Guarding Against the Rogue DBA

There’s a very important question that many CIOs, CFOs and CEOs of e-commerce companies should be asking and aren’t: Who controls the data? If they were, they’d realize that the person with the most unchecked power over their data integrity is probably their database administrator (DBA). By overlooking the unchecked power of the DBA, companies are unwittingly compromising their most important asset — their data.

The degree of an organization’s database vulnerability to rogue DBA activity or DBA errors is alarming, particularly as the penalty for noncompliance can mean loss of revenue, credibility or even lead to jail time. The reality is that few e-commerce companies have installed software or hardware controls that monitor DBA activity. Though the number of installs is increasing, companies without software controls provide DBAs with unfettered access to the database. As a result, DBAs have the power to change, delete and alter data — virtually unchecked.

True, our trusted auditors and accountants can help us report and validate this activity. However, who feeds them the information in the first place? In most cases, if the data is manipulated at the system level by people who have an insider’s understanding of the data models and audit trail, current reporting and validation methods are ineffectual. Manipulation aside, what about common mistakes that inevitably occur that result in misinformation? How do we know the difference between rogue activity and an honest mistake?

Unparalleled Power

DBAs typically have direct access to the innards of an application’s data repository and are tasked with keeping the motor running smoothly. When it comes to looking at data, changing data and even deleting data, in many instances, their power is unparalleled. No employee within your organization should have such unfettered abilities to compromise your organization, especially in light of the following facts:

• The number of databases and amount of data tracked is growing and growing fast.
• Database environments are getting more complex as the number of databases and amount of data within those databases continue to increase. Combined with hundreds of different patch levels, the introduction of new versions and security updates, it’s all DBAs can do to keep up with their job.
• The DBA is a high-turnover position. Nearly half of all DBAs will leave their job within 24 months. Additionally, the DBA is one of the most difficult positions for an organization to replace as the need for DBAs are growing faster than almost any other IT-related position.

Increasing complexity, rotating bodies and inadequate auditing translate into more mistakes. It’s not merely about conscious vindictive behavior. It’s about the myriad reports that ultimately feed a company’s final financial documentation — documentation upon which CFOs and CEOs are expected to put their careers on the line.

One particularly high-profile case highlighting the extensive damage a DBA can do was the widely covered Fidelity National Information Services data breach where a DBA at one of FIS’ subsidiaries, Certegy, sold 8.5 million customer names (some including checking account/credit card numbers) to a direct marketing organization.

As a provider of payment processing services to the retail and e-commerce industries, Certegy’s ability to protect its information is critical to the company’s success. One single unethical DBA has now eliminated customer confidence in the entire organization. Clearly, this was a devastating event for the company which is still recovering. While it’s easy to blame Certegy’s DBA, the company’s lack of controls is the true cause of this event.

Attacking the Problem

However, what options do we possibly have to get a handle on both the growing data beast AND its tamer? The one currently most favored within enterprises is to throw more bodies at the problem. If everyone is checking everyone, real mistakes and not-so-real mistakes can be identified. Although this certainly helps mitigate this issue, it is an incredibly expensive approach and is still error-prone.

What companies need is a centralized, automated mechanism — whether it’s hardware or software — to track DBA behavior that is both manageable and irrefutable. When DBA and database monitoring is systematized and automated, data integrity can be reliably ensured even as the IT architecture grows in size and complexity. The good news is that databases are uniquely structured to provide users with just the sort of information they need to ensure compliance and monitoring, so addressing this problem is simpler than most CIOs or even DBAs may realize.

With the help of lightweight software solutions, relevant audit information can be consolidated across the database infrastructure into a readable and reportable format and then tracked in a protected data store where transactions are signed to guarantee authenticity at the database system level, not the application level where many auditing tools live.

Keeping data secure is particularly important for e-commerce companies, but beyond the data security, database automation is becoming strategically important in other administrative areas such as patch management, configuration management and auditing/compliance.

When the DBA’s power is unchecked, mistakes can easily be made, especially in regard to patching. Patching databases may not be complicated, but when multiplied across several databases, inefficient or incorrect patching can cause companies downtime. Too many patches to track, inconsistent patch processes, large read-me files to decipher and unreliable scripts — automating this time-consuming process can not only mitigate security risks, but also significantly reduce costs and accelerate time to deployment.

A Critical Task

Managing application configuration information is a critical administrative task for enterprises looking to improve control and stability. The concept of a configuration management database (CMDB) represents the future in systems management, enabling organizations to baseline configurations, audit user activity, institute change management processes, institute security controls, and automate validation.

Database automation enables organizations to bring the benefits of CMDB to the database infrastructure management, building the foundation for a federated CMDB strategy while providing heightened control and efficiency across the database infrastructure.

The benefits of database automation span across all function of the database. Whether used to ensure compliance, efficiency or consistency, the final output is always the same — a reliable, automated source of truth at the database level. Without it, businesses are betting their futures on the competence and integrity of every DBA they employ, which is at best overly optimistic and at worst negligent.

And remember: the DBAs won’t be the only ones going to jail.