Database security

To paraphrase a saying, “There are no old, bold DBAs”. That’s “database administrators”, in case you were wondering, and one might go even further and say that there may not be any DBAs at all before too long. Demonstrably secure relational databases should be a thing of wonder; users who can ‘write down’ but not ‘write up’ should be revelling in the knowledge that they will never accidentally overwrite the major donor address records, let alone be able to access them; and information security officers should be rejoicing in the knowledge that their corporate databases embody the only ACID test that matters. But all this database stuff seems to have been a bit too complicated. Codd and Date must be weeping.

Our trendy web developer colleagues seem to treat the database (if we really must have one at all) as a bucket of bits to be hooked up to some web front-end, and off we go. Hey presto! Instant access via the internet to that particular piece of precious data. And what of SQL injection attacks, what of transactional integrity, and what of security?

If a security model is too complex then there is every chance that folks will find a way around it; or worse, they might ditch it completely in favour of a system that doesn’t have any security to get in the way of ‘progress’. Keep your data safe – it’s why we invented databases.