Posts Tagged ‘SOX’

dbMaestro TeamWork Provides Access Control over Oracle Databases

Tuesday, June 28th, 2011

The TeamWork security mechanism enables changes to Oracle database objects to be controlled at the Windows account and group level. TeamWork lets you define your organization’s database change policy in order to prevent undocumented database changes: to control who can do what, to control when they can do it, and to see why they did it.

When people talk about database change control, they usually mean having an accurate audit trail of database changes. However, another factor that is often even more important is the ability to prevent anyone from making unauthorized changes. TeamWork provides both: an audit trail of changes, and prevention of unauthorized changes by the DBA and IT teams.

We have found that in many of the organizations that have implemented TeamWork, developers are allowed to change database objects including packages, procedures, functions, and the content of lookup tables, while DBAs are permitted to change all objects including table structures. Likewise, QA users are only permitted to make changes in the QA environment and not in the development environment.

But, as a practical matter, all developers and all DBAs usually work with a single Oracle user account – the owner of the database objects. As a result, without TeamWork, every developer, every QA user and every DBA actually can change any object in the database at any time. TeamWork provides the ability to prevent unauthorized changes to the database structure and the data it contains, including unauthorized changes by users who do have authorization to access the database.

It is also not rare to find organizations that have the same password for the Oracle user account in all database environments: Development, Integration, QA, Pre-production and sometimes even in the Production environment. When using TeamWork, the administrator can give developers access to change packages, procedures, and functions in the Development and QA environments while restricting their access to the Production environment by only giving them access to review history.

Of course, most of our customers implement TeamWork in their Development environment before implementing it in any other environment. But we recently had one customer that had such a serious database security problem in their Production environment that they installed TeamWork in their Production environment before beginning to use it in other environments.

TeamWork provides advanced permission management capabilities that give you full control over who makes changes to your databases. This enables you to proactively prevent unauthorized modifications to database schemas and their related objects. TeamWork enables you to implement very granular access settings, giving users the right to modify only certain portions of each schema, based on their role and their responsibilities.

TeamWork not only controls the permission to make changes, it also produces an audit trail of changes to the database, correlating each change (What) with the person who made it (Who), the date and time of the change (When), and the business reason for the change (Why).

For more information on these topics, see these useful links:

Posted in General | No Comments »

Adding another layer of permissions on top of Oracle

Thursday, April 28th, 2011

In our previous post, How TeamWork Can Prevent Human Error in Production, we discussed the new Access Roles feature of dbMaestro TeamWork for Oracle™.

This new feature enables an organization to add another layer of security on top of Oracle. Usually, when developers or DBAs connect to an Oracle database, whether in the development, test or even production environment, they connect as the owner of the objects. During such a connection any object can be changed, since the owner has full permissions on its own objects.

The organization needs another layer of security, and this can be provided using TeamWork for Oracle Access Roles. With Access Roles, the organization can grant specific permissions to an Active Directory account or group.

We recommend using Active Directory groups: assign each group the right privileges in TeamWork, and add the right members to the group.

Here is an example from a real customer implementation:

This customer manages three environments: development, test and pre-production. They created the following Active Directory groups:

  • DBA – Can check out/check in any object
  • Developers – Can check out/check in only PL/SQL code (packages, functions, procedures)
  • Read-Only – Can view object history but cannot change objects
  • Release Managers – Can save versions, freeze the schema, and add or remove objects from source control

People were assigned to the relevant group in Active Directory, and each group was granted the right privileges for each environment.

For example: Developers can check out/check in only PL/SQL code (packages, functions, procedures) in the development and test environments, but in production they have Read-Only permissions.
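The problem both this post and the TeamWork access-control post above describe is that everyone connects as the one Oracle owner account, so the database itself cannot tell a developer from a DBA. The following is an added illustration, not dbMaestro’s mechanism or code: an Oracle schema-level DDL trigger that enforces a per-environment, per-object-class policy keyed on the Windows (OS) user behind the shared owner session and records Who/What/When/Why, using the group matrix from the customer example. It assumes the database name (DEV, TEST, PROD) identifies the environment, that Active Directory group membership is resolved outside the database into the rows of the constructed change_policy table, and that the client tool sets the Oracle client identifier to the work-item reference.

```sql
-- Constructed policy table: a missing row means "read-only" (deny by default).
CREATE TABLE change_policy (
  env          VARCHAR2(30)  NOT NULL,  -- DEV, TEST or PROD
  principal    VARCHAR2(128) NOT NULL,  -- Windows user name as reported in OS_USER
  object_class VARCHAR2(4)   NOT NULL,  -- CODE = packages/functions/procedures, ALL = any object
  CONSTRAINT change_policy_pk PRIMARY KEY (env, principal, object_class)
);

-- Constructed audit table: one row per attempted DDL statement, allowed or not.
CREATE TABLE change_audit (
  changed_at TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,  -- When
  os_user    VARCHAR2(128) NOT NULL,                   -- Who (Windows account behind the shared login)
  event      VARCHAR2(30)  NOT NULL,                   -- What: CREATE / ALTER / DROP ...
  obj_type   VARCHAR2(30),
  obj_name   VARCHAR2(128),
  reason     VARCHAR2(64),                             -- Why: work-item id set by the client tool
  allowed    CHAR(1)       NOT NULL
);

-- Sample policy matching the post: alice (Developers group) may change PL/SQL code in
-- DEV and TEST and has no PROD row, so PROD is read-only for her; bob (DBA) may change anything.
INSERT INTO change_policy VALUES ('DEV',  'alice', 'CODE');
INSERT INTO change_policy VALUES ('TEST', 'alice', 'CODE');
INSERT INTO change_policy VALUES ('DEV',  'bob',   'ALL');
INSERT INTO change_policy VALUES ('PROD', 'bob',   'ALL');

-- Autonomous transaction so the audit row survives when the DDL itself is rejected.
CREATE OR REPLACE PROCEDURE log_change(p_os_user VARCHAR2, p_event VARCHAR2,
    p_obj_type VARCHAR2, p_obj_name VARCHAR2, p_reason VARCHAR2, p_allowed CHAR) IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO change_audit (os_user, event, obj_type, obj_name, reason, allowed)
  VALUES (p_os_user, p_event, p_obj_type, p_obj_name, p_reason, p_allowed);
  COMMIT;
END;
/

CREATE OR REPLACE TRIGGER enforce_change_policy
BEFORE DDL ON SCHEMA
DECLARE
  v_env     VARCHAR2(30)  := SYS_CONTEXT('USERENV', 'DB_NAME');           -- assumed: DB name = environment
  v_os_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'OS_USER');
  v_reason  VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'); -- set via DBMS_SESSION.SET_IDENTIFIER
  v_class   VARCHAR2(4);
  v_hits    PLS_INTEGER;
BEGIN
  -- Classify the target: PL/SQL code is CODE; tables, indexes, triggers etc. need ALL,
  -- so only a DBA principal can alter or drop this trigger or the policy tables.
  IF ora_dict_obj_type IN ('PACKAGE', 'PACKAGE BODY', 'FUNCTION', 'PROCEDURE') THEN
    v_class := 'CODE';
  ELSE
    v_class := 'ALL';
  END IF;
  SELECT COUNT(*) INTO v_hits FROM change_policy
   WHERE env = v_env AND principal = v_os_user
     AND object_class IN ('ALL', v_class);
  log_change(v_os_user, ora_sysevent, ora_dict_obj_type, ora_dict_obj_name, v_reason,
             CASE WHEN v_hits > 0 THEN 'Y' ELSE 'N' END);
  IF v_hits = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, v_os_user || ' is not permitted to ' || ora_sysevent
      || ' ' || ora_dict_obj_type || ' in ' || v_env);
  END IF;
END;
/
```

OS_USER is whatever the client process reports, so it identifies but does not authenticate the Windows account unless the session itself is externally authenticated; a mechanism that sits outside the shared owner session, as the post describes, avoids that dependency.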

You are welcome to contact us to hear how you can add another layer of security in your organization, just send us an email to sales@dbmaestro.com.

Posted in General | No Comments »

TeamWork 2.8.2 has been released!

Tuesday, April 5th, 2011

We are proud to release a new version of dbMaestro Teamwork™. Some of the exciting new features include:

  • The TeamWork SideBar now remembers its settings (location and size) on exit.
  • Adding a new schema to TeamWork on a new database lets you choose the tablespace for the dbMaestro_TeamWork schema.
  • Added support for managing table content with more than 32 columns.
  • Access roles now support Active Directory groups.

Additional fixes in this new version include:

  • Improvements to the deployment script, including support for values that contain NUL.
  • Support for saving passwords that contain special characters.
  • Performance improvements across the product.
  • Unique and non-unique indexes are now distinguished, and the correct DDL commands are generated to reflect the change.
Posted in General, Release Updates | No Comments »

Breezing Through a Compliance Audit

Thursday, March 31st, 2011

Compliance audit – a veritable nightmare. No one loves an audit; no one wants to be in the hot seat. But compliance is a major issue, and it continues to be one of the topmost priorities for IT organizations. And there is no end in sight for the foreseeable future.

Hopefully, you will not face an audit. But if and when you do, you had better be able to account for your data, including what changes were made to the database, when and by whom they were made, and for what reason.
Because SCM solutions do not track database changes or provide audit trails for them, this can be a real problem. Just where will the needed details come from? And an audit is not the time to rely entirely on memory to explain database changes.

The solution? dbMaestro TeamWork for Oracle™.

TeamWork enables IT organizations to meet their compliance requirements for their Oracle databases, including COBIT (Control Objectives for Information and related Technology) and Gramm-Leach-Bliley Act (GLBA) compliance requirements.
Does the auditor want to know what changes were made to the database? TeamWork’s database version control and auditing save and track every version of every database change.

Does the auditor want to know the reason for the change and/or who made the changes? TeamWork integrates with major software configuration management products, such as IBM Rational Team Concert® and Microsoft Team Foundation Server®. Through this integration, changes to an application’s database can be linked to a work item or change set, which identifies the reason for the change and the person responsible.

TeamWork provides you access to a reliable audit trail for the managed database object definitions as well as the ability to manage content. In fact, using proven change management methodologies at the database level, TeamWork becomes an integral part of the development process.

It enforces compliance with change policy through all stages of the development process, from development through testing to production:
* Changes to database objects must be documented and approved
* The audit trail of object changes must be reviewed
* Database changes made in development must be deployed to testing and production

So before you face a compliance audit, implement dbMaestro TeamWork for Oracle™. And then relax. And breeze through the audit.

Posted in General | No Comments »

Using traditional SCM repositories for database code does not provide the same level of control

Tuesday, February 15th, 2011

SCM repository solutions are designed to provide versioning of application code, security against out-of-process changes to applications, and to facilitate the deployment of changes to testing environments and to production. Most SCM repositories can be used for versioning of database code using scripts. The problem with this approach is that, unlike application code, where the repository is the only source of the code, database code can be retrieved and changed at any time directly in the database system, bypassing the SCM repository and its controls.

The only way to have secure, process-controlled versioning and deployment of database changes is to have the control and versioning done within the database itself. If this database change control approach is used AND integrated into the SCM repository, you achieve the same level of control for application source code changes and the related database changes. You are also able to promote changes to both code and database to a testing environment and ultimately to production in the same well-controlled process.

Until recently, there were no solutions available to support this more complete overall SCM process. But now there is a solution from dbMaestro for Oracle databases. dbMaestro TeamWork now provides complete SCM control over database changes AND integrates with application code SCM solutions for better overall control of an organization’s application changes.

To read more about this, please see a white paper discussing Traditional SCM and the database dilemma.

Posted in General | 1 Comment »

What You Need to Monitor: Access to Live Production Systems

Thursday, January 13th, 2011

Users of all types interact with a database, and each kind of user poses different and specific risks. Gartner believes that database developers, system administrators, and system analysts pose the greatest threats, because “these technically skilled individuals often have the ability to access or change systems that are in live production, which can result in poor performance, system crashes and, in some cases, security vulnerabilities.”

Companies need to be concerned about access to live production systems, according to Gartner, who recommends that access to these environments be conducted only via standard user accounts.  But, the analyst firm claims, many users of this type frequently violate this rule by using two accounts.  The risks associated with this include system instability and a higher potential for crashes, as well as ineffective permission control which could result in unauthorized access to sensitive or confidential information.

A comprehensive, next-generation database change management environment, like dbMaestro TeamWork™, is the ideal solution for this potential problem.  By incorporating locking functionality directly into the database itself, TeamWork delivers maximum security that cannot be bypassed under any circumstances.  No matter what type of connection is used, which program is being utilized to retrieve the information, or who is attempting to update the data, TeamWork can help provide greater control over access to live production systems.

Want to learn about other areas of database administration that need to be carefully tracked?  Read our past posts on changes to database information, use of unapproved channels by privileged users, modification of database schemas, addition or alteration of user accounts, and retrieval of data via unauthorized channels.

Posted in General | No Comments »

What You Need to Monitor: Retrieval of Data via Unauthorized Channels

Wednesday, January 12th, 2011

When it comes to database security, it is not only the actions of DBAs and super-users that must be watched.  Companies must also closely monitor how end users leverage the database.  This is particularly important when it comes to the retrieval of the data contained within that repository.

Gartner is particularly concerned about end users who access data through inappropriate or unapproved channels.  The analyst states that, “This problem is similar to that for privileged users, but the risk is somewhat different. End users sometimes access data directly, without using the approved applications or channels. They sometimes do this simply for convenience. But the result may be undetected changes to data that seriously impacts availability and data integrity.”

What do they recommend?  That organizations implement “detective security measures to determine whether end users are trying to bypass proper channels”.  For example, are end users attempting to go directly to the database, to either view, add, or alter database information, without going through existing application-level controls?

dbMaestro TeamWork™ can help. As we discussed in prior posts, our powerful database version control solution includes a unique locking capability that is an inherent part of the database itself, so it cannot be overridden or bypassed in any way. Therefore, it can optimize security by capturing details about how data is retrieved or altered, regardless of the connection type, the application, or the client.

Refer to earlier posts in the series, where we highlighted other areas of database administration that need to be closely monitored, including changes to database information, use of unapproved channels by privileged users, modification of database schemas, and addition or alteration of user accounts.

Posted in General | 2 Comments »

What You Need to Monitor: Unauthorized Addition or Modification of User Accounts

Thursday, January 6th, 2011

While the majority of database administrators and other privileged users are good, honest professionals, a company still needs to protect itself.  For example, according to Gartner, “a DBA or other privileged user who knows his own activities are audited and logged could create an account in a fictitious name, use a dormant account, or change a valid account to give it higher levels of access. The new or altered account could then be used to access or change data, and then be deleted so that no one knows the inappropriate activity has taken place.”

Techniques like these are no secret to savvy DBAs, who are well aware of the potential security access holes in today’s RDBMS systems.  Businesses need to watch closely, and put the appropriate mechanisms in place, to ensure the proactive prevention of breaches, identity theft, and similar problems.

But, in order to perform the proper monitoring, companies need a solution that seamlessly integrates with the database engine, so it cannot be bypassed in any way.  This will ensure that all update activities are always captured, regardless of which user account is being utilized to make the changes.

dbMaestro TeamWork™ is a robust, next-generation Oracle database change management solution that provides a powerful locking facility.  Because this locking feature is not affected by the level of security permission of the user making the alterations, it can capture any change, made by any user.  Therefore, inappropriate or unauthorized actions are always immediately detected, before they create problems with database performance.

Read our previous posts to learn more about other areas of database administration that need to be closely monitored, including changes to database information, use of unapproved channels, and modification of database schemas.

Posted in General | 4 Comments »

Compliance and Database Change Management

Thursday, November 4th, 2010

Organizations have gotten quite proficient at ensuring compliance in their application development activities.  With one exception – the underlying database.  Few companies really consider their databases when automating key activities in the application creation process.  For example, they haven’t implemented a comprehensive next-generation database deployment solution.  Therefore, their Oracle database change management procedures are often non-compliant.

This approach, however, can create many problems.  First, it places an unnecessary burden on database administrators (DBAs), who are often called on to produce compliance reports for both internal and external audits.  Because database version control has not been effectively incorporated into compliance procedures for software development, they must scramble to gather the needed information for compliance reporting purposes, often collecting and compiling it by hand, or by manually triggering a series of semi-automated routines.

Second, it indirectly impacts compliance in a negative way. For example, Sarbanes-Oxley (SOX) is all about ensuring the integrity and consistency of the information contained in financial reports. While applications, such as the reporting tools that gather, aggregate, and display those reports, are an important part of SOX adherence, the data itself, and thus the database that houses it, is just as critical. An inability to track and manage changes made to database structures and other objects, or a lack of control over who accesses database elements, can lead to non-adherence.

The key to extending formal compliance to not only your applications, but the associated databases, is through the use of an innovative, next-generation Oracle db change management solution, like dbMaestro TeamWork™, that leverages the proven principles of software change management, and applies them to the database.

Posted in General | No Comments »

Fully Leveraging Knowledge About Database Changes

Monday, October 25th, 2010

An Oracle database change management solution, dbMaestro TeamWork™, provides database administrators (DBAs) and developers with the ability to create a comprehensive audit trail of their changes.  They can instantly capture and maintain critical details about database configuration management activities.  For example, they can track what modifications were made, why they were made (i.e. the business reason behind the alteration), when they were made, and who they were made by.

The audit capabilities delivered by the Oracle db change management solution dbMaestro TeamWork™ offer many significant benefits. First, they enable all key stakeholders to track important activities. This is important for ensuring that all internal policies and procedures are followed when making changes to databases, and that all conflicts and other issues are addressed appropriately. They also help to preserve the performance and integrity of production databases, letting DBAs and other stakeholders see, before changes are deployed, what problems may exist that could negatively impact the live application.

But, perhaps most importantly, these audit trails help to facilitate compliance with such important regulatory guidelines as Sarbanes-Oxley. By keeping an in-depth record of all alterations and modifications, companies can adhere to even the most rigid standards and laws.

But while this functionality is quite important, it alone is often not enough.  In order to deliver true value, a database version control solution must not only collect knowledge, it must fully leverage the insight that has been captured.  This is particularly important when it comes to such critical tasks as building the database deployment script.

Advanced, next-generation Oracle db change management solutions such as dbMaestro TeamWork™ can automatically convert that change information into a tangible asset: a complete deployment script. Cumbersome, error-prone manual work is eliminated and replaced with rapid, dynamic, and accurate script generation. This not only ensures consistency and quality across databases as alterations and modifications are implemented, it increases the productivity of database teams and accelerates deployments.

Posted in General | No Comments »