Database security often feels like a shadowy corner of IT, requiring arcane knowledge that many security teams feel ill-equipped to handle. The question of “Whose job is it?” and “How do we even begin?” loom large, sometimes leading to a sense of paralysis. The analogy of the fox guarding the hens perfectly captures the understandable hesitation around solely relying on DBAs without proper oversight or separation of duties.

But here’s the empowering truth: securing your databases is not an insurmountable task, and is absolutely within your reach. While specialized knowledge is undoubtedly valuable, there are practical, phased approaches that allow security teams to take crucial meaningful steps toward robust database protection, often with less database expertise than they might imagine.

Let’s break down the landscape of how other organizations are tackling this challenge, highlighting the viability of each approach:

1. Integrating Database Expertise into the Security Team

The Approach: Hiring DBAs or individuals with sufficient database knowledge directly into the security team.

The Reality: This can be a significant investment, but it’s a powerful one. Databases are the most critical assets you need to secure and these individuals empower your team to do that. They can proactively identify vulnerabilities, implement tailored security controls, and educate the wider security team. They act as bridges connecting your security with database technology.

Why it Works: It fosters a dedicated focus on data and database security within the security team. It ensures security considerations are always baked into database management, and that data is always protected at the source.

For Security Professionals: Think of these hires as force multipliers. They bring specialized skills that enhance your team’s overall capabilities and allow for more proactive and targeted security measures.

2. Implementing Separation of Duties Within the DBA Team

The Approach: Designating specific individuals or sub-teams within the DBA department with primary responsibility for security.

The Reality: This is a pragmatic and often effective way to mitigate the “fox and hens” concern. By separating administrative privileges from security responsibilities, you introduce a system of checks and balances.

Why it Works: It leverages existing database expertise in a team that knows how to manage databases while ensuring that security isn’t solely managed by those with broad administrative access.

For Security Professionals: Collaborate closely with the DBA team and management to define clear roles, responsibilities, communication channels, and escalation paths. This is not just about reporting structures, transparency, and accountability. The security team must regularly work with DBAs to investigate the database side of security events, and the DBA team must regularly raise potential problems with their counterparts on the security side.

3. Charging the DBA Manager with Oversight

The Approach: The DBA manager takes on the responsibility of monitoring the security activities of individual DBAs who are securing their respective databases.

The Reality: While the DBA manager might not be in the weeds of every security event, their oversight is crucial to prevent abuse of privilege. Beyond establishing security guidelines and ensuring compliance across all databases, they must also define reports and alerts that allow them to monitor their teams.

Why it Works: It provides a centralized point of accountability for database security within the database administration group.

For Security Professionals: Work with the DBA manager to define clear security expectations, reporting metrics, and escalation paths. Establish regular communication discussing security events, current threats, security training for DBAs, and more.

4. Leveraging External Expertise

The Approach: Partnering with external consultants or managed service providers specializing in database security.

The Reality: This can be a cost-effective way to quickly ramp up your database security accessing specialized skills on an as-needed basis. Partners can conduct security assessments such as proactive forensics reviews, implement security solutions configuring reports and alerts, help investigate security events, provide support, and, if needed, perform ongoing monitoring.

Why it Works: It provides immediate access to expertise without the time, expense, and overhead of permanent hires. It can be particularly beneficial for organizations lacking in-house database security knowledge. It lets you hit the ground running.

For Security Professionals: Find the partner that works for you. Talk to us and we can recommend some of our partners. It can be valuable to define requirements and expectations though not always possible when dealing with a new domain. We can make some suggestions about realistic goals.

5. Starting Slow and Collaborate with DBAs

The Approach: Implement database security measures the security team can manage with minimal database-specific knowledge while fostering a collaborative relationship with the DBA team for specific queries and assistance.

The Reality: This is often the most accessible and realistic starting point. Many essential security controls like monitoring accounts and permissions, reviewing activity sources and activity volumes, and reviewing certain anomaly alerts, can be managed by the security team with their existing expertise.

Why it Works: It allows for immediate progress on database security without requiring changes to team structures or investment in specialized hires. It fosters a culture of collaboration and knowledge sharing between security and database teams that will, over time, empower both with a better understanding and richer skill sets.

For Security Professionals: First focus on identifying changes and understanding activity sources. Look at data flows and access patterns. Don’t hesitate to ask DBAs about your observations – they are valuable resources.

The Path Forward: Empowerment Through Action

The key takeaway is that database security isn’t an all-or-nothing endeavor. By understanding these different approaches, you can identify the most viable path in your organization. Often, it’s a hybrid approach that relies on the skills and relationships of particular individuals.

But you must take action and secure your databases. These are the most critical assets in your organization and if you don’t protect them, you know the outcome – a data breach.

Start Empowering your Security Team Today

• Educate and Upskill: Provide basic database security training to your security team. Focus on fundamental concepts relating to access control, change control, and activity monitoring. Explain database security threats, what they look like, and how to detect them.
• Inventory & Status: Work with the DBA team to gain a clear understanding of your database landscape – what databases exist, where they reside, what sensitive data they hold, and how they are secured. What data exists outside of production and is it secured or masked?
• Collaborate with DBAs: Build bridges with your DBA team. Foster open communication and a shared understanding of security goals. Work together to define security standards for all databases and build a plan to implement those.
• Leverage Tools: Explore if your current security tools can be extended to provide some level of database monitoring or vulnerability scanning, identify the gaps, and start searching for the solutions you need to achieve your goals. We recommend the different levels of Core Audit as key components in a robust database security posture.
• Start Small, Iterate, and Improve: Don’t aim for perfect security overnight. Begin with manageable steps, learn from your experiences, and continuously refine your approach. Get advice from experienced professionals, and define the next step in your path. Talk to us today for a free consultation.

Securing databases is a critical component of security. After all, they hold the data. While the specialized nature of databases might seem daunting, remember that you don’t have to become a database expert overnight. By adopting a strategic and collaborative approach, leveraging the right resources, and starting with achievable steps, your security team will rise to the challenge and effectively protect your organization’s valuable data. The perception of database security as an untouchable niche is ready to be shattered.