There is always an awkward moment whenever I’ve had to talk about database security to groups of developers. It comes when you try to explain that security applies to everyone, including developers, DBAs and other IT people. Anyone who has been involved in large-scale deployments in established organisations will smile at the remote ideal of a simple build from a single source, given the complex rules governing who has access to code in the various components and modules, and the widespread use of a mix of proprietary and open-source tools. Now, internationally-adopted legislation actually demands that, depending on the type of data held, access control applies to everyone and includes both code and data. Is all this caution really necessary?

A couple of times in my working life, I’ve seen developers in an open office area being approached by two security guards who have then escorted the developer from the site, the contents of their desk deposited into a bin-liner. Their crimes were to attempt to hack into ‘sensitive’ database systems within the corporate network that were nothing to do with their job role. They had no idea that a working development environment in government, or banking corporates was required to have sophisticated detection system that logged their activities. Why did they attempt to hack those databases? I don’t think anyone ever knew for sure, and these incidents gain little publicity, but data has a real value and is therefore a temptation. Again, I’ve witnessed deliberate sabotage against an information system by a disgruntled employee, as well as complete theft of a company’s CRM data by another. No, it is dangerous to assume that employees in IT are universally trustworthy. Estimates vary widely because it is so seldom reported, with estimates of up to half the intrusions detected being by employees or contractors. It certainly seems to be depressingly common.

Good custodianship of any corporate asset means making sure it is secure from theft or damage, and ensure that it maintains its value. For the DBA or anyone else charged with ensuring the security of data, it is an uneasy compromise between minimising the bureaucracy yet ensuring that all precautions that are required have been taken. Theft or malicious damage from within the organisation is a fact of life. If you think that your production DBA, IT Governance, or Compliance expert is being awkward or grumpy, it could just be that you’ve underestimated the task of ensuring that organisations face up to their responsibilities for the good governance of data. After all, it could be your credit card data, healthcare records or salary details.