Security Basics mailing list archives

Re: security against dba´s


From: "Adam Pal" <pal_adam () gmx net>
Date: Thu, 12 Feb 2009 17:11:57 +0100

Hi,


Do you have one DBA for sensitive assets? Usually, when it's about sensitive information in the DB, there are 2 DBAs,
then you can implement a dual control with a shared password (principle of shared knowledge).



regards,
Adam Pal
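
The dual-control arrangement described above (no single DBA holds the key that unlocks the sensitive columns), combined with the encrypt-the-sensitive-data advice from earlier in the thread, as an added example that is not code from any of the list posters. It assumes the common key-component scheme: each custodian generates one random component, the data-encryption key is the XOR of all components, and a short key check value (here a truncated SHA-256, an assumption in place of the usual AES-based KCV) lets the custodians confirm they assembled the same key without revealing it. The field cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library; in production a library AEAD such as AES-GCM takes its place.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32    # 256-bit key components and data-encryption key
NONCE_LEN = 16  # per-field random nonce
TAG_LEN = 32    # HMAC-SHA256 authentication tag


def generate_component() -> bytes:
    """Each key custodian (e.g. each of the two DBAs) runs this independently."""
    return secrets.token_bytes(KEY_LEN)


def combine_components(*components: bytes) -> bytes:
    """XOR all components into the data-encryption key (split knowledge).

    Any single component carries no information about the final key, so
    neither custodian alone can decrypt; both must be present (dual control).
    """
    if not components:
        raise ValueError("at least one component is required")
    key = bytes(KEY_LEN)
    for comp in components:
        if len(comp) != KEY_LEN:
            raise ValueError("component has wrong length")
        key = bytes(a ^ b for a, b in zip(key, comp))
    return key


def key_check_value(key: bytes) -> str:
    """Short fingerprint so custodians can confirm they built the same key.

    Assumption: truncated SHA-256 stands in for the conventional AES-based KCV.
    """
    return hashlib.sha256(b"kcv:" + key).hexdigest()[:6]


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent keys for encryption and authentication from the DEK.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC(enc_key, nonce || counter) blocks, truncated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one sensitive column value; the DB stores only this blob."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Wrong key or tampering raises."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def demo() -> dict:
    """Walk through the dual-control flow with a constructed salary record."""
    dba_a = generate_component()          # held by custodian A
    dba_b = generate_component()          # held by custodian B
    dek = combine_components(dba_a, dba_b)
    stored = encrypt_field(dek, b"salary=87500")   # constructed sample value
    single_custodian_can_read = True
    try:
        decrypt_field(dba_a, stored)
    except ValueError:
        single_custodian_can_read = False
    return {
        "kcv_matches": key_check_value(combine_components(dba_b, dba_a)) == key_check_value(dek),
        "stored_is_plaintext": b"salary" in stored,
        "single_custodian_can_read": single_custodian_can_read,
        "both_custodians_can_read": decrypt_field(dek, stored) == b"salary=87500",
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the row in the production table is opaque to whoever reads it with DBA privileges; the components live with the custodians (or in an HSM or key-management service), not in the database, and a sensitive field is decrypted only where both components are brought together.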


-------- Original Message --------
Date: Thu, 12 Feb 2009 05:57:35 -0800 (PST)
From: Andre Rodrigues <acastanheira2001 () yahoo com br>
To: security-basics () securityfocus com, rohnskii () gmail com
Subject: Re: security against dba´s

Hi,

You said that it is natural, as a DBA, to read production in your
terminal.
Do you really need to read the data?

Suppose it is employees' salary data, or other sensitive data.

You can e-mail the READ data, instead of downloading it to a USB device. But
I can't prevent the DBAs from accessing the e-mail account.

The other guys on this list replied that I should encrypt the sensitive
data. Doing this, the cryptographic keys should be managed by the security team,
correct?




Thanks,
André

--- On Wed, 2/11/09, rohnskii () gmail com <rohnskii () gmail com> wrote:

From: rohnskii () gmail com <rohnskii () gmail com>
Subject: Re: security against dba´s
To: security-basics () securityfocus com
Date: Wednesday, February 11, 2009, 1:54 PM
re your points:

1- inform all employees, not just DBA
2.1- log all access, not just DBA
2.2- what sort of access

Look, if you don't trust your DBAs, hire/promote
someone you can trust.

Another part of the access you should monitor is separate
from just the CRUD access to, and monitored by, the DB. 
Track files/data downloaded to USB devices, in other words
network endpoint control (NAC).

For example, it could be natural for me as a DBA to Read
production to my terminal.  But it is probably NOT natural
for me to download the READ data to a USB device.

Again, that type of access control should not be exclusive
to DBA, it should be corporate wide.

