Database/Server Access for Outside Vendor Monitoring

  • Our company has hired an outside vendor to accomplish the day-to-day monitoring of our database environments to free up the company DBAs (myself being one of them) for "more important" tasks, i.e. new projects, etc.  My question is: what kind of access to our production environments can I give them that will allow them to monitor for performance, status of jobs, etc. that will not compromise SOX security requirements?  They will have a fit if they ever discovered that an outside vendor had access to the company's sensitive/classified information, not to mention the company would have a fit as well.

     

    Thanks,

    Steve Ramiro

  • This is indeed a very sensitive issue.

    But the outside vendor needs to have access to your server for monitoring ... and our outside vendor needs to access the server to restart SQL if the SQL Server service stopped for whatever reason.  That means they need to remote login to your server ... and no one can remote login to any server unless they are admin on the Windows server.

    I wonder if it is the same as having a vendor/contractor sitting in the office of the client?

     

    mom

  • I am not getting it.

    You can certainly remotely login to a server not being an admin. For example in Windows 2003 server there is a built-in Remote Desktop Users group. If you are a member of this group you may use Terminal Services without admin privileges.

    I understand the original question was about external access to the network. I would suggest the outside vendor will set up counters on the servers and the script will send results by email.

    Yelena

    Regards, Yelena Varsha

  • I believe that for monitoring SQL Server remotely there is no requirement of administrative privileges. I don't think that an outside vendor will not restart the SQL Server (if he has a requirement to do so he will inform the on-site DBA), and moreover there is much difference between administrating and monitoring.
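    The previous two replies both say monitoring does not need admin rights. The following T-SQL is an added example (not posted by anyone in this thread) of what that looks like in practice: a dedicated login that can read server activity and SQL Agent job outcomes but holds no permission on any user data. It assumes SQL Server 2005 or later with mixed-mode authentication; the login name [vendor_monitor], the password placeholder and the sample database [Payroll] with table dbo.Salaries are assumptions standing in for your own names.

    ```sql
    -- Added example: least-privilege monitoring login for an outside vendor.
    -- Assumptions: SQL Server 2005+, mixed-mode auth, a sample database [Payroll]
    -- with a table dbo.Salaries representing data the vendor must never read.
    -- [vendor_monitor] and the password are placeholders, not values from the thread.

    USE master;
    GO

    -- 1. A dedicated login (never a shared account) so every action in the
    --    server audit trail is attributable to the vendor.
    CREATE LOGIN [vendor_monitor]
        WITH PASSWORD = N'<replace-with-strong-password>',
             CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
    GO

    -- 2. Server-wide read-only view of instance activity: DMVs such as
    --    sys.dm_exec_requests, sys.dm_os_wait_stats and the performance
    --    counters in sys.dm_os_performance_counters. This grants no data access
    --    and no ability to change configuration, kill sessions or restart anything.
    GRANT VIEW SERVER STATE TO [vendor_monitor];
    GO

    -- 3. Read-only view of SQL Agent job status (last outcome, history) via the
    --    fixed msdb role SQLAgentReaderRole, which cannot start, stop or edit jobs.
    USE msdb;
    GO
    CREATE USER [vendor_monitor] FOR LOGIN [vendor_monitor];
    EXEC sp_addrolemember N'SQLAgentReaderRole', N'vendor_monitor';
    GO

    -- 4. Verify from the vendor's point of view by impersonating the login.
    USE master;
    GO
    EXECUTE AS LOGIN = N'vendor_monitor';

    -- Works: currently executing requests and what they are waiting on.
    SELECT r.session_id, r.status, r.command, r.wait_type, r.wait_time
    FROM sys.dm_exec_requests AS r
    WHERE r.session_id > 50;            -- skip system sessions

    -- Works: Agent job outcomes in the last day (run_status 0 = failed, 1 = succeeded).
    SELECT j.name, h.run_status, h.run_date, h.run_time
    FROM msdb.dbo.sysjobhistory AS h
    JOIN msdb.dbo.sysjobs AS j ON j.job_id = h.job_id
    WHERE h.step_id = 0                 -- step 0 is the job-level outcome row
      AND h.run_date >= CONVERT(int, CONVERT(char(8), DATEADD(day, -1, GETDATE()), 112));

    -- Must fail: the login has no user in [Payroll] and no data permission
    -- anywhere, so this raises error 916 (cannot open database) or 229
    -- (SELECT permission denied). Uncomment to confirm during review.
    -- SELECT TOP 1 * FROM Payroll.dbo.Salaries;

    -- Record the effective server-level permissions for the SOX evidence file.
    SELECT permission_name, entity_name
    FROM sys.fn_my_permissions(NULL, 'SERVER');

    REVERT;
    GO
    ```

    Run the verification block as a sysadmin before handing over the credentials and keep its output with the change record; the same EXECUTE AS check is worth repeating after every permission change on the instance, since a later GRANT to a role the vendor belongs to would silently widen their reach. Restarting the service, as the second reply notes, is a separate Windows-level right and should stay with on-site staff or a documented escalation path rather than be folded into the monitoring account.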

  • long shot but ...

    you could advise to set up e.g. CA Unicenter, NetIQ Diagnostic Manager, Veritas Indepth, ... to capture all the needed data and have your "outside-monitoring-staff" only work on the result data and reporting features that your collection tool(s) provide.

    $$ will be involved, but security has a price, and even then you'll have to invest in the proper setup.

    So you'll have to have a very detailed list of the scope of things they will be allowed to perform, see, ...

    This way you may be able to avoid sysadm/sa rights to _all_ your SQL Servers;

    I hope this helps. 

    Johan

    Learn to play, play to learn!

    Don't drive faster than your guardian angel can fly ...
    but keeping both feet on the ground won't get you anywhere :w00t:


  • Yelena makes a good point about emailing performance data from within the databases. 

    I am not sure from your question what kind of monitoring the vendor will do.  If they are just checking resource usage, database growth, etc. you could automate much of this and do without them.  If they will be doing performance tuning, they will need access that will expose your data.  Will they be taking care of updates and patches?

    Your concern for SOX compliance indicates you understand this is more than just a technical issue.   Some things cannot be fully addressed through technology; people and companies have to be held responsible. At a minimum, the vendor should be required to sign a Non-Disclosure Agreement (NDA) if they have access to the actual data.  If you have someone in your organization responsible for SOX, it would be a good idea to ask them what legal and contractual 'hoops' the vendor should jump through.

     

    Good luck

  • The issue sounds more legal than anything else (there are technical points but they are outweighed by the legal ramifications in my opinion). A 'reputable' vendor will have the necessary non-disclosure agreements in place, liability insurance and the like if they are worth their salt. They should meet and discuss the SOX concerns with your management as a part of the changeover in monitoring responsibilities. In this case it's in your best interest to raise the flags of concern to your management and the monitoring company and let them earn their keep, all the while maintaining vigilance and an open mind.

    Regards,
    Rudy Komacsar
    Senior Database Administrator
    "Ave Caesar! - Morituri te salutamus."
