
Corporate Hackers

By Steve Jones, 2009/07/14


You might think that IT departments are not doing a good job since it's employees that seem to lose more data than hackers get, but I'm not sure that's true. On one hand, the report mentioned in the link shows that hackers don't get into a lot of systems and that IT people generally seem to be doing a good job of securing systems. On the other hand, it says lots of data is still being lost, and it's employees that are doing the losing!

As long as people have been involved with information and data, the information gets leaked. It's human nature to want to share and want to help others with their jobs. And we tend to trust people, so we tend to get fooled often through social engineering. That likely will never change as we have plenty of rules, but people still break them regularly to help friends or themselves. It's not usually malicious; it's often just to make their jobs easier.

One of the things that we often do is automate most of the protections and controls of the data in our systems, but eventually we have to let a human see data and when we do, there's the potential for them to release it. And anytime we allow someone to work offline, we make them more productive, but our system is less secure. It's a balancing act that we have to achieve to ensure people can get work done securely.

That doesn't mean that we've solved the problems we have of securing our systems. In fact, it seems more and more that administrators are confused about how to set up security, or how the model actually works. It's a problem with Active Directory and Exchange as well as SQL Server. With so many accidental DBAs working on SQL Server, it seems that this is a bigger and bigger problem all the time.

There are really two problems that need to be solved with security in computer systems. The first is making systems more secure, with stronger tools and techniques for preventing hackers, or even employees, from disclosing data. The second is that we need to make it easy for people to understand the security model and how to set it up. This means that more people can actually apply the security they need to systems.

With SQL Server 2008, Policy Based Management (PBM) seems like it has the chance to help with issues here, but as of yet it's still a raw tool built more for management of servers and DBAs rather than other administrators and developers. Time will determine how this tool evolves and if it provides better security over time.

Steve Jones


The Voice of the DBA Podcasts

Everyday Jones

The podcast feeds are available at sqlservercentral.mevio.com. Comments are definitely appreciated and wanted, and you can get feeds from there.


Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.

I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.
