A Matter of Trust
-
Michael Vick and the Atlanta Falcons, NBA referees, Barry Bonds, doping in the Tour de France, the world of sports is being rocked by people playing fast and loose with the rules. In some cases it's because of a lot of money, in other's it's fame, but in all the cases the public is unsure of who they can trust. Or what they can believe. I'm a sports fan, so it definitely bothers me that what I might be seeing is somehow predetermined.
So how does this relate to databases and DBAs? It's a reach, but as I've been reading about various cases and issues in sports, it struck me that the amount of trust I have in someone's words is what really makes me the most upset. And as an operations guy for much of my career, I've been counted on, trusted, to keep data and systems safe. It's been my job to be sure that files, emails, and rows in lots of tables, are secured and disclosed to only those that need to work with them.
So the question this week, which is kind of open-ended, is:
How much should you trust a DBA?
We see lots of debates and threads in our forums on security, how you lock "sa" or a sysadmin out of seeing data, what to do with data moved to test or development systems, but the trust levels that you need to maintain are still pretty high.
I also see a split among most people that chime in. Either you trust the DBA and they access everything, or you absolutely do not want them to see some data and you struggle with SQL Server as a platform.
I think it's an interesting question and I'd encourage your responses to include sysadmins as well, who might have file system or email access to data in those systems. For me, I think that you have to trust certain people. They have too much of an ability to scam the system, so I'd like to see SysAdmins, Email Admins, and DBAs bonded as a condition of employment. That would certainly bring some degree of trust to the position. After that, you definitely need to audit their activities. Microsoft needs to develop an easy way that allows an "auditor" to see the activity of a sysadmin, without creating the weak link of requiring the auditor to be a sysadmin.
PS - Support Katie and her family : Purchase a raffle ticket today for a chance to win some great prizes.
-
It is my opinion (and at this site, my manager's I'm glad to say) that there are two components to security; technical and HR. Use the technical side to limit rights those that need them but even then a number of people will get to see the data.
The DBA, the programmer who supports the Prod app, the auditor, etc will all get to see the data as a part of their job. If you do a DR test to a remote site there is possibly another DBA involved. Etc, etc. The OS admin will probably be able to open the DB file even if they do not have access to your DB (yeap, give someone a hex editor and and all your carefully crafted Db security is obsolete, unless you run encypted DB files)
We could try to limit this but someone, somewhere has to see the data or it has no value to the business. So at the least 1 business staff member and 1 IT staff memember will see the data. And this is where HR come in; Hire the right people, run ethics training within the enterprise, fire someone if they are known have talked about the data outside of their office (this includes the staff cafeteria), ensure staff know the relevant legislation (e.g. Privacy Act 1993 here in NZ, no doubt you have similar in the US), etc.
In effect this means you are using the IT security to limit the number of people that have access to the data and the HR process to manage those that have access.
Ensure your policies are up to date. Have staff review and resign them once a year, include IT in this and do not allow any God Comnplex in IT - we're just staff with a clearly defined role and some delegated rights to see the data. In fact we have less ownership of the data and only a guardianship role of it.
My 5 cents worth,
Karl
-
I would sugguest that the sensitive data thats is being restored to dev/uat should be masked or encrypted.
Also a strong level of auditing should be turned on for the production servers. Even the select on sensitive datas should be captured and reviewed. If adequate controls/policies are in place then no need to worry about trusting people.
Regards
Raj
-
As a DBA myself, and as part of a company than has very sensitive data, I do believe that a high level of trust has to be assigned to a DBA, and consequently very severe penalties if this trust is ever violated. After all, we are looking after the data for the entire company, it's lifeblood, and without it the company would lose money and fast.
We have a situation in our company where this trust is not given, and it does cause problems. Even before we had SQL Server, back in the days that the company ran Foxpro, I have always been trusted with access to all databases and all data, including very sensitive data such as salaries and income. The trust was that although this information was available to me, I never looked at it other than to review structures, backup, restore and maintain the overall health of the data and machines.
Recently, however, with changes in the HR department, a board level decision was made that the SQL Server which hosted the HR data, including salaries and bonuses as well as personal information about the employees, was to be taken out of my hands. Not a problem for me as this was now one less server to monitor. However, the server is hosted locally with no means of anyone outside the company gaining access without physically coming into the server room, also there is no on-site administrator for it who knows anything more than how to build and install the operating system.
