Security Basics mailing list archives

RE: security against dba´s


From: "Scott Richardson" <srichardson () COPIC COM>
Date: Thu, 12 Feb 2009 08:38:58 -0700

I believe the appropriate phrase to use here would be, "trust, but verify". Meaning, yes, you should trust the people 
you hire into positions of control such as DBAs, SAs, NAs, etc., but you shouldn't trust them without verifying that 
a) they are doing their job correctly, b) they are doing their job ethically, and c) they are doing their job following 
appropriate change management procedures and following any controls/processes you have in place. This usually means 
logging access, checking change control logs, and generally keeping apprised of what your DBAs are doing on your 
systems. 

Just my two cents

SR
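One concrete form of the "verify" step described above (log access, then check it against change control) is to correlate privileged-account audit entries with approved change tickets and flag anything that falls outside an approved window. The script below is an added example, not code from any poster; the log format, account names and ticket ids are constructed for illustration.

```python
# Added example (not from the thread): cross-check DBA audit-log entries against
# approved change tickets and flag privileged actions with no matching approval.
# Log format, account names and ticket ids are constructed for illustration.
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed change-control approvals: (account, window start, window end, ticket)
APPROVED_CHANGES = [
    ("dba_alice", "2009-02-12 07:00", "2009-02-12 09:00", "CHG-1001"),
]

# Constructed audit log lines: timestamp | account | action | object
AUDIT_LOG = """\
2009-02-12 07:15 | dba_alice | ALTER TABLE | prod.customers
2009-02-12 07:20 | app_svc   | SELECT      | prod.customers
2009-02-12 11:42 | dba_alice | SELECT      | prod.customers
2009-02-12 11:45 | dba_bob   | DROP TABLE  | prod.audit_trail
"""

# Accounts whose every action should be covered by a change ticket
PRIVILEGED_ACCOUNTS = {"dba_alice", "dba_bob"}

def parse_line(line):
    """Split one audit line into (datetime, account, action, object)."""
    ts, account, action, obj = [f.strip() for f in line.split("|")]
    return datetime.strptime(ts, FMT), account, action, obj

def approved_ticket(account, when):
    """Return the ticket id covering this account at this time, else None."""
    for acct, start, end, ticket in APPROVED_CHANGES:
        if acct == account and \
           datetime.strptime(start, FMT) <= when <= datetime.strptime(end, FMT):
            return ticket
    return None

def unapproved_dba_actions(log_text=AUDIT_LOG):
    """Privileged-account actions with no change ticket covering them."""
    findings = []
    for line in log_text.strip().splitlines():
        when, account, action, obj = parse_line(line)
        if account not in PRIVILEGED_ACCOUNTS:
            continue  # all access is logged; only privileged access is checked here
        if approved_ticket(account, when) is None:
            findings.append((when.strftime(FMT), account, action, obj))
    return findings

if __name__ == "__main__":
    for finding in unapproved_dba_actions():
        print("UNAPPROVED:", *finding)
```

The 07:15 ALTER falls inside CHG-1001 and is accepted; the two afternoon entries by DBA accounts have no covering ticket and are reported for review.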


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Vaernhoej
Sent: Thursday, February 12, 2009 7:44 AM
To: security-basics () securityfocus com
Subject: RE: security against dba´s


I am curious about the repeated argument "if you don't trust your DBAs, hire/promote someone you can trust".
Is that a common perception?
I am personally of the belief that no one is to be trusted and my system designs should be reflecting this.

Nick

-  -----Original Message-----
-  From: rohnskii () gmail com
-  Subject: Re: security against dba´s
-  
-  re your points:
-  
-  1- inform all employees, not just DBA
-  2.1- log all access, not just DBA
-  2.2- what sort of access
-  
-  Look, if you don't trust your DBAs, hire/promote someone you can
-  trust.
-  
-  Another part of the access you should monitor is separate from just
-  the CRUD access to, and monitored by, the DB.  Track files/data
-  downloaded to USB devices, in other words network endpoint control
-  (NAC).
-  
-  For example, it could be natural for me as a DBA to Read production to
-  my terminal.  But it is probably NOT natural for me to download the
-  READ data to a USB device.
-  
-  Again, that type of access control should not be exclusive to DBA, it
-  should be corporate wide.
