Security Basics mailing list archives
Re: security against dba´s
From: Andre Rodrigues <acastanheira2001 () yahoo com br>
Date: Thu, 12 Feb 2009 09:18:44 -0800 (PST)
Adam, There´s no particular duties, the dba mates do all the related job. Maybe I will sugest an audit loging of production data access. In the near future I will try to implement a cryptographic infra structure to deal with sensible data. What else? Thanks, André --- On Thu, 2/12/09, Adam Pal <pal_adam () gmx net> wrote:
From: Adam Pal <pal_adam () gmx net> Subject: Re: security against dba´s To: acastanheira2001 () yahoo com br, rohnskii () gmail com, security-basics () securityfocus com Date: Thursday, February 12, 2009, 8:11 AM Hi, Do you have one DBA for sensitive assets? Usualy, when its about sensitive information in the DB, there are 2 DBAs, then you can implement a dual control with a shared password (priciple of shared knowledge). regards, Adam Pal -------- Original-Nachricht --------Datum: Thu, 12 Feb 2009 05:57:35 -0800 (PST) Von: Andre Rodrigues<acastanheira2001 () yahoo com br>An: security-basics () securityfocus com,rohnskii () gmail comBetreff: Re: security against dba´sHi, You said that it is natural, as a DBA, to readproduction in yourterminal. Do you really need to read the data? Suppose it is employee´s salary data, or othersensitive data.You can e-mail the READ data, instead of downloadingto an USB device. ButI can´t prevent the DBA´s from accessing the e-mailaccount.The other guys on this list replied that I shouldencrypt the sensibledata. Doing this, the criptgrafic keys should bemanaged by the security team,correct? Thanks, André --- On Wed, 2/11/09, rohnskii () gmail com<rohnskii () gmail com> wrote:From: rohnskii () gmail com<rohnskii () gmail com>Subject: Re: security against dba´s To: security-basics () securityfocus com Date: Wednesday, February 11, 2009, 1:54 PM re your points: 1- inform all employees, not just DBA 2.1- log all access, not just DBA 2.2- what sort of access Look, if you don't trust your DBA's,hire/promotesomeone you can trust. Another part of the access you should monitor isseparatefrom just the CRUD access to, and monitored by,the DB.Track files/data downloaded to USB devices, inother wordsnetwork endpoint control (NAC). For example, it could be natural for me as a DBAto Readproduction to my terminal. But it is probablyNOT naturalfor me to download the READ data to a USB device. Again, that type of access control should not beexclusiveto DBA, it should be corporate wide.
Current thread:
- Re: security against dba´s, (continued)
- Re: security against dba´s rohnskii (Feb 11)
- RE: security against dba´s Nick Vaernhoej (Feb 12)
- RE: security against dba´s Scott Richardson (Feb 12)
- RE: security against dba´s Nick Vaernhoej (Feb 12)
- Re: security against dba?s Ansgar Wiechers (Feb 12)
- Re: security against dba?s Ray Van Dolson (Feb 12)
- Message not available
- Re: security against dba?s Ray Van Dolson (Feb 13)
- RE: security against dba?s Nick Vaernhoej (Feb 13)
- RE: security against dba´s Nick Vaernhoej (Feb 12)
- Re: security against dba´s rohnskii (Feb 11)
- Re: security against dba´s Adam Pal (Feb 12)
- Re: security against dba´s Andre Rodrigues (Feb 12)
- Re: security against dbaŽs Ansgar Wiechers (Feb 12)
- Re[2]: security against dbaŽs Adam Pal (Feb 13)
- Re: security against dbaŽs Ansgar Wiechers (Feb 13)