As a result, recently, immediately before salaries were due to be paid, an upgrade was recieved by the HR department for the payroll software. They installed it and then discovered that until the SQL Server was brought up to patch level and the databases upgraded via a script supplied with the software, the payroll system refused to run.
This was when the fun started, our company hadn't paid for same day support from the company supplying the software and administering the database, instead it was a 3 day lead time. HR told the networking team to run the scripts and apply the patches, but they didn't know how, so they asked me to run the scripts to upgrade the database and the server (easily enough from the server console - which bizzarely was always left logged in, but locked, as administrator), but the HR department refused the request in case I looked at the data. As a result, the salaries nearly didn't get paid on time, and we literally had to set guards on the stairwells and entrance doors to stall the HR manager or Directors in case they decided to show a face whilst I locked myself in the server room to run the upgrades at the request of the network staff (BOFH eat your heart out).
As was expected, a huge row resulted, my Director and boss backed me up to the hilt, but the policy has never changed. I have since told them that if this occurs again then my hands are tied, though I just know what will be happening again.
Personally, I did feel quite offended that after over 10 years of absolute trust I was suddenly told that I wasn't to be trusted.
---------------------------------------
It is by caffeine alone I set my mind in motion.
It is by the Beans of Java that thoughts acquire speed,
the hands acquire shaking, the shaking becomes a warning.
It is by caffeine alone I set my mind in motion. -
A general point that affects everyone in a position of trust although DBA's have, by virtue of the value of the data frequently entrusted to them, a requirement to be particularly trustworthy, is whether they are motivated to look after the best interests of their employer.
Many employers treat staff really rather badly as a matter of course, which can lead to resentment and, ultimately, betrayal to a greater or lesser degree.
I was struck by the actions of the US TSA, when they found that many "security" staff at airports had ambitions to get a job pushing burgers because it paid better. Even more surprising was that they actually did something about it and employed many (possibly all? - I live in the UK) of these staff directly so they could monitor their activities and motivations.
Contrast this with the UK where some journalists recently made a film about our version of the same people. They were caught on film bragging about importing heroin from India, consuming both alcohol and drugs whilst at work, engaging in petty theft, sleeping away the boring working hours, not checking aircraft properly, or even at all - The list goes on and on. Some of the people featured talked about their criminal records which included convictions for serious offences, so the employer had at least one way of knowing that these staff were unsuitable for the job in the first place.
When you're reading about some person who has done something stupid and/or illegal, make sure to read all of the article. I've noticed that there's often a real or perceived grievance behind it which really should have been taken more seriously before things got silly.
There used to be a saying in the UK: "Management get the unions that they deserve." Is it also possible that they get the staff behaviour that they deserve as well?
-
Does anyone know a tool to audit database activity? Im testing dbaudit.
-
You can use the SQL Audit guard.
Regards
Rajkumar
-
As was mentioned by a few others... You have to trust someone, somehow to do certain things. If it's not the DBA and Sys Admins, and/or auditors, then who do you trust? Management needs to hire the right people, bonding might help I suppose because that would limit someone the people who have already done "very bad things" because they would no longer be bondable. More than that though, it's probably more likely that you just need to look a bit harder to find the correct people. If you can't at the salary yoiu are offering, perhaps the salary or benefits package is too low. Perhaps you need to step up and get your potential new hire a bit better package.
Once you hire the correct people, you need to keep them happy. Don't treat them like crap. Give them appropriate raises, don't work them into the ground, etc, etc, ad nauseam. Remember that people are people, not just resources to be used, abused and replaced.
-
As the experiences of DBAs in this thread reflect, someone has to be trusted in the enterprise. I fully understand and relate to the experience of DBAs who suddenly find themselves "not trusted" and even treated as suspect because of the intentional criminal and unethical actions of others.
I experienced a Sarbanes-Oxley audit as manager of the SQL Server DBA team for a Fortune 500 company. A person who usually loves his job, I found myself driving to work every morning for a couple months thinking "I could just quit my job and this would stop." Not a happy place - not at all.
