
Follow Up: DBAs Should *Not* Own Database Activity Monitoring

Based on the comments on my last post on DAM, especially the one from Mike Spiers, I want to make it clear that if you are performing Database Activity Monitoring (DAM), it should be owned and managed by security.

It's fine for DBAs to manage regular (native) database auditing, unless they're the target of that auditing, but DAM is a security-specific tool whose primary benefits are to create separation of duties (from the DBAs) and to give security its own insight into what happens in the database. A DBA who administers the monitoring that watches DBAs removes exactly the control DAM is meant to add.

You might need DBAs to integrate it with the database and to confirm its performance impact, but that's where their involvement stops.

—Rich


Comments:

By Richard Bejtlich  on  11/23  at  06:58 AM

This is a perfect example why security should never be totally "integrated" into another group’s functions, like development, operations, and so on.  Without a separate security group there’s no way to perform separation of duties.  Good point RM.

By Leandro Cino  on  11/24  at  07:58 PM

Hi, do you know what kind of companies are using DAM tools?

And why those companies are using the DAM tools?

Thanks

By Rani  on  11/25  at  06:53 PM

Hi Rich,

Thanks for the elaborate post and the follow up. I've just come back from a week in Europe, where neither DBAs nor CISOs own database security, just like their American counterparts ;)

Another way of looking at the problem (and the solution) is that security pros are in charge of creating policy and enforcing it. DBAs are not, but in order to translate policies into procedures, rules and choices that are relevant and applicable to the database, they must be involved.

I'm glad you took a prescriptive, actionable approach to the present situation, because I think that's where a lot of companies are stumped. They know there's a problem, but they're not sure how to approach it. They're looking for best practices. The fact that you needed to point out 6 areas of responsibility underscores the complexity of the current situation, but I don't see a better or simpler short-term approach.

Rani

By rmogull  on  11/25  at  07:07 PM

@Leandro- there is a variety of companies using it. The two biggest groups are public companies using it to help with SOX compliance, and retail using it to help with internal security and PCI compliance.

They use them to reduce the cost of compliance and to improve their database security.

By Leandro Cino  on  11/25  at  07:27 PM

Thanks rmogull. It is interesting for us to understand who is buying, and how the market will move toward DAM.

We are a company that has specialized technology for doing DAM (at the moment with MS SQL Server and Oracle).

We are experiencing some delays in addressing the Argentinean and Chilean markets.

Do you know where that technology is HOT? I mean, which markets do you think we have to focus on to succeed next year?

Thanks!!!

By Proactivity vs. Reactivity » Musings on Data  on  03/16  at  03:57 PM

[...] further… it’s not just DBAs (and I’m not going to get into the whole issue of who owns database activity monitoring…) but companies in general are too reactive when it comes to database [...]
