Are the posted questions getting worse?

  • Is it me, or is it at least once a week minimum someone posts a "How do I keep the DBA / Sysadmin from doing / viewing certain things" type question?

  • jasona.work (2/12/2015)


    Is it me, or is it at least once a week minimum someone posts a "How do I keep the DBA / Sysadmin from doing / viewing certain things" type question?

    Where is it this time?

    And my answer to that question: Pink Slip.

    Brandie Tarvin, MCITP Database Administrator
    LiveJournal Blog: http://brandietarvin.livejournal.com/
    On LinkedIn!, Google+, and Twitter.
    Freelance Writer: Shadowrun
    Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

  • Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Is it me, or is it at least once a week minimum someone posts a "How do I keep the DBA / Sysadmin from doing / viewing certain things" type question?

    Where is it this time?

    And my answer to that question: Pink Slip.

    Gail already took care of it, told the poster that to keep the DBA from viewing certain data, they'd need to encrypt said data.

  • jasona.work (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Is it me, or is it at least once a week minimum someone posts a "How do I keep the DBA / Sysadmin from doing / viewing certain things" type question?

    Where is it this time?

    And my answer to that question: Pink Slip.

    Gail already took care of it, told the poster that to keep the DBA from viewing certain data, they'd need to encrypt said data.

    It actually is a valid question given the amount of identity and data theft we've seen over the past decade. Especially from the disgruntled / greedy employee circuit. Somebody has to be Sysadmin, but that doesn't necessitate them being able to see bank records or tax IDs (etc.).

    Brandie Tarvin, MCITP Database Administrator
    LiveJournal Blog: http://brandietarvin.livejournal.com/
    On LinkedIn!, Google+, and Twitter.
    Freelance Writer: Shadowrun
    Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

  • Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Is it me, or is it at least once a week minimum someone posts a "How do I keep the DBA / Sysadmin from doing / viewing certain things" type question?

    Where is it this time?

    And my answer to that question: Pink Slip.

    Gail already took care of it, told the poster that to keep the DBA from viewing certain data, they'd need to encrypt said data.

    It actually is a valid question given the amount of identity and data theft we've seen over the past decade. Especially from the disgruntled / greedy employee circuit. Somebody has to be Sysadmin, but that doesn't necessitate them being able to see bank records or tax IDs (etc.).

    My 2Cents, a DBA that cannot see the data is as useless as a blind driver, alternative measures have to be in place such as

    1) pay them well enough

    2) keep them happy

    3) audit everything

    4) bullet proof NDAs

    ...etc....

    Obviously it goes without saying that the sensitive data must be encrypted/protected as necessary. Insider threats (such as DBAs) cannot be mitigated with a technology only approach.

    😎

  • Eirikur Eiriksson (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Is it me, or is it at least once a week minimum someone posts a "How do I keep the DBA / Sysadmin from doing / viewing certain things" type question?

    Where is it this time?

    And my answer to that question: Pink Slip.

    Gail already took care of it, told the poster that to keep the DBA from viewing certain data, they'd need to encrypt said data.

    It actually is a valid question given the amount of identity and data theft we've seen over the past decade. Especially from the disgruntled / greedy employee circuit. Somebody has to be Sysadmin, but that doesn't necessitate them being able to see bank records or tax IDs (etc.).

    My 2Cents, a DBA that cannot see the data is as useless as a blind driver, alternative measures have to be in place such as

    1) pay them well enough

    2) keep them happy

    3) audit everything

    4) bullet proof NDAs

    ...etc....

    Obviously it goes without saying that the sensitive data must be encrypted/protected as necessary. Insider threats (such as DBAs) cannot be mitigated with a technology only approach.

    😎

    Last time I went to a security lecture, the recommendation was that the DBA should not be able to see any data except in an emergency. During said emergency a separate computer would be used by a minimum of 2 DBAs at a time, each of whom was entrusted with half the password. The password is randomly created at each use.

    The dedicated machine is keystroke audited (along with other auditing).

    --------------------------------------
    When you encounter a problem, if the solution isn't readily evident go back to the start and check your assumptions.
    --------------------------------------
    It’s unpleasantly like being drunk.
    What’s so unpleasant about being drunk?
    You ask a glass of water. -- Douglas Adams

  • Sioban Krzywicki (2/12/2015)


    Eirikur Eiriksson (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Is it me, or is it at least once a week minimum someone posts a "How do I keep the DBA / Sysadmin from doing / viewing certain things" type question?

    Where is it this time?

    And my answer to that question: Pink Slip.

    Gail already took care of it, told the poster that to keep the DBA from viewing certain data, they'd need to encrypt said data.

    It actually is a valid question given the amount of identity and data theft we've seen over the past decade. Especially from the disgruntled / greedy employee circuit. Somebody has to be Sysadmin, but that doesn't necessitate them being able to see bank records or tax IDs (etc.).

    My 2Cents, a DBA that cannot see the data is as useless as a blind driver, alternative measures have to be in place such as

    1) pay them well enough

    2) keep them happy

    3) audit everything

    4) bullet proof NDAs

    ...etc....

    Obviously it goes without saying that the sensitive data must be encrypted/protected as necessary. Insider threats (such as DBAs) cannot be mitigated with a technology only approach.

    😎

    Last time I went to a security lecture, the recommendation was that the DBA should not be able to see any data except in an emergency. During said emergency a separate computer would be used by a minimum of 2 DBAs at a time, each of whom was entrusted with half the password. The password is randomly created at each use.

    The dedicated machine is keystroke audited (along with other auditing).

    That seems like an awful lot of pain and is riddled with holes, such as who would set the password to begin with.

    Wouldn't it be easier to find a DBA that's trustworthy and implement Eirikur's list above?

  • Ed Wagner (2/12/2015)


    Sioban Krzywicki (2/12/2015)


    Eirikur Eiriksson (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Is it me, or is it at least once a week minimum someone posts a "How do I keep the DBA / Sysadmin from doing / viewing certain things" type question?

    Where is it this time?

    And my answer to that question: Pink Slip.

    Gail already took care of it, told the poster that to keep the DBA from viewing certain data, they'd need to encrypt said data.

    It actually is a valid question given the amount of identity and data theft we've seen over the past decade. Especially from the disgruntled / greedy employee circuit. Somebody has to be Sysadmin, but that doesn't necessitate them being able to see bank records or tax IDs (etc.).

    My 2Cents, a DBA that cannot see the data is as useless as a blind driver, alternative measures have to be in place such as

    1) pay them well enough

    2) keep them happy

    3) audit everything

    4) bullet proof NDAs

    ...etc....

    Obviously it goes without saying that the sensitive data must be encrypted/protected as necessary. Insider threats (such as DBAs) cannot be mitigated with a technology only approach.

    😎

    Last time I went to a security lecture, the recommendation was that the DBA should not be able to see any data except in an emergency. During said emergency a separate computer would be used by a minimum of 2 DBAs at a time, each of whom was entrusted with half the password. The password is randomly created at each use.

    The dedicated machine is keystroke audited (along with other auditing).

    That seems like an awful lot of pain and is riddled with holes, such as who would set the password to begin with.

    Wouldn't it be easier to find a DBA that's trustworthy and implement Eirikur's list above?

    It is also hard if you only have one DBA. :-)

  • djj (2/12/2015)


    Ed Wagner (2/12/2015)


    Sioban Krzywicki (2/12/2015)


    Eirikur Eiriksson (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Is it me, or is it at least once a week minimum someone posts a "How do I keep the DBA / Sysadmin from doing / viewing certain things" type question?

    Where is it this time?

    And my answer to that question: Pink Slip.

    Gail already took care of it, told the poster that to keep the DBA from viewing certain data, they'd need to encrypt said data.

    It actually is a valid question given the amount of identity and data theft we've seen over the past decade. Especially from the disgruntled / greedy employee circuit. Somebody has to be Sysadmin, but that doesn't necessitate them being able to see bank records or tax IDs (etc.).

    My 2Cents, a DBA that cannot see the data is as useless as a blind driver, alternative measures have to be in place such as

    1) pay them well enough

    2) keep them happy

    3) audit everything

    4) bullet proof NDAs

    ...etc....

    Obviously it goes without saying that the sensitive data must be encrypted/protected as necessary. Insider threats (such as DBAs) cannot be mitigated with a technology only approach.

    😎

    Last time I went to a security lecture, the recommendation was that the DBA should not be able to see any data except in an emergency. During said emergency a separate computer would be used by a minimum of 2 DBAs at a time, each of whom was entrusted with half the password. The password is randomly created at each use.

    The dedicated machine is keystroke audited (along with other auditing).

    That seems like an awful lot of pain and is riddled with holes, such as who would set the password to begin with.

    Wouldn't it be easier to find a DBA that's trustworthy and implement Eirikur's list above?

    It is also hard if you only have one DBA. :-)

    Just cut him in half :hehe:

    Luis C.
    General Disclaimer:
    Are you seriously taking the advice and code from someone from the internet without testing it? Do you at least understand it? Or can it easily kill your server?

    How to post data/code on a forum to get the best help: Option 1 / Option 2
  • Ed Wagner (2/12/2015)


    Sioban Krzywicki (2/12/2015)


    Eirikur Eiriksson (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Is it me, or is it at least once a week minimum someone posts a "How do I keep the DBA / Sysadmin from doing / viewing certain things" type question?

    Where is it this time?

    And my answer to that question: Pink Slip.

    Gail already took care of it, told the poster that to keep the DBA from viewing certain data, they'd need to encrypt said data.

    It actually is a valid question given the amount of identity and data theft we've seen over the past decade. Especially from the disgruntled / greedy employee circuit. Somebody has to be Sysadmin, but that doesn't necessitate them being able to see bank records or tax IDs (etc.).

    My 2Cents, a DBA that cannot see the data is as useless as a blind driver, alternative measures have to be in place such as

    1) pay them well enough

    2) keep them happy

    3) audit everything

    4) bullet proof NDAs

    ...etc....

    Obviously it goes without saying that the sensitive data must be encrypted/protected as necessary. Insider threats (such as DBAs) cannot be mitigated with a technology only approach.

    😎

    Last time I went to a security lecture, the recommendation was that the DBA should not be able to see any data except in an emergency. During said emergency a separate computer would be used by a minimum of 2 DBAs at a time, each of whom was entrusted with half the password. The password is randomly created at each use.

    The dedicated machine is keystroke audited (along with other auditing).

    That seems like an awful lot of pain and is riddled with holes, such as who would set the password to begin with.

    Wouldn't it be easier to find a DBA that's trustworthy and implement Eirikur's list above?

    Password is software generated, IIRC

    It is hard enough to find a DBA that knows what they're doing, now you want trustworthy too? : -)

    Seriously though, that's really hard to know from an interview.

    I laughed through most of the presentation because it required so many more resources than ANY place I'd ever worked had. Not least of which: time.

    I kept thinking "Yep, that sure would be secure. Good luck finding more than a handful of companies that can/would do this."

    --------------------------------------
    When you encounter a problem, if the solution isn't readily evident go back to the start and check your assumptions.
    --------------------------------------
    It’s unpleasantly like being drunk.
    What’s so unpleasant about being drunk?
    You ask a glass of water. -- Douglas Adams

  • Sioban Krzywicki (2/12/2015)


    Ed Wagner (2/12/2015)


    Sioban Krzywicki (2/12/2015)


    Eirikur Eiriksson (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Is it me, or is it at least once a week minimum someone posts a "How do I keep the DBA / Sysadmin from doing / viewing certain things" type question?

    Where is it this time?

    And my answer to that question: Pink Slip.

    Gail already took care of it, told the poster that to keep the DBA from viewing certain data, they'd need to encrypt said data.

    It actually is a valid question given the amount of identity and data theft we've seen over the past decade. Especially from the disgruntled / greedy employee circuit. Somebody has to be Sysadmin, but that doesn't necessitate them being able to see bank records or tax IDs (etc.).

    My 2Cents, a DBA that cannot see the data is as useless as a blind driver, alternative measures have to be in place such as

    1) pay them well enough

    2) keep them happy

    3) audit everything

    4) bullet proof NDAs

    ...etc....

    Obviously it goes without saying that the sensitive data must be encrypted/protected as necessary. Insider threats (such as DBAs) cannot be mitigated with a technology only approach.

    😎

    Last time I went to a security lecture, the recommendation was that the DBA should not be able to see any data except in an emergency. During said emergency a separate computer would be used by a minimum of 2 DBAs at a time, each of whom was entrusted with half the password. The password is randomly created at each use.

    The dedicated machine is keystroke audited (along with other auditing).

    That seems like an awful lot of pain and is riddled with holes, such as who would set the password to begin with.

    Wouldn't it be easier to find a DBA that's trustworthy and implement Eirikur's list above?

    Password is software generated, IIRC

    It is hard enough to find a DBA that knows what they're doing, now you want trustworthy too? : -)

    Seriously though, that's really hard to know from an interview.

    I laughed through most of the presentation because it required so many more resources than ANY place I'd ever worked had. Not least of which: time.

    I kept thinking "Yep, that sure would be secure. Good luck finding more than a handful of companies that can/would do this."

    I recognize what you are saying and agree to the extent of WYPIWYG or What You Pay Is What You Get. There are known methods of separating the grain from the husks, applicable for DBAs too.

    😎

  • Luis Cazares (2/12/2015)


    djj (2/12/2015)


    Ed Wagner (2/12/2015)


    Sioban Krzywicki (2/12/2015)


    Eirikur Eiriksson (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Is it me, or is it at least once a week minimum someone posts a "How do I keep the DBA / Sysadmin from doing / viewing certain things" type question?

    Where is it this time?

    And my answer to that question: Pink Slip.

    Gail already took care of it, told the poster that to keep the DBA from viewing certain data, they'd need to encrypt said data.

    It actually is a valid question given the amount of identity and data theft we've seen over the past decade. Especially from the disgruntled / greedy employee circuit. Somebody has to be Sysadmin, but that doesn't necessitate them being able to see bank records or tax IDs (etc.).

    My 2Cents, a DBA that cannot see the data is as useless as a blind driver, alternative measures have to be in place such as

    1) pay them well enough

    2) keep them happy

    3) audit everything

    4) bullet proof NDAs

    ...etc....

    Obviously it goes without saying that the sensitive data must be encrypted/protected as necessary. Insider threats (such as DBAs) cannot be mitigated with a technology only approach.

    😎

    Last time I went to a security lecture, the recommendation was that the DBA should not be able to see any data except in an emergency. During said emergency a separate computer would be used by a minimum of 2 DBAs at a time, each of whom was entrusted with half the password. The password is randomly created at each use.

    The dedicated machine is keystroke audited (along with other auditing).

    That seems like an awful lot of pain and is riddled with holes, such as who would set the password to begin with.

    Wouldn't it be easier to find a DBA that's trustworthy and implement Eirikur's list above?

    It is also hard if you only have one DBA. :-)

    Just cut him in half :hehe:

    Mitad DataBase Administrator or DataBase Mitad Administrator, how would you put it?:w00t:

    😎

  • Sioban Krzywicki (2/12/2015)


    Ed Wagner (2/12/2015)


    Sioban Krzywicki (2/12/2015)


    Eirikur Eiriksson (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Is it me, or is it at least once a week minimum someone posts a "How do I keep the DBA / Sysadmin from doing / viewing certain things" type question?

    Where is it this time?

    And my answer to that question: Pink Slip.

    Gail already took care of it, told the poster that to keep the DBA from viewing certain data, they'd need to encrypt said data.

    It actually is a valid question given the amount of identity and data theft we've seen over the past decade. Especially from the disgruntled / greedy employee circuit. Somebody has to be Sysadmin, but that doesn't necessitate them being able to see bank records or tax IDs (etc.).

    My 2Cents, a DBA that cannot see the data is as useless as a blind driver, alternative measures have to be in place such as

    1) pay them well enough

    2) keep them happy

    3) audit everything

    4) bullet proof NDAs

    ...etc....

    Obviously it goes without saying that the sensitive data must be encrypted/protected as necessary. Insider threats (such as DBAs) cannot be mitigated with a technology only approach.

    😎

    Last time I went to a security lecture, the recommendation was that the DBA should not be able to see any data except in an emergency. During said emergency a separate computer would be used by a minimum of 2 DBAs at a time, each of whom was entrusted with half the password. The password is randomly created at each use.

    The dedicated machine is keystroke audited (along with other auditing).

    That seems like an awful lot of pain and is riddled with holes, such as who would set the password to begin with.

    Wouldn't it be easier to find a DBA that's trustworthy and implement Eirikur's list above?

    Password is software generated, IIRC

    It is hard enough to find a DBA that knows what they're doing, now you want ...

    I'd complete that sentence with "to find two DBAs to do the job of one."

    I can almost see a randomly generated password reset after each use. But with two people, somebody still has to split that password in two to hand to the dbas. I would assume it is not always the same two dbas to do the work. Or that it is not always the same half of the password each person gets.

    I can also see the use of a keylogger.

    But seriously, vet the DBA, implement encryption where necessary, audit the database and security, and put a keylogger on it if you must.

    But in the end, you still need to trust the DBA to do the job. If you can't trust your DBA, then why trust the CTO, CIO, CEO or board for that matter?

    If you find the DBA can't be trusted, fire that person.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • ... Mark one off, 15 days on the calendar to go. 15 days on the calendar to go, 15 days to go, ...

  • SQLRNNR (2/12/2015)


    Sioban Krzywicki (2/12/2015)


    Ed Wagner (2/12/2015)


    Sioban Krzywicki (2/12/2015)


    Eirikur Eiriksson (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Brandie Tarvin (2/12/2015)


    jasona.work (2/12/2015)


    Is it me, or is it at least once a week minimum someone posts a "How do I keep the DBA / Sysadmin from doing / viewing certain things" type question?

    Where is it this time?

    And my answer to that question: Pink Slip.

    Gail already took care of it, told the poster that to keep the DBA from viewing certain data, they'd need to encrypt said data.

    It actually is a valid question given the amount of identity and data theft we've seen over the past decade. Especially from the disgruntled / greedy employee circuit. Somebody has to be Sysadmin, but that doesn't necessitate them being able to see bank records or tax IDs (etc.).

    My 2Cents, a DBA that cannot see the data is as useless as a blind driver, alternative measures have to be in place such as

    1) pay them well enough

    2) keep them happy

    3) audit everything

    4) bullet proof NDAs

    ...etc....

    Obviously it goes without saying that the sensitive data must be encrypted/protected as necessary. Insider threats (such as DBAs) cannot be mitigated with a technology only approach.

    😎

    Last time I went to a security lecture, the recommendation was that the DBA should not be able to see any data except in an emergency. During said emergency a separate computer would be used by a minimum of 2 DBAs at a time, each of whom was entrusted with half the password. The password is randomly created at each use.

    The dedicated machine is keystroke audited (along with other auditing).

    That seems like an awful lot of pain and is riddled with holes, such as who would set the password to begin with.

    Wouldn't it be easier to find a DBA that's trustworthy and implement Eirikur's list above?

    Password is software generated, IIRC

    It is hard enough to find a DBA that knows what they're doing, now you want ...

    I'd complete that sentence with "to find two DBAs to do the job of one."

    I can almost see a randomly generated password reset after each use. But with two people, somebody still has to split that password in two to hand to the dbas. I would assume it is not always the same two dbas to do the work. Or that it is not always the same half of the password each person gets.

    I can also see the use of a keylogger.

    But seriously, vet the DBA, implement encryption where necessary, audit the database and security, and put a keylogger on it if you must.

    But in the end, you still need to trust the DBA to do the job. If you can't trust your DBA, then why trust the CTO, CIO, CEO or board for that matter?

    If you find the DBA can't be trusted, fire that person.

    The system also splits the password.

    You don't know you can't trust them until it is too late. And what about the trustworthy one who becomes disgruntled?

    And yes, why would you trust any of those people? I've seen so many of them run companies into the ground.

    --------------------------------------
    When you encounter a problem, if the solution isn't readily evident go back to the start and check your assumptions.
    --------------------------------------
    It’s unpleasantly like being drunk.
    What’s so unpleasant about being drunk?
    You ask a glass of water. -- Douglas Adams
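
The dual-control scheme discussed in the thread (a software-generated, single-use password that the system splits between two DBAs, with the issuance audited) can be sketched as below; this is an added example, not code from any poster or product. The function names, the 24-character length, the roster and the audit fields are assumptions, and `split_xor` is an alternative to the "half each" split the thread describes, included because a single XOR share reveals nothing about the password while a half reveals half of it.

```python
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits  # assumed policy: 62 symbols


def generate_password(length=24):
    """Software-generated, single-use password (length is an assumed policy)."""
    if length < 2 or length % 2:
        raise ValueError("length must be even so it splits into two halves")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def split_halves(password):
    """The split described in the thread: each DBA holds half the characters."""
    mid = len(password) // 2
    return password[:mid], password[mid:]


def split_xor(password):
    """Alternative split: a random pad, and the password XORed with that pad.

    Unlike a half, either share on its own is uniformly random bytes.
    """
    secret = password.encode("ascii")
    pad = secrets.token_bytes(len(secret))
    return pad, bytes(s ^ p for s, p in zip(secret, pad))


def combine_xor(share_a, share_b):
    """Recover the password once both custodians present their shares."""
    return bytes(a ^ b for a, b in zip(share_a, share_b)).decode("ascii")


def issue_break_glass(roster, reason, splitter=split_halves):
    """Pick two custodians at random and give each one share.

    Returns (shares, audit): shares maps custodian -> share in the order the
    shares must be entered; audit records who and why, never the secret.
    """
    dbas = sorted(set(roster))
    if len(dbas) < 2:
        # The "only one DBA" case raised in the thread: no dual control possible.
        raise ValueError("dual control needs at least two distinct DBAs")
    # Random pair in random order, so nobody always holds the same half.
    first, second = secrets.SystemRandom().sample(dbas, 2)
    share_1, share_2 = splitter(generate_password())
    shares = {first: share_1, second: share_2}
    audit = {
        "issued_at": datetime.now(timezone.utc).isoformat(),
        "custodians": [first, second],
        "reason": reason,
    }
    return shares, audit


if __name__ == "__main__":
    # Constructed roster and reason, for illustration only.
    shares, audit = issue_break_glass(["dba_a", "dba_b", "dba_c"], "constructed example")
    print(audit)
    print({name: len(share) for name, share in shares.items()})
```
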
