Security Basics mailing list archives

RE: security against dba´s


From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Thu, 12 Feb 2009 09:50:19 -0600

Fair enough,

But that all sounds like management tasks, and to a lesser degree like headaches for the system builder/maintainer.
My thought came from seeing a builder's question about system design. I assume he is not the person in a position to hire trusted staff.

My employer hires me trusting I will do my job without negative impact.
It is then up to me to conduct myself in a manner that ensures integrity.

I believe I can do this by removing myself from the data and logging any access to it, because I have to assume that I can snap one day and perform acts of vandalism. (And by "I, me or myself" I mean any one of us, no matter how nice we are.)

Anyways..... Just my thought, you can get back on topic now :)

Nick

-  -----Original Message-----
-  From: Scott Richardson [mailto:srichardson () COPIC COM]
-  Sent: Thursday, February 12, 2009 9:39 AM
-  To: Nick Vaernhoej; security-basics () securityfocus com
-  Subject: RE: security against dba´s
-
-  I believe the appropriate phrase to use here would be, "trust, but
-  verify". Meaning, yes, you should trust the people you hire into
-  positions of control such as DBA's, SA's, NA's, etc. but you shouldn't
-  trust them without verifying that a) they are doing their job
-  correctly b) they are doing their job ethically and c) they are doing
-  their job following appropriate change management procedures and
-  following any controls/processes you have in place. This usually means
-  logging access, checking change control logs, and generally keeping
-  apprised of what your DBA's are doing on your systems.
-
-  Just my two cents
-
-  SR
-
-
-  -----Original Message-----
-  From: listbounce () securityfocus com
-  [mailto:listbounce () securityfocus com] On Behalf Of Nick Vaernhoej
-  Sent: Thursday, February 12, 2009 7:44 AM
-  To: security-basics () securityfocus com
-  Subject: RE: security against dba´s
-
-
-  I am curious about the repeated argument "if you don't trust your
-  DBA's, hire/promote someone you can trust".
-  Is that a common perception?
-  I am personally of the belief that no one is to be trusted and my
-  system designs should be reflecting this.
-
-  Nick
-
-  -  -----Original Message-----
-  -  From: rohnskii () gmail com
-  -  Subject: Re: security against dba´s
-  -
-  -  re your points:
-  -
-  -  1- inform all employees, not just DBA
-  -  2.1- log all access, not just DBA
-  -  2.2- what sort of access
-  -
-  -  Look, if you don't trust your DBA's, hire/promote someone you can
-  -  trust.
-  -
-  -  Another part of the access you should monitor is separate from just
-  -  the CRUD access to, and monitored by, the DB.  Track files/data
-  -  downloaded to USB devices, in other words network endpoint control
-  -  (NAC).
-  -
-  -  For example, it could be natural for me as a DBA to Read production to
-  -  my terminal.  But it is probably NOT natural for me to download the
-  -  READ data to a USB device.
-  -
-  -  Again, that type of access control should not be exclusive to DBA, it
-  -  should be corporate wide.

This electronic transmission is intended for the addressee (s) named above. It contains information that is privileged, 
confidential, or otherwise protected from use and disclosure. If you are not the intended recipient you are hereby 
notified that any review, disclosure, copy, or dissemination of this transmission or the taking of any action in 
reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please 
notify the sender that this message was received in error and then delete this message.
Thank you.
