Behind the Numbers: Database Authentication and Authorization

Earlier this month, I posted a blog about how most companies I speak with have not implemented a modern database authentication and authorization approach. I also recommended 8 steps IT leaders can take to modernize their database management operations.

Upon reflection, I think an interesting follow-up would be to look at some numbers that further illustrate the need to put effective database authentication and authorization practices in place to secure the enterprise.

LOOK AT THE NUMBERS

Let’s create a fictitious sample company to examine, called Company X.

At the DB Survival Blog site, the accepted high-end number of instances per database server (Oracle) seems to be around 130. That is 130 unique database instances per database host.

For our sample use case below we will use just 25 instances per database server.

  • Company X provides commercial services to a national base of 30 million customers.
  • Company X has 10 core DBAs and 25 Line of Business Application DBAs.
  • Company X has 50,000 employees of which 30,000 have 3-5 database accounts.
  • Company X has 100 Database Servers each hosting 25 instances.
  • Company X is using Database Local Accounts as their IAM approach to databases.

Based on this breakdown Company X has:

  • 100 Shared DBA-Admin accounts on the hosts of the 100 Servers
  • 2,500 DB Instances
  • 25,000 Accounts dedicated to the 10 Core DBAs
  • 62,500 Accounts dedicated to 25 Line of Business Application DBAs
  • 90,000-150,000 Accounts dedicated to the employees across the 2,500 instances.

Company X has between 180,100 and 240,100 accounts, each of which must be managed as a unique account because they are DB Local accounts.

MODERNIZING THE APPROACH

If Company X moved to Global DB Accounts in their LDAP directory, they would have:

  • 1 Shared DBA-Admin account with 10 authorized users
  • 10 Accounts dedicated to the 10 Core DBAs
  • 25 Accounts dedicated to the 25 Line of Business Application DBAs
  • 30,000 User Accounts

This would result in a 60% reduction in User Account Management effort; Privileged Access Management would be very clear, and account housekeeping would be fully automated.
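To make the two tallies above reproducible, here is an added example (not from the original post) that models both inventories from the post's figures: the DB-local count per category, the directory-based count, and how many accounts must be disabled when one employee leaves. The `Enterprise` class and function names are assumptions; the local total follows the post's own convention of including the 2,500 instances in the managed-object count.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Enterprise:
    """Sizing parameters for the post's fictitious Company X."""
    servers: int              # database hosts
    instances_per_server: int
    core_dbas: int
    lob_dbas: int             # Line of Business Application DBAs
    db_users: int             # employees who hold database accounts
    accounts_per_user: tuple  # (min, max) DB accounts held per employee

    @property
    def instances(self) -> int:
        return self.servers * self.instances_per_server

def local_account_inventory(e: Enterprise) -> dict:
    """DB-local model: every DBA needs a login in every instance, each employee
    holds several instance-local logins, each host carries a shared DBA-admin
    login. The total follows the post's tally, which also counts the instances
    themselves as objects that must be managed."""
    lo, hi = e.accounts_per_user
    inv = {"shared_admin": e.servers, "instances": e.instances,
           "core_dba": e.core_dbas * e.instances,
           "lob_dba": e.lob_dbas * e.instances,
           "users_min": e.db_users * lo, "users_max": e.db_users * hi}
    base = sum(inv[k] for k in ("shared_admin", "instances", "core_dba", "lob_dba"))
    inv["total_min"] = base + inv["users_min"]
    inv["total_max"] = base + inv["users_max"]
    return inv

def directory_account_inventory(e: Enterprise) -> dict:
    """Directory (LDAP) model: one identity per person and one shared admin
    account gated by group membership, independent of the instance count."""
    inv = {"shared_admin": 1, "core_dba": e.core_dbas,
           "lob_dba": e.lob_dbas, "users": e.db_users}
    inv["total"] = sum(inv.values())
    return inv

def offboarding_touches(e: Enterprise, directory: bool) -> tuple:
    """(min, max) accounts to disable when one employee leaves: every local
    login individually, or a single directory identity."""
    return (1, 1) if directory else e.accounts_per_user

# Figures taken from the post; the (3, 5) range is the post's "3-5 accounts".
COMPANY_X = Enterprise(servers=100, instances_per_server=25, core_dbas=10,
                       lob_dbas=25, db_users=30_000, accounts_per_user=(3, 5))
```

Changing `instances_per_server` to the 130 high-end figure quoted from the DB Survival Blog shows how the local-account total scales with instance count while the directory total does not move.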

Modernizing the approach to enterprise database authentication and authorization not only reduces clutter and optimizes the IT operation, it also significantly reduces the attack surface. These simple steps then position any enterprise to further harden its security posture with Zero Trust Security.