Re: security against dba´s

[Andre Rodrigues <acastanheira2001 () yahoo com br>]

I agree with you,

We have almost no turnover. The enterprise trust the dba´s, me too.

But it´s necessary to improve the controls in our environment, and we should avoid some personal disagreement.

Thanks,
André


--- On Tue, 2/10/09, dan.crowley () gmail com <dan.crowley () gmail com> wrote:

> From: dan.crowley () gmail com <dan.crowley () gmail com>
> Subject: Re: security against dba´s
> To: security-basics () securityfocus com
> Date: Tuesday, February 10, 2009, 3:21 PM
> I used to have a professor who was a DBA for a long time.
> She said: Be a DBA. The closer you are to the data, the more
> dangerous you are, and the more they'll pay you.
>
> While that's funny, it's also kinda scary and true.
> Whoever is administrating your database will actually need
> access to your database. In this case, the security measures
> you need probably aren't ones that will protect your
> database from your DBA. That's only going to make their
> job harder, and consequently, they'll find some way to
> circumvent the measures so that they can do their job
> easier.
>
> Instead, you need auditing measures and access
> restrictions, if possible. Have systems in place that will
> log database transactions. This way, the DBA can access the
> data, but it will always be known what data is being
> accessed, and by whom. Secondly, deny read access to the
> data your DBA can't see if you REALLY must.
>
> Finally, I hope you trust your DBA and have done some
> background checks, but based on your post I have a feeling
> this isn't the case.
>
> Hope this helps!