what their function is and what their role is in the organization, it’s a challenge to really understand whether that information they’re accessing is appropriate for them or not.”
The issue of defining roles and policies is a “huge business issue,” says Rich Mogull of Securosis.
“It’s not like you can flip a switch and then suddenly disconnect everybody,” Mogull says.
This is where experienced channel partners and consultants can really add value to the implementation of the security technology. According to Mogull, the process can take months on end for a small IT team. Partners can assist in helping customers through the arduous process of conducting a risk assessment, reviewing actual access needs by departments and job roles, and eventually defining policies based on those findings.
Once set, those policies need some kind of technical control to make them count.
“Obviously policy is really important; we talk to clients about policy and process all of the time. But if that’s all you have it is just a stack of paper,” Wheatman says. “Unless you have the technical controls on the back end, that policy is difficult to enforce.”
Channel partners can also help customers decide which technical controls are appropriate for their environment and their risk tolerance. Organizations seeking a high degree of assurance may want to implement big-picture identity management and access control solutions that sweep across a wide range of applications within the enterprise beyond the database. Those who are mostly concerned with database controls on a narrow range of database types may rely only on some of the advanced role-based controls offered natively within the database.
And those who may not be quite ready for a big enterprise-wide identity management push but still must control a heterogeneous database environment may want to look into database activity monitoring and other data-centric tools such as data leak prevention (DLP).
“Let’s face it, these database implementations can be so complicated–just to give you an idea, in one of the major ERP programs out there a typical midsize implementation has 70,000 tables,” Wheatman says. “That’s why things like database activity monitoring and DLP are good compensatory controls, because you’re never going to get perfect access controls.
Not only that, but being third-party tools, database activity monitoring solutions offer a good umbrella across all database management systems.