Moore's Law has afforded IT shops many benefits. Through strategies such as virtualization and consolidation, the cost of many things can now be lowered -- server hardware, software licenses and even labor -- but those benefits have led to an increasing cost of incident, possibly making privileged user management more important now than ever.
The idea was brought to me when I was in Denver last month at the Collaborate conference for Oracle user groups. Paul Vallée, founder of Ottawa, Ontario, Canada-based database consultancy Pythian, spoke with Pythian Chief Technology Officer Alex Gorbachev at a session on the topic. Vallée explained that when a company's database infrastructure is spread out across dozens of server nodes, if one goes down, it represents just a fraction of the total infrastructure. But since Moore's Law allows organizations to cram more into their servers, downtime can be more costly.
"Whereas you may have needed 30 DBAs [database administrators] before, you might only need three now," Vallée said. "But they have to be really great DBAs, not just in terms of being technically brilliant, but also being really well organized."
Vallée said organizations should follow the precept that former President Ronald Reagan made popular when talking about the former Soviet Union -- "doveryai, no proveryai"; trust, but verify. That is, trust your highest DBAs with responsibility, but make sure they don't abuse it.
According to Gartner, privileged user management is one of nine critical capabilities of database audit and protection. In a March report, Gartner wrote that access by highly privileged users such as DBAs is a major concern for auditors.
"Privileged accounts are a prime source for misuse, fraud or targeted attacks," the report said. "Therefore, regulators will require detailed monitoring and auditing of these user accounts."
The report added that preventing or blocking privileged users is difficult because it can be hard to tell the difference between legitimate access from malicious or mistaken activity, and therefore recommended strict privileged user management and monitoring.
And it's an issue companies are concerned about. A Forrester survey at the end of last year showed 42% of organizations have implemented or plan to implement privileged user identity management in the next year.
This was the issue Pythian was running into head on, and not just recently. It started working on the problem back in 2006. Vallée said the company delivers almost a "person-year of DBA work" every day. Its employees have root/DBA access to several thousands of systems for several hundreds of customers for which it does remote DBA work. So privileged user management is crucial, not only to protect its clients, but to protect Pythian itself.
While there is database audit software out there -- Oracle Audit Vault, for example -- those with root access can still hide malicious activities. So Pythian started building something it now calls Adminiscope. The basics of how it works are: a Pythian DBA engineer connects to a customer's database through virtual desktop infrastructure with an authentication gateway. Everything that DBA does from then on is video recorded and can be watched by a security admin live, who can pause or stop a session if the DBA does something he shouldn't, or after the fact to perform root cause analysis.
"Ultimately it's about accountability and transparency," Vallée said. "You can't deny that you did something, but at the same time, you can also prove that you didn't do something."
In today's age of big data and advanced analytics, companies can take measures beyond passive privilege user management and surveillance, moving into active intrusion and error prevention based on the recording of video and keystrokes. Pythian now runs Adminiscope for its clients, and will offer it as a standalone product later this year. In the meantime, what are you doing to handle privileged user management for your DBAs?