Maintain Your Trustworthiness


  • You mean human beings accessing accounts they shouldn't, using tools they shouldn't be using, in a manner that has not been authorised? There is legitimate monitoring software to provide governance for a number of things.

    • Ensure that no-one stores GDPR sensitive data on their workstations or inappropriate file shares

    • Track what software is installed on workstations
    • Parse emails for use of profanities

    • Checking emails with attachments

    • ...etc

  • I completely agree.

    Trust of users is the key for my organisation; and I believe that is one thing that should never be compromised.

  • Reading this editorial really disturbed me. Perhaps the phrasings are more innocent than I am allowing them to be. But my sense of integrity feels a bit infringed, so to speak. Having been that DBA and Administrator for many years and by definition of my roles, I have had all that data sitting right in front of me. But never once did I look at data sources for the sake of looking, curiosity about how an organization functions or insight into anything at all. This editorial seems to be redefining just who we are and how we behave, and that we have some level of entitlement in our role or that people should just expect that we are going to see and digest confidential data that we otherwise should not see.

    Throughout my career, I have managed and held the keys for seriously confidential data belonging to institutions and individuals who needed, beyond any doubt, the best and most trustworthy individuals to maintain that data, its integrity and its security throughout the management and maintenance processes. Never once have I ever looked at data for the sake of looking at it. I would be horrified if any of my employers ever thought that I did. My mantra has always been and always will be that I don't care what the data is; I have no interest in gleaning some bit of insight into any situation that I should not be party to. I don't even care if the system I administer could contain an organization's plans to eliminate my department or me as an individual contributor. I just don't care. But what I do care about is that the data is safe and with proper DR; that the systems perform correctly with whatever diagnostics are needed.

    I think the bar of integrity needs to be maintained at a very high level. And if we are doing our jobs right, we shouldn't give a rat's ass what the data is - even if someone tells us. That's not what we are here for.

    I would love to hear from others who feel similar.

  • In a previous role I found out shortly after joining that the password for the HR & Payroll database was known to all of the developers in the company, and they regularly logged in to check what other people were getting paid, how old they were, where they lived, etc. etc. Naturally I kicked up a massive shitstorm when I found out, and got it locked down, but there were backups of that data all over the place on users' individual laptops.

    In my current role I have access to the HR & Payroll database again, but have never logged in to check anything. (While I'd love to know what my colleagues get paid, I think it's a major, major breach of trust.) Anyway, I'm very glad I never did, because it turns out that the auditing everybody thought was broken, isn't broken, and there is a huge list of who logged in and whose HR records they looked at. VERY embarrassing for some people to have to justify why they looked up their boss's salary, etc.

  • jkuhne - Wednesday, August 15, 2018 5:29 AM

    Reading this editorial really disturbed me. Perhaps the phrasings are more innocent than I am allowing them to be. But my sense of integrity feels a bit infringed, so to speak. Having been that DBA and Administrator for many years and by definition of my roles, I have had all that data sitting right in front of me. But never once did I look at data sources for the sake of looking, curiosity about how an organization functions or insight into anything at all. This editorial seems to be redefining just who we are and how we behave, and that we have some level of entitlement in our role or that people should just expect that we are going to see and digest confidential data that we otherwise should not see.

    Throughout my career, I have managed and held the keys for seriously confidential data belonging to institutions and individuals who needed, beyond any doubt, the best and most trustworthy individuals to maintain that data, its integrity and its security throughout the management and maintenance processes. Never once have I ever looked at data for the sake of looking at it. I would be horrified if any of my employers ever thought that I did. My mantra has always been and always will be that I don't care what the data is; I have no interest in gleaning some bit of insight into any situation that I should not be party to. I don't even care if the system I administer could contain an organization's plans to eliminate my department or me as an individual contributor. I just don't care. But what I do care about is that the data is safe and with proper DR; that the systems perform correctly with whatever diagnostics are needed.

    I think the bar of integrity needs to be maintained at a very high level. And if we are doing our jobs right, we shouldn't give a rat's ass what the data is - even if someone tells us. That's not what we are here for.

    I would love to hear from others who feel similar.

    I'm with you on this. It's not "my" data, it's the company's data, and if I need to know what that data is, they'll tell me or instruct me to go looking. I've been asked to poke through our databases to see if there's any PII, and while my method is not the most exact, it was sufficient for our purposes. I scoured the tables, checking column names for the most obvious variations of SSN. If I found such, I raised it to my boss, who in some cases then told me to check further, so I selected the suspicious column(s) and checked the data. I wasn't "looking" at the data so much as looking at the pattern of the data.

    So if an SSN column had data like ABCD123-wer, yeah, not a social security number.  But, if it had 123456789 or 123-45-6789, then there's a good chance someone was storing unencrypted SSNs.  Findings would be relayed to my boss and I let them handle it from there.

    Frankly, being trustworthy as a DBA, or any sysadmin role, should be paramount.  After all, DBAs and sysadmins have "the keys to the foundation of the kingdom" and can bring a company down for hours, days, weeks, or forever.
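    The column-name sweep and pattern check the post above describes, written out as a T-SQL script. This is an added example, not the poster's own script. It assumes SQL Server, a constructed list of column-name variants (SSN, SocSec, Social...Sec, TaxId), and it deliberately reports only row counts per column, so the reviewer learns the shape of what is stored without ever selecting the values themselves.

```sql
-- Added example: find columns that look like SSN fields by name, then count how
-- many stored values match the two common SSN shapes (123-45-6789 / 123456789).
-- Only counts are returned; the values never leave the query.
SET NOCOUNT ON;

IF OBJECT_ID('tempdb..#Candidates') IS NOT NULL DROP TABLE #Candidates;
IF OBJECT_ID('tempdb..#Results')    IS NOT NULL DROP TABLE #Results;

CREATE TABLE #Candidates (SchemaName sysname, TableName sysname, ColumnName sysname);
CREATE TABLE #Results    (SchemaName sysname, TableName sysname, ColumnName sysname,
                          TotalRows bigint, SsnShapedRows bigint);

-- Step 1: candidate columns by name (constructed list of the "obvious variations").
INSERT INTO #Candidates (SchemaName, TableName, ColumnName)
SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
FROM INFORMATION_SCHEMA.COLUMNS AS c
JOIN INFORMATION_SCHEMA.TABLES  AS t
  ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
WHERE t.TABLE_TYPE = 'BASE TABLE'
  AND c.DATA_TYPE IN ('char','varchar','nchar','nvarchar','int','bigint','numeric','decimal')
  AND (   c.COLUMN_NAME LIKE '%SSN%'
       OR c.COLUMN_NAME LIKE '%Social%Sec%'
       OR c.COLUMN_NAME LIKE '%SocSec%'
       OR c.COLUMN_NAME LIKE '%TaxId%');

-- Step 2: for each candidate, count rows whose value matches an SSN shape.
-- Dynamic SQL is built from catalog names only; QUOTENAME keeps identifiers safe.
DECLARE @SchemaName sysname, @TableName sysname, @ColumnName sysname, @sql nvarchar(max);

DECLARE cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT SchemaName, TableName, ColumnName FROM #Candidates;
OPEN cur;
FETCH NEXT FROM cur INTO @SchemaName, @TableName, @ColumnName;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Cast to string so numeric columns get the same test; trim char padding.
    SET @sql = N'INSERT INTO #Results (SchemaName, TableName, ColumnName, TotalRows, SsnShapedRows)
        SELECT @s, @t, @c, COUNT_BIG(*),
               COUNT_BIG(CASE
                   WHEN LTRIM(RTRIM(CAST(' + QUOTENAME(@ColumnName) + N' AS nvarchar(50))))
                        LIKE ''[0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]''
                     OR LTRIM(RTRIM(CAST(' + QUOTENAME(@ColumnName) + N' AS nvarchar(50))))
                        LIKE ''[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]''
                   THEN 1 END)
        FROM ' + QUOTENAME(@SchemaName) + N'.' + QUOTENAME(@TableName) + N';';
    EXEC sys.sp_executesql @sql,
         N'@s sysname, @t sysname, @c sysname',
         @s = @SchemaName, @t = @TableName, @c = @ColumnName;
    FETCH NEXT FROM cur INTO @SchemaName, @TableName, @ColumnName;
END
CLOSE cur; DEALLOCATE cur;

-- Step 3: report. A column like ABCD123-wer scores zero; one full of 123-45-6789
-- scores high and goes to the manager to decide what happens next.
SELECT SchemaName, TableName, ColumnName, TotalRows, SsnShapedRows
FROM #Results
ORDER BY SsnShapedRows DESC, SchemaName, TableName, ColumnName;
```

    Because a LIKE pattern without wildcards only matches values of exactly that length, the nine-digit test does not fire on longer numeric IDs that happen to contain nine digits; widen the name list or add patterns for other identifiers if the review scope grows.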

  • I completely agree with the idea that we should never look at data out of curiosity. But I also think that we should be careful to define our searches of data. For instance, once I had been asked to generate four or five reports and began to suspect the manager was looking for something. I reached out and was able to find the answer to her inquiry. To be sure it involved looking through a lot of data to find the pattern she wanted to know. So looking for insights when invited to me is fine. Sometimes the data is there, but not just the way someone is expecting.

    As for management spying on employees: while such represents a lack of trust, the trust was already breached. Employees should know that their actions on the computer might be spied on. They should be reminded that such is within the power of the company. And... they should behave accordingly. All the same, management takes on a huge role of responsibility when said spying starts showing an employee logged into their personal bank records or other private areas.

  • David.Poole - Wednesday, August 15, 2018 1:28 AM

    You mean human beings accessing accounts they shouldn't, using tools they shouldn't be using, in a manner that has not been authorised? There is legitimate monitoring software to provide governance for a number of things.

    • Ensure that no-one stores GDPR sensitive data on their workstations or inappropriate file shares

    • Track what software is installed on workstations
    • Parse emails for use of profanities

    • Checking emails with attachments

    • ...etc

    There is software for this, but I've rarely found this to be software in budget, and cumbersome to implement with the rules for what data is sensitive. What's worse is that it becomes a set it and forget it for sysadmins or security folks.

  • jkuhne - Wednesday, August 15, 2018 5:29 AM

    Reading this editorial really disturbed me. Perhaps the phrasings are more innocent than I am allowing them to be. But my sense of integrity feels a bit infringed, so to speak. Having been that DBA and Administrator for many years and by definition of my roles, I have had all that data sitting right in front of me. But never once did I look at data sources for the sake of looking, curiosity about how an organization functions or insight into anything at all. This editorial seems to be redefining just who we are and how we behave, and that we have some level of entitlement in our role or that people should just expect that we are going to see and digest confidential data that we otherwise should not see.

    I don't think that was the phrasing, but perhaps I've mis-worded things. I point out that we can see the data, and often do. If a user asks why a query for salaries (or other data) doesn't work, we'll see the data.

    I say it's incumbent upon us to maintain confidentiality, and also if we see any strange software in use, or others accessing this data, we say something. In no way have I implied any of us are breaking confidentiality.

  • Insider threats don't receive the attention or remediation that they should. The link Steve has in the post is interesting. This guy had 9 people working with him? That is bordering on organized crime. The article does not say but I wonder how they caught him?

  • Steve Jones - SSC Editor - Wednesday, August 15, 2018 8:40 AM

    jkuhne - Wednesday, August 15, 2018 5:29 AM

    Reading this editorial really disturbed me. Perhaps the phrasings are more innocent than I am allowing them to be. But my sense of integrity feels a bit infringed, so to speak. Having been that DBA and Administrator for many years and by definition of my roles, I have had all that data sitting right in front of me. But never once did I look at data sources for the sake of looking, curiosity about how an organization functions or insight into anything at all. This editorial seems to be redefining just who we are and how we behave, and that we have some level of entitlement in our role or that people should just expect that we are going to see and digest confidential data that we otherwise should not see.

    I don't think that was the phrasing, but perhaps I've mis-worded things. I point out that we can see the data, and often do. If a user asks why a query for salaries (or other data) doesn't work, we'll see the data.

    I say it's incumbent upon us to maintain confidentiality, and also if we see any strange software in use, or others accessing this data, we say something. In no way have I implied any of us are breaking confidentiality.

  • jkuhne - Wednesday, August 15, 2018 9:18 AM

    Steve Jones - SSC Editor - Wednesday, August 15, 2018 8:40 AM

    jkuhne - Wednesday, August 15, 2018 5:29 AM

    Reading this editorial really disturbed me. Perhaps the phrasings are more innocent than I am allowing them to be. But my sense of integrity feels a bit infringed, so to speak. Having been that DBA and Administrator for many years and by definition of my roles, I have had all that data sitting right in front of me. But never once did I look at data sources for the sake of looking, curiosity about how an organization functions or insight into anything at all. This editorial seems to be redefining just who we are and how we behave, and that we have some level of entitlement in our role or that people should just expect that we are going to see and digest confidential data that we otherwise should not see.

    I don't think that was the phrasing, but perhaps I've mis-worded things. I point out that we can see the data, and often do. If a user asks why a query for salaries (or other data) doesn't work, we'll see the data.

    I say it's incumbent upon us to maintain confidentiality, and also if we see any strange software in use, or others accessing this data, we say something. In no way have I implied any of us are breaking confidentiality.

    Thanks Steve! And I totally get that your editorial serves great purpose in maintaining that bar. I wouldn't want anyone to think that when we speak about data security and trustworthiness in our roles that the notion of confidentiality comes with a wink.

    Of course, that begs another question: how are others bringing in the new guard? With unemployment levels as they are, the potential to unwittingly place "unsavory types" in trusted roles can introduce these kinds of problems to an organization. I suppose there are always options to outsource to professional services, who by virtue of their separation from a client's internal affairs and politics have no stake in viewing confidential data.

  • jkuhne - Wednesday, August 15, 2018 9:45 AM

    Of course, that begs another question: how are others bringing in the new guard? With unemployment levels as they are, the potential to unwittingly place "unsavory types" in trusted roles can introduce these kinds of problems to an organization. I suppose there are always options to outsource to professional services, who by virtue of their separation from a client's internal affairs and politics have no stake in viewing confidential data.

    I think vetting people to ensure no background issues and no major problems in previous positions is the best you can do. That and trying to form some judgment in an interview, though I often try to ensure there are multiple people to get different impressions.

    Outside of that, early hires ought to be on probation and their actions reviewed to be sure they don't do this. Some trust is given, but most is earned.

  • The sysadmin charged with guarding the gate doesn't necessarily need the key to every door inside the castle. For databases containing sensitive data, there should be something like column level encryption and someone other than the DBA holds the private keys.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell - Wednesday, August 15, 2018 12:32 PM

    The sysadmin charged with guarding the gate doesn't necessarily need the key to every door inside the castle. For databases containing sensitive data, there should be something like column level encryption and someone other than the DBA holds the private keys.

    This becomes much harder when DBAs aren't strictly just doing pure SQL administration. In that case, sure, you might be able to implement application-level encryption, but it's very common for DBAs, or in general the people who manage the databases, to be involved with development, data analysis, troubleshooting data issues, etc.
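    The "someone other than the DBA holds the keys" design from the two posts above, shown as the SQL Server feature that implements it: Always Encrypted, where the column master key never enters the database engine. This is an added example, not either poster's own DDL. It assumes a schema named HR, a certificate held in a Windows certificate store on an HR application host the DBA does not administer, and uses placeholders for the certificate thumbprint and the wrapped key value, which the key custodian generates with SSMS or the SqlServer PowerShell module.

```sql
-- Added example: Always Encrypted layout in which the DBA can back up, index and
-- troubleshoot the table but cannot decrypt Salary or SSN, because the column
-- master key (CMK) lives outside the engine and is held by a separate custodian.

-- 1) Metadata only: the engine records WHERE the CMK is, never the key itself.
CREATE COLUMN MASTER KEY HR_CMK
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/<CERTIFICATE-THUMBPRINT-PLACEHOLDER>'  -- placeholder
);

-- 2) The column encryption key (CEK), stored only in wrapped form. Unwrapping
--    happens inside the client driver on a host that has the certificate.
CREATE COLUMN ENCRYPTION KEY HR_CEK
WITH VALUES (
    COLUMN_MASTER_KEY = HR_CMK,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00  -- placeholder; the custodian supplies the real wrapped key
);

-- 3) Sensitive columns are encrypted client-side; server-side they are ciphertext.
--    Deterministic encryption allows equality lookups on SSN (and requires a
--    BIN2 collation); randomized encryption hides even repeated Salary values.
CREATE TABLE HR.Employee (
    EmployeeId int           NOT NULL PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    Salary     money         NOT NULL
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = HR_CEK,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    SSN        char(11) COLLATE Latin1_General_BIN2 NOT NULL
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = HR_CEK,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256')
);

-- A db_owner running SELECT Salary FROM HR.Employee gets varbinary ciphertext.
-- Plaintext appears only on a connection with "Column Encryption Setting=Enabled"
-- running on a host that can reach the certificate behind HR_CMK.
```

    This is exactly the trade-off the reply above raises: the moment the DBA is also the person troubleshooting data issues, somebody has to grant them (or a session they use) access to the certificate, and that grant should be the explicit, logged exception rather than the default.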
