The Changing Role of the Modern DBA - Part 2: New Skills for Security
Posted by Harry E Fowler
- Last updated 6/26/19
This article is part one of a six-part series: “The Changing Role of the Modern DBA,” developed as a collaborative effort between IOUG SELECT and Big Data Quarterly.
Security is nothing new to the DBA. Granting privileges, creating roles and auditing logons have been part of the DBA task list since the beginning. However, the security role is changing and the protection of the data is more than just creating users and managing permissions. Data security is a growing concern in all enterprises, and since the DBAs have been guardians of the data, their skillset can be utilized in moving forward to combat the new risks and threats.
As DBAs approach these new challenges and transition into new roles and tasks, they can leverage their existing skills. The DBA skillset is very strong because it combines knowledge of data and business processes with experience maintaining reliable, stable environments that support several areas of the enterprise.
Database security requires paying attention to several areas, not just users. Authentication and authorization of those users is a key area and the first step, and DBAs need to re-examine the processes and policies around it. We will look at the steps and new skills in a minute; first, the changes are in data and in the depth of security.
Changes in Data
Data is not just in the databases, and protecting the data is not just securing the databases. Data is everywhere and is needed by the business and by data flow processes. The data is integrated with other systems and is pulled in from other in-house sources, from devices and from third parties. Data is in the cloud along with other databases. This adds complexity to the environment, because each of these sources of data needs protection as if it were in the database.
The modern DBA is involved in the data integrations and in understanding how data is used, which is extremely important when protecting the data and validating the required authorizations. Depending on the classification of the data, different policies and regulations can apply. The DBA skills here are working with authorizations, compliance, and reporting on how the data is secured across integrations and in the various sources.
Depth of Security
Security is not just perimeter and network security. As already stated, the data that we are protecting is not all within the “secured zone”. Instead, there are IoT devices, public cloud databases and other integrations that need to have the proper encryption, authorizations, and monitoring in place as well. The database needs different levels of security, on the assumption that threats are possible from both inside and outside. DBAs need to plan for a big picture of security that recognizes the different layers of security and levels of database security to reduce risk and unauthorized access to the data.
For the DBA, the change is looking past permissions to capturing abnormal activity and verifying that users are performing only the proper tasks, based on either policies or roles. Being able to monitor and report on these details is a great first step and can continue as additional controls are put into place to restrict activity and access.
Working on the layers of security in the environment opens new opportunities to work closely with security teams. Communication is an important part of understanding whether something is a gap, provides additional protection or is even overkill. A DBA is a valuable resource to the security teams because of the depth of understanding of the data, process and data movement. It is a logical transformation for a DBA to move to a security team or develop a database or data protection team within the security side of the enterprise. The knowledge of how to grant permissions, provide roles and audit the database is a fantastic focus area for providing security in depth.
Changes in Skills
In the opening paragraphs, we started down the path of first steps in securing the environment and how the DBA has already been performing the tasks of managing data access and authorizations. Now let’s add a couple of new skills that the DBA must possess in order to take the next step to reduce risk and protect against malicious behaviors. The following are areas that match up to cybersecurity frameworks to protect data assets:
- Authentication and authorization
- Encryption of data at rest and in-transit
- Reduce unauthorized access from administrators
- Monitoring, capturing, reporting and blocking activity
Authentication adds skills in multi-factor authentication and in how administrator and direct database access requires additional validation. This removes access by password alone; there are tools that can help implement it, and options in the database that must be understood, to provide multi-factor authentication.
Encryption of data and files is available in several database platforms. Key management will require additional skills to evaluate appliances or other ways to centralize key management. Storage encryption is another layer of security that is available, and it means working with the appropriate teams to make sure that there are no gaps where the data is in plain text at rest or in-transit.
DBA and administrator access to data is a difficult problem, as parts of their job require direct database access. Options such as Oracle Database Vault provide ways to restrict this access to data while still allowing regular DBA tasks. Other options come from monitoring tools and from separating the roles of systems DBAs and application DBAs. There are many additional DBA skills that can be developed here to design protected systems and implement the needed tools.
Monitoring and reporting tools are already being used by DBAs. However, most of the time they are used for performance tuning. Now, these tools have additional options for blocking and for gathering entitlements for reporting. The skill is understanding how to use these database firewall, auditing, and monitoring tools to collect security data and then report on compliance and abnormal behavior. The logs, audits and activity details can be fed into SIEM tools for analytics on security data. Modern DBAs need to develop and understand the analytics and use of SIEM tools.
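The following added example (not part of the original article) shows one way the checks described above could be scripted: audit records are compared against role entitlements, administrator reads of application data are flagged, and violations are emitted as JSON lines for a SIEM. The role names, policy table, schema names and audit records are all constructed assumptions.

```python
import json

# Hypothetical entitlements: actions each role may perform, and whether the
# role may touch application data (any schema outside SYSTEM_SCHEMAS).
POLICY = {
    "app_user":   {"actions": {"SELECT", "INSERT", "UPDATE"}, "app_data": True},
    "report_ro":  {"actions": {"SELECT"}, "app_data": True},
    "system_dba": {"actions": {"ALTER", "CREATE", "GRANT", "SELECT"}, "app_data": False},
}
SYSTEM_SCHEMAS = {"SYS", "SYSTEM"}

# Constructed audit records; field names are assumptions, not a vendor format.
AUDIT = [
    {"ts": "2019-06-26T09:00:01Z", "user": "orders_svc", "role": "app_user",
     "action": "INSERT", "object": "APP.ORDERS"},
    {"ts": "2019-06-26T09:02:10Z", "user": "bi_reader", "role": "report_ro",
     "action": "DELETE", "object": "APP.ORDERS"},
    {"ts": "2019-06-26T09:05:44Z", "user": "dba_kim", "role": "system_dba",
     "action": "ALTER", "object": "SYS.PARAMS"},
    {"ts": "2019-06-26T09:06:02Z", "user": "dba_kim", "role": "system_dba",
     "action": "SELECT", "object": "APP.CUSTOMERS"},
    {"ts": "2019-06-26T09:09:30Z", "user": "temp_ctr", "role": "contractor",
     "action": "SELECT", "object": "APP.ORDERS"},
]

def findings(event):
    """Return the list of policy violations for one audit record."""
    policy = POLICY.get(event["role"])
    if policy is None:
        return ["unknown_role"]          # no entitlements on file: always report
    out = []
    if event["action"] not in policy["actions"]:
        out.append("action_outside_role")
    schema = event["object"].split(".", 1)[0]
    if schema not in SYSTEM_SCHEMAS and not policy["app_data"]:
        out.append("admin_access_to_app_data")
    return out

def to_siem(events):
    """Yield one JSON line per violating event, ready to forward to a SIEM."""
    for e in events:
        f = findings(e)
        if f:
            sev = "high" if "admin_access_to_app_data" in f else "medium"
            yield json.dumps({**e, "findings": f, "severity": sev}, sort_keys=True)

if __name__ == "__main__":
    for line in to_siem(AUDIT):
        print(line)
```

In practice the policy table would be generated from the entitlement reports the monitoring tools already gather, so the check and the compliance report share one source.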
Knowledge of these areas is available in the Oracle User Community through conferences such as COLLABORATE IOUG Forum. There is an advantage in learning from other users who have faced these challenges and can help you get the information to catapult your skillset as a modern DBA for security.
Be sure to check out these sessions at COLLABORATE 2018:
- Come to the Security Side, We have Access
- Oracle Database Security in the Cloud
- Getting Over Cloud Insecurities
Additional Resources:
- https://blogs.oracle.com/oraclesecurity/
- https://www.amazon.com/DBA-Transformations-Transition-Demand-Automation/dp/1484232429
- https://blogs.oracle.com/profit/automatic-secure-integrated