Who Watches the Watchers?
Brandie Tarvin (SSCoach)
Comments posted to this topic are about the item Who Watches the Watchers?

Brandie Tarvin, MCITP Database Administrator
LiveJournal Blog: http://brandietarvin.livejournal.com/
On LinkedIn!, Google+, and Twitter.
Freelance Writer: Shadowrun
Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

Elliott Whitlow (SSChampion)
On one side I somewhat agree with the concept of separation of duties; the problem is that I have seen it taken WAY too far, particularly in big companies, and not far enough in little ones. The big companies tend to be risk averse, so they throw money, people, policy, and tech at it, especially if they are in a regulated industry. But the problem is that all these systems really do is keep honest people honest; the guy who is coming in with the plan to steal from you is not going to be deterred, and in most cases you aren't going to know what hit you until later. Also, in big companies the DBA isn't the watcher; there is often a group (or two) above them that watches. They often go by names like Compliance, and they tend to watch the whole infrastructure as well, from the network switch to the machine to the database.

CEWII
Mark Dalley (SSC Veteran)
Of course, separating duties can help a lot by decreasing the opportunity for, and temptation to, wrongdoing. But regulations don't, and can't, solve the basic problem.

If one defines "human nature" as "what humans do naturally, i.e. when they think no-one is looking / in private / anonymously / if they think there will be no inconvenient consequences", the need for allegiance to a higher ideal than mere self is obvious.

And regarding the Romans, it wasn't as if they weren't aware of the problem. As Juvenal remarked: Quis custodiet ipsos custodes?

Who, indeed?

Mark Dalley
Raju Lalvani (Valued Member)
Who watches the Watcher who watches..... How many levels can one go to?

History has shown that a person who is determined to steal will steal. IT has made it even easier to steal data: instead of stealing physical documents, which would consume lots of space, a pen drive can be used to steal large amounts of data.

I agree human nature is such that what we do when no one is looking is different than when someone is looking.
Grant Fritchey (SSC-Forever)
What, no video?

Excellent editorial. The link seems to be missing to the T-Mobile story in the UK. Any chance of posting it?

We're working with a tough piece of software. SQL Server has made so much of the basic parts of database administration blindingly easy. So it doesn't appear that it needs the kind of specialist that's just assumed with an Oracle or DB2 database. The fact is, it needs a gate-keeper just as much as it needs someone who knows how it works to make sure everything is working correctly.

Oh, and nice draw on the Roman Empire collapse. Some mention of Vercingetorix was in order though.

----------------------------------------------------
The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood...
Theodore Roosevelt

The Scary DBA
Author of: SQL Server Query Performance Tuning and SQL Server Execution Plans
Product Evangelist for Red Gate Software
blandry (Mr or Mrs. 500)
Excellent editorial Brandie and right on the mark!

The problem, really, is that data is an asset to any company, and yet, decades into the computer revolution, most executives and managers don't think of it that way. Sure, company higher-ups will give speeches about the importance and value of data, but they do not know, let alone understand, the particulars of managing and, if you will, shepherding data.

I saw this time and time again during my days in the technical trenches, and then, when I rose through the management ranks, frankly, it only got worse. For example, I remember that in one job I worked the DBA quit and the company directors kept pushing to move one of the younger, (very much) less experienced guys into the position. When I argued that data was an important asset and we needed an experienced, qualified DBA, well, I was shot down. Directors saw it as merely filling a role, or, in the vernacular, getting a warm backside into an empty chair.

If you look deeper into some of the recent data theft incidents such as the hijacking of TJX Corporation's data, what you find is just that. Someone is acting as the DBA when really, they are not a DBA and lack the vital skills necessary to protect data.

For years I have whined on about some definitive measure of what a DBA is, and as your editorial helps to point out, that measure still remains decades overdue.

There's no such thing as dumb questions, only poorly thought-out answers...
laurav (SSC-Enthusiastic)
Great editorial. I had been trying to make the same argument at a "smaller" company (that I left) - we need safeguards in place. As a DBA, I *want* those. I do have the keys to the kingdom, in a way, but there should be some checks and balances. I would tell my managers and IT security folks what I was doing and why, and they would look at me as though I had two heads. I view checks/balances as my safety net too.
Here is the link for the TMobile security breach:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1374722,00.html#
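The checks and balances laurav asks for can be made concrete on the database side. The following is an added example, not laurav's code and not part of the editorial, of a SQL Server Audit that records privilege changes and audit changes on the instance, including those made by members of sysadmin, to a file share the DBA cannot alter. The audit names, the UNC path \\auditshare\sqlaudit\, and the retention settings are assumptions chosen for illustration.

```sql
-- Added example: a server-level audit that watches the people who hold sysadmin.
-- The UNC path \\auditshare\sqlaudit\ is hypothetical. The intent is a share the
-- SQL Server service account can write to, but that the DBA logins (and their
-- Windows accounts) cannot modify or delete from, so the record survives the watched.
USE master;
GO

CREATE SERVER AUDIT [DbaActivityAudit]
TO FILE
(
    FILEPATH = N'\\auditshare\sqlaudit\',
    MAXSIZE = 256 MB,
    MAX_ROLLOVER_FILES = 100,
    RESERVE_DISK_SPACE = OFF
)
WITH
(
    QUEUE_DELAY = 1000,
    -- If the audit target becomes unwritable, stop the instance rather than run unwatched.
    ON_FAILURE = SHUTDOWN
);
GO

CREATE SERVER AUDIT SPECIFICATION [DbaActivitySpec]
FOR SERVER AUDIT [DbaActivityAudit]
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),     -- additions to / removals from sysadmin etc.
    ADD (SERVER_PERMISSION_CHANGE_GROUP),      -- GRANT / DENY / REVOKE at the server level
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),       -- logins created, altered, dropped
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),   -- db_owner and friends
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP),                  -- turning this audit off is itself logged
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP)
WITH (STATE = ON);
GO

ALTER SERVER AUDIT [DbaActivityAudit] WITH (STATE = ON);
GO

-- What the watcher (compliance, security, or an external auditor) reads back from the
-- share: every captured action in the last day, who ran it, from where, and the statement.
SELECT
    f.event_time,
    a.name                          AS action_name,
    f.server_principal_name,
    f.session_server_principal_name,    -- differs from server_principal_name after EXECUTE AS
    f.client_ip,
    f.database_name,
    f.object_name,
    f.statement,
    f.succeeded
FROM sys.fn_get_audit_file(N'\\auditshare\sqlaudit\*', DEFAULT, DEFAULT) AS f
JOIN sys.dm_audit_actions AS a
    ON a.action_id = f.action_id
WHERE f.event_time >= DATEADD(day, -1, SYSDATETIME())
ORDER BY f.event_time;
```

A sysadmin can still stop or drop this audit; the point of AUDIT_CHANGE_GROUP plus a remote share the DBA cannot write to is that doing so leaves a record the DBA cannot erase, and ON_FAILURE = SHUTDOWN makes quietly cutting the write path expensive. The review query should be run by someone other than the DBA, from an account that has only read access to the share.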
Brandie Tarvin (SSCoach)
Grant Fritchey (12/3/2009)
Excellent editorial. The link seems to be missing to the T-Mobile story in the UK. Any chance of posting it?


Sorry about that. This is the same link Steve posted in an editorial a week or two ago:
The T-Mobile Article

Brandie Tarvin (SSCoach)
laurav (12/3/2009)
I would tell my managers and IT security folks what I was doing and why, and they would look at me as though I had two heads. I view checks/balances as my safety net too.


There's something to be said about CYA. But it's not just you you're covering when you do that sort of thing. I think the problem is that corporate officials don't always realize (until you get to the stratospheric heights of management) that data loss and data theft are a monetary issue. 1s and 0s don't count for much. It's *just* information.

But if you start putting a dollar amount on the issue, it might help draw attention to your plight.

Here are the things I would start adding monetary values to: bad publicity, legal fees, paying for the customer's credit monitoring for the next X number of years, losing market share, re-training employees (or getting new ones) and the possible cost of hardware improvements (wireless credit card machines broadcasting in the clear, anyone?).

Hand them that invoice, and I guarantee they'll either think you're crazy or finally sit up and take notice.

Grant Fritchey (SSC-Forever)
laurav (12/3/2009)
Great editorial. I had been trying to make the same argument at a "smaller" company (that I left) - we need safeguards in place. As a DBA, I *want* those. I do have the keys to the kingdom, in a way, but there should be some checks and balances. I would tell my managers and IT security folks what I was doing and why, and they would look at me as though I had two heads. I view checks/balances as my safety net too.
Here is the link for the TMobile security breach:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1374722,00.html#


Thanks again. I missed that article. Man, that's messed up. No details though. Was the guy in IT or just some sales puke with WAY too much access? Perfect example for your editorial though.