December 6, 2006 at 5:10 pm
Privileged Access
This article is about email, but it could just have easily be about data in your SQL Server database. In any company, there are a few IT people that have access to most all of the company's data. It's probably you if you're a regular member of SQLServerCentral.com as most of us are the DBAs that manage the production systems.
And often those production systems have data that's critical or sensitive and shouldn't be accessed by too many people. It might be confidential sales information, HR data such as salaries, or some other data element that a very limited number of people should be able to access. However as much as we'd like to be sure access is limited to those that need to know, often permissions creep as applications change, on-the-fly changes are made, or exceptions get granted.
However even if you keep tight control of permissions, ultimately a system administrator can still gain access to most, if not all, of your data. Which means that you need to trust your administrators to act as custodians of the data and not maliciously disclose information to outsiders. Or use it for their own purposes, which could expose your firm to a variety of legal penalties.
This trust is one of the reasons that I'm always surprised that system administrators are often not treated as valuable employees. I know many other positions are not treated with the respect in accordance to the value of the data, but system administrators are in a unique position of being custodians of tremendous amounts of data. Cleaning workers may have access to your entire company, but they aren't charged with managing the company during the day. Paralegals can access most records, but they aren't necessarily able to access all the data.
System administrators for the OS, mail, or databases, are truly positions that require a great deal of trust. I really believe that most of us will need to be bonded at some point because of the potential issues if a system administraotr violated that trust. Social engineering shouldn't work on most admins, but I certainly could see bribery or some other criminal activity working more and more as the value of the data goes up and criminals offer more to tempt you to disclose data.
Steve Jones
December 7, 2006 at 7:12 am
From your keypad to our CEO's ears (or eyes).
Tool bad there aren't more CEOs or CFOs reading these pages, too. Then, maybe, we'd be paid better.
December 7, 2006 at 7:22 am
I agree with just about everything you say except the bonding part. Bonding is where a gurantee of service or payment of company/individual A is made by a bonding company for the benefit of company/individual B. If company/individual A defaults on their service or payment, the bonding company will make good the service or payment to company/individual B. Then the bonding company will pursue company/individual A through the legal system.
If we were private contractors providing DBA services to a company, then bonding would be appropriate.
For an in-house DBA, though, who admittedly has the "keys to the kingdom", there must be other things you can do. Certainly background checks are appropriate. The military requires of its high risk members that they provide curosry financial statements. The financial statements have the power of perjury hanging over them. Maybe something like this like a sworn financial statement.
December 7, 2006 at 8:45 am
So... DB Admins should be 'more trustworthy' than other employees. I can understand that, but I don't think they should be paid any more because of it. If you can't trust your top-level employees, regardless of pay scale... then you can't trust anyone. People who have access to all the data can seriously hurt a company as you said, but if they decide to to that, they have commited a crime in most cases. If you can't trust people to not commit criminal acts against the company... again, the problem is not with pay scale. I agree that admins are often not acknowledged for their work and most probably should be getting more money, but as we saw with Enron, more money doesn't solve the trust/honesty issues.
December 7, 2006 at 10:11 am
I dunno ... color me a half a bubble off ...
It has nothing to do with trust - this is something you earn. It's actually professionalism - something you practice at work or in your career.
again ... color me a half a bubble off ...
RegardsRudy KomacsarSenior Database Administrator"Ave Caesar! - Morituri te salutamus."
December 7, 2006 at 12:28 pm
Ok, but what color?
I'm in agreement, though I'd prefer to be one full bubble off.
There's too many people these days suffering from too much of the entitlement delusion. And paying for honor is the surest way not to get it or destroy it.
If you're not treated to your liking change it, get another job, or embrace it. If the bosses are too dimwitted to properly descriminate character while hiring and they put too much sensitive information in the hands of those disgruntlables they hire, and it comes back to bite them later... Well, that's just nature, cause and effect.
(how do you say "screw Ceasar" in latin?... and the equus he road in on.)
December 7, 2006 at 1:25 pm
On a less serious note . . .
I LOVE the reference to "Spies Like Us"!
Chevy: "What is our final objetive?"
CIA Guy: "That information is given on a need to know basis, and you don't need to know"
December 7, 2006 at 1:59 pm
The solution suggested by the article is encrypting all your corporate data. Then they say the cost for that could range from $100,000 to $1 million, and that only a few very large companies do that.
That's a lot of money to spend on a POTENTIAL problem when management in most cases doesn't perceive it as too likely to be a problem. And of course it would also have to move ahead in the priority stack when in most cases people already have a lot on their plates.
On the human side, yes, it would be good if management, in general, treated employees better -- all of them. Even though Sys Admins have the Keys to the Kingdom, many other employees could also do significant harm to their own company if that was their mindset.
December 8, 2006 at 8:46 am
I'm probably a bubble and a half off, most likely colored purple or fuschia, maybe bland oatmeal.
Payment doesn't have to money. I think a more respectful treatment would pay a lot more to the trusted admins than a few sheckels.
December 8, 2006 at 9:16 am
In course of life, the intangibles, by far, outweigh the tangibles in life.
Have a great weekend Steve !
RegardsRudy KomacsarSenior Database Administrator"Ave Caesar! - Morituri te salutamus."
December 8, 2006 at 9:27 am
"other employees could also do significant harm to their own company if that was their mindset."
Yeah but we can do it totally by accident! Heheeheeee
Viewing 11 posts - 1 through 10 (of 10 total)
You must be logged in to reply to this topic. Login to reply