Security Basics mailing list archives

Re: security against DBA's


From: Andre Rodrigues <acastanheira2001 () yahoo com br>
Date: Thu, 12 Feb 2009 05:57:35 -0800 (PST)

Hi,

You said that it is natural, as a DBA, to read production in your terminal. 
Do you really need to read the data?

Suppose it is employee's salary data, or other sensitive data.

You can e-mail the READ data instead of downloading it to a USB device. But I can't prevent the DBAs from accessing the 
e-mail account.

The other guys on this list replied that I should encrypt the sensitive data. If I do this, the cryptographic keys should be 
managed by the security team, correct?
Thanks,
André

--- On Wed, 2/11/09, rohnskii () gmail com <rohnskii () gmail com> wrote:

From: rohnskii () gmail com <rohnskii () gmail com>
Subject: Re: security against DBA's
To: security-basics () securityfocus com
Date: Wednesday, February 11, 2009, 1:54 PM
re your points:

1- inform all employees, not just DBA
2.1- log all access, not just DBA
2.2- what sort of access

Look, if you don't trust your DBAs, hire/promote
someone you can trust.

Another part of the access you should monitor is separate
from just the CRUD access to, and monitored by, the DB.
Track files/data downloaded to USB devices; in other words,
network endpoint control (NAC).

For example, it could be natural for me as a DBA to Read
production to my terminal.  But it is probably NOT natural
for me to download the READ data to a USB device.

Again, that type of access control should not be exclusive
to DBA, it should be corporate wide.
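The thread's suggestion of encrypting the sensitive fields with keys held by the security team, so that a DBA reading production sees only ciphertext, can be shown concretely. The following Go program is an added example written for this archive page; it is not code from either poster. It assumes a key custodian (standing in for an HSM or KMS the security team controls and the DBA cannot query), AES-GCM from the Go standard library, and a constructed in-memory payroll table in place of the real database. The employee ID is bound into the ciphertext as additional authenticated data, so a blob copied from one employee's row into another's fails to decrypt, which is the check a reviewer would want when field-level encryption is proposed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// KeyCustodian stands in for the key store the security team controls
// (assumption: an HSM/KMS the DBA has no access to). It alone holds the
// data-encryption key; the database only ever stores ciphertext.
type KeyCustodian struct {
	aead cipher.AEAD
}

// NewKeyCustodian wraps a 256-bit AES key in AES-GCM.
func NewKeyCustodian(key []byte) (*KeyCustodian, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KeyCustodian{aead: aead}, nil
}

// Seal encrypts one field value. The employee ID is passed as additional
// authenticated data, so the blob is tied to that row. Output: nonce || ct+tag.
func (k *KeyCustodian) Seal(employeeID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, plaintext, []byte(employeeID)), nil
}

// Open decrypts a field value and verifies it was sealed for employeeID.
func (k *KeyCustodian) Open(employeeID string, sealed []byte) ([]byte, error) {
	n := k.aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed value too short")
	}
	return k.aead.Open(nil, sealed[:n], sealed[n:], []byte(employeeID))
}

// PayrollTable is a constructed stand-in for the production table.
// It holds only ciphertext, which is all a SELECT by a DBA returns.
type PayrollTable map[string][]byte

// StoreSalary is the application write path: encrypt, then store the blob.
func StoreSalary(t PayrollTable, k *KeyCustodian, employeeID, salary string) error {
	sealed, err := k.Seal(employeeID, []byte(salary))
	if err != nil {
		return err
	}
	t[employeeID] = sealed
	return nil
}

// DBAView is what a full-privilege database read yields: the hex blob,
// no key and no plaintext.
func DBAView(t PayrollTable, employeeID string) string {
	return hex.EncodeToString(t[employeeID])
}

// ReadSalary is the authorised application read path back to plaintext.
func ReadSalary(t PayrollTable, k *KeyCustodian, employeeID string) (string, error) {
	sealed, ok := t[employeeID]
	if !ok {
		return "", errors.New("no such employee")
	}
	pt, err := k.Open(employeeID, sealed)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // in practice generated and kept inside the custodian
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	custodian, err := NewKeyCustodian(key)
	if err != nil {
		panic(err)
	}
	table := PayrollTable{}
	_ = StoreSalary(table, custodian, "E1001", "72000") // constructed sample row
	fmt.Println("DBA sees:        ", DBAView(table, "E1001"))
	s, _ := ReadSalary(table, custodian, "E1001")
	fmt.Println("Application sees:", s)
	// Copy E1001's blob into another row: the AAD binding rejects it.
	table["E2002"] = table["E1001"]
	_, err = ReadSalary(table, custodian, "E2002")
	fmt.Println("Copied blob decrypts:", err == nil)
}
```

The point for the thread's question: the DBA's logged SELECT still happens and still shows in the access logs the other poster asked for, but what it returns is useless without the custodian, and the custodian's own key usage is a second, independent audit trail.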
