Security Basics mailing list archives
Re: security against DBAs
From: "Adam Pal" <pal_adam () gmx net>
Date: Thu, 12 Feb 2009 17:11:57 +0100
Hi,

Do you have one DBA for sensitive assets? Usually, when it's about sensitive information in the DB, there are 2 DBAs; then you can implement dual control with a shared password (principle of shared knowledge).

Regards,
Adam Pal

-------- Original Message --------
Date: Thu, 12 Feb 2009 05:57:35 -0800 (PST)
From: Andre Rodrigues <acastanheira2001 () yahoo com br>
To: security-basics () securityfocus com, rohnskii () gmail com
Subject: Re: security against DBAs
Hi,

You said that it is natural, as a DBA, to read production data in your terminal. Do you really need to read the data? Suppose it is employees' salary data, or other sensitive data. You can e-mail the READ data instead of downloading it to a USB device. But I can't prevent the DBAs from accessing the e-mail account.

The other guys on this list replied that I should encrypt the sensitive data. Doing this, the cryptographic keys should be managed by the security team, correct?

Thanks,
André

--- On Wed, 2/11/09, rohnskii () gmail com <rohnskii () gmail com> wrote:

From: rohnskii () gmail com <rohnskii () gmail com>
Subject: Re: security against DBAs
To: security-basics () securityfocus com
Date: Wednesday, February 11, 2009, 1:54 PM

Re your points:
1 - inform all employees, not just DBAs
2.1 - log all access, not just DBA access
2.2 - what sort of access

Look, if you don't trust your DBAs, hire/promote someone you can trust.

Another part of the access you should monitor is separate from just the CRUD access to, and monitored by, the DB. Track files/data downloaded to USB devices, in other words network endpoint control (NAC). For example, it could be natural for me as a DBA to READ production data to my terminal. But it is probably NOT natural for me to download the READ data to a USB device. Again, that type of access control should not be exclusive to DBAs; it should be corporate wide.
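Added example, not part of the thread or of any poster's own code: one concrete way to implement the dual control / shared knowledge that Adam Pal describes is to never give any single DBA the complete privileged password. Instead of a password that is literally shared, the secret is split with Shamir secret sharing over GF(2^8) so that any two of three custodians (e.g. two DBAs, or a DBA plus the security team that Andre mentions as key manager) can reconstruct it, while one share on its own reveals nothing. Shamir sharing is a swap-in technique chosen here to demonstrate the principle; the thread only says "shared password". The password value and the 2-of-3 policy are constructed for the example.

```python
"""Split-knowledge (dual control) for a privileged DB password.

Shamir secret sharing, byte-wise over GF(2^8) with the AES polynomial,
so a secret of any length can be split. Threshold t of n custodians
must cooperate to recover it; fewer than t learn nothing.
This is an illustrative example, not a vetted library.
"""
import secrets

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the reduction polynomial for GF(2^8)


def _gf_mul(a: int, b: int) -> int:
    """Multiply two field elements in GF(2^8) (Russian-peasant method)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def _gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 in GF(2^8) (a != 0)."""
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in GF(2^8)")
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Evaluate polynomial with coefficients coeffs[0..t-1] at x (Horner)."""
    r = 0
    for c in reversed(coeffs):
        r = _gf_mul(r, x) ^ c
    return r


def split_secret(secret: bytes, threshold: int, shares: int) -> list[tuple[int, bytes]]:
    """Return `shares` shares (x, y_bytes); any `threshold` of them rebuild `secret`."""
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 1 < threshold <= shares <= 255")
    # One random polynomial per secret byte: constant term is the byte itself,
    # higher coefficients come from a CSPRNG so a single share leaks nothing.
    polys = [[b] + [secrets.randbelow(256) for _ in range(threshold - 1)] for b in secret]
    return [(x, bytes(_eval_poly(p, x) for p in polys)) for x in range(1, shares + 1)]


def combine_shares(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate at x = 0 to recover the secret from >= threshold shares.

    With fewer than threshold shares this still returns bytes, but they are
    unrelated to the secret: the caller cannot tell a quorum is missing from
    the output alone, so enforce the quorum by policy before calling this.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    out = bytearray()
    for i in range(length):
        acc = 0
        for xj, yj in shares:
            # Lagrange basis at 0: prod_{m != j} x_m / (x_j - x_m); in GF(2^8) "-" is XOR.
            num = den = 1
            for xm, _ in shares:
                if xm != xj:
                    num = _gf_mul(num, xm)
                    den = _gf_mul(den, xj ^ xm)
            acc ^= _gf_mul(yj[i], _gf_mul(num, _gf_inv(den)))
        out.append(acc)
    return bytes(out)


# Constructed example: a privileged DBA password under a 2-of-3 policy.
DBA_PASSWORD = b"prod-sa:Xk9#vT2q!Lm"  # constructed, not a real credential
CUSTODIAN_SHARES = split_secret(DBA_PASSWORD, threshold=2, shares=3)


def dual_control_checkout(share_a: tuple[int, bytes], share_b: tuple[int, bytes]) -> bytes:
    """Two custodians each present their share; together they recover the password."""
    return combine_shares([share_a, share_b])


if __name__ == "__main__":
    dba1, dba2, security_team = CUSTODIAN_SHARES
    print(dual_control_checkout(dba1, security_team) == DBA_PASSWORD)  # True
```

Each custodian stores only their own `(x, y)` share; the reconstructed password should be used once (for example, to set or rotate the real account password) and the shares re-issued afterwards, and the checkout itself logged, which is the "log all access" point raised earlier in the thread.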