The most common question I hear about Database Accounts is, “Can your solution vault Database Service and other Privileged Database Accounts?”
Every time I hear this question, a voice in the back of my head wants to ask, “Have you implemented modern approaches to Database Authentication and Authorization Management?”
See the real problem is the majority of Databases and the hosted Database Instances still have legacy Database Authentication and Authorization methodologies applied to them, so we are trying to apply a band-aid to the issue by reaching into the databases and vault the DB local accounts.
THREE DATABASE APPROACHES
Let’s set the table for this conversation. Databases authentication and authorization have three achievable implementation approaches:
- Database Local: at the instance level
- Host Local: the Server hosting the Database
- Global: centralized LDAP
These three approaches sound a lot like how Windows Member Servers and Unix/Linux Servers can be configured, and some of the same conclusions should be made.
For example, duplicated Administrative, Service, Application, and Users Accounts magnify the attack surface. These duplicated accounts increase the costs of Identity and Access Management, account and password management, provisioning, de-provisioning, as well as reapproval reviews. This does not even consider the complexity associated with monitoring and alerting.
So why haven’t Database Administrators (DBAs), IT Leaders, and Auditors prioritized these architectural improvements? In no specific order, because of complexity, lack of understanding, and misinformation. This is not a “wink-and-a-nod” process. It will take planning, commitment, persistent execution, and project monitoring.
A BIG PROBLEM?
Many DBAs have masked these problems, because they are intelligent and well-organized people. They use automation to compensate for the cost of ownership and when that is not enough organization off-shore some of the remedial work.
How big is the problem? Find your Database Architect or DBA Lead and have them produce a report which shows how many accounts exist per database instance. The report should capture the total number of Databases, Databases Instances, and Users per Instance. Remind them not to deduplicate the report, because this will skew the number.
The numbers can be staggering, in a recent engagement I saw more than 1 million user accounts on databases for the company of less than 100,000 associates and contractors.
WHAT TO DO?
So, what should IT Leaders and Database Teams do?
- Document the scope of the problem
- Develop a strategy for externalizing authentications and authorizations for all Databases.
- Communicate the strategy to all levels of leadership, including process improvements associated with Identity and Access Management as well as Monitoring and Alerting
- Communicate the execution strategy to all levels of leadership, because this will change business process and onboarding, the level of effort associated with annual re-approvals, and include the Audit teams, as this will reduce the Audit effort and process
- You will find you end up with two clear work streams: all new deployments, and all upgrades. The latter takes considerable planning because one Database Server may contain many instances
- Create a scorecard for leaders which shows progress on a quarterly basis
- All change management processes need to clearly identify when the change is associated with strategy. This keeps the project front and center.
- Stay committed. These changes will improve not only the total cost of Database administration but also the total costs IAM and Cybersecurity processes. The business payback is a single person with a single account associated with their access. Also, vaulting any account becomes a simple process.
All the major companies who sell database products detail how to implement Global Accounts. Oracle provides the most concise advice: Reference: Oracle Security Guide for Oracle 11G Release 2. https://docs.oracle.com/cd/E18283_01/network.112/e16543/authentication.htm
Also, this is not just about vaulting privileged accounts, which is a critical component of Zero Trust Security. You will reduce the attack surface, simplify questions about who has access to what, reduce the effort of account management on the business users, and reduce the overall cost of database implementation and administration. Last but not least, have a consistent approach to introducing a new database to the community of users.
Centrify solutions can help with these architectural changes, and yes there are a lot of ways organizations can make these changes at an accelerated rate. My guidance is this: if you know your organization’s appetite for change, leverage it, and your change acceptance will improve.
Thank you for reading this blog. Your comments and feedback are welcome.