Can Security Teams And DBAs Play Nicely?

Many organizations see database security projects arrive DOA because the DBA is not on board

By Ericka Chickowski, Contributing Editor
Dark Reading

As more organizations act to protect data at its most fundamental state, within the database, one of the biggest challenges that they run into is a people problem. In order to truly mitigate data risks, security teams need to learn to not only play nice with their database administrators, but to make them meaningful stakeholders in securing the databases they’re entrusted to manage. That takes education, respectful conversations and a willingness from both parties to open their minds a bit, experts say.”There’s a shift going on where [as an industry] we’re changing our database security practices and we’re starting to focus on that lost realm of the database security,” says Josh Shaul, CTO of Application Security Inc. “The folks who ‘own’ that database, the database administrators, are finding their worlds changing in a significant way and some of the freedoms that they’ve had are being taken away from them in order to do the security stuff. From my experience, I’ve seen that dynamic really create a gap in understanding or perspective between the DBA and security team that often has led organizations to get stuck in the muck around the area of database security.”

The perception gap stems largely from a divergence in technology backgrounds.

“Often the DBA’s focus is on performance and tuning and often many of them haven’t been trained on security. They do their best and they’re trying to learn it on the fly,” says Scott Laliberte, managing director at Protiviti. “On the flip side a lot of the security professionals out there who do not have good database skills. They tend to be operating system, network and application folks and you can get security folks providing recommendations that aren’t real practical or can introduce a problem within the database. The DBAs, therefore, fight them very hard.”

According to Larry Whiteside, CISO for Visiting Nurse Service of New York, the way a lot of security controls work necessarily require some form of performance overhead within the database. It is only natural for the kneejerk reaction from DBAs to be somewhat negative.

“Because the DBAs typically report into the operations side of the house, they always have a strong focus on the operational aspect of databases — making sure they’re working, making sure they’re efficient — and typically all of the components associated with the securing of a database tend to be things that have do the exact opposite of what a database administrator is tasked to do–we try to put an agent on it, we try to hinder something that negatively impacts performance,” Whiteside says. “That completely goes against what is ingrained in the DBA to do.” In order to get them beyond the initial distaste, DBAs need to be shown that the CISO’s team is working with them, not against them. It is something made easier by the general trend among security departments these days to move away from being the department of ‘no’ to become the department that enables secure business transactions, Whiteside says.

“Over the last three to five years the security officers role has had to change. When I came on board four years ago, the primary goal of mine was to not be an adversary of the IT team, the administrators and the business , but to become a partner with them so they understood we were working toward the same goal and that the things I wanted to do would save them time, money and resources in the long run,” he says. “[I want] to make sure I’m not degrading the business or hindering the business. And that falls more into line with what the DBA is tasked to do.”

When he started having conversations with his DBA leader, Larry Byrnes, this attitude smoothed the way toward implementing controls within the database environments.

“The discussion flowed a lot more smoothly because we were on the same page as it relates to neither of us wanted to do anything to negatively impact the applications that were touching the database or the users that needed access within the database,” says Byrnes, DBA supervisor for Visiting Nurse Service of New York. “So we decided we needed to come up with a plan together.”

Both Whiteside and Byrnes were able to implement database security from AppSec because of this strategizing. And because Byrnes was made a shot-caller in the whole process. He thinks that if security teams are to see success in database security projects, they absolutely need to put DBAs in the driver’s seat when it comes to implementation and management within the database, leaving the security folk in charge of looking at the data and monitoring audit output.

“The DBA has to have a vested interest, has to participate, has to own it to make it work,” Byrnes says. “At the end of the day you have to be sure that the database is correct and available. The DBAs have to be the ones to actually implement the agents that collect the information that [security teams] need,” Byrnes says, explaining that DBAs should look at it as a career opportunity. “If you’ve been creating databases and tables for years wouldn’t it be great to get out and do something else to become more well rounded? It opens up opportunities for people.” In order to make all of that happen, experts like Jonathan Intner, solution architect for Vormetric believe that organizations have to endeavor to better educate DBAs about security principles.

“One way IT security pros can get better buy-in from DBAs is by helping them understand basic security principles. Many DBAs do not give these much thought,” Intner says. “Here’s an example. We have seen companies that encrypt their data and then store the encryption keys in a file on the same server. They back up the file whenever backing up the database. That’s like locking the door and then taping the key to the doorknob. Storing the keys and the data together creates unnecessary risk. This is obvious to a security pro, but may not be to a DBA.”

 

Database Administrators Careers

The average value of the Bachelor degree needed to become a Database administrators is $1,480,063.00.

