December 2, 2009 at 9:04 pm
Comments posted to this topic are about the item Who Watches the Watchers?
December 2, 2009 at 9:22 pm
On one side I somewhat agree with the concept of separation of duties; the problem is that I have seen it taken WAY too far, particularly in big companies, and not far enough in little ones. The big companies tend to be risk averse, so they throw money, people, policy, and tech at it, especially if they are in a regulated industry. But the problem is that all these systems really do is keep honest people honest; the guy who is coming in with the plan to steal from you is not going to be deterred, and in most cases you aren't going to know what hit you until later. Also, in big companies the DBA isn't the watcher; there is often a group (or two) above them that watches. They often go by names like Compliance, and they tend to watch the whole infrastructure as well, from the network switch to the machine to the database.
CEWII
December 3, 2009 at 5:31 am
Of course, separating duties can help a lot by decreasing the opportunity for, and temptation to, wrongdoing. But regulations don't, and can't, solve the basic problem.
If one defines "human nature" as "what humans do naturally, i.e. when they think no-one is looking / in private / anonymously / if they think there will be no inconvenient consequences", the need for allegiance to a higher ideal than mere self is obvious.
And regarding the Romans, it wasn't as if they weren't aware of the problem. As Juvenal remarked: Quis custodiet ipsos custodes?
Who, indeed?
Mark Dalley
December 3, 2009 at 5:47 am
Who watches the Watcher who watches..... How many levels can one go to?
History has shown that a person who is determined to steal will steal. IT has made it even easier to steal data: instead of stealing physical documents, which would consume lots of space, a pen drive can be used to steal large amounts of data.
I agree human nature is such that what we do when no one is looking is different than when someone is looking.
December 3, 2009 at 5:52 am
What, no video?
Excellent editorial. The link seems to be missing to the T-Mobile story in the UK. Any chance of posting it?
We're working with a tough piece of software. SQL Server has made so much of the basic parts of database administration blindingly easy. So it doesn't appear that it needs the kind of specialist that's just assumed with an Oracle or DB2 database. The fact is, it needs a gate-keeper just as much as it needs someone who knows how it works to make sure everything is working correctly.
Oh, and nice draw on the Roman Empire collapse. Some mention of Vercingetorix was in order though.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
December 3, 2009 at 6:02 am
Excellent editorial Brandie and right on the mark!
The problem, really, is that data is an asset to any company, and yet, decades into the computer revolution, most executives and managers don't think of it that way. Sure, company higher-ups will give speeches about the importance and value of data, but they do not know, let alone understand, the particulars of managing and, if you will, shepherding data.
I saw this time and time again during my days in the technical trenches and then when I rose through the management ranks, frankly, it only got worse. For example, I remember in one job I worked the DBA quit and the company directors kept pushing to move one of the younger, (very much) less experienced guys into the position. When I argued that data was an important asset and we needed an experienced, qualified DBA, well, I was shot down. Directors saw it as merely filling a role, or in the vernacular, getting a warm backside into an empty chair.
If you look deeper into some of the recent data theft incidents such as the hijacking of TJX Corporation's data, what you find is just that. Someone is acting as the DBA when really, they are not a DBA and lack the vital skills necessary to protect data.
For years I have whined on about some definitive measure of what a DBA is, and as your editorial assists in pointing out, that measure still remains decades overdue.
December 3, 2009 at 6:03 am
Great editorial. I had been trying to make the same argument at a "smaller" company (that I left) - we need safeguards in place. As a DBA, I *want* those. I do have the keys to the kingdom, in a way, but there should be some checks and balances. I would tell my managers and IT security folks what I was doing and why, and they would look at me as though I had two heads. I view checks/balances as my safety net too.
Here is the link for the T-Mobile security breach:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1374722,00.html#
December 3, 2009 at 6:08 am
Grant Fritchey (12/3/2009)
Excellent editorial. The link seems to be missing to the T-Mobile story in the UK. Any chance of posting it?
Sorry about that. This is the same link Steve posted in an editorial a week or two ago:
December 3, 2009 at 6:23 am
laurav (12/3/2009)
I would tell my managers and IT security folks what I was doing and why, and they would look at me as though I had two heads. I view checks/balances as my safety net too.
There's something to be said about CYA. But it's not just you you're covering when you do that sort of thing. I think the problem is that corporate officials don't always realize (until you get to the stratospheric heights of management) that data loss and data theft are a monetary issue. 1s and 0s don't count for much. It's *just* information.
But if you start putting a dollar amount on the issue, it might help draw attention to your plight.
Here are the things I would start adding monetary values to: bad publicity, legal fees, paying for the customer's credit monitoring for the next X number of years, losing market share, re-training employees (or getting new ones) and the possible cost of hardware improvements (wireless credit card machines broadcasting in the clear, anyone?).
Hand them that invoice, and I guarantee they'll either think you're crazy or finally sit up and take notice.
December 3, 2009 at 6:24 am
laurav (12/3/2009)
Great editorial. I had been trying to make the same argument at a "smaller" company (that I left) - we need safeguards in place. As a DBA, I *want* those. I do have the keys to the kingdom, in a way, but there should be some checks and balances. I would tell my managers and IT security folks what I was doing and why, and they would look at me as though I had two heads. I view checks/balances as my safety net too.
Here is the link for the T-Mobile security breach:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1374722,00.html#
Thanks again. I missed that article. Man, that's messed up. No details though. Was the guy in IT or just some sales puke with WAY too much access? Perfect example for your editorial though.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
December 3, 2009 at 6:24 am
Another name for Compliance is Internal Controls. Where I work, it is all day, every day.
In today's world, now with SOX / HIPAA, it is just part of doing business. At the places I've worked over the last 10 years or so, the mantra is acknowledge and move on..........
M
December 3, 2009 at 6:39 am
I work in a highly regulated industry. We have three external auditors that I'm familiar with. One for IT-specific issues, another for business process flow, and yet another for something that I'm not entirely familiar with... (Can you say SAS70?)
That's not to mention the standard accounting audits and such.
Then there's group internal audit...
All this is well and good, but as someone mentioned previously, "Locks keep honest people out." (paraphrased)
Again, this concept of watching the watchers was touched on before, and will be again. It comes down to having to trust SOMEONE at some point.
Courage is not simply one of the virtues but the form of every virtue at the testing point, which means at the point of highest reality. - C. S. Lewis
Perfect courage is to do without witnesses what one would be capable of doing with the world looking on. - François, Duc de La Rochefoucauld
I guess it comes to a point where what matters is the character of the individual. To quote one of my favorite movies, "Ethics..."
-Jon Polito as Johnny Caspar. I'll save you the whole line, but if interested check out "Miller's Crossing" (And the name has nothing to do with it.)
Honor Super Omnia-
Jason Miller
December 3, 2009 at 7:52 am
Jason Miller-476791 (12/3/2009)
... It comes down to having to trust SOMEONE at some point...
Aren't these the people that you get insurance bonding for? So it really comes down to paying someone else to ensure the trust.
Wayne
Microsoft Certified Master: SQL Server 2008
Author - SQL Server T-SQL Recipes
December 3, 2009 at 7:58 am
WayneS (12/3/2009)
Aren't these the people that you get insurance bonding for? So it really comes down to paying someone else to ensure the trust.
At some point, there is a requirement for trust. Peel back a layer on the onion enough times, eventually you get to the core...
Honor Super Omnia-
Jason Miller
December 3, 2009 at 8:03 am
A recent poster mentioned having to trust somebody sometime, and I largely agree, but the compliance (internal controls, whatever) group doesn't need high-level access. They need to be able to check logs and to see if internal controls are being followed, but that doesn't translate into high-level access: maybe for the tools, but not necessarily for the people themselves.
In many cases I wouldn't trust the compliance people with high-level access. The reason? They often don't have strong knowledge of the software; they are usually "process" people who know more about security and process than SQL Server or Windows. But then again, that is my experience; mileage may vary.
CEWII
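The post above makes a concrete least-privilege point: a compliance reviewer needs to read logs, not hold administrative rights. The following T-SQL is an added example of one way to set that up on SQL Server 2008 and later; it is not code from this thread or from any poster, and the audit name [SecurityAudit], the database [AuditLog], the login [compliance_reader] and the path D:\AuditLogs\ are assumed names. Because sys.fn_get_audit_file itself requires CONTROL SERVER, the records are copied into a table by a scheduled job running in an administrative context, and the reviewer's account gets nothing beyond db_datareader on that one database.

```sql
-- Added example, not code from this thread. Assumed names: audit [SecurityAudit],
-- database [AuditLog], login [compliance_reader], file path D:\AuditLogs\.
-- SQL Server Audit needs SQL Server 2008 Enterprise or later.

-- 1. Server-level audit of the events a compliance reviewer cares about:
--    server role membership changes, login/principal changes, failed logins.
CREATE SERVER AUDIT [SecurityAudit]
    TO FILE (FILEPATH = N'D:\AuditLogs\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION [SecurityAuditSpec]
    FOR SERVER AUDIT [SecurityAudit]
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT [SecurityAudit] WITH (STATE = ON);
GO

-- 2. A dedicated database holding a copy of the audit records.
CREATE DATABASE [AuditLog];
GO
USE [AuditLog];
GO
CREATE TABLE dbo.ServerAuditEvents (
    file_name             nvarchar(260)  NOT NULL,
    audit_file_offset     bigint         NOT NULL,
    event_time            datetime2(7)   NOT NULL,
    action_id             varchar(4)     NOT NULL,
    succeeded             bit            NOT NULL,
    server_principal_name sysname        NULL,
    database_name         sysname        NULL,
    object_name           sysname        NULL,
    statement             nvarchar(4000) NULL,
    -- file name plus offset identifies one audit record, so reloading is idempotent
    CONSTRAINT PK_ServerAuditEvents PRIMARY KEY (file_name, audit_file_offset)
);
GO

-- 3. Loader step. sys.fn_get_audit_file requires CONTROL SERVER, so this runs
--    from a scheduled job under an administrative context, never as the reviewer.
INSERT INTO dbo.ServerAuditEvents
      (file_name, audit_file_offset, event_time, action_id, succeeded,
       server_principal_name, database_name, object_name, statement)
SELECT f.file_name, f.audit_file_offset, f.event_time, f.action_id, f.succeeded,
       f.server_principal_name, f.database_name, f.object_name, f.statement
FROM   sys.fn_get_audit_file(N'D:\AuditLogs\SecurityAudit_*.sqlaudit', DEFAULT, DEFAULT) AS f
WHERE  NOT EXISTS (SELECT 1 FROM dbo.ServerAuditEvents AS e
                   WHERE  e.file_name = f.file_name
                     AND  e.audit_file_offset = f.audit_file_offset);
GO

-- 4. The reviewer's login: read-only inside [AuditLog], no server-level rights.
CREATE LOGIN [compliance_reader] WITH PASSWORD = N'<replace with a strong password>';
GO
USE [AuditLog];
GO
CREATE USER [compliance_reader] FOR LOGIN [compliance_reader];
EXEC sp_addrolemember N'db_datareader', N'compliance_reader';  -- 2008 syntax; ALTER ROLE ... ADD MEMBER on 2012+
GO

-- The "high level access" the post argues against: a reviewer account must never get this.
-- EXEC sp_addsrvrolemember N'compliance_reader', N'sysadmin';

-- 5. What the reviewer can now answer on their own: failed logins in the last day,
--    and any captured statement that touched the sysadmin role.
SELECT event_time, server_principal_name, statement
FROM   dbo.ServerAuditEvents
WHERE  action_id = 'LGIF'                      -- login failed
  AND  event_time >= DATEADD(DAY, -1, SYSUTCDATETIME())
ORDER  BY event_time DESC;

SELECT event_time, server_principal_name, statement
FROM   dbo.ServerAuditEvents
WHERE  statement LIKE N'%sysadmin%'
ORDER  BY event_time DESC;
```

The split between steps 3 and 4 is the whole point: the job that needs CONTROL SERVER runs under an account the compliance group never logs in with, and the compliance group sees only a table they cannot alter. Because the loader does not grant DELETE or UPDATE to anyone but the job's context, the reviewer also cannot quietly remove their own entries from the copy.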