The life of a database administrator is not exactly a stroll in the park. After all, being responsible for systems that are often mission critical presents challenges at many levels.
As if that isn’t enough for the DBAs to ponder, they also know that, sometimes, the databases under their watch are likely to hold some of their organizations’ most sensitive data, which, if compromised, could have dire consequences not only for their jobs, but for the entire organization on which their friends, colleagues and families depend.
As organizations find themselves having to comply with contractual obligations such as PCI DSS and regulatory mandates such as HIPAA, Sarbanes-Oxley, GLBA and more, the information security space has grown dramatically. More frequently, organizations are training and aligning technicians to have a specific focus on security, rather than treating security as a secondary skill set. Where a solution architect or engineer brings strong skills in a particular technology, the security technician brings expertise in security. The security technician integrates with the systems architects and engineers as they develop solutions, providing valuable input during design decisions so that security is embedded within the solution where possible. Together, they develop state-of-the-art, secure IT solutions. Or, at least, that is how it is supposed to work.
When it comes to databases, many security technicians do not necessarily have the understanding that they might have with other technologies. “This, many times, places an additional burden on the DBA,” said Frank Carter of Cyntegrity Resources, which performs security assessments and provides training and consulting services. “Database concepts are complex, and if you are not living and breathing them each and every day, it might be difficult to offer security advice at the more technical level.”
While a good security technician can certainly add value, Carter has found that when a DBA knows more about security, not only does the organization benefit, but the DBA also is building a critical skill set that positions him or her very nicely in the marketplace. According to Carter, if you are a DBA and want to enhance your security knowledge, here are a few good places to start:
Understand General Security Principles
General security understanding is an essential skill set of any technologist. Yet those who are not responsible for security often believe that general security knowledge doesn’t do them any good. “That is nonsense,” Carter said. “The way organizations are looking at security, every technologist benefits by having a broad security understanding.” He recommended the knowledge base taught and tested by the CISSP exam.
Technical Certifications or Training
As DBAs know, not all databases are created equal. There are Oracle, Microsoft SQL, MySQL, etc. And though technical database certifications might not focus on security, often they do have a security component to them. If you don’t want to concentrate on the certification, focus on the security portion of the certification. Any security knowledge that you can harvest is well worth the investment.
Let’s face it: Security is a hot topic these days. It doesn’t take long to find technical security training by book, online or in the classroom. As this space grows, so does the need to secure databases and the sensitive information that lives in them. Organizations such as CSI and SANS offer a wide variety of technical security programs that are well worth the investment.
Partner up with an information security expert and make a pact: you help him or her learn about databases and he or she helps you learn about information security. The truth is that many of these information security experts would be just as excited to have a DBA as a mentor so they can expand their knowledge of databases as you might be to have them as a mentor so that you can learn more about security. Don’t take this lightly. Be picky and select quality individuals who are proven in the field. You will find that not only will you gain a friend, you will gain knowledge that will be very valuable to your organization and your career.
Security Is the Future
We’ve all read about the data breaches that occur on what seems to be a daily basis — millions of people having their personally identifiable information stolen or otherwise compromised. And we see firsthand the struggle that organizations face in complying with the regulatory and contractual mandates that often spawn from such breaches. So let’s face it; security is here for the long haul. It’s not going away, and it is going to be an important skill set for the foreseeable future.
Meanwhile, the skill sets of a good DBA are sought after and likely will be for some time. Add to it a good understanding of security, and you position yourself for a bright, and perhaps even lucrative, future.
Brian Koerner is a chief security engineer for a Fortune 500 computer services firm and author of Windows Vista Security for Dummies. He can be reached at editor (at) certmag (dot) com.