Who Watches the Watchers?
Posted Wednesday, December 02, 2009 9:04 PM
Comments posted to this topic are about the item Who Watches the Watchers?

Brandie Tarvin, MCITP Database Administrator

Webpage: http://www.BrandieTarvin.net
LiveJournal Blog: http://brandietarvin.livejournal.com/
On LinkedIn!, Google+, and Twitter.

Freelance Writer: Shadowrun
Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.
Post #827917
Posted Wednesday, December 02, 2009 9:22 PM
On one side I somewhat agree with the concept of separation of duties; the problem is that I have seen it taken WAY too far, particularly in big companies, and not far enough in little ones. The big companies tend to be risk averse, so they throw money, people, policy, and tech at it, especially if they are in a regulated industry. But the problem is that all these systems really do is keep honest people honest; the guy who is coming in with the plan to steal from you is not going to be deterred, and in most cases you aren't going to know what hit you until later. Also, in big companies the DBA isn't the watcher; there is often a group (or two) above them that watches. They often go by names like Compliance, and they tend to watch the whole infrastructure as well, from the network switch to the machine to the database.

CEWII
Post #827922
Posted Thursday, December 03, 2009 5:31 AM
Of course, separating duties can help a lot by decreasing the opportunity for, and temptation to, wrongdoing. But regulations don't, and can't, solve the basic problem.

If one defines "human nature" as "what humans do naturally, i.e. when they think no-one is looking / in private / anonymously / if they think there will be no inconvenient consequences", the need for allegiance to a higher ideal than mere self is obvious.

And regarding the Romans, it wasn't as if they weren't aware of the problem. As Juvenal remarked: Quis custodiet ipsos custodes?

Who, indeed?

Mark Dalley
Post #828073
Posted Thursday, December 03, 2009 5:47 AM
Who watches the Watcher who watches..... How many levels can one go to?

History has shown that a person who is determined to steal will steal. IT has made it even easier to steal data: instead of stealing physical documents, which would consume lots of space, a pen drive can be used to steal large amounts of data.

I agree human nature is such that what we do when no one is looking is different than when someone is looking.
Post #828084
Posted Thursday, December 03, 2009 5:52 AM
What, no video?

Excellent editorial. The link seems to be missing to the T-Mobile story in the UK. Any chance of posting it?

We're working with a tough piece of software. SQL Server has made so much of the basic parts of database administration blindingly easy. So it doesn't appear that it needs the kind of specialist that's just assumed with an Oracle or DB2 database. The fact is, it needs a gate-keeper just as much as it needs someone who knows how it works to make sure everything is working correctly.

Oh, and nice draw on the Roman Empire collapse. Some mention of Vercingetorix was in order though.


----------------------------------------------------
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood..." Theodore Roosevelt
The Scary DBA
Author of: SQL Server 2012 Query Performance Tuning
SQL Server 2008 Query Performance Tuning Distilled
and
SQL Server Execution Plans

Product Evangelist for Red Gate Software
Post #828086
Posted Thursday, December 03, 2009 6:02 AM
Excellent editorial Brandie and right on the mark!

The problem, really, is that data is an asset to any company, and yet decades into the computer revolution most executives and managers don't think of it that way. Sure, company higher-ups will give speeches about the importance and value of data, but they do not know, let alone understand, the particulars of managing and, if you will, shepherding data.

I saw this time and time again during my days in the technical trenches and then when I rose through the management ranks, frankly, it only got worse. For example, I remember in one job I worked the DBA quit and the company directors kept pushing to move one of the younger, (very much) less experienced guys into the position. When I argued that data was an important asset and we needed an experienced, qualified DBA, well, I was shot down. Directors saw it as merely filling a role, or in the vernacular, getting a warm backside into an empty chair.

If you look deeper into some of the recent data theft incidents such as the hijacking of TJX Corporation's data, what you find is just that. Someone is acting as the DBA when really, they are not a DBA and lack the vital skills necessary to protect data.

For years I have whined on about some definitive measure of what a DBA is, and as your editorial assists in pointing out, that measure still remains decades overdue.




There's no such thing as dumb questions, only poorly thought-out answers...
Post #828089
Posted Thursday, December 03, 2009 6:03 AM
Great editorial. I had been trying to make the same argument at a "smaller" company (that I left) - we need safeguards in place. As a DBA, I *want* those. I do have the keys to the kingdom, in a way, but there should be some checks and balances. I would tell my managers and IT security folks what I was doing and why, and they would look at me as though I had two heads. I view checks/balances as my safety net too.
Here is the link for the T-Mobile security breach:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1374722,00.html#
Post #828090
Posted Thursday, December 03, 2009 6:08 AM
Grant Fritchey (12/3/2009)
Excellent editorial. The link seems to be missing to the T-Mobile story in the UK. Any chance of posting it?


Sorry about that. This is the same link Steve posted in an editorial a week or two ago:
The T-Mobile Article



Brandie Tarvin, MCITP Database Administrator
Post #828091
Posted Thursday, December 03, 2009 6:23 AM
laurav (12/3/2009)
I would tell my managers and IT security folks what I was doing and why, and they would look at me as though I had two heads. I view checks/balances as my safety net too.


There's something to be said about CYA. But it's not just you you're covering when you do that sort of thing. I think the problem is that corporate officials don't always realize (until you get to the stratospheric heights of management) that data loss and data theft is a monetary issue. 1s and 0s don't count for much. It's *just* information.

But if you start putting a dollar amount on the issue, it might help draw attention to your plight.

Here are the things I would start adding monetary values to: bad publicity, legal fees, paying for the customer's credit monitoring for the next X number of years, losing market share, re-training employees (or getting new ones) and the possible cost of hardware improvements (wireless credit card machines broadcasting in the clear, anyone?).

Hand them that invoice, and I guarantee they'll either think you're crazy or finally sit up and take notice.


Brandie Tarvin, MCITP Database Administrator
Post #828100
Posted Thursday, December 03, 2009 6:24 AM
laurav (12/3/2009)
Great editorial. I had been trying to make the same argument at a "smaller" company (that I left) - we need safeguards in place. As a DBA, I *want* those. I do have the keys to the kingdom, in a way, but there should be some checks and balances. I would tell my managers and IT security folks what I was doing and why, and they would look at me as though I had two heads. I view checks/balances as my safety net too.
Here is the link for the T-Mobile security breach:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1374722,00.html#


Thanks again. I missed that article. Man, that's messed up. No details though. Was the guy in IT or just some sales puke with WAY too much access? Perfect example for your editorial though.


The Scary DBA
Post #828102