The Changing Role of the Modern DBA – New Skills for Security

    By: Michelle Malcher on Jan 22, 2018


     

    This article is part two of a six-part series by editors of IOUG SELECT and Big Data Quarterly on 'The Changing Role of the Modern DBA'. This six-part series will be running over the course of the next three months, with three articles appearing on SELECT and three articles appearing on Big Data Quarterly. 

    Don't miss part one, authored by Joyce Wells with Big Data Quarterly. 

     

    Security is nothing new to the DBA. Granting privileges, creating roles and auditing logons have been part of the DBA task list since the beginning. However, the security role is changing and the protection of the data is more than just creating users and managing permissions. Data security is a growing concern in all enterprises, and since the DBAs have been guardians of the data, their skillset can be utilized in moving forward to combat the new risks and threats.

    As the DBA approaches these new challenges and transitions into new roles and tasks, existing skills are leveraged. The DBA skillset is very strong because it combines knowledge of the data and business processes with experience maintaining reliable, stable environments that support several areas of the enterprise.

    Database security requires paying attention to several areas instead of just users. Authentication and authorization of those users is a key area and first step, and the DBAs need to re-examine the processes and policies around this. But we will look at the steps and new skills in a minute. The changes are in data and around the depth of security.

    Changes in Data

    Data is not just in the databases, and protecting the data is not just securing the databases. Data is everywhere and needed by the business and data flow processes. The data is integrated with other systems, and is pulled in from other in-house sources, from devices and from third parties. Data is in the cloud along with other databases. This adds complexity to the environment, because these sources of data need protection as if they were in the database.

    The modern DBA is involved in the data integrations and in understanding how data is used, which is extremely important when protecting the data and validating the required authorizations. Depending on the classification of the data, different policies and regulations can apply. The DBA's skills lie in working with authorizations, compliance and reporting on how the data is secured across integrations and in the various sources.

    Depth of Security

    Security is not just perimeter and network security. As already stated, the data that we are protecting is not all within the “secured zone”. Instead, there are IoT devices, public cloud databases and other integrations that need to have the proper encryption, authorizations and monitoring in place as well. The database needs different levels of security, which assumes that threats are possible both inside and outside. DBAs need to plan for a big picture of security that recognizes the different layers of security and levels of database security to reduce risk and unauthorized access to the data.

    The change for the DBA is to look past permissions to capturing abnormal activity and verifying that users are performing only the proper tasks, based on either policies or roles. Being able to monitor and report on these details is a great first step and can continue as additional controls are put into place to restrict activity and access.

    Working on the layers of security in the environment opens new opportunities to work closely with security teams. Communication is an important part of understanding whether something is a gap, provides additional protection or is even overkill. A DBA is a valuable resource to the security teams because of the depth of understanding of the data, process and data movement. It is a logical transformation for a DBA to move to a security team or develop a database or data protection team within the security side of the enterprise. The knowledge of how to grant permissions, provide roles and audit the database is a fantastic focus area to provide security in depth.

    Changes in Skills

    In the opening paragraphs we started down the path of first steps in securing the environment and how the DBA has already been performing the tasks of managing data access and authorizations. Now let’s add a couple of new skills that the DBA must possess in order to take the next step to reduce risk and protect against malicious behaviors. The following are areas that match up to cybersecurity frameworks to protect data assets:

    • Authentication and authorization

    • Encryption of data at rest and in-transit

    • Reduce unauthorized access from administrators

    • Monitoring, capturing, reporting and blocking activity

    Authentication can add skills for multi-factor authentication and for how administrator and direct database access requires additional validation. This removes access by just a password; there are tools that can help implement it, as well as options on the database that must be understood, to provide multi-factor authentication.

    Encryption of data and files is available in several database platforms. Key management will require additional skills to look at appliances or ways to centralize key management. Storage encryption is another layer of security that is available, and it means working with the appropriate teams to make sure that there are no gaps for access where the data is in plain text at rest or in transit.

    DBA and administrator access to data is a difficult problem, as parts of their job require direct database access. Options such as Oracle Database Vault provide ways to restrict this access to data and still perform regular DBA tasks. Other options come from monitoring tools and from separating the roles of systems DBAs and application DBAs. There are so many additional DBA skills that can be developed here to design protective systems and implement the needed tools.

    Monitoring and reporting tools are being used by DBAs. However, most of the time they are used for performance tuning. Now, these tools have additional options for blocking and for gathering entitlements for reporting. The skill is understanding how to use these database firewall, auditing and monitoring tools to collect security data and then report on compliance and abnormal behavior. The logs, audits and activity details can be fed into SIEM tools for analytics on security data. The modern DBAs need to develop and understand the analytics and use of SIEM tools.

    Knowledge of these areas is available in the Oracle User Community through conferences such as Collaborate IOUG Forum. There is an advantage in learning from other users who have faced these challenges and can help you get the information to catapult your skillset as a modern DBA for security.

     

    Be sure to check out these sessions at COLLABORATE 2018 

    Come to the Security Side, We have Access

    Oracle Database Security in the Cloud

    Getting Over Cloud Insecurities

     

    Additional Resources:

    https://blogs.oracle.com/oraclesecurity/

    https://www.amazon.com/DBA-Transformations-Transition-Demand-Automation/dp/1484232429

    https://blogs.oracle.com/profit/automatic-secure-integrated

     

     

     


     

    Released: January 22, 2018, 12:08 am | Updated: January 22, 2018, 2:19 pm
    Keywords: Feature | database | Security

