Common Database Vulnerabilities: Missing Segregation

To segregate means to set apart. Segregation of duties (aka separation of duties) describes the action of defining and separating roles in a company or other group. The goal of segregation is to prevent fraud and manage conflict of interest. Segregation has been used in democratic governments for a long time and is also common in several business types like accounting and banking. For example, in the banking industry, you often find that a larger transaction needs to be initiated by one person and then approved by another person.

Segregation of Duties in IT

When dealing with sensitive data, many problems can be avoided by setting up a similar segregation of duties. For example, the person who is able to copy and decrypt data in the credit card table should not be the same person that can disable auditing. While following such a strict separation cannot prevent all fraudulent or malicious activities, it can greatly reduce the risk of them being executed by internal personnel. Remember, more than three quarters of all attacks come from or are enabled by internal sources.

Several regulatory laws like Sarbanes-Oxley do now require segregation of duties, and many external auditors will fail you if you do not have the roles in your organization clearly defined.

The Cost of Separation of Duties

Small businesses often do not have the manpower to implement strict separation of duties. At that point the security officer (or the person assuming that role, often the owner) has to balance the risk of not implementing the separation with the cost of hiring additional employees. There might be also ways to spread the different roles effectively amongst the existing work force. For example, if a database audit is set up correctly, it does not require any development skills to review it. Therefore, the role of internal auditor could fall on a person that was originally hired for a different skill set.

Collusion

Segregation of duties cannot prevent fraud if collusion is in play. In fact, if enough people in an organization collude to execute some form of fraud or other malicious activity, there is probably not a lot that can be done to prevent it. However, collusion requires significantly more criminal energy and is therefore less common than single person fraud.

Roles to Segregate

There are many ways to set up segregation, but the following common roles probably should be on your radar: Database Administrator, Server Administrator, Backup Operator and Security Administrator (especially if you are dealing with encryption keys). SQL Server does not always make it simple to set up segregation of duties correctly. For example, there are still many actions that require membership in the sysadmin fixed server role. However, Microsoft is continuously improving the situation and most segregation requirements can be implemented out of the box.

The time to act is now. Review the roles in your company and identify areas in which segregation is appropriate or required. Do not wait until someone misused inappropriate power.

The Most Common Database Problems

Backup Data Exposure is one of the most commonly encountered database vulnerabilities. In this series of posts, I discuss 10 of them. Below are the ones that are published so far: