Re: OT: percent of DBAs that know how to impletement database security measures

  • From: "Keith Moore" <kmoore@xxxxxxxxxxxx>
  • To: "Paula Stankus" <paulastankus@xxxxxxxxx>
  • Date: Tue, 4 Apr 2006 16:51:25 -0500 (CDT)

No. That was exactly the case in the example I gave. The application
required DBA access and the username/password was known by all developers
(UN/PW same on development and production)

The management did not want to take the time to make the necessary
application changes. Of course, the effort required increased as time
passed.

The general attitude I have seen is:
1.  If these is any chance that something bad could happen, don't do it.
2.  If it's inside the corporate network, its OK.

Keith


> Guys,
>
>   One thing you are not considering.  The DBA may know how to implement
> security measures but let's say that they are working in a "legacy"
> environment where apps where not setup correctly to begin with.  The DBA
> cannot go out and wily-nily change passwords that might be used across
> applications.  They simply need the assistance and participation of the
> apps group.  That I found was the biggest issue - getting assistance
> from apps development to change code appropriately.  It is not something
> that could or should be done by a DBA in a vacuum.  If the organization
> has a separate security team - then - the DBA might enlist their help to
> get everyone on the same page.
>
>   :)
>
> Keith Moore <kmoore@xxxxxxxxxxxx> wrote:
>   If you take out the part "know how to", as in
>
> ... a full 60 percent of DBAs do not implement database security...
>
> then I would say that based on my experience it's too low.
>
> For example, when I find a shared Oracle account on a production system
> with DBA privileges AND the username equal to the password, the response
> by management is "Yeah, we know, but it's too difficult to change it right
> now. We'll do it later".
>
> Keith
>
>> A little piece of email today told me the following:
>>
>> "... a full 60 percent of DBAs do not know how to implement database
>> security measures, according to Forrester Research".
>>
>> Does that figure seem to be:
>>
>> - too high
>> - too low
>> - just about right
>> - Cowboy Neil
>>
>> Inquring minds want to know.
>> Personally, I think that the phrase lacks the term "properly", as in
>> "properly implement database security measures".
>> "shutdown abort" or "lsnrctl stop" would be examples of "improperly
>> implement database security measures".
>>
>> Paul
>>
>
>
> --
> //www.freelists.org/webpage/oracle-l
>
>
>
>
>
> ---------------------------------
> Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls.  Great
> rates starting at 1&cent;/min.


--
//www.freelists.org/webpage/oracle-l


Other related posts: