Security Outside the Database

  • Comments posted to this topic are about the item Security Outside the Database

  • The problem lies with management. Without their insistence and proper allocation of resources, security and education will not be a priority. Security costs $$$. Lack of security costs more. But try explaining that to the CFO or clients that only look at the immediate bottom line.

  • I think what is so wonderful about databases and data as a profession is that we oftentimes are the JOIN (if you will) between the high-level software (applications, code, etc.) and the low-level hardware (storage, etc.). Knowing nothing about either is just a time-bomb waiting to happen.

    I find it interesting that you explicitly stated networking as something we should know relatively well. I definitely tend to agree with that. Do you feel that structured network learning (i.e. CCNA) is a benefit to a database administrator?



    Twitter: @SQLife
    Email: sqlsalt(at)outlook(dot)com

  • Unfortunately, given the small size of a lot of companies, these suggestions are just impractical. What we need is software and hardware that takes care of this for us. SQL Server, Windows, Firewalls, etc. should have intelligent default configurations that are secure by default.

    IT workers at small businesses often wear multiple hats and as such can't humanly be expected to master the intricacies of every specific discipline such as firewall administration when they only deal with this area once a month at most.

  • I think half the issue is that we've got lazy developers who circumvent security in the name of rapid development. I can't tell you how many developers I've worked with who run code as a user with sysadmin rights and when we, as DBAs, try to deny this, they go around and over our heads and get some high manager to bypass the best practices. I've even seen this from purchased applications.

  • Thomas Stringer (4/26/2012)


    I think what is so wonderful about databases and data as a profession is that we oftentimes are the JOIN (if you will) between the high-level software (applications, code, etc.) and the low-level hardware (storage, etc.). Knowing nothing about either is just a time-bomb waiting to happen.

    I find it interesting that you explicitly stated networking as something we should know relatively well. I definitely tend to agree with that. Do you feel that structured network learning (i.e. CCNA) is a benefit to a database administrator?

    I think it's good for many people to be IT generalists, outside of their specialty. Over the years knowing networking, AD, mail, etc. has helped me solve DB issues, or even helped me get applications to integrate well.

    However I wasn't implying in the piece that DBAs should learn about IP networking. If you have people doing those jobs, inspire/motivate/ping them to learn more about their craft and better secure your systems.

  • chrisn-585491 (4/26/2012)


    The problem lies with management. Without their insistence and proper allocation of resources, security and education will not be a priority. Security costs $$$. Lack of security costs more. But try explaining that to the CFO or clients that only look at the immediate bottom line.

    Now there is a man that knows the "real" world and how it works.:-D

    "Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"

  • However I wasn't implying in the piece that DBAs should learn about IP networking. If you have people doing those jobs, inspire/motivate/ping them to learn more about their craft and better secure your systems.

    I agree, because in the end it makes you more marketable in the workplace. However, in today's workplace SARBOX standards tend to demarcate job descriptions a lot more, and when you deal with companies that come under SARBOX standards you have to be very aware of this or otherwise you could find yourself in some trouble with auditors learning/doing someone else's job description.:-D


  • I agree that we should all learn about technologies that relate to our core technologies even though they are technically "not our job". Knowing VMware, AD, and development (C#, C++, VB.NET) helps me a lot as a DBA.

  • TravisDBA (4/26/2012)


    I agree, because in the end it makes you more marketable in the workplace. However, in today's workplace SARBOX standards tend to demarcate job descriptions a lot more, and when you deal with companies that come under SARBOX standards you have to be very aware of this or otherwise you could find yourself in some trouble with auditors learning/doing someone else's job description.:-D

    Not true. You cannot do someone else's job. That's where you get into trouble. Understanding their job, providing advice, is fine. What you can't do is actually do the work or have access.

  • Steve Jones - SSC Editor (4/26/2012)


    TravisDBA (4/26/2012)


    I agree, because in the end it makes you more marketable in the workplace. However, in today's workplace SARBOX standards tend to demarcate job descriptions a lot more, and when you deal with companies that come under SARBOX standards you have to be very aware of this or otherwise you could find yourself in some trouble with auditors learning/doing someone else's job description.:-D

    Not true. You cannot do someone else's job. That's where you get into trouble. Understanding their job, providing advice, is fine. What you can't do is actually do the work or have access.

    Agreed, but learning and doing can be a fuzzy line sometimes for a lot of people just trying to help, and that is where they get into trouble.:-D