Points of Interest

• According to the Bureau of Labor, in 2008 there were approximately 120,000 database administrators
• Database administrators are generally known in the field as DBA’s
• DBA’s are needed in virtually every job industry
• By 2018, the Department of Labor expects that the job market for DBA’s will have grown 20%
• A bachelor’s degree or better, strong computer and analytic skills, and IT experience are usually the core requirements for a DBA—as it is a highly specialized, highly skilled profession.
• The growing number of e-commerce sites on the internet and demand for more robust database systems will mandate more DBA’s and similar professionals in the next eight to ten years.

Nature of the Work

Database administrators work in tandem with DB management software (DBMS, or database management software) to store, categorize, interpret, manipulate, and present large quantities of data. DBA’s responsibilities range widely from organization to organization, but essential duties often include: migrating data from older database systems to new ones, conceiving and implementing strong security measures, install and configure (and sometimes even design) new programs and applications that clients and their organization needs, troubleshooting, maximizing the database’s performance and efficiency, ensuring accessibility and ease-of-use for non-database personnel, and managing permissions.

In short, enterprise and corporate level databases are incredibly complex creatures. This especially true today with the most popular form of database–the RDBMS, or relational database management system. This is the reason that bigger organizations have several (or even dozens) of database administrators. And because Microsoft and Oracle SQL’s are extremely comprehensive (and not to mention the fact that they’re from two different competing companies), specialists often have a background in one or the other (i.e. they’re either Microsoft- or Oracle-oriented).

Training, Qualifications, and Advancement

Database administration is a highly skilled career that requires exceptionally trained, motivated, educated, and experienced professionals. A bachelor’s degree in technology-related field (e.g. DB administration, network admin, computer science, etc.) is usually the bare minimum a candidate pursuing a database manager position should have. 2-3 years of experience in the field is usually required, and sometimes certifications (e.g. CCNP, CCNE, etc.) are required—or in the least, highly preferable to many employers.

Additionally, it isn’t uncommon for employers to ask for a candidate with a master’s degree in a computer science-related field or a M.I.S (Management Information Systems). Employers sometimes but not always like candidates with a master’s in business administration concentrated in information systems technology. Having such a specialized degree or two, training and experience greatly increase both the chances of getting hired and being able to negotiate a much higher salary.

Furthermore, database administrators who have the most potential for getting hired and advancing keep abreast of current events and trends in the IT industry—particularly related to database admin, development, or design.

Additional skills that may or may not be required—but usually give the candidate a competitive edge among other applicants—include:

• Microsoft or Oracle SQL training, experience, and or certification
• Programming—e.g. C++, JAVA, SQL, Perl, VB, etc.
• Strong abilities in math, especially statistics and calculus
• Various administrative/clerical skills like stenography and form design
• A fundamental comprehension of various network topographies (such as Windows Server, Internet/Intranet, Enterprise-level)
• Database warehousing and/or mining

It varies from company to company and industry to industry, but database administrators usually either have a particular set of functions within an organization or a diverse range in them—often IT-related but not necessarily database admin. The essential job of a DBA, though, consists of many tasks and responsibilities, and generally DBA’s have to be on-call 24/7. He or she may be required to:

• Perform analysis of the database and ensure proper replication and redundancy
• Perform table maintenance and deal with capacity problems or issues
• Make the database readily accessible, comprehensive, and easy-to-use to authorized individuals and secure from unauthorized access
• Work with a number of operating systems (e.g. SQL, Windows NT, TMS, DB2, Informix, Unix, and so forth)
• Understand and work well with one or more programming language such as Ruby, RPG, Perl, and/or Python.
• Have a good knowledge of Oracle RDBMS’s(relational database management system) and apply that vast body of knowledge to Oracle databases, if applicable.

Personal Attributes

Database administration candidates are all-around well rounded individuals. They can multitask effectively, perform mathematical and statistical operations and apply them to their work, have a positive family life at home, and have excellent written/verbal communication skills. Furthermore, they possess very good leadership skills, plus project management experience or training. DBA’s are critical thinkers; that means they’re neutral fact-finders, explorers, and creators in the IT world as well as in the personal one.

Common Career Paths

Many DBA’s s begin their careers in the technical field, but not in the database sector. Many were previously network or systems administrators, help-desk staff, entry-level programmers, project managers, interns, and many other kinds of professionals. Common positions that fully-fledged database administrators have the opportunity to move up to, with several years experience, include Chief Technology Officer (CTO), Chief Information Officer (CIO), Information Systems Manager, and other senior management roles.

