Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase 12»»

Securing data from internal theft Expand / Collapse
Author
Message
Posted Wednesday, February 8, 2012 12:49 PM
SSChasing Mays

SSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing Mays

Group: General Forum Members
Last Login: Thursday, July 24, 2014 11:33 AM
Points: 627, Visits: 4,975
Hi everyone,

Was just wondering how you have ensured that your company data is secure from internal theft, that someone (developers/analysts/etc.) does not run a report that generates all list of clients and then runs off with it? I had thought about using resource governor to limit the maximum number of rows that queries can return, but this plan is not bullet proof. Anyone has any ideas? Thanks.



Post #1249278
Posted Wednesday, February 8, 2012 1:07 PM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Today @ 4:39 PM
Points: 7,038, Visits: 12,951
As per my knowledge there's no way to "ensure data are secure". You could allow dev to only access views instead of tables and use "TOP x" inthe view definition. But then you'll run into the risk of wrong results.
Another way would be to prevent access from a removeable device such as USB stick or any CD writing device together with a strong monitoring of outgoing mails.
But this would make it only harder to steel data, not impossible.

There's only a single method I know of: trust. If there's any lost of trust, access to sensitive data should be removed immediately. But even then it might be too late. You'll never know (unless you run a permanent profiler trace and analyze the captured data.)




Lutz
A pessimist is an optimist with experience.

How to get fast answers to your question
How to post performance related questions
Links for Tally Table , Cross Tabs and Dynamic Cross Tabs , Delimited Split Function
Post #1249293
Posted Friday, February 10, 2012 3:21 PM
SSChasing Mays

SSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing Mays

Group: General Forum Members
Last Login: Thursday, July 24, 2014 11:33 AM
Points: 627, Visits: 4,975
Thanks for your response. I wonder how Banks ensure that the DBAs or developers do not walk off with their data. And health insurance companies. Anyone know?


Post #1250590
Posted Friday, February 10, 2012 3:52 PM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Today @ 8:11 PM
Points: 5,571, Visits: 24,767
shahgols (2/10/2012)
Thanks for your response. I wonder how Banks ensure that the DBAs or developers do not walk off with their data. And health insurance companies. Anyone know?


Why single out DBAs / Developers - how about managers / secretaries / sales people?

How about when a manger who is authorized to view the data, gives his secretary / assistant his login name and password and instructs then to run the report lets say every Friday evening at the close of business so that he can see it the first thing on the following Monday morning? And that person feels slighted / insulted or has an adverse event in their off work life, and need cash NOW.

Or the manager does it all himself, but at the end of the work week places it in his trash bin. The cleaning people who come in to work after normal business hours can then take the report or the manager leaves the report on his desk where it can be seen by anyone who has access to his office.

Its the old saying. "you can trust some of the people some of the time, but not all the people all the time"



If everything seems to be going well, you have obviously overlooked something.

Ron

Please help us, help you -before posting a question please read

Before posting a performance problem please read
Post #1250597
Posted Friday, February 10, 2012 4:26 PM


SSC-Addicted

SSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-Addicted

Group: General Forum Members
Last Login: Wednesday, May 14, 2014 4:36 PM
Points: 494, Visits: 1,122
The bank I'm at keeps things locked down pretty tight electronically. There are no external drives on my desktop machine, and I can't open any web email programs on my desktop. There's nothing however to prevent me from printing a big list and walking out with it, other than my abhorance of paper.

Looking for a Deadlock Victim Support Group..
Post #1250608
Posted Friday, February 10, 2012 5:11 PM
SSChasing Mays

SSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing MaysSSChasing Mays

Group: General Forum Members
Last Login: Thursday, July 24, 2014 11:33 AM
Points: 627, Visits: 4,975
You got great points Rob, thanks for that!

And thanks for your response Burninator. Are you guys allowed to use USB or connect your cell phones to your PCs?



Post #1250625
Posted Saturday, February 11, 2012 2:34 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Today @ 4:39 PM
Points: 7,038, Visits: 12,951
shahgols (2/10/2012)
You got great points Rob, thanks for that!

And thanks for your response Burninator. Are you guys allowed to use USB or connect your cell phones to your PCs?


