August 24, 2009 at 11:10 am
For a point of clarification: The term "Two Factor Authentication" is normally applied to a situation where two forms of identification are required to authenticate a single individual -- such as a username, password and a changing number from an RSA token, or a biometric such as a fingerprint. This is normally applied to remote logins to corporate systems, and/or access to secure systems where just a password is not considered sufficient.
What's been discussed so far is really classed as "Dual/Two person control". My company is small, but does deal with financial security, and we are constantly fighting with dual control situations, in that any change in user permissions, system security etc. must be approved, audited and tracked. Because we have not been able to develop a dual control process for these types of changes, we are required to regularly audit the SQL permissions (and C2 audit logs) against an external "approval" list of permissions to verify there have been no "unapproved" changes.
We are still running 2005, so any ideas on how to establish dual control for specific functions would be greatly appreciated.
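One way to get a two-person control onto permission changes in SQL Server 2005, and to turn the manual "compare against the approval list" audit above into a query, is a database-scoped DDL trigger plus two tables. This is an added example, not code from the thread or from any poster; the table names dbo.PermissionChangeApproval and dbo.ApprovedPermission, the trigger name trg_DualControlPermissions, and the 24-hour approval window are assumptions made for illustration.

```sql
-- Added example (not from the thread). Assumed names: dbo.PermissionChangeApproval,
-- dbo.ApprovedPermission and trg_DualControlPermissions are hypothetical; the 24-hour
-- approval window is an assumption. Uses only SQL Server 2005 features (DDL triggers, EVENTDATA()).

-- 1. Approval queue. Grant INSERT on this table to the approvers only; the CHECK
--    constraint stops the requester from approving their own change.
CREATE TABLE dbo.PermissionChangeApproval (
    ApprovalID   int IDENTITY(1,1) PRIMARY KEY,
    RequestedBy  sysname        NOT NULL,  -- login that will run the GRANT/REVOKE/role change
    ApprovedBy   sysname        NOT NULL,  -- second person who signed it off
    CommandText  nvarchar(max)  NOT NULL,  -- exact statement approved, single-line, trimmed
    ApprovedAt   datetime       NOT NULL DEFAULT GETDATE(),
    UsedAt       datetime       NULL,      -- set when the approval is consumed
    CONSTRAINT CK_PermissionChangeApproval_TwoPersons CHECK (RequestedBy <> ApprovedBy)
);
GO

-- 2. Database-scoped DDL trigger: a permission or role-membership change goes through
--    only if an unused, recent approval exists for this login and this exact statement.
CREATE TRIGGER trg_DualControlPermissions
ON DATABASE
FOR GRANT_DATABASE, DENY_DATABASE, REVOKE_DATABASE, ADD_ROLE_MEMBER, DROP_ROLE_MEMBER
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @ev xml, @login nvarchar(128), @cmd nvarchar(max), @id int;
    SET @ev    = EVENTDATA();
    SET @login = @ev.value('(/EVENT_INSTANCE/LoginName)[1]', 'nvarchar(128)');
    SET @cmd   = @ev.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)');

    -- Normalise line breaks and trim so formatting differences do not defeat the match.
    SET @cmd = LTRIM(RTRIM(REPLACE(REPLACE(@cmd, CHAR(13), ' '), CHAR(10), ' ')));

    SELECT TOP 1 @id = ApprovalID
    FROM dbo.PermissionChangeApproval
    WHERE RequestedBy = @login
      AND CommandText = @cmd
      AND UsedAt IS NULL
      AND ApprovedAt > DATEADD(hour, -24, GETDATE())   -- assumed validity window
    ORDER BY ApprovedAt;

    IF @id IS NULL
    BEGIN
        RAISERROR('Permission change by %s has no matching second-person approval; rolled back.', 16, 1, @login);
        ROLLBACK;
        RETURN;
    END

    -- Consume the approval so one sign-off cannot be replayed for a second change.
    UPDATE dbo.PermissionChangeApproval SET UsedAt = GETDATE() WHERE ApprovalID = @id;
END;
GO

-- 3. Reconciliation: effective database permissions that are NOT on the approved list.
--    This is the periodic audit described in the post, expressed as one query.
CREATE TABLE dbo.ApprovedPermission (
    PrincipalName  sysname        NOT NULL,
    PermissionName nvarchar(128)  NOT NULL,
    StateDesc      nvarchar(60)   NOT NULL,  -- GRANT, GRANT_WITH_GRANT_OPTION, DENY
    ObjectName     nvarchar(260)  NULL       -- schema.object; NULL for database-scoped rights
);
GO

SELECT pr.name AS PrincipalName,
       pe.permission_name,
       pe.state_desc,
       CASE WHEN pe.class = 1 THEN s.name + '.' + o.name END AS ObjectName
FROM sys.database_permissions pe
JOIN sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.objects o ON pe.class = 1 AND o.object_id = pe.major_id
LEFT JOIN sys.schemas s ON s.schema_id = o.schema_id
WHERE pe.class IN (0, 1)                     -- database- and object-level permissions
  AND pr.name NOT IN ('public', 'dbo')       -- built-ins that always carry rights
EXCEPT
SELECT PrincipalName, PermissionName, StateDesc, ObjectName
FROM dbo.ApprovedPermission;
```

The approver records the statement exactly as the requester will run it (single line, trimmed), which is what the trigger compares. The caveat a practitioner would expect: anyone who is sysadmin, db_owner, or holds ALTER ANY DATABASE DDL TRIGGER can DISABLE or DROP the trigger, so this gives two-person control over delegated DBAs, not over the instance owners; the reconciliation query in part 3, run from the existing external approval list, is still what catches changes made by those accounts.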
August 24, 2009 at 11:12 am
I work in big shops--banks, insurance companies and government. Currently, there is so much red tape in order to accomplish the smallest task, I would be leery of any changes which increased the red tape.
I worked for a bank where our department head's signature was required to edit the master database, but the layered structure was good because I helped stop the security department from taking down online banking. The security department wanted to remove the SQL Server Agent account while bank-at-home was populated by a SQL Server Agent-run DTS package moving deposits from DB2 on the AS400 to SQL Server 2000.
Kind regards,
Gift Peddie
August 24, 2009 at 7:25 pm
In big companies the database security is better (not perfect); in medium or small companies I've seen basic security failures.
So, this sounds like a good idea, but maybe a utopia.
---------------------
Alex Rosa
http://www.keep-learning.com/blog
August 26, 2009 at 10:36 am
Hopefully DBAs would be much more careful, but as I read this I was reminded of all the jobs I've had where a supervisor had to enter verification (via a key/PIN/password/authorization) before certain actions could be taken. More than once I saw supervisors leave the key in place or tell a coworker the PIN/password/etc. because they were too busy to get to all the requests quickly or were otherwise unavailable.
Andrew
--Andrew
August 26, 2009 at 1:14 pm
Andrew (8/26/2009) wrote:
    Hopefully DBAs would be much more careful, but as I read this I was reminded of all the jobs I've had where a supervisor had to enter verification (via a key/PIN/password/authorization) before certain actions could be taken. More than once I saw supervisors leave the key in place or tell a coworker the PIN/password/etc. because they were too busy to get to all the requests quickly or were otherwise unavailable.
Supervisors who do that at a company with effective policies will find themselves out of a job. There's a reason for the additional controls.
August 26, 2009 at 1:15 pm
It certainly won't solve all issues, but it could help. The supervisor/2nd person would still be responsible for their actions. If they let something through because they gave out their "key", then that would be something they had to live with.