Employment

There were approximately 120,000 DBA’s in 2008, via Bureau of Labor statistics. There are no concrete numbers for 2010, but it the field is widely-known to be growing consistently. DBA’s work in many different capacities and in many different industries.

Some of the industries that database and systems administrators are found in include: financial organizations, insurance firms, education, telecommunication organizations, business and project management, and governmental affairs. Approximately 6% of DBA’s work for themselves—more or less on a contractual basis.

Job Outlook

The Bureau of Labor cites that database administration careers will grow by up to 20% by 2018. That’s roughly 6% greater than the average career in IT through 2018. Why? Because thousands of databases are being added monthly to both the internet (mainly for e-commerce sites) and to organizations’ IT infrastructure. And as previously mentioned, candidates with a wide range of skills, certifications, and training will be far more hirable and far less dispensable.

Projections

From the Bureau of Labor’s Occupational Outlook Handbook 2010-2011 edition: “much faster than average.” Database administrators made up about 120,400 people in the U.S. workforce in 2008. The Bureau of Labor projects, through a rigorous study of industry trends and historical data, that by 2018 there will be over 144,000. That’s a growth of 24,000 (20%) and is substantially higher than other fields in IT.

It is worth noting, while database professionals will enjoy a continually growing workforce, that many of the lower and entry-level jobs are expected to be shipped overseas. Positions that focus mainly on automation or routine administration (non-creative roles, essentially) are continually being shipped to Asia due to downsizing of workforces and capitalizing on cheaper labor by many U.S. organizations and corporations. This information is also courtesy of the Bureau of Labor and Department of Labor estimates. That’s why candidates need a strong educational and work portfolio as well as a professionally—crafted resume.

Earnings

In 2008 the most recent year that the Bureau of Labor has published occupation statistics, the average database administrator made between $50k-$91k. Many subjects in entry-level and some in intermediate positions eared at the bottom10% , or about $40,000 per year, and those are earned the highest (top 10%) made $111,000 and above. Thus, the combined average of all database administrators is almost exactly $90,000 a year.

It’s of particular interest that people with certain skills regularly bring home six-figure salaries. DBA’s that specialize in Oracle products are among those and some of the highest paid IT technicians in the world. Also, database professionals with a diverse range of skills in computers and networks—such as in programming, network administration, network security, IT project management, and/or emerging technologies engineering, for example, routinely make over $100,000 per year; plus, they typically enjoy a great sense of job security because of their diverse skill sets.

Wages

Database and systems administrators made an average of $34.40 hourly in 2008, netting $71,550 per annum. Those with higher degrees and more experience often enjoy up to and beyond $100,000 a year.

Database administrators average salary and salary data for other jobs by Online Degrees

 

Top 99 Responsibilities of a DBA

Database administrators average salary and salary data for other jobs by Online Degrees

Database Architecture Duties

1. Planning for the database’s future storage requirements
2. Defining database availability and fault management architecture
3. Defining and creating environments for development and new release installation
4. Creating physical database storage structures after developers have designed an application
5. Constructing the database
6. Determining and setting the size and physical locations of datafiles
7. Evaluating new hardware and software purchase
8. Researching, testing, and recommending tools for Oracle development, modeling, database administration, and backup and recovery implementation, as well as planning for the future
9. Providing database design and implementation
10. Understanding and employing the optimal flexible architecture to ease administration, allow flexibility in managing I/O, and to increase the capability to scale the system
11. Working with application developers to determine and define proper partitioning

Backup and Recovery

12. Determining and implementing the backup/recovery plan for each database while in development and as the application moves through test and onto production
13. Establishing and maintaining sound backup and recovery policies and procedures
14. Having knowledge and practice of Oracle backup and recovery scenarios
15. Performing Oracle cold backups when the database is shut down to ensure consistency of the data
16. Performing Oracle hot backups while the database is operational
17. Performing Oracle import/export as a method of recovering data or individual objects
18. Providing retention of data to satisfy legal responsibilities of the company
19. Restoring database services for disaster recovery
20. Recovering the database in the event of a hardware or software failure
21. Using partitioning and transportable tablespaces to reduce downtime, when appropriate

