Wednesday, October 3, 2007

Database Security.....

I was just catching up on some reading and came across this article about securing the database in eWeek.

Now as I read this I have to shake my head and wonder why all they mention is the DBA that is in charge of this. In my experience the DBA usually has the database pretty secure. It is when you introduce the applications that will use the database that it becomes insecure. For those who do not know, in an Oracle database one of the highest privileges you can grant is DBA, in SQL Server it is SA, and in DB2 it is SYSADM. Now for quite a few installs that I have been involved with using Oracle and SQL Server databases, the installation needs either an account created with DBA or SA rights, or it needs the actual SA account. As far as I am concerned this is just pure laziness on the application side. I know it is easier to just grant DBA/SA as you do your development, which is fine because that is usually a test/development environment, but before you release it to prime time take the 10-15 minutes to figure out the access you actually need. I just love it when the application's user actually has access to drop and create users, tables, tablespaces, etc. because the application says it needs the access.
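As an added example (not code from the original post), here is what "take the 10-15 minutes to figure out the access you actually need" looks like in SQL for Oracle and SQL Server: the one-line DBA/SA grant the installer asks for, beside a split into a schema owner used only at install time and a runtime account that holds nothing but a DML/EXECUTE role. The names (app_owner, app_web, app_runtime, the ORDERS table and package, the APP_DATA tablespace, the app schema and app_db database) and the bracketed passwords are assumptions for illustration.

```sql
-- Added example (not from the original post): a least-privilege layout for an
-- application whose installer says "requires DBA/SA". Names (app_owner, app_web,
-- app_runtime, ORDERS, APP_DATA, app_db, schema app) and the placeholder
-- passwords are assumed.

---------------------------------------------------------------------------
-- What the installer asks for (the weak setting the post complains about)
---------------------------------------------------------------------------
-- Oracle:      GRANT DBA TO app_web;
-- SQL Server:  ALTER SERVER ROLE sysadmin ADD MEMBER app_web;
-- Either one lets the web tier drop users, tables and tablespaces.

---------------------------------------------------------------------------
-- Oracle: separate the schema owner from the runtime account
---------------------------------------------------------------------------
-- Owner: holds the objects; only the install/upgrade job ever logs in as it.
CREATE USER app_owner IDENTIFIED BY "<owner-password>"
  DEFAULT TABLESPACE app_data QUOTA 500M ON app_data;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE, CREATE PROCEDURE, CREATE VIEW
  TO app_owner;

-- Runtime role: only the statements the application actually issues.
CREATE ROLE app_runtime;
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO app_runtime;
GRANT SELECT ON app_owner.orders_seq TO app_runtime;     -- sequence: SELECT only
GRANT EXECUTE ON app_owner.pkg_orders TO app_runtime;

-- Runtime account: the one whose password ends up in the config file.
-- It can log in and use the role, nothing more. No quota, no CREATE TABLE.
CREATE USER app_web IDENTIFIED BY "<web-password>";
GRANT CREATE SESSION, app_runtime TO app_web;

---------------------------------------------------------------------------
-- SQL Server: same idea with a database role
---------------------------------------------------------------------------
CREATE LOGIN app_web WITH PASSWORD = '<web-password>';
USE app_db;
CREATE USER app_web FOR LOGIN app_web;
CREATE ROLE app_runtime;
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::app TO app_runtime;
GRANT EXECUTE ON SCHEMA::app TO app_runtime;
ALTER ROLE app_runtime ADD MEMBER app_web;   -- use sp_addrolemember on pre-2012 servers
```

The point of the split is that the account whose credentials live on the web server (app_web) cannot change the schema at all, so a leaked password costs you the data the application already touches, not the instance. If a vendor insists on DBA/SA for the install, grant it to the owner account for the duration of the install and revoke it afterwards; the runtime account never needs it.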

The next thing I really love is all the applications that leave user names and passwords in plain text in their configuration files. Talk about insecure: what is better than having a web server out on the DMZ that has a user name/password in plain text in an XML configuration file? Now if the DBA was involved in the installation of this and is aware of it, then something can be done to minimize the impact (figuring out the maximum access that is actually needed and only granting that access), but usually the application folks are in charge of this, so the DBA does not know that the account that has DBA rights is sitting out on the DMZ in plain sight.
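The DBA usually finds out about the DBA-privileged account on the DMZ only by looking. As an added example (not from the original post), the two queries below list every account holding DBA (Oracle) or sysadmin (SQL Server) together with the hosts and programs currently connected with it, so an application login coming in from a web server stands out. The exclusion lists and the idea of comparing the result against your DMZ host list are assumptions; the catalog views themselves (DBA_ROLE_PRIVS, DBA_USERS, V$SESSION, sys.server_role_members, sys.server_principals, sys.dm_exec_sessions) are standard.

```sql
-- Added example (not from the original post): find accounts holding DBA/sysadmin
-- and where they are connecting from right now. Run as a DBA; the SQL Server
-- half needs VIEW SERVER STATE. Exclusion lists below are assumptions.

-- Oracle: users (not roles) granted DBA, plus any live sessions for them.
SELECT rp.grantee,
       u.account_status,
       s.machine,            -- client host as reported by the session
       s.program,            -- client executable (JDBC driver, IIS worker, sqlplus ...)
       s.osuser
  FROM dba_role_privs rp
  JOIN dba_users u
    ON u.username = rp.grantee              -- drops grants made to other roles
  LEFT JOIN v$session s
    ON s.username = rp.grantee
 WHERE rp.granted_role = 'DBA'
   AND rp.grantee NOT IN ('SYS', 'SYSTEM')  -- built-ins; add your own DBA logins
 ORDER BY rp.grantee, s.machine;

-- SQL Server: members of sysadmin, plus any live sessions for them.
SELECT p.name        AS login_name,
       p.type_desc,                          -- SQL_LOGIN vs WINDOWS_LOGIN
       es.host_name,                         -- client host
       es.program_name                       -- e.g. '.Net SqlClient Data Provider'
  FROM sys.server_role_members rm
  JOIN sys.server_principals r  ON r.principal_id = rm.role_principal_id
  JOIN sys.server_principals p  ON p.principal_id = rm.member_principal_id
  LEFT JOIN sys.dm_exec_sessions es ON es.login_name = p.name
 WHERE r.name = 'sysadmin'
   AND p.name NOT IN ('sa')                  -- add your own DBA logins
 ORDER BY p.name, es.host_name;
```

Any row whose machine or host_name is a web server, or whose program is an application data provider rather than an administrative tool, is exactly the case the paragraph above describes: a privileged account whose password is almost certainly in a config file on that box. Scheduling the query and diffing its output against the previous run catches new grants made during application installs that nobody told the DBA about.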

Now the last thing I really love is when you get those application developers demanding DBA access. I don't know if it is because they can't have that access that they want it, or what, but they always want it. Here is a conversation between myself and a developer about this:

Developer: I need DBA access.

Mark: Why do you need DBA access?

Developer: Because I need to access things.

Mark: What things? Do you need to create tablespaces?

Developer: No I don't need to create tablespaces, but I need DBA Access.

Mark: Do you need to create users, profiles, switch log files, create rollback segments, etc.?

Developer: No, No nothing like that but I need DBA access.

Mark: Well, why don't you figure out the actual access you need and I will grant it to you. I don't have a problem granting access to you if you need it, but you do not need DBA.

Manager: Well, isn't it just easier to grant DBA than to figure out the access?

Now this is where the conversation just went over the cliff, along with the manager and the developer.


So now that I am done ranting about this: thoughts/questions/comments?
