Securing data from internal theft

  • Hi everyone,

    Was just wondering how you have ensured that your company data is secure from internal theft, that someone (developers/analysts/etc.) does not run a report that generates a list of all clients and then runs off with it? I had thought about using resource governor to limit the maximum number of rows that queries can return, but this plan is not bulletproof. Does anyone have any ideas? Thanks.

  • As per my knowledge there's no way to "ensure data are secure". You could allow dev to only access views instead of tables and use "TOP x" in the view definition. But then you'll run into the risk of wrong results.

    Another way would be to prevent access from a removable device such as USB stick or any CD writing device together with a strong monitoring of outgoing mails.

    But this would make it only harder to steal data, not impossible.

    There's only a single method I know of: trust. If there's any loss of trust, access to sensitive data should be removed immediately. But even then it might be too late. You'll never know (unless you run a permanent profiler trace and analyze the captured data.)



    Lutz
    A pessimist is an optimist with experience.

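
The trace analysis mentioned in the reply above (capture queries, then analyze what was captured), as an added example that is not part of the original thread: it reads constructed rows shaped like a trace export and flags logins whose reads of a client table look like bulk extraction, including reads split into chunks that each stay under a per-query limit. The column names follow Profiler's LoginName, StartTime, RowCounts and TextData data columns; the table name `dbo.Clients`, the thresholds and the sample rows are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows (not real data), shaped like a trace export.
SAMPLE_TRACE = """LoginName,StartTime,RowCounts,TextData
asmith,2012-02-10 09:14:02,25,SELECT * FROM dbo.Clients WHERE Region = 'NW'
asmith,2012-02-10 09:20:41,500000,SELECT * FROM dbo.AuditLog
bjones,2012-02-10 17:55:10,182000,SELECT * FROM dbo.Clients
cwu,2012-02-10 18:01:00,9000,SELECT * FROM dbo.Clients WHERE ClientID BETWEEN 1 AND 9000
cwu,2012-02-10 18:02:00,9000,SELECT * FROM dbo.Clients WHERE ClientID BETWEEN 9001 AND 18000
cwu,2012-02-10 18:03:00,9000,SELECT * FROM dbo.Clients WHERE ClientID BETWEEN 18001 AND 27000
cwu,2012-02-10 18:04:00,9000,SELECT * FROM dbo.Clients WHERE ClientID BETWEEN 27001 AND 36000
"""


def flag_bulk_reads(trace_csv, table="dbo.Clients", per_query=10000, per_day=30000):
    """Return {login: [reasons]} for logins whose reads of `table` look like bulk extraction.

    `table`, `per_query` and `per_day` are assumed values; tune them to the
    report sizes that are normal for the environment being monitored.
    """
    daily = defaultdict(int)    # (login, day) -> rows returned from `table`
    alerts = defaultdict(list)  # login -> human-readable reasons
    for row in csv.DictReader(io.StringIO(trace_csv)):
        # Naive substring match on the statement text; a real deployment
        # would also have to cover views and procedures that read the table.
        if table.lower() not in row["TextData"].lower():
            continue
        rows = int(row["RowCounts"] or 0)  # the column can be empty for some events
        login, day = row["LoginName"], row["StartTime"][:10]
        if rows >= per_query:
            alerts[login].append(f"{row['StartTime']}: single query returned {rows} rows")
        daily[(login, day)] += rows
    # A per-query cap alone misses chunked reads, so also check the daily total.
    for (login, day), total in daily.items():
        if total >= per_day:
            alerts[login].append(f"{day}: {total} rows from {table} in one day")
    return dict(alerts)


if __name__ == "__main__":
    for login, reasons in flag_bulk_reads(SAMPLE_TRACE).items():
        for reason in reasons:
            print(login, "-", reason)
```
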

  • Thanks for your response. I wonder how Banks ensure that the DBAs or developers do not walk off with their data. And health insurance companies. Anyone know?

  • shahgols (2/10/2012)


    Thanks for your response. I wonder how Banks ensure that the DBAs or developers do not walk off with their data. And health insurance companies. Anyone know?

    Why single out DBAs / Developers - how about managers / secretaries / sales people?

    How about when a manager who is authorized to view the data, gives his secretary / assistant his login name and password and instructs them to run the report let's say every Friday evening at the close of business so that he can see it the first thing on the following Monday morning? And that person feels slighted / insulted or has an adverse event in their off work life, and needs cash NOW.

    Or the manager does it all himself, but at the end of the work week places it in his trash bin. The cleaning people who come in to work after normal business hours can then take the report or the manager leaves the report on his desk where it can be seen by anyone who has access to his office.

    It's the old saying. "you can trust some of the people some of the time, but not all the people all the time"

    If everything seems to be going well, you have obviously overlooked something.

    Ron


  • The bank I'm at keeps things locked down pretty tight electronically. There are no external drives on my desktop machine, and I can't open any web email programs on my desktop. There's nothing however to prevent me from printing a big list and walking out with it, other than my abhorrence of paper.

    Looking for a Deadlock Victim Support Group..

  • You got great points Rob, thanks for that!

    And thanks for your response Burninator. Are you guys allowed to use USB or connect your cell phones to your PCs?

  • shahgols (2/10/2012)


    You got great points Rob, thanks for that!

    And thanks for your response Burninator. Are you guys allowed to use USB or connect your cell phones to your PCs?

    USB storage devices are disabled, Cell Phone connection not allowed. Remote access only via secure VPN including special software on the laptops needed to connect to the production system. Locked down firewall between production network and office network.

    Limited access to the file systems of db server for DBAs.

    But: there are still a few people with an access level that would allow to steal data.



    Lutz
    A pessimist is an optimist with experience.


  • That’s it???

    In my organization, I don’t have access to any software (in fact very basic like notepad) which is not required for DEV & DBA work. No USBs, no cell phones, no paper printouts, 24*7 monitored (CCTV) development where manager / security (third party) guys can count when we sneeze (and lock the user account on more than 3... LOL)

    The biggest drawback, very limited internet access... I am not able to give sufficient time to SSC nowadays.

  • LutzM (2/11/2012)


    shahgols (2/10/2012)


    You got great points Rob, thanks for that!

    And thanks for your response Burninator. Are you guys allowed to use USB or connect your cell phones to your PCs?

    USB storage devices are disabled, Cell Phone connection not allowed. Remote access only via secure VPN including special software on the laptops needed to connect to the production system. Locked down firewall between production network and office network.

    Limited access to the file systems of db server for DBAs.

    But: there are still a few people with an access level that would allow to steal data.

    Somewhat similar: NO cell phones allowed into the building, USB port hardware removed from desktops, desktop outer case has seals to front case, so if the outer case was removed the security seal is broken. As far as paper reports, unannounced departure from office security checks, where every package an individual is carrying out, everything removed and inspected. During the work day, have some classified / sensitive paperwork you are authorized to view on your desk, leave desk to get a cup of coffee, all sensitive material must be placed in a desk drawer and said drawer locked. Communications to other company buildings was via fiber optic cable strung in a metallic tube which was filled with pressurized gas and the tube had pressure sensors. Drop in gas pressure - alarm sounded.

    This was not in a bank / insurance company but was construction of military equipment.

    In prior answer I pointed out possible loss via cleaning crews. In this instance cleaning crews placed all combustible material in burn bags, which were sealed, and when a sufficient number filled the burn bags were taken to an incinerator, under guard, and burned both the bag and its contents, with the guards observing the process and remaining there until they could verify every last bit was ash.

    If everything seems to be going well, you have obviously overlooked something.

    Ron


  • Having worked in a BIG bank IT dept and the Department of Defense they certainly did take steps, like limiting access to backups outside of the data center. Policies against plugging in non-company owned devices. Every desktop and laptop has whole drive encryption, so if it is lost, misplaced, stolen, etc whatever data there is not available without significant effort. But even with all the steps taken I certainly could have pulled down proprietary, protected data as a DBA and gotten it out of the office. The point being you have to have a certain level of trust of your people in trusted positions.

    If you have information that you absolutely don't want to be able to be siphoned off there are steps that can be taken, BUT those steps are trade-offs to usability, ease of use, and cost. Such things as Citrix and Remote Desktops let you SEE the data but the data doesn't get pulled outside the datacenter, but you have to be connected to the datacenter, no offline access.

    You can disable the USB ports and only buy DVD readers. As a case-in-point highlighted by the WikiLeaks thing, why did classified machines have DVD writers AND the software to use them? Why were the USB ports not disabled?

    If you want to learn immense amounts about security, study for and take the Security+ exam. If nothing else it gets you thinking about security and its MANY aspects.

    CEWII

  • No one gets an internet connection, all USB ports are physically removed as are all other ports that could be used for memory such as flash cards, all media drives such as CDs and DVDs are physically removed, drives are fully encrypted such as Elliot suggests, keyboards, mice, and monitors are all soldered in place instead of simply being plugged in, all rooms are radio shrouded using fine mesh grounded copper screening, no electronic devices are allowed such as calculators, cell phones, no one can bring in or out a pencil, etc, no one is allowed to talk, and cavity searches for everyone! 😀

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.



  • At a certain point, you have to look at security vs. utility. The safest airplane is one that never leaves the ground, but it's not very useful.

    There is no perfect security, unless you delete all your data. There is always some way around it, and often very low tech. Like putting a computer in a box and giving it to the mailroom to ship somewhere.

  • There are also legal issues surrounding this. Certainly in the UK you would normally have watertight clauses in your employment contract regarding data theft, non-disclosure.

    There was a data leak incident last year at a UK bank and all employees privy to the leaked data were reminded strongly about the terms covering this and the consequences if they also leaked the data.

    Probably also covered by civil if not criminal law?

  • Your data security is as good as your staff.

    Take your security measures, keep the data access to a minimum and don't forget to make a good investment in HR.

  • david.gray 17570 (2/13/2012)


    There are also legal issues surrounding this. Certainly in the UK you would normally have watertight clauses in your employment contract regarding data theft, non-disclosure.

    There was a data leak incident last year at a UK bank and all employees privy to the leaked data were reminded strongly about the terms covering this and the consequences if they also leaked the data.

    Probably also covered by civil if not criminal law?

    Such things are very common in employee handbooks here. However the policy is only as good as people WILLING to follow it. In most cases data leaks are not criminal only civil matters. If you take client data with you and use it to build your business you haven't really committed a crime but you have probably violated your employment agreement and they can sue, but you aren't going to jail (which is pretty much how I define whether it's really a crime, no jail - no crime) doesn't mean what ya did was right or that you couldn't get whacked civilly..

    On military installations, when you are dealing with classified information the network wiring goes into a secure wiring closet. You aren't allowed to take ANYTHING electronic in there, about the only thing would be a watch, even then not a REALLY high tech one. PDA, nope, phone, nope, computer, nope, thumb drive, nope, etc.. If you do, it stays in there.. More than a few people have lost new phones that way.

    There is always a trade-off, another poster mentioned that as well. There has to be a balance and some trust, you can never be 100% safe.

    There is a book called "Beyond Fear" by Bruce Schneier (sp?) that talks a lot about risk, I highly recommend it.

    One thing to avoid is security theater, things that make you look safer without actually MAKING you safer. I would categorize airline security largely this way here in the states.

    CEWII
