Shooting the DBA isn’t a Silver Bullet to the Cloud
We’ve all been watching numerous companies view value in bypassing the Database Administrator and other critical IT roles in an effort to get IT faster to the cloud. It may look incredibly attractive to sales, but the truth of it is, it can be like setting up land mines in your own yard.
Having the right people in the right roles, doing the right tasks is essential to having a complete cloud deployment. Easy access without any checks and balances is just asking for trouble, which I am quickly realizing as I discuss this topic with more folks on my travels. One company, who originally just sold cloud solutions, started offering audits of cloud environments. They have experienced and incredible demand for this type of review and upon inspection, discovered over 80% of existing cloud projects they audited, failed many basic security and standard environment requirements that having a Database Administrator’s involvement would have assisted in avoiding.
Some of the most common failures?
- Common best practice for multifactor authentication, often embedding credentials into the application or database layer. They often found the developers expected to address it at a later time and then never doing so due to time limitations or missing review steps.
- Weak or missing encryption at the production layer and access to critical data in non-production. This is a sore point for me, as no one needs access to critical data in a non-production environment with the number of advanced masking tools available on the market. Some will complain about the cost, but what is the cost to your company with one breach. Out of business anyone?
- APIs are often the most exposed layer of any multi-tier environment and if you’ve skipped deep penetration testing of this layer, you’re just asking to be some hacker’s weekend project.
- Account hijacking is all too common these days. There are advanced database, as well as application monitoring systems that will note potential fraudulent activity and notify those responsible. DBAs understand this responsibility, where developers goal is to build out functionality. Understand the difference in goals.
The expense of putting IT processes in place to discover and repair vulnerabilities is small compared to the potential damage and understanding why different mindsets and roles are designated for a reason is important to the success of the cloud. Even if sales is focused on getting the people who will use the product without much scrutiny doesn’t mean that IT should stop taking full advantage of the DBA role which may be standing between them and the cloud to stay in business for the long run.
Originally published at DBA Kevlar.