i just stumbled on a blog post by John Oltsik of ESG entitled Database Security Is In Need of Repair written on August 26th, 2009. John reports on a survey ESG conducted that showed Database Security is surprisingly weak given the fact that 58% of the survey respondents said that databases contain the highest percentage of their organizations' confidential data. File Servers came in a distant second at 15%.
How can this be? John says:
1. No one owns database security, rather it appears to be a collective effort done by security administrators, IT operations, data center managers, system administrators, DBAs, etc. With this many people involved, it is likely that database security is fraught with redundant processes, numerous "root" access passwords, and human error.
This resonates with my experience. The worlds of DBAs and IT Security professionals rarely meet. They speak different languages. DBAs are all about availability and performance, just as network administrators traditionally were.
There are two types of Database Security solutions - Encryption and Database Activity Monitoring. Encryption solutions are used for compliance purposes, for example to encrypt the Social Security Number column of a database o block unauthorized users who gain access to the database server. However, it does nothing to block authorized users violating access policies.
Database Activity Monitoring, which I wrote about here, comes in three flavors - logging, network, and host based. In some cases, Database Activity Monitoring can provide a layer of policy control to restrict authorized users (insiders) to just the data they need to do their jobs. And even of those solutions there can be limitations.
In summary, 1) the solutions available are improving and 2) it behooves database administrators to expand their vision to include database security.