Home page logo
/

basics logo Security Basics mailing list archives

Re: security against dba´s
From: Andre Rodrigues <acastanheira2001 () yahoo com br>
Date: Thu, 12 Feb 2009 10:36:02 -0800 (PST)

I agree with you,

We have almost no turnover. The enterprise trust the dba´s, me too.

But it´s necessary to improve the controls in our environment, and we should avoid some personal disagreement.

Thanks,
André


--- On Tue, 2/10/09, dan.crowley () gmail com <dan.crowley () gmail com> wrote:

From: dan.crowley () gmail com <dan.crowley () gmail com>
Subject: Re: security against dba´s
To: security-basics () securityfocus com
Date: Tuesday, February 10, 2009, 3:21 PM
I used to have a professor who was a DBA for a long time.
She said: Be a DBA. The closer you are to the data, the more
dangerous you are, and the more they'll pay you.

While that's funny, it's also kinda scary and true.
Whoever is administrating your database will actually need
access to your database. In this case, the security measures
you need probably aren't ones that will protect your
database from your DBA. That's only going to make their
job harder, and consequently, they'll find some way to
circumvent the measures so that they can do their job
easier.

Instead, you need auditing measures and access
restrictions, if possible. Have systems in place that will
log database transactions. This way, the DBA can access the
data, but it will always be known what data is being
accessed, and by whom. Secondly, deny read access to the
data your DBA can't see if you REALLY must.

Finally, I hope you trust your DBA and have done some
background checks, but based on your post I have a feeling
this isn't the case.

Hope this helps!





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]