I understand why we have the current laws in the US and elsewhere. It's because unethical people abused the public trust. What I do not understand is why we believe another law will stop them. These folks broke plenty of existing laws when they did their deeds - do we think for a minute they would've hesitated at yet another?
There are two myths about the legislation in the US: 1) The laws will catch people attempting to violate public trust; and 2) It's possible to legislate behavior.
What amazes me most is the amount of trust the investing public places in legislation. In my opinion, Sarbanes-Oxley (and similar legislation) hasn't prevented a single crime, it has only made it more difficult to commit. And when you think about it, the folks that committed the crimes that inspired the legislation were of the persistent sort. They set out to perpetrate a fraud and then continued defrauding to cover their tracks until the truth could no longer be hidden.
In practice, all Sarbanes-Oxley accomplished was additional expense to honest corporations.
I think there was a need for additional legislation, but at the other end of the pipe: I think we should require investor education and certification before allowing participation in the US stock markets. That way, no one would be able to claim they "didn't know" they could lose money in the market.
:{| Andy
Andy Leonard, Chief Data Engineer, Enterprise Data & Analytics
-
I think the recent convictions in the Enron and Qwest cases have done more to help prevent fraud. Enron was an anomoly. A big CPA firm colluding to the extent with a relatively small energy firm that made huge money movements. I'm sure CPAs cheat with companies they're auditing all the time, but not to the extent of Enron. At least I hope not. SOX was intended to try and bring those C-levels in line with penalties directly tied to their positions. I'm not entirely sure how to got pushed down to us. AFAIK, no IT guys were fudging numbers. It was the penguin suits up top.
My vote is that the compensation for C-levels needs to be reigned in. NONE of these guys provides 20, 30, 40million in value to a company. They just don't. You might argue there are anomolies (Ellison, Gates, Jobs, Buffet), but the vast, overwhelming majority of CEOs that didn't start the companies don't bring that much value. Stockholders don't care who runs the company as long as it's run well. We should require CEO compensation to be some xx multiple of the lowest white collar job or something. And a reasonable amount. I'd also limit the stock options they can get and use existing laws to remove ALL gains if the options get backdated. No more loans, a few other things would help them focus on running the company and not get so caught up in enjoying their golden parachutes.
-
While I do believe that trust is a huge part of this discussion, as Jerry Weinberg says "trust everyone, but always cut the deck".
I have worked with some really talented, brilliant DBAs and DAs, but sometimes they are so close to the data that they forget what it really is. So we put controls in place to try to minimize damage to customers and the company, but someone is always going to feel that the controls are there to just hassle them.
I had one DBA, who was frustrated that he wasn't allowed to send production data offshore to a developer he'd never met that he managed to get it on to a thumbdrive (yes, a hole in the controls), send it via his Hotmail account and then have that fail due to the size of the attachment. So he uploaded to an open and completely unsecured ftp server he ran at home, then send the guy a link via Hotmail to the developer's Reddiff (Indian version of Hotmail) account.
The DBA was so proud of himself for figuring out how to do this that he came to work the next day and bragged to a bunch of people that he'd managed to figure out how to do something that he wasn't allowed to do -- something that he had been told not to do. He'd actually been told to mangle sensitive data like SSNs, Credit Card and Bank Card numbers prior to sending any data anywhere in the company and to never send any data outside the company.
When I asked him about what he'd done, he went up to the whiteboard and drew it all out, very proudly. When I asked him why he thought we had all those controls and rules in place, he said it was because a manager (mine) was trying to sabotage the offshore company and he was just trying to keep that from happening. When asked why he thought that, he said that's what the developer told him. I asked him how did he know that the reddiff account he sent the data to was actually on our project, he said "because he told me he was".
My head was spinning. How could someone be so gullible? How could someone be so proud of being gullible? How could he not see what risk he was taking? His response? "But no one would be interested in that data -- plus they'd have to have SQL Server in order to see it".
I thought the CIO and the Director we both reported to were going to actually bust a vein in the meeting. I know I was going crazy trying not to lose my temper.
Funny, though, that the DBA was not fired, but managed to do a similar data sharing incident one more time before he was finally let go.
So while the guy had a good heart, he had absolutely no sense of security or risk. It was like dealing with a teenager who can't make reasonable decisions about risk.
