Security Basics mailing list archives
RE: Monitoring DB Admin
From: "Ackley, Alex" <aackley () epmgpc com>
Date: Tue, 29 May 2007 12:13:10 -0400
I'm not sure you'll be able to do preventive controls on a DB Admin as a role. But you can do it on a person by rotating duties and basing permissions on role not person. There are a few good apps out there to monitor database activities. So combine a good monitoring tool with role based permissions and you may be able to appease them. If you have more then one DB Admin; ask yourself if they all need the same access? Can they be segregated by database or databases? What the auditors want to see are tools in place to limit the damage any single person can cause. It's the same reason you don't want to give your developers admin access to your network. They may never do anything bad; but giving them more access then is required is asking for trouble. Alex Ackley, CISSP, GSEC Security Administrator -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of WALI Sent: Monday, May 28, 2007 11:31 PM To: security-basics () securityfocus com Subject: Monitoring DB Admin ....And the auditors report mentions that I (the internal IT Security Admin) should have independent monitoring of DB Admin activities, the likes of DROP, ALTERS etc on an inhouse developed accounting package using Oracle 9i backened. Not only this, the crazy auditing guys want to have preventive rather than detective controls in place for DB Admin. How secure can we make an application if we start doubting the guys we trust...the next thing the auditors would want is preventive controls over me...Grrr!! But still...is this doable!!??
Current thread:
- Monitoring DB Admin WALI (May 29)
- RE: Monitoring DB Admin Ackley, Alex (May 30)
- <Possible follow-ups>
- RE: Monitoring DB Admin Craig Wright (May 29)
- Re: Monitoring DB Admin Erkan KAHRAMAN (May 30)