The Care of Data

  • Comments posted to this topic are about the item The Care of Data

  • Hi Steve, agree with you in almost all aspects. But, "If a cloud vendor's employees can access your files, so can a hacker that gains access". Well yes, but taking away those permissions doesn't make it any harder for the hacker, because you the owner can still access your files, so can the hacker that gains access.

  • Hi Steve ,

    I fully agree with you , I find extremely annoying when DBA's supply information freely with out asking the right questions and have the required paper work to create a audit trail as to who can gain access to the information

    Regards

    Jody

  • “Expect the best, plan for the worst, and prepare to be surprised.”

    I suppose it all come down to a "DBA as facilitator" or "DBA as jail keeper" argument

    Encryption and or obfuscation of data is also an option.

  • It is not only a problem of hackers accessing data or it being disclosed by accident.

    I remember a recent newspaper article here in the UK about criminal gangs infiltrating financial organisations in Scotland to steal customer data. This was done by either getting a member of the gang employed in the organsiation, or more commonly, by the use of co-ersion (financial or threat) on existing low level employees.

    The implication here that access needs to be strictly controlled to only those with a business need to access it and also strict audit controls on who is accessing and extacting data.

  • It is very important for DBAs to understand the importance of protecting sensitive data and the laws/regulations that are associated with their protection. Our role is certainly one of public trust and should be regarded as such.

    Thanks, Steve, for this editorial!

  • The best response to today's editorial (it seems to me) is to remember what should be by now one of the primary axioms of any computer-based business...

    "Anything that can be built, can be broken or reverse-engineered."

    Hoping for better encryption, hardware or software security, is like taking half-steps to the wall. You never get there.

    Ethics and morals are great, of course - when I got my degree (now some 30 years ago) one took Ethics classes focused on handling data - these days I dont think these are even offered.

    Thus, old fart that I am I think what we need is obvious, as it has been for decades...

    We need strong criminal penalties, a government department focused on chasing down hackers, and data thieves, and a committment to understanding that today, we no longer keep vital, sensitive data in file cabinets within the office. All of us personally, and business-wise are in essence, laid out for the taking. You want to stop people stealing and mis-using data? Give them something to fear. Right now, most data theft doesnt even warrant a parking ticket!

    As long as there are very smart people trying to build great stuff, there will be similar very smart people trying to tear it down and hack it up. Let's stop kidding ourselves - there has never been any fully secure solution, and there never will be. But the fear of spending a good part of your life locked up - that might deter some of the more shady very smart people.

    There's no such thing as dumb questions, only poorly thought-out answers...
  • Thank you, Steve, for raising this topic. The give and take of caring for data versus allowing users to manage it is a daily struggle. One aspect of current data storage technology -- and maybe of any data storage technology -- is that ultimately the content is by default neutral with regard to who sees it and with regard to whether it is put to good or evil uses. For every technology that gives users control of securing their data, there will be a criminal who abuses that technology to hide his crimes. And so on. I know that even auditing can be abused and defeated, but it seems to me that following auditing best practices at least gives an organization a chance to see what happened and who did it, even if they can't stop every threat. (Assuming that you don't know ahead of time whether a given user will be using the technology for good or evil purposes.)

    I'm curious to see what some of the more expert people on SSC have to say if they weigh in on this thread.

    - webrunner

    -------------------
    A SQL query walks into a bar and sees two tables. He walks up to them and asks, "Can I join you?"
    Ref.: http://tkyte.blogspot.com/2009/02/sql-joke.html

  • mar10br0 (6/1/2011)


    Hi Steve, agree with you in almost all aspects. But, "If a cloud vendor's employees can access your files, so can a hacker that gains access". Well yes, but taking away those permissions doesn't make it any harder for the hacker, because you the owner can still access your files, so can the hacker that gains access.

    It depends on how this is implemented. Encryption can make a difference here, whereby the owner has to supply some seed/key/hash that isn't apparent to the vendor/employee, nor the hacker.

    Not foolproof, but if encryption can somewhat stymie the governments of the world, it can probably slow down hackers. Or get them to move on to other, easier to crack, places.

  • mar10br0 (6/1/2011)


    Hi Steve, agree with you in almost all aspects. But, "If a cloud vendor's employees can access your files, so can a hacker that gains access". Well yes, but taking away those permissions doesn't make it any harder for the hacker, because you the owner can still access your files, so can the hacker that gains access.

    It depends on how this is implemented. Encryption can make a difference here, whereby the owner has to supply some seed/key/hash that isn't apparent to the vendor/employee, nor the hacker.

    Not foolproof, but if encryption can somewhat stymie the governments of the world, it can probably slow down hackers. Or get them to move on to other, easier to crack, places.

  • blandry (6/1/2011)


    ...We need strong criminal penalties, a government department focused on chasing down hackers, and data thieves, and a committment to understanding that today, we no longer keep vital, sensitive data in file cabinets within the office. All of us personally, and business-wise are in essence, laid out for the taking. You want to stop people stealing and mis-using data? Give them something to fear. Right now, most data theft doesnt even warrant a parking ticket!....

    'Strong criminal penalties' is good for politican photo-ops, but penalties have only a limited effect on crime beyond a certain point, especially tempting crime, crime that can be committed remotely. And it's quite incorrect to say that data theft doesn't warrant a parking ticket, there are already substantial penalties in place ... it's just that getting caught, or even realizing breach has occurred are rare, and they probably will be for the forseable future.

    Just like it's incumbent on banks to physically protect their money it's up to the holders of information to make it very difficult for the wrong people to access it.

    No matter what, however, data theft will not be eliminated, regardless of penalties on criminals or on companies who are victims. We need to rethink about ways to do after-the-fact damage control. One thing that is needed is a streamlined way (both in law and implementation) for individuals to revoke and reissue (to valid organizations) credit/bank account information. Right now it's a hodgepodge, but there is no reason it has to be. One should be able to within minutes abort any access to your accounts, and similarly easily work from a list of suppliers to re-enable access to those that require it.

    It should also be technically possible to have very short lifetimes on stored CC account numbers (i.e. approved vendors will be continuously updated with encrypted signed updates but shortly, within moments, after the information is stolen, its static nature will render it useless.)

    ...

    -- FORTRAN manual for Xerox Computers --

  • jay holovacs (6/1/2011)


    It should also be technically possible to have very short lifetimes on stored CC account numbers (i.e. approved vendors will be continuously updated with encrypted signed updates but shortly, within moments, after the information is stolen, its static nature will render it useless.)

    Interesting idea. Maybe we could get something like the SecureID system for CC's that would render them useless after a few minutes.

    We definitely need to have more responsibility from information holders. Unfortunately I don't see how companies will bother with the effort without some regulation. Either direct regulation (I don't like this), or the requirement of xxx insurance and forcing the insurance companies to push their own rules companies (I like this). The lack of coverage or insurance often has a better impact on a business than direct regulation.

  • Fundamentally, you have to be the guardian of your data. Maybe that means not putting everything you own onto Dropbox. For me, I use only one credit card for all my online purchases. That way, if the number is compromised I only have to deal with the one card. It's your responsibility to balance convenience vs. safety.

    And really, it's quite clear a fundamental assumption cloud providers make about their services is this: don't share it if you don't want it shared.


    James Stover, McDBA

Viewing 13 posts - 1 through 12 (of 12 total)

You must be logged in to reply to this topic. Login to reply