For the most part, I trust people (unless they've shown me that I can't) to not be evil about their work. I don't, however, trust most people to care about data. That goes for users, IT pros, and most people I work with. People just don't care about protecting it. That goes for quality and disclosure.
At another company, I would go into the stores and see that a huge binder, used to store customer membership applications, being used to prop open the doors at the front of the store. It is clearly labeled, in 3 inch letters "Membership Applications" and has all kinds of handwritten sensitive data like SSNs, Bank account data, CC info, DL info, etc. And staff in the the stores love to use it as a door prop or paper weight all the time due to its size.
There are far more data breaches going on that anyone in the public realizes. And for the most part, it is because virtually no one cares about protecting it...no matter how many people are financially harmed or killed when it goes out the door.
-
Karen I would say that is anamoly in DBA's you describe though. At least those among us that has been doing this for a while. If I was the boss for that one he would have been guided out the door that day.
In most companies I have worked, I'm the one pushing for more security (both data and physical).
I also question having USB ports on our desktops (I work at a financial company at the moment), yet they make the use of Hotmail etc illegal, and blocked. None seems to care. I'm not sure how the CIA etc deals with this since it is almost impossible to get desktops without USB ports. And yes I realize you could use the other ports for ZIP drives, or even floppy disks, but the USB ports make it soooo easy to take data with you.
-
I tend to agree with Anders. Most DBAs I know hate sending data out the door, even when the manager is complaining you need to do it. I'd require an email trail before I sent production data anywhere.
USB ports? Superglue
I felt the same way. Much as I like my iPod and stuff, it's a hole. Heck most phones, my last Razr and the current Dash use USB ports, easy to move data onto my phone. These days it's not even USB, but bluetooth. I could send 40-50MB of data to my phone through the real Ether-net.
No idea how to handle stuff like this. Bond people, background check (with finances), drug test, etc. and then check up on them. Random checks of phone/iPod/flash drives.
It's a cost and the onerous security probably doesn't work for most companies. Easier to bond someone and pay insurance against data loss. Prosecute people criminally. Not sure what else to do.
-
"But no one would be interested in that data -- plus they'd have to have SQL Server in order to see it". I have not laughed that loud in days!! In my desk drawer I have the SQL 2000 Developer Edition. I restore very large production databases to my Virtual PC all the time. 50 dollars US and I'm in.I needed a laugh this morning. Thanks.
ATBCharles Kincaid
-
The "World of Sports" is just a microcosm of the "World at Large" and both exhibit and reflect the same basic values, morals and ethics.
We notice the "World of Sports" for the same reasons we notice the "World of Hollywood," the "World of Large Corporate Executives" and the "World of Politics," namely lots of money and fame. These are the two things that most of us do not have, but that most of us would like to have; thus the reason why most of us pay attention to these arenas of life.
I say "most of us" because it is a true statement. If the vast majority of people were not consumed with living vicariously through famous sports figures and Hollywood celebs, these two "worlds" would not exist.
The "World of DBAs" should be considered no different than any other "world." It is made up of the same species of creature as all of the other "worlds" - homo sapiens. Humans are notoriously capable of being tempted, and of falling prey to temptation. That is our history.
Our Western culture has effectively removed many of the internal religious and moral controls that guided us in the past and helped to make us appear, at least on a public level, a moral and ethical people.
We now live in a time when Self reigns supreme, and the number one goal of most people is to get the most for themselves in this life. For them, this life is all there is. "Eat, drink and be merry, for tomorrow we die."
Most people used to think, "...for tomorrow we die, and then the Judgment," which tempered the "Eat, drink and be merry..." part. Most people today simply do not believe in life after death, much less a Last Judgment after death, thus that internal control is gone.
My advice to anyone needing to place large amounts of power and money (read: corporate data) into the hands of one or more human beings is to examine their internal controlling factors. What are their worldviews, what moral and ethical system to they subscribe to, and do they really believe what they claim to believe? Do they live them out on a daily basis?
No matter how many external controls you place on a person, unless he or she has a set of internal controls (morals, ethics, religion), that person will try to find a way to exploit their power position for their own gain. The smarter the person, the more need for internal controls.
Viewing 15 posts - 1 through 15 (of 29 total)
You must be logged in to reply to this topic. Login to reply