A recently published study shows that database administrators don’t fully understand security. According to these fresh findings, database administrators and IT decision-makers in general admit to knowing very little about security issues like change control, patch management, auditing etc. This survey was conducted on 214 Sybase administrators belonging to the International Sybase User Group.
“A majority of respondents admit that there are multiple copies of their production data, but many do not have direct control over the security of this information,” the survey report stated. “Only one out of five take proactive measures to mask or shield this data from prying eyes.”
According to the report’s author, Unisphere Research analyst Joe McKendrick, the ISUG survey is the first released of a series of similar database security surveys being conducted across various database user groups, including those running other platforms such as Oracle and SQL Server.
“This [ISUG survey] pretty much follows the same script [as the survey responses in the other database environments,” McKendrick said. “It’s very consistent — with a very common theme across all of these different user groups and technology bases — that there is a disconnect between management and security.”
The biggest problem seems to be the understanding of change management and patch management, as 37of th% e respondents did not know how to correct unauthorised changes to the database or how long this would take.
Another 35% stated that they rarely apply security patches or did not know how frequently these patches were applied. Almost two thirds of database manipulation have no automated software for database setup or patching.
Surprisingly, almost 50% of the respondents do not believe they will experience security breaches in the next year.
These results are not at all surprising according to Rich Mogull the founder Securosis analysys firm.
“We still see very much a split between the database and security worlds — and not nearly the level of communication between the two of them that we’d like,” Mogull says.
Security experts strongly state organizations need to do a better job in increasing access to data assets for both DBAs and IT professionals.
“We need to ask ourselves, ‘Where are these pieces of classified information and bank account numbers and sensitive organizational data being stored in the databases? Can we identify all the databases they’re in?'” Hutton explains. “And then we can figure out how to create a control structure that prevents, detects, and responds to incidents against that database.”
Experts have also pointed out many organizations fail to properly audit their data to ensure that the policies and controls put in place are actually working. According to McKendrick, the recent survey found that only 16% of organizations perform regular database audits once a month. Another 32% either say they don’t know how often audits are performed or never perform them at all.