Archive for March, 2008

Fern Halper, an analyst with Hurwitz & Associates wrote in her blog “Data makes the world go ’round” about database activity monitoring (as well as highlighting some of what my company Sentrigo does).

In the summary of her post she raises an important issue – that most DBAs are reactive rather than proactive when it comes to monitoring their databases. I’ll take this even further… it’s not just DBAs (and I’m not going to get into the whole issue of who owns database activity monitoring…) but companies in general are too reactive when it comes to database security.

Yes, I know that security doesn’t generate revenues; it doesn’t even reduce costs, at least not in any consistent, measurable way. Security is all about reducing risk and the cost associated with that risk. The problem is that by being reactive, companies are addressing yesterday’s risks, not today’s or tomorrow’s. There are several biases in how the IT security budget is allocated, and one of the biggest is the visibility bias: the tendency to invest in protecting against visible threats, even if they are small. Spam is a good example. It doesn’t do much harm, but it’s visible every day in everyone’s inbox (I’m not talking about malware, just the “classic” commercial spam which makes up 99.9% of spam). Companies are investing more today in squeezing out the last marginal spam message, with diminishing returns, than they are in database security. Far more.

Risk, on the other hand, is not just a question of visibility or sheer quantity. It’s also a question of the potential damage of even a single attack, and the probability of such an attack succeeding. The risk posed by inadequate database security is currently greater than the risk posed by spam, given the counter-measures already in place for the latter. Yet many enterprises, by force of habit and inertia, continue to invest in protecting against threats for which they already have good enough solutions, whereas other areas remain barren. Some companies do, of course, shift their attention to new threats every once in a while, but I wonder how many enterprises do an annual (or more frequent) risk assessment that includes a “green field” threat analysis and gap analysis?

I’ll be presenting on Oracle database hacking and security at the UKOUG DBMS Special Interest Group meeting this week. The meeting will take place on Thursday, 20th March 2008 at Baylis House, Slough (UK, obviously). Here’s the link to the agenda and details: http://www.ukoug.org/calendar/show_event.jsp?id=3358

Hope to see some of you there – come and say hello…

Just a short announcement this time – Sentrigo is hosting a live webinar/webcast with Pete Finnigan where he’ll share his wisdom on Oracle database security, show some attack vectors and how one can detect and prevent them, as well as other good stuff.

Those of you who’ve ever attended one of Pete’s masterclasses at an OUG or security conference know that they are well worth attending, and those of you who haven’t – you’re now given the chance to attend from the comfort of your own computer…

It takes place on Friday, March 28th. You need to register in advance – here.