Maintenance and Daily Tasks

22. Providing adjustment and configuration management of INIT.ORA
23. Adjusting extent size of rapidly growing tables and indexes
24. Administering database-management software and related utilities
25. Automating database startup and shutdown
26. Automating repetitive operations
27. Determining and setting critical thresholds for disk, tablespaces, extents, and fragmentation
28. Enrolling new users while maintaining system security
29. Filtering database alarm and alert information
30. Installing, configuring, and upgrading Oracle server software and related products installation
31. Logging Technical Action Reports (TARs); applying patches
32. Maintaining the “Database Administrator’s Handbook”
33. Maintaining an ongoing configuration for database links to other databases
34. Maintaining archived Oracle data
35. Managing contractual agreements with providers of database-management software
36. Managing service level agreements with Oracle consultants or vendors
37. Monitoring and advising management on licensing issues while ensuring compliance with Oracle license agreements
38. Monitoring and coordinating the update of the database recovery plan with the site’s disaster recovery plan
39. Monitoring and optimizing the performance of the database
40. Monitoring rollback segment and temporary tablespace use
41. Monitoring the status of database instances
42. Performing housekeeping tasks as required; purging old files from the Oracle database
43. Performing database troubleshooting
44. Performing modifications of the database structure from information provided by application developers
45. Performing monthly and annual performance reports for trend analysis and capacity planning
46. Installing new and maintaining existing client configurations
47. Performing ongoing configuration management
48. Performing ongoing Oracle security management
49. Performing routine audits of user and developer accounts
50. Performing translation of developer modeled designs for managing data into physical implementation
51. Performing correlation of database errors, alerts, and events
52. Planning and coordinating the testing of the new database, software, and application releases
53. Providing a focal point on calls to Oracle for technical support
54. Working as part of a team and providing 24×7 support when required

Methodology and Business Process

55. Coordinating and executing database upgrades
56. Coordinating upgrades of system software products to resolve any Oracle/operating system issues/conflicts
57. Creating error and alert processes and procedures
58. Creating standard entry formats for SQLNet files
59. Creating processes and procedures for functional and stress testing of database applications
60. Creating processes and procedures of application transport from DEV, to TEST, to PROD
61. Defining and maintaining database standards for the organization to ensure consistency in database creation
62. Defining database standards and procedures to cover the instance parameters, object sizing, storage, and naming. The procedures define the process for install/upgrade, corporate database requirements, security, backup/recovery, applications environment, source code control, change control, naming conventions, and table/index creation.
63. Defining the database service levels necessary for application availability
64. Defining methodology tasks for database software integration
65. Defining a methodology for developing and improving business applications
66. Creating a process to determine whether a new release is “stable” enough to be placed on the development system
67. Developing data-conversion processes for customization, testing, and production
68. Developing database test plans
69. Developing database administration procedures and responsibilities for production systems
70. Developing production migration procedures
71. Establishing and providing schema definitions, as well as tablespace, table, constraint, trigger, package, procedure, and index naming conventions
72. Facilitating design sessions for requirements gathering and defining system requirements
73. Providing database problem reporting, management, and resolution
74. Providing final approval for all technical architecture components that manage and exchange data, including database management software, serve hardware, data distribution management software, server hardware, data distribution management software, transaction processing monitors, and connecting client applications software
75. Providing processes for the setup of new database environments
76. Providing risk and impact analysis of maintenance or new releases of code
77. Providing standards and methods for database software purchasing
78. Providing standards and naming conventions
79. Handling multiple projects and deadlines

Education and Training

80. Attending training classes and user group conferences
81. Evaluating Oracle features and Oracle-related products
82. Understanding the Oracle database, related utilities, and tools
83. Understanding the underlying operating system as well as the design of the physical database
84. Understanding Oracle data integrity
85. Knowing the organization’s applications and how they map to the business requirements
86. Knowing how Oracle acquires and manages resources
87. Knowing enough about the Oracle tool’s normal functional behavior to be able to determine whether a problem lies with the tool or the database
88. Processing sound knowledge in database and system performance tuning
89. Providing in-house technical consulting and training
90. Staying abreast of the most current release of Oracle software and compatibility issues
91. Subscribing to database trade journals and web sources

Communication

92. Interfacing with vendors
93. Disseminating Oracle information to the developers, users, and staff
94. Training application developers to understand and use Oracle concepts, techniques, and tools that model and access managed data
95. Assisting developers with database design issues and problem resolutions, including how to run and understand the output from both TKProf and the Explain Plan utilities
96. Training interim DBAs and junior-level DBAs

Documentation

97. Creating and maintaining a database operations handbook for frequently performed tasks
98. Defining standards for database documentation
99. Creating documentation of the database environment

(Follow http://appsdbaportal.blogspot.com/)

Oracle Database 11g: The Top New Features for DBAs & Developers

Oracle Database 11g: The Top New Features for DBAs and Developers by Arup Nanda – ORACLE Copr

<!–

Download Oracle Database 11g

–>In this multipart series, learn how important new features such as Database Replay, Flashback Data Archive, and SecureFiles work via simple, actionable how-to’s and sample code.

