Survey: DBAs lack clout to apply database security best practices

While many database admins are tasked with protecting sensitive data, few of them have the financial or business-support resources to do so, a recent study finds.

New survey results suggest database managers and administrators are fighting a losing battle, trying to secure their systems with little or no budget for tools and equally little support from senior management.


The survey, conducted in September 2010 by Unisphere Research of the US and sponsored by Application Security Inc., polled opinions from 761 members of PASS, the Professional Association for SQL Server. The majority of members were based in the US, but 20% of the participants were based in Europe.

The survey found that, while respondents were generally given responsibility for ensuring that data held on their systems is safe, they were given little access to budget information and felt security was not given a high enough priority by top-level management.

A report based on the findings, entitled Data In The Dark: Organizational Disconnect Hampers Information Security, reveals that 75% of respondents said they had prime responsibility for safeguarding personally identifiable information (PII), but 40% of them had no idea whether their organizations' security budgets were rising or falling.

Where data breaches had occurred, 57% did not know the total cost of the breach.

Only 7% of respondents said they had suffered a confidential data breach in the past year, although 18% said they were unsure or didn't know. However, the group seemed to think data security would likely get worse, with 20% saying a breach was likely or inevitable in the next 12 months, and only 31% saying it was highly unlikely.

When asked about their greatest challenges or risks, 65% chose human error, followed by insider abuse (including contractors) at 44%. Other challenges or risks included accidental loss of devices (36%), abuse of privileges by IT staff (31%), external hackers (27%), malware (20%) and unprotected Web applications (16%).

Although 44% said most databases were protected, only 25% felt their databases were protected adequately, while 18% said database protection was deficient and 6% didn't know.

Uncontrolled copying of databases also raised serious security questions: 18% said there were three copies of production data in their organisations, while 7% said they had four copies; 15% had five or more and 18% were unsure how many copies existed.

When asked whether non-production data copies were under the organisation's direct control for security and monitoring purposes, only 46% answered that all were under control, 34% said some copies were under control, 10% said there was no control, and 10% were unsure.

"Despite the organisations suffering breaches, they still seem to have no coherent programme of database security best practices for protecting information," said Thom VanHorn, VP of marketing for New York-based Application Security Inc. "There seems to be a lack of cross-organisation communication."

Report author Joe McKendrick, a research analyst with Unisphere in Chatham, N.J., said the findings also show that companies place too much responsibility on -- and trust in -- administrators and IT staff, even while there are no mechanisms in place to keep database copies under control. "Companies entrust a lot of confidential information to individuals such as database administrators and software developers, and expect them to do the right thing. They also trust offsite partners," he said.

McKendrick added that development teams often make copies of databases to use for their tests, or some well-meaning employees may make copies of files to work on at home.

"Security can't stop at the production data, it has to encompass the whole organisation," McKendrick said. His advice is to spend money on automation tools to help manage the process, and to educate employees about the dangers of copying databases.
