More Data Security Issues
Steve Jones (SSC-Dedicated, 36K reputation)
Group: Administrators
Points: 36375 Visits: 18759
Comments posted to this topic are about the item More Data Security Issues

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
David.Poole (Hall of Fame, 3.7K reputation)
Group: General Forum Members
Points: 3710 Visits: 3121
It's a sad fact that a percentage of any population will be morally challenged.

Another percentage will be opportunistic. If you had a piece of software and a licence key, would you install it on your home kit? How about an illicit MP3, CD or DVD? For those of you who are legitimately outraged and indignant at the aspersion, you are in a worryingly small minority.

Then there is the behaviour that manifests when a relationship breaks down.

Years back I did a module on employee relations, and a story (hopefully an urban legend/myth) was told about a dispute at a steel works. Apparently cyanide is routinely used in some processes, and because of the dangers involved, flasks of a liquid to counteract the effects of cyanide poisoning were within easy reach.

In the event of cyanide poisoning speed is of the essence, so the idea was that the liquid was drunk, but the inevitable consequence was that the human body would expel whatever it could by whatever method it could via every pore and orifice it could. During an acrimonious industrial dispute, management learnt to fear the coffee urn, canteen food and the drinking fountain.

LinkedIn Profile

Newbie on www.simple-talk.com
chrisn-585491 (SSC Eights!, 980 reputation)
Group: General Forum Members
Points: 980 Visits: 2323
There has been a large decline in ethical leadership worldwide and a growing lack of loyalty towards employees and citizens. Considering this environment, it's pretty much a given that theft and breaches will happen. It doesn't help that our government discourages accountability and massively funds data theft.

The problem with encryption and other measures is that people are lazy and management doesn't want to spend money on tools and training. When a large percentage of the technical professionals I've met don't even understand the basics of PKI and topics of that ilk, it's evident that the industry as a whole is only paying lip service to security and is cargo-culting on a minimal, as-needed basis.
IMHO (Old Hand, 307 reputation)
Group: General Forum Members
Points: 307 Visits: 276
I'd be interested to know what the main motivation is for insider data breaches. Is it random vandalism, retaliation, greed, a sense that something the company is doing is wrong and needs to be exposed? Something else?
I would also like to know how much data is secured that doesn't really need to be secured. I've met many people who seem to have a fixation on securing things that don't really need to be. Some DBAs tend to have a warrior mentality when there may not be any actual war.
Steve Jones (SSC-Dedicated, 36K reputation)
Group: Administrators
Points: 36375 Visits: 18759
IMHO (6/25/2013)
I'd be interested to know what the main motivation is for insider data breaches. Is it random vandalism, retaliation, greed, a sense that something the company is doing is wrong and needs to be exposed? Something else?
I would also like to know how much data is secured that doesn't really need to be secured. I've met many people who seem to have a fixation on securing things that don't really need to be. Some DBAs tend to have a warrior mentality when there may not be any actual war.

I doubt it's one thing. In the restaurant business, we'd see lots of inside issues, and it ranged from vandalism (throwing things away) to theft/greed (stealing money or alcohol), but the latter might be because someone needs money (not making enough), or they feel entitled (they're not paying me enough) to fun (my friends and I want free drinks).

Eric M Russell (SSCarpal Tunnel, 4.7K reputation)
Group: General Forum Members
Points: 4661 Visits: 9582
By and large, employees are granted more access to data than they really need to perform their job functions. I'm surprised when people talk about a database with dozens or hundreds of users. Do individual users really need access to the database?
All you need are a handful of service accounts, one for each security role. Users should access data via the application, and auditing is used to keep track of what requests users make.


"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."
Gary Varga (SSCrazy Eights, 8.4K reputation)
Group: General Forum Members
Points: 8429 Visits: 6180
Eric M Russell (6/25/2013)
By and large, employees are granted more access to data than they really need to perform their job functions. I'm surprised when people talk about a database with dozens or hundreds of users. Do individual users really need access to the database?
All you need are a handful of service accounts, one for each security role. Users should access data via the application, and auditing is used to keep track of what requests users make.


This is another cost of the departmental Access/Excel application.

Also a cost of the lack of ethics in business from top to bottom. I particularly see people being forced (or pressured is probably more fair) to stay longer than both necessary to perform their job and longer than agreed (by employment contract). This results in people using some of their time at their desks for their own purposes, if only training.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Eric M Russell (SSCarpal Tunnel, 4.7K reputation)
Group: General Forum Members
Points: 4661 Visits: 9582
Gary Varga (6/25/2013)
Eric M Russell (6/25/2013)
By and large, employees are granted more access to data than they really need to perform their job functions. I'm surprised when people talk about a database with dozens or hundreds of users. Do individual users really need access to the database?
All you need are a handful of service accounts, one for each security role. Users should access data via the application, and auditing is used to keep track of what requests users make.


This is another cost of the departmental Access/Excel application.

Also a cost of the lack of ethics in business from top to bottom. I particularly see people being forced (or pressured is probably more fair) to stay longer than both necessary to perform their job and longer than agreed (by employment contract). This results in people using some of their time at their desks for their own purposes, if only training.

It's late in the evening, an employee is disgruntled about being asked to work overtime, and they have an open query window with select permission on every table in the database, if not full sysadmin privilege. It's a bad scenario, and employee training won't fix it. It's management and sysadmins who need to be trained on how to avoid this.

djackson 22568 (Right there with Babe, 751 reputation)
Group: General Forum Members
Points: 751 Visits: 1180
I agree that developers need to get better at using proper techniques.

That said, companies are the real root cause of poor software. The opposition to allowing time to code, test and validate is the largest issue. I know a lot of developers that WANT TO write better code, but are not allowed to.

Dave
Eric M Russell (SSCarpal Tunnel, 4.7K reputation)
Group: General Forum Members
Points: 4661 Visits: 9582
djackson 22568 (6/25/2013)
I agree that developers need to get better at using proper techniques.

That said, companies are the real root cause of poor software. The opposition to allowing time to code, test and validate is the largest issue. I know a lot of developers that WANT TO write better code, but are not allowed to.

Developers may be members of DBO or even SYSADMIN when they log in to a development database using their domain account. They need that for creating tables, procedures, etc. However, when unit testing or performing QA, they should log in using a separate account that has the same name and least privileges as the application account (should have) in production. If testing is not done under a least-privilege account like this, then many organizations will punt and grant full DBO or SYSADMIN rights to the application account.

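The two practices Eric describes above (one service account per security role, with users going through the application, and a developer test account that carries exactly the application's production rights) as an added T-SQL example that is not from the thread; the database, schema, role, login, procedure and server audit names are assumptions.

```sql
-- Added example, not code from the thread. Assumes database OrdersDb with a
-- dbo-owned schema [app] holding the application's stored procedures, and a
-- server audit named OrdersAudit already created and enabled.
USE OrdersDb;
GO

-- 1. One database role per security role: it may only call application procedures.
--    dbo-owned procedures still reach dbo-owned tables through ownership chaining,
--    so the role never needs (and here is explicitly denied) direct table access.
CREATE ROLE app_orders_rw AUTHORIZATION dbo;
GRANT EXECUTE ON SCHEMA::app TO app_orders_rw;
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_orders_rw;
GO

-- 2. The production service account: no individual user logins on the database.
CREATE LOGIN OrdersApp WITH PASSWORD = '<strong-password-placeholder>', CHECK_POLICY = ON;
CREATE USER OrdersApp FOR LOGIN OrdersApp;
ALTER ROLE app_orders_rw ADD MEMBER OrdersApp;

-- 3. The developer test account: same role membership, nothing more, so QA runs
--    with the rights the application will actually have in production.
CREATE LOGIN OrdersApp_Test WITH PASSWORD = '<strong-password-placeholder>', CHECK_POLICY = ON;
CREATE USER OrdersApp_Test FOR LOGIN OrdersApp_Test;
ALTER ROLE app_orders_rw ADD MEMBER OrdersApp_Test;
GO

-- 4. Verify by impersonating the test account: procedure call allowed,
--    direct table read denied, no server-level sysadmin membership.
EXECUTE AS USER = 'OrdersApp_Test';
SELECT HAS_PERMS_BY_NAME('app.usp_PlaceOrder', 'OBJECT', 'EXECUTE') AS can_exec_proc,  -- expect 1
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT')          AS can_read_table, -- expect 0
       IS_SRVROLEMEMBER('sysadmin')                                 AS is_sysadmin;    -- expect 0
REVERT;
GO

-- 5. Audit what the role's members request, so activity is attributable per request.
CREATE DATABASE AUDIT SPECIFICATION OrdersAppActivity
    FOR SERVER AUDIT OrdersAudit
    ADD (EXECUTE, SELECT, INSERT, UPDATE, DELETE ON SCHEMA::app BY app_orders_rw)
    WITH (STATE = ON);
GO
```

The verification query in step 4 is the check worth keeping in a deployment script: if it ever returns 1 for the table read or the sysadmin column, the test account has drifted from the least-privilege baseline the thread argues for.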