Change, although constantly present, is seldom risk-free. Even if the change is relatively minor (creating an index for example), your goal is probably to predict its precise impact as accurately as possible and then take appropriate action

Many new change assurance (or “Real Application Testing,” as Oracle calls it) features in Oracle Database 11g bring that dream closer to reality. The Database Replay tool, for example, allows you to capture production database workload and replay it in a test (or even the same) database to assess the impact of change. Or consider SQL Performance Analyzer, which predicts the performance impact of changes to SQL before they are made. In my opinion, this Real Application Testing functionality alone justifies the upgrade.

Overall, Oracle Database 11g makes database infrastructure far more efficient, resilient, and manageable. For example, very compelling new features in the realm of partitioning ease the design and management of partitioned tables immensely.

In this series (as in the previous series focusing on Oracle Database 10g), you will learn how these new features work via simple, actionable how-to’s and sample code.

Enjoy the series, and the release!

Download series as PDF (4.35MB zip)

---

<!– = indicates accompanying screencast –>

Subscribe to this series via

Database Replay Explore Database Replay, the new tool that captures SQL statements and lets you replay them at will. <!––>	Partitioning Learn about Referential, Internal, and Virtual Column partitioning; new sub-partitioning options; and more.
Transaction Management Get an introduction to Flashback Data Archive and explore Enterprise Manager’s LogMiner interface.	Schema Management Add columns with a default value easily and explore invisible indexes, virtual columns, and read only tables.
SQL Plan Management Use bind variables that pick the right plan every time and ensure a new execution plan is perfect before it’s used. <!––>	SQL Performance Analyzer Accurately assess the impact of rewriting of SQL statements and get suggested improvements. <!– –> <!– –>
SQL Access Advisor Get advice about optimal table design based on actual use of the table, not just data.<!––>	PL/SQL: Efficient Coding Triggers that fire several times at different events and ability to force triggers of the same type to follow a sequence are some new gems.
RMAN Explore Data Recovery Advisor, do parallel backup of the same file, and create and manage virtual catalogs.	Security Learn about Tablespace Encryption, case-sensitive passwords, data masking, and other features.
Automatic Storage Management Learn about new SYSASM role, variable extent sizes, and other ASM improvements.	Manageability Explore automatic memory management, multicolumn statistics, online patching, and more features.
Caching and Pooling Explore SQL Result Cache, PL/SQL Function Cache, and Database Resident Connection Pooling.	SQL Operations: Pivot and Unpivot Present information in a spreadsheet-type crosstab report from any relational table using simple SQL, and store any data from a crosstab table to a relational table.
SecureFiles Explore next-generation LOBs: LOB encryption, compression, deduplication, and asynchronicity.	Resiliency Explore Automatic Health Monitor, Automatic Diagnostic Repository, and other new resiliency features.
Data Guard Query the physical standby database in real time without shutting down recovery, just for starters.	PL/SQL Performance Explore in-lining of code, “real” native compilation, PLS timer, use of simple integer, and more.
Data Warehousing and OLAP Get a tour of new features in these areas, including Cube Organized MVs.	And Don’t Forget… COPY command, Export/Imports, Data Pump improvements, and more.

What do you have to do to be a good DBA ?

From time to time, people on the Oracle forum, or comp.databases.oracle.server newsgroup ask the question: “What do you have to do to be a good DBA ?”

Joel Goodman and Harald van Breederode – a pair of highly skilled and very experienced instructors at Oracle University – recently asked themselves a slightly different question: “How do you have to change to stay a good DBA in the modern environment ?”

Historically, the Oracle DBA skill set was database-centric, usually limited to software installation, database creation, day-to-day maintenance, performance monitoring, tuning and most of all, backup and  recovery. Since  the arrival of Oracle 10g,  the  technology within  the DBA arena has changed, due to the increase in automated monitoring, tuning and manageability
features within  the Oracle  kernel,  and  also expanded  into  areas  that were  formerly  the  responsibility of OS, storage, and network administrators. Due to these changes, the knowledge required by the typical Oracle DBA has increased, requiring additional skills and in some cases job responsibilities. This shift from the traditional DBA, which we call DBA 1.0, toward the mod-
ern, post Oracle 9i DBA, which we call DBA 2.0, has occurred gradually over the past two major releases of the Oracle Database Server.

This expansion of the multi-skilled roles, DBA or otherwise, is countered by the ever-increasing strict partitioning of job roles and access restrictions in financial environments. It’s been two years since I was at a client or on a job where I had actually had any access to the OS for example or had any dba level access to the database (in theory at least). ..