The DBA and the Battle for Reputations

Richard Morris comments on the perception amongst some DBAs that the reputation of their profession is declining. In today's world of burgeoning information theft, are DBAs part of the problem or part of the solution?

“You can’t blame the consultants wanting to drum up business but I resent my job being looked down upon. Our work demands certain inherent qualities. The top one is discretion. Half the time the business media wants critiques of what is happening to an individual business’s data. But they often don’t know what they are providing a critique of, or what they are attacking.”
Dan Ford, Consultant DBA

‘Public enemy number one’?

A brief Internet search reveals the rapidly advancing belief that the reputation of the profession of DBA is in deep decline. On the Computerworld website is a rather sad blog written by security analyst Eric Ogren. He makes the claim that the DBA is fast becoming ‘public enemy number one’.

What, you may ask, has brought on this air of resignation?

The database administrator, Ogren claims, was once among the most trusted, valued and honourable members of a corporation.

These were the people who could once be trusted to bond business demands with technical know-how. In those halcyon days, they were cosseted and looked after, brought regular trays of coffee and biscuits, given a hamper at Christmas and invited out to dinner with the boss.

Not any longer, it seems.

DBAs work above the security grid

The 21st century’s reliance on digital technology has introduced the DBA, along with other IT workers, to a previously unimagined universe of electronic loathing.

Wherever you look on the net there seem to be accusations that IT workers (and particularly DBAs) are the people most likely to steal information, foul files, deliberately erase confidential data by order and thieve other people’s sexual partners. Okay, the last accusation is fantasy, but you get the drift …

Many websites, mostly those run by IT security firms, are setting about telling chief executives and chairmen of boards that their IT staff cannot be trusted.

The average careless, guiltless and Godless DBA, they say, will go to any lengths to steal corporate secrets and sell their booty on an ever increasing, bustling information black market.

Regardless of motivation, it’s no secret that a database analyst would make the perfect industrial saboteur, petty pilferer or spy. Why? Simply because most DBAs work above the security grid; few others in any IT-led business have such unfettered access to data of all kinds.

DBAs spend most of their day working on and tweaking files and could, if the mood grabbed them, easily copy or, perhaps worse, change sensitive data. This simple theory hasn’t been lost on companies who’d rather keep their secrets to themselves.

In fact, the paranoia in some corporations is now so rampant that many CIOs are employing eager and expensive IT security firms to install covert software out of hours so they can track and supervise all computer keystrokes made during the working day.

So just where has this distrust come from, when did it happen and, more importantly, is any of it justified?

Stopping the database thieves

Some years ago, when the digital revolution was just a small surge on the electric grid, untrustworthy employees may have mocked the dozy e-coppers who studied abandoned chewing gum or half a sherry trifle for clues when a major data theft had taken place.

Others though were taking a keen interest in their activities. Firms of security analysts (of whatever shade or purpose) were formed in backrooms of small, airless pubs.

After a few days of communal living, all sorts of unlikely anti-geeks headed towards the stationery suppliers to get their business cards printed up.

Included among their number was a shadowy ex-soldier, former DBA and erstwhile hacker called Jeff Rogers.

‘Where there’s money, there’s crime. Or should I say where there’s data, there’s money. I changed my business overnight when I realised employees in big business had discovered they could make a fast buck or two out of other people’s information,’ says Rogers.

Many would think him an unlikely entry to the world of IT security but Rogers is like any other self-saved obsessive, and his personal appearance (a tall, spare man, with bloodshot green eyes and hollow cheeks, streaked with broken red veins) amply reflects the stress of his job.

He confesses that he was once torn between the egotism of theft from databases and websites (‘well I thought it was cool’) and the morality of realising he was doing something wrong. He was ‘fighting against himself.’

Then, Rogers says, he realised he must consider other people, and he found the guilt of continuing to defraud companies very difficult to face up to.

Oh, and he was offered a cushy security job by a boss who was impressed when Rogers was caught with hard-to-come-by commercially sensitive data on his person.

‘I eventually decided that my personal life was more important than making money from dishonest means.’ He says this with a pained expression on his face, then launches into his present day upright obsession. Stopping the database thieves.

‘Detecting activities such as data break-ins is getting increasingly chaotic and difficult. At least when an outside hacker exploits a few flaws, the people in IT usually know something criminal is happening.

With insider attacks it can be very tricky indeed, especially when a big corporation is processing thousands of pieces of data a day, or even per minute. The chances of the human eye detecting the problem are pretty much nil, especially when the culprits are covering their tracks.’

‘In today’s world of rampant theft only the paranoid survive’

But surely, I ask, isn’t all this singling out of employees and accusing people with certain job titles getting a little bit ridiculous? Not every DBA, for instance, has a powerful urge to intimately avail themselves of lots of unearned cash. And anyway, since encryption and access controls can easily be dodged by anyone who has the right credentials, what’s the point of blaming someone who is usually the most reliable of employees?

I also point out to Rogers that the problem of corporate theft is often compounded by an organization’s bad habits. For the sake of convenience, many ignore the strictures of a rigorous authentication and access control plan and share IDs and passwords among any number of users or DBAs.

Insiders can also take advantage of the fact that colleagues, managers, and even the hard-pressed execs have a hard time mistrusting their own employees.

The impudence of it all takes Rogers by surprise and for a moment I feel he might just faint or deliver me a right hook. But then, in a great gravelly Northern Irish brogue, this former skilled teacher of practical sabotage breaks the silence.

‘Sir, employee theft is huge and most incidents are discovered almost by accident. Do you really think that there are just a couple of incidents each year? What assurances can you give me that our critical data is being protected by the people we trust, like banks, insurance firms or the government, for example?

‘You can’t! Most firms would receive an E minus if they were to sit an exam on digital security and the hiring of employees in sensitive positions. Most human resource people are jerks. In today’s world of rampant theft only the paranoid survive,’ he counters and happily admits he’d like to splay fraudulent employees across his car bonnet.

The corrosive atmosphere of distrust

The Rogers view of the IT world is neither subtle nor balanced, and perhaps that is not surprising, since neither side has really warmed to the other. But it is truthful.

You only have to look at the figures to see this. In America the 2006 Computer Security Institute (CSI) Computer Crime and Security Survey revealed that over half of the country’s databases have some kind of breach on a yearly basis and the average violation is close to $3 million in losses.

This percentage is staggeringly high given that these are only the security problems that companies are reporting. The true number may of course be a great deal higher, since the fear of negative publicity may be putting some businesses off reporting IT-related crime to the police.

Yet alongside the corrosive atmosphere of distrust there exists an equally powerful (if not more so) lobby that believes that the fixation on DBAs as villains is way out of proportion to both business and security needs – it is a fledgling campaign, which will pull the skills of the DBA into sharper focus.

‘… to drum up business for security consultants’

Dan Ford is a 29-year-old consultant DBA. Some would say he was born to the role. A thin-faced man with a spindly moustache and glasses, he has a penchant for wearing ripped T-shirts and supping real ale. He looks, and lives, like an archetypal geek.

Ford is so incensed by what he sees as the remorseless anti-DBA sentiment on the net and in the press, that he’s begun planning an offensive – a website that will be dedicated to the indispensable work database analysts do.

It may sound boring to some, but he thinks his crusade is vital in recovering a DBA’s good standing.

‘I think all this bad press is a smear campaign to discredit some of us. It’s a campaign that has come out of petty politicking and malice and one that was started to drum up business for security consultants.

‘They in turn have loaded the media against us and now it’s getting out of control. Nearly every piece you read about how to guard against security breaches, targets the DBA first. It’s bloody unfair.

‘Sure there are bent DBAs as there are bent security analysts but the media haven’t picked up on that.

‘People outside the IT industry would be surprised at just how sectarian it’s becoming. You can’t blame the consultants wanting to drum up business but I resent my job being looked down upon. Our work demands certain inherent qualities. The top one is discretion. Half the time the business media wants critiques of what is happening to an individual business’s data. But they often don’t know what they are providing a critique of, or what they are attacking. It’s blind faith and poor reporting,’ says an angry Ford.

His website will give tips to employers on how they should employ the best DBA. In short he suggests corporations should:

Screen employees to ensure they are honest and, after they’ve employed someone, pay attention to what the DBAs are doing.

‘This means reviewing log files for suspicious activities. If a DBA is doing a lot of seeks at a regular time of the day then I would wonder what is going on.

‘Businesses tend to focus on restricting access to the corporate network from exploitations coming in but they also need to pay attention to what is going out as well.

‘Extrusion solutions intercept sensitive data on its way out of a business network and either prevent it from crossing the accepted corporate boundaries or notify a designated person.

‘Best practice is to look at the total life cycle of the data: who has created it, where it’s stored, who uses it and how it is used. The reality is there is no one secret method for data protection.

‘It’s one thing to expect IT professionals to adhere to good data protection and quite another to try to get every end-user to line up behind security policy.’

That then is Ford’s view.

He’ll get around to placing these and sundry other tips to running a safe business in a couple of months’ time and hopes his ‘immensely and solidly serious’ website will be up and running by late summer.
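Ford’s tip about reviewing log files, and wondering about a DBA who does a lot of seeks at a regular time of day, can be turned into a simple detection rule. The following is an added example, not Ford’s code or anything from his planned website; the audit log format, account names and thresholds are all constructed for illustration.

```python
"""Flag database accounts whose reads cluster at one hour of the day on several days."""
from collections import Counter, defaultdict
from datetime import datetime

# Actions that read or export data; writes and grants are tracked separately (assumption).
READ_ACTIONS = {"SELECT", "COPY_OUT"}

# Constructed audit log, one event per line: "<ISO timestamp> <account> <action> <object>".
AUDIT_LOG = """\
2007-03-05T02:05:11 dba_alice SELECT customers
2007-03-05T02:06:40 dba_alice SELECT card_numbers
2007-03-05T02:07:02 dba_alice COPY_OUT card_numbers
2007-03-06T02:04:58 dba_alice SELECT customers
2007-03-06T02:05:31 dba_alice SELECT card_numbers
2007-03-06T02:06:10 dba_alice COPY_OUT card_numbers
2007-03-07T02:05:20 dba_alice SELECT customers
2007-03-07T02:06:02 dba_alice SELECT card_numbers
2007-03-07T02:06:45 dba_alice COPY_OUT card_numbers
2007-03-06T10:12:00 dba_alice SELECT orders
2007-03-07T15:40:12 dba_alice UPDATE orders
2007-03-05T09:30:00 dba_bob SELECT orders
2007-03-05T11:02:13 dba_bob SELECT customers
2007-03-06T14:15:44 dba_bob GRANT reporting_role
2007-03-06T16:20:05 dba_bob SELECT orders
"""


def parse_log(text):
    """Return a list of (timestamp, account, action, object) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, action, obj = line.split()
        events.append((datetime.fromisoformat(stamp), account, action, obj))
    return events


def flag_regular_bursts(events, min_events=6, min_share=0.6, min_days=2):
    """Return (account, hour, count, share) for accounts whose read activity is
    concentrated in a single hour of the day and recurs across several days."""
    reads_by_account = defaultdict(list)
    for stamp, account, action, _obj in events:
        if action in READ_ACTIONS:
            reads_by_account[account].append(stamp)
    flagged = []
    for account, stamps in sorted(reads_by_account.items()):
        hour, count = Counter(s.hour for s in stamps).most_common(1)[0]
        days_seen = {s.date() for s in stamps if s.hour == hour}
        share = count / len(stamps)
        if count >= min_events and share >= min_share and len(days_seen) >= min_days:
            flagged.append((account, hour, count, round(share, 2)))
    return flagged
```

Running `flag_regular_bursts(parse_log(AUDIT_LOG))` singles out `dba_alice`, whose nightly 02:00 reads of `card_numbers` make up 90% of her read activity, while `dba_bob`’s scattered daytime queries are not flagged; the thresholds are a starting point to tune against a site’s real baseline.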

‘Enterprises need help mapping database security issues to business risk’

And so we end this tussle about the probity of the typical DBA by returning to the words of Eric Ogren.

He claims that there is a large amount of unproductive time and a large amount of cash spent on monitoring DBA activity because of compliance mandates.

These diktats are fine but ‘enterprises need help mapping database security issues to business risk, regularly scanning application environments for vulnerabilities, and even discovering where all of their databases are.’

‘Then the IT,’ continues Eric, ‘can move on to such things as tightening up access paths to the database, removing passwords hard coded into applications, auditing for unauthorized privilege escalation, or even patching in a virtual data center.’

‘There are many security tasks to tackle that actually deliver greater business and security benefits. I understand the need for a technical audit function, but organizations should be able to prioritize according to business needs. Isolating the DBAs is not the most pressing security risk in any organization. The DBAs have to be part of the solution to a more secure business; they are not the problem,’ maintains Ogren.

Life is cruel and often life as a DBA is not easy. But the grievances put out by Ogren, Ford and others are a good reminder of the rifts that can tear apart an industry. There is nothing to be gained from it, especially when you remember that there is a severe IT skills shortage.