Who Watches the Watchers?

Brandie Tarvin, 2014-10-16 (first published: 2009-12-03)

This editorial was originally published on Dec 3, 2009. It is being republised as Steve is on vacation.

When I worked in retail and the education industry, cashiers did not write out the bank deposit slips. Accounts Receivable clerks did not pay the bills. Accounts Payable clerks (the bill payers) did not accept money from the customers and the people who did the bank deposit slips did not serve as Cashiers. It's a little thing called "Separation of Duties" and has grown out of a need to make sure embezzlement (or outright theft) is controlled in environments that handle money.

What does this have to do with Database Administrators? Everything, actually. There are a lot of "accidental DBAs" in this world. An accidental DBA is a developer or power user given responsibility for managing her company's database servers because the company can't afford a real DBA. And there are a lot of companies who use one DBA (or a small team) to do everything in the book: Development, Production support, Server maintenance, Business Intelligence, etc.

So, basically, there are DBAs in the what would be the position of Accountant, Comptroller, Accounts Payable & Receivable Clerk and Cashier all at the same time. Now, you might say data isn't money, but since companies are paying out millions to compensate customers who have lost their identity due to company negligence, I have to disagree.

Why is this a big deal?

Recently, there's been a lot of press about identity theft and data theft. Much of it is caused by outside hackers who exploit a weakness in a company's network / server and steal the information that way. And shame on them. But the disturbing part is when data theft comes from inside the company you trust (see this article about T-Mobile in the U.K.). And since this affects my job, I just have to say "Shame on you" to those who do it.

Database Administrators are the stewards, the final protectors, the Knights of the Round Server, who are responsible for taking care of the data and making sure it isn't used irresponsibly. When people pull stunts like the T-Mobile guy, it makes everyone's job harder. New laws and new pressures from the boss (hovering over your shoulder because he can't trust that you aren't going to be one of those data theft people) just make doing a normal's day work even more difficult.

And it's not always a DBA that does the internal theft. There are some companies that don't have business rules set up around the compilation of data. Or, if they do, have their employees so terrified of disobeying the higher-ups, that the poor DBA will do whatever necessary to keep their job. Think of those DBAs who, when requested by their boss or other managers, have to churn out pages of data (or CDs of data) that could contain personally identifying information for people. They don't necessarily know what this data will be used for. They can do their best to encrypt it, password protect it, etc., and the data can STILL get misused.

At a certain point, the paranoia generated by stunts like this becomes ridiculous. After all, the only way to truly make a database safe is to unplug the network cable and lock it in a safe in Iron Mountain's Pennsylvania salt mine facility and even then, it's not truly protected so long as someone knows the safe combination or can cut through it with a blow torch. Right?

Let's not even discuss natural disasters at this point in the conversation.

So who watches the watchers? Where is the line between Separation of Duties and the need to be able to do one's job effectively? Will there be Citizen DBA Commissioners sitting beside every database administrator and data user to make sure nothing is misused?

Let's hope not. Database Administrators have the keys to the kingdom. Someone has to be trusted with that ultimate Admin Account password. And everyone who works with private information (or even semi-private information) needs to remember that what they do reflects on everyone who does these jobs. Ethics and integrity are a necessary basis for a fully-functional civilization. Those civilizations that don't play by those rules tend to tumble down. Don't believe me? Bone up on your history of the Roman Republic / Roman Empire. This is the most recognizable example I can give you.

Rant over. Soapbox stuffed back under the couch.

Lockdown or Let Them Free

by Steve Jones

SQLServerCentral.com

Editorial

Do we take security too far? Are we creating unnecessary rules for those that need to use the resources we support? Steve Jones talks today about security and how we might want to approach it when handling rights for developers.

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

4.5 (2)

You rated this post out of 5. Change rating

2014-06-27 (first published: 2009-09-21)

217 reads

Discuss

Placing a Value on Data

by Steve Jones

SQLServerCentral.com

Editorial

What's your stolen data worth? It might be worth investigating, as Steve Jones suggests. Then you'll know how much you should be spending to protect it.

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

You rated this post out of 5. Change rating

2009-08-05

66 reads

Discuss

The Danger of Algorithms

by Steve Jones

SQLServerCentral.com

Editorial

What problems occur because of the algorithm chosen to generate data? A new report says that social security numbers in the US can be predicted. Steve Jones has a few warnings about what algoriothms you choose.

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

You rated this post out of 5. Change rating

2014-04-28 (first published: 2009-07-27)

326 reads

Discuss

Administering Securely

by Steve Jones

SQLServerCentral.com

Editorial

A common request is how can you secure SQL Server data and prevent the system administrator from viewing data. Steve Jones talks a little about the issue and how you can handle it.