USB storage devices are disabled, Cell Phone connection not allowed. Remote access only via secure VPN including special software on the laptops needed to connect to the production system. Locked down firewall between production network and office network.

Limited acces to the file systems of db server for DBAs.

But: there are still a few people with an access level that would allow to steal data.




Lutz
A pessimist is an optimist with experience.

How to get fast answers to your question
How to post performance related questions
Links for Tally Table , Cross Tabs and Dynamic Cross Tabs , Delimited Split Function
Post #1250682
Posted Saturday, February 11, 2012 4:13 AM


SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Tuesday, July 22, 2014 5:56 AM
Points: 2,013, Visits: 1,584
That’s it???

In my organizations, I don’t have access to any software (in fact very basic like notepad) which is not required for DEV & DBA work. No USBs, no cell phones, no paper printouts, 24*7 monitored (CC TV) development where manager / security (third party) guys can count when we sneeze (and lock the user account on more than 3... LOL )

The biggest drawback, very limited internet access... I am not able to give sufficient time to SSC nowadays.


Dev

Devendra Shirbad | BIG Data Architect / DBA | Ex-Microsoft CSS (SQL 3T) | Open Network for Data Professionals...
LinkedIn: http://www.linkedin.com/in/devendrashirbad
Post #1250710
Posted Saturday, February 11, 2012 5:17 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Today @ 8:11 PM
Points: 5,571, Visits: 24,767
LutzM (2/11/2012)
shahgols (2/10/2012)
You got great points Rob, thanks for that!

And thanks for your response Burninator. Are you guys allowed to use USB or connect your cell phones to your PCs?


USB storage devices are disabled, Cell Phone connection not allowed. Remote access only via secure VPN including special software on the laptops needed to connect to the production system. Locked down firewall between production network and office network.

Limited acces to the file systems of db server for DBAs.

But: there are still a few people with an access level that would allow to steal data.


Somewhat similar NO cell phones allowed into building, USB port hardware removed from desk tops, desk top outer case has seals to front case, so if outer case was removed the security seal is broken. As far as paper reports, unannounced departure from office security checks, where every package an individual is carrying out, everything removed and inspected. During work day have some classified / sensitive paper work you are authorized to view on your desk, leave desk to get a cup of coffee, all sensitive material must be placed in a desk drawer and said draw locked. Communications to other company building was via fiber optic cable strung in a metallic tube which was filled with pressurized gas and the tube had pressure sensors. Drop in gas pressure - alarm sounded.

This was not in a bank / insurance company but was construction of military equipment.
In prior answer I pointed out possible loss via cleaning crews. In this instance cleaning crews placed all combustible material in burn bags, which were sealed, and when a sufficient number filled the burn bags were taken to an incinerator, under guard, and burned both the bag and its contents, with the guards observing the process and remaining there until they could verify every last bit was ash.


If everything seems to be going well, you have obviously overlooked something.

Ron

Please help us, help you -before posting a question please read

Before posting a performance problem please read
Post #1250725
Posted Saturday, February 11, 2012 9:28 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Thursday, May 15, 2014 5:11 PM
Points: 6,067, Visits: 5,283
Having worked in a BIG bank IT dept and the Department of Defense they certainly did take steps, like limiting access to backups outside of the data center. Policies against plugging in non-company owned devices. Every desktop and laptop has whole drive encryption, so if it is lost, misplaced, stolen, etc whatever data there is not available without significant effort. But even with all the steps taken I certainly could have pulled down propoprietary, protected data as a DBA and gotten it out of the office. The point being you have to have a certain level of trust of your people in trusted postions.

If you have information that you absolutely don't want to be able to be siphoned off there are steps that can be taken, BUT those steps are trade-offs to usability, ease of use, and cost. Such things as Citrix and Remote Desktops let you SEE the data but the data doesn't get pulled outside the datacenter, but you have to be connected to the datacenter, no offline access.

You can disable the USB ports and only buy DVD readers. As a case-in-point highlighted by the WikiLeaks thing, why did classified machines have DVD writers AND the software to use them? Why were the USB ports not disabled?

If you want to learn immense amounts about security, study for and take the Security+ exam. If nothing else it gets you thinking about security and its MANY aspects.

CEWII
Post #1250766
« Prev Topic | Next Topic »

Add to briefcase 12»»

Permissions Expand / Collapse