Database Patching

Don’t forget about Databases!

Since SQL Server was affected by the recent Patch Tuesday, I realized that databases are a large space in the enterprise that may not have been getting the focus they need.

In many large companies a separate team (or teams) owns and manages the database engine, whether that is SQL Server, DB2, Oracle, etc. How much time has been spent on making sure that there is a solid patching plan for operating systems and networking equipment compared to major “infrastructure applications” like database engines?

Sure, you have to secure the system to have any hope of securing data and applications, but database engines are almost their own little world that rides on top of the operating system. Here’s why. Databases…

1) have their own ports they open up,

2) often have their own user management systems that may or may not tie in to your authentication directory,

3) have their own security vulnerabilities that are widely publicized,

4) are a #1 target for hackers.

Do I really need to give any more reasons that a solid lifecycle management and patching program for database engines is as critical as your patching and lifecycle management for your operating systems and networking equipment?

Surprisingly, your database engineers may be happy to get an extra push for upgrades and patches. They often want to apply them but can’t get the cooperation of their customers for testing, etc.