
Databases: The Overlooked Piece Of Compliance
With the database administrator having absolute control, who's watching the watcher to ensure the database is really secure?
By Robert Gardos, Compliance Pipeline
Most IT managers do what they can to stay on top of compliance, security and best practices, but despite all their efforts, chances are there is one thing they've overlooked -- securing the database.
At the center of this issue is a critical question: Who controls the data? Databases remain one of the last frontiers of manual operation, requiring database administrators (DBAs) to engage in a number of hands-on processes in order to execute core management duties. Under most circumstances, the DBA has full and unobstructed influence over the databases they oversee -- accountable to no one and detectable by no one. As a result, even the most rigorous compliance controls in use today can be circumvented by the DBA.
One case that illustrates this problem quite clearly involved a pharmaceutical company based in Colorado. During a recent Sarbanes-Oxley audit, their auditors requested a detailed inventory of all changes made to a particular subset of databases over a specified period of time. In response, the company's IT management instructed the DBA in charge of administering these databases to run a report. When the auditors received the report, they asked a series of questions about how the databases were administered. It was soon revealed that the company's DBA had the power to alter any of the information documented in the report at any time without leaving a record. Understandably, the company's IT security controls were deemed not in compliance.
Another significant compliance challenge facing even the most capable database teams is increased complexity. Most organizations are currently running more than one type of database; according to research firm Gartner, Inc., the average Fortune 1000 organization runs at least four relational database management systems (RDBMS) simultaneously. Oracle DBAs work with Oracle databases -- period. Sybase administrators work on Sybase, and so on. There is no way to have complete visibility across a heterogeneous database landscape.
As a result, implementing standard operating procedures across the entire organization is extremely challenging, and keeping databases up-to-date with new patches is practically impossible. For example, one of the largest financial institutions in the world was having trouble rectifying the gross inefficiencies in managing its Oracle database infrastructure. While it had over 500 DBAs managing its 30,000 Oracle databases, it found that over 80 percent of its administrators' time, on average, was spent fixing and managing problems.
Many of these problems stemmed from an overwhelming number of patching requirements. With Oracle recommending an average of two patches per month per database, even its large team had trouble keeping up with the 720,000 patches that needed to be installed yearly -- many of which required downtime.
Because of the complexity and time associated with this task, many patches simply didn't get installed. This not only contributed to an increase in database "firefighting," but potentially compromised the security and stability of the entire system. With database instances growing at a rate of 50 percent per year, these problems are set to get significantly worse over the next 36 months, further stretching the already thin DBA resources within most IT departments and further compromising security. So, what options are available to help get a handle on this growing data monster? The most common solution is to dedicate more man-hours to the problem. The thinking is that if everyone serves as a watchdog, legitimate and illegitimate mistakes can be identified and averted. Unfortunately, this remains an error-prone and expensive approach, and it gets more so as the environment grows.
One emerging solution that is both manageable and irrefutable is the use of a centralized, automated mechanism to track DBA behavior. When DBA and database monitoring is automated and systematized, data integrity can be reliably ensured even as the IT architecture grows in size and complexity. The good news is that databases are already capable of providing users with just the sort of information they need to ensure compliance and monitoring, so addressing this problem is simpler than most CIOs -- or even DBAs -- may realize.
Proper management of the audit data is paramount, since simply gathering information is really just the tip of the iceberg. The real work lies in processing it and turning it into a powerful tool that can be effectively monitored and audited. In many cases, too much unstructured information is worse than no information at all.
Since the institution of HIPAA and other data protection requirements, hospitals are under greater pressure than ever to not only protect their patient data, but to institute demonstrable controls over the dissemination of sensitive patient information. In response to HIPAA, one large California-based hospital instituted procedures for gathering information on any alteration made to its systems, including records of any and all modifications to its IT infrastructure.
Over the course of just a few months, the hospital accumulated terabytes of data, the weight and complexity of which was so hard to manage and analyze that the entire auditing exercise was rendered futile. Further exacerbating the audit aggregation problem was the fact that the databases were configured to store their auditing records on the database itself, leaving the audit trail stranded within each host.
So, how did they resolve the situation? According to their IT executives, they didn't. They simply didn't know where to begin. In the end, there was simply too much data to prioritize or analyze.
However, had this hospital utilized an overarching database automation solution, it could have taken this useless data and used it not only for compliance, but to enhance the efficiency of its operations. There is great value in cross-referencing configuration, patching, monitoring and auditing. If a database appears buggy or sluggish, information about who did what to it, and when, can be called up in a matter of seconds.
Through automation, that information cannot be erased or compromised. Operating policies can be tracked simply by associating a user with a set of objects and then specifying which actions on those objects should be logged. As a result, the DBA continues to have the power to do his or her job, but there is also a mechanism in place to enforce best practices for the company -- and to watch the watcher.
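The two points above (an audit trail stranded on a host the DBA controls, and a policy expressed as a user, a set of objects and the actions to log) can be illustrated with a small added example; this is not the article's or GridApp's code, and the policy, user names, object names and audit events are all constructed. Each retained audit record is hash-linked to the one before it, and the final hash is kept off the database host, so editing, removing or truncating records is detectable by the verifier even though the DBA can still rewrite the local copy.

```python
import hashlib
import json

# Constructed policy in the shape the article describes: one user, a set of
# objects, and the actions on those objects that must be logged.
POLICY = {
    "user": "dba_jsmith",
    "objects": {"hr.employees", "fin.ledger"},
    "actions": {"UPDATE", "DELETE", "ALTER", "DROP"},
}

# Constructed sample of raw audit events as a database might emit them.
EVENTS = [
    {"ts": "2024-01-05T09:12:00", "user": "dba_jsmith", "object": "hr.employees", "action": "UPDATE"},
    {"ts": "2024-01-05T09:13:00", "user": "app_svc", "object": "hr.employees", "action": "SELECT"},
    {"ts": "2024-01-05T09:20:00", "user": "dba_jsmith", "object": "fin.ledger", "action": "DELETE"},
    {"ts": "2024-01-05T10:01:00", "user": "dba_jsmith", "object": "hr.employees", "action": "SELECT"},
    {"ts": "2024-01-05T10:02:00", "user": "dba_jsmith", "object": "fin.ledger", "action": "ALTER"},
]

GENESIS = "0" * 64  # hash value that precedes the first record


def matches_policy(event, policy):
    """True if the event is one the policy says must be logged."""
    return (event["user"] == policy["user"]
            and event["object"] in policy["objects"]
            and event["action"] in policy["actions"])


def chain_events(events, policy, previous_hash=GENESIS):
    """Keep the events the policy selects and link each record to its
    predecessor with SHA-256(prev_hash || canonical JSON of the event)."""
    chain, prev = [], previous_hash
    for ev in events:
        if not matches_policy(ev, policy):
            continue
        body = json.dumps(ev, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        chain.append({"event": ev, "prev": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain, head_hash, previous_hash=GENESIS):
    """Re-derive every link. Returns -1 if intact, the index of the first
    altered or missing record otherwise; len(chain) means records were
    dropped from the end, which only the off-host head_hash can reveal."""
    prev = previous_hash
    for i, rec in enumerate(chain):
        expected = hashlib.sha256((prev + json.dumps(rec["event"], sort_keys=True)).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return i
        prev = rec["hash"]
    return -1 if prev == head_hash else len(chain)
```

The head hash must be shipped somewhere the DBA cannot write (a log collector, a WORM store, or simply the auditor's mailbox); without it, silently deleting the newest records would go unnoticed.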
At the end of the day, it comes down to the fact that organizations must have one reliable and automated source of irrefutable truth at the database level to ensure compliance, security and efficiency. Without it, true compliance is close to impossible, effective auditing is elusive and security will be forever compromised.
Robert Gardos is CEO of GridApp Systems, a leading provider of database automation and management solutions that help simplify and manage critical database operational tasks such as deployment, patch management, auditing and replication.