Securing data from internal theft


shahgols
Hi everyone,

Was just wondering how you have ensured that your company data is secure from internal theft, that someone (developers/analysts/etc.) does not run a report that generates a list of all clients and then run off with it? I had thought about using resource governor to limit the maximum number of rows that queries can return, but this plan is not bulletproof. Anyone have any ideas? Thanks.



LutzM
As per my knowledge there's no way to "ensure data are secure". You could allow dev to only access views instead of tables and use "TOP x" in the view definition. But then you'll run into the risk of wrong results.
Another way would be to prevent access from a removable device such as USB stick or any CD writing device together with a strong monitoring of outgoing mails.
But this would make it only harder to steal data, not impossible.

There's only a single method I know of: trust. If there's any loss of trust, access to sensitive data should be removed immediately. But even then it might be too late. You'll never know (unless you run a permanent profiler trace and analyze the captured data.)



Lutz
A pessimist is an optimist with experience.
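
An added example, not part of the post above or of any poster's own code: one way to combine the view-only access idea with continuous monitoring on SQL Server. It swaps two things plainly: the view limits columns rather than using "TOP x", and SQL Server Audit stands in for a permanent Profiler trace. The database, table, view, role, audit names and the file path are all hypothetical.

```sql
-- Hypothetical objects: database SalesDb, table dbo.Clients, role ReportingDevs.
USE SalesDb;
GO
CREATE ROLE ReportingDevs;
GO
-- Expose only the columns reporting needs. No TOP clause, so results stay correct.
CREATE VIEW dbo.vClientSummary
AS
SELECT ClientId, Region, SignupDate
FROM dbo.Clients;
GO
-- Members can read the view but not the base table. Both objects are owned
-- by dbo, so ownership chaining lets the view work despite the DENY.
GRANT SELECT ON dbo.vClientSummary TO ReportingDevs;
DENY  SELECT ON dbo.Clients        TO ReportingDevs;
GO

-- Server-level audit target (constructed path; the folder must already exist).
USE master;
GO
CREATE SERVER AUDIT ClientDataAudit
TO FILE (FILEPATH = N'D:\Audit\');
GO
ALTER SERVER AUDIT ClientDataAudit WITH (STATE = ON);
GO

-- Record every SELECT against the sensitive table, whoever runs it,
-- including the few accounts that keep direct table access.
USE SalesDb;
GO
CREATE DATABASE AUDIT SPECIFICATION ClientSelectAudit
FOR SERVER AUDIT ClientDataAudit
ADD (SELECT ON OBJECT::dbo.Clients BY public)
WITH (STATE = ON);
GO

-- Review who read the table and with which statement.
SELECT event_time, server_principal_name, [statement]
FROM sys.fn_get_audit_file(N'D:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE [object_name] = N'Clients'
ORDER BY event_time DESC;
```

The audit records who read the table and when; it does not stop an authorized reader from copying what they are allowed to see.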

shahgols
Thanks for your response. I wonder how Banks ensure that the DBAs or developers do not walk off with their data. And health insurance companies. Anyone know?



bitbucket-25253
shahgols (2/10/2012)
Thanks for your response. I wonder how Banks ensure that the DBAs or developers do not walk off with their data. And health insurance companies. Anyone know?


Why single out DBAs / Developers - how about managers / secretaries / sales people?

How about when a manager who is authorized to view the data, gives his secretary / assistant his login name and password and instructs them to run the report let's say every Friday evening at the close of business so that he can see it the first thing on the following Monday morning? And that person feels slighted / insulted or has an adverse event in their off work life, and needs cash NOW.

Or the manager does it all himself, but at the end of the work week places it in his trash bin. The cleaning people who come in to work after normal business hours can then take the report or the manager leaves the report on his desk where it can be seen by anyone who has access to his office.

It's the old saying. "you can trust some of the people some of the time, but not all the people all the time"

If everything seems to be going well, you have obviously overlooked something.

Ron

Possinator
The bank I'm at keeps things locked down pretty tight electronically. There are no external drives on my desktop machine, and I can't open any web email programs on my desktop. There's nothing however to prevent me from printing a big list and walking out with it, other than my abhorrence of paper.

Looking for a Deadlock Victim Support Group..
shahgols
You got great points Rob, thanks for that!

And thanks for your response Burninator. Are you guys allowed to use USB or connect your cell phones to your PCs?



LutzM
shahgols (2/10/2012)
You got great points Rob, thanks for that!

And thanks for your response Burninator. Are you guys allowed to use USB or connect your cell phones to your PCs?


USB storage devices are disabled, Cell Phone connection not allowed. Remote access only via secure VPN including special software on the laptops needed to connect to the production system. Locked down firewall between production network and office network.

Limited access to the file systems of db server for DBAs.

But: there are still a few people with an access level that would allow them to steal data.



Lutz
A pessimist is an optimist with experience.

Dev
That’s it???

In my organization, I don’t have access to any software (in fact very basic like notepad) which is not required for DEV & DBA work. No USBs, no cell phones, no paper printouts, 24*7 monitored (CC TV) development where manager / security (third party) guys can count when we sneeze (and lock the user account on more than 3... LOL)

The biggest drawback, very limited internet access... I am not able to give sufficient time to SSC nowadays.
bitbucket-25253
LutzM (2/11/2012)
shahgols (2/10/2012)
You got great points Rob, thanks for that!

And thanks for your response Burninator. Are you guys allowed to use USB or connect your cell phones to your PCs?


USB storage devices are disabled, Cell Phone connection not allowed. Remote access only via secure VPN including special software on the laptops needed to connect to the production system. Locked down firewall between production network and office network.

Limited access to the file systems of db server for DBAs.

But: there are still a few people with an access level that would allow them to steal data.


Somewhat similar: NO cell phones allowed into building, USB port hardware removed from desktops, desktop outer case has seals to front case, so if outer case was removed the security seal is broken. As far as paper reports, unannounced departure from office security checks, where every package an individual is carrying out, everything removed and inspected. During work day have some classified / sensitive paper work you are authorized to view on your desk, leave desk to get a cup of coffee, all sensitive material must be placed in a desk drawer and said drawer locked. Communications to other company building was via fiber optic cable strung in a metallic tube which was filled with pressurized gas and the tube had pressure sensors. Drop in gas pressure - alarm sounded.

This was not in a bank / insurance company but was construction of military equipment.
In prior answer I pointed out possible loss via cleaning crews. In this instance cleaning crews placed all combustible material in burn bags, which were sealed, and when a sufficient number filled the burn bags were taken to an incinerator, under guard, and burned both the bag and its contents, with the guards observing the process and remaining there until they could verify every last bit was ash.

If everything seems to be going well, you have obviously overlooked something.

Ron

Elliott Whitlow
Having worked in a BIG bank IT dept and the Department of Defense they certainly did take steps, like limiting access to backups outside of the data center. Policies against plugging in non-company owned devices. Every desktop and laptop has whole drive encryption, so if it is lost, misplaced, stolen, etc. whatever data there is not available without significant effort. But even with all the steps taken I certainly could have pulled down proprietary, protected data as a DBA and gotten it out of the office. The point being you have to have a certain level of trust of your people in trusted positions.

If you have information that you absolutely don't want to be able to be siphoned off there are steps that can be taken, BUT those steps are trade-offs to usability, ease of use, and cost. Such things as Citrix and Remote Desktops let you SEE the data but the data doesn't get pulled outside the datacenter, but you have to be connected to the datacenter, no offline access.

You can disable the USB ports and only buy DVD readers. As a case-in-point highlighted by the WikiLeaks thing, why did classified machines have DVD writers AND the software to use them? Why were the USB ports not disabled?

If you want to learn immense amounts about security, study for and take the Security+ exam. If nothing else it gets you thinking about security and its MANY aspects.

CEWII