[dba-SQLServer] Who's using my db?

Jim Lawrence (AccessD) accessd at shaw.ca
Thu Dec 9 05:03:03 CST 2004


Hi Mark:

I think you are right. In some cases the company or government office has
decided that the staff should not be able to see the data. So they hire a
third-party company to handle their sensitive data. Having been in the
position of the third-party company, it becomes ridiculous as even though
the company may be 'bonded', any of the techs could have free rein with the
data. In my time, having written the program or in charge of maintaining
same, I find myself totally entrusted with all of a client's most sensitive
data. It is not a responsibility I have taken lightly but given the
potential, some terrible leaks could take place.

Jim

-----Original Message-----
From: dba-sqlserver-bounces at databaseadvisors.com
[mailto:dba-sqlserver-bounces at databaseadvisors.com]On Behalf Of Mark
Breen
Sent: Wednesday, December 08, 2004 11:39 PM
To: dba-sqlserver at databaseadvisors.com
Subject: Re: [dba-SQLServer] Who's using my db?


Hello Jim,

If I understand Christopher correctly (and sorry to all if I do not),
he is talking about a sys admin person going in using EM or SQL
Analyser and reading raw tables.  Of course this person has rights to
do anything on the SQL server (from a technical perspective) but
morally they do not have rights to read the data.

This raises a whole other question: Companies employ senior managers
to look after highly confidential issues, such as HR or other
sensitive and then they employ young guys and gals to be sys admins,
paid Euro 25k per annum and the young guy or gal has rights to the
entire network.  This is wrong, but what are the alternatives?

Some young guy comes in off the street, joins the IT department to
just install PCs and has access to confidential data.  More rights
than senior managers in the company.  My gripe is not with the
unfairness to the senior manager, what I am concerned with is that the
industry seems to have overlooked this front door access that we give
to this select group of employees without concern to normal security
issues.

What do you all think?




On Wed, 08 Dec 2004 18:10:10 -0800, Jim Lawrence (AccessD)
<accessd at shaw.ca> wrote:
> Hi Christopher:
>
> Is it not possible to have the data on the SQL only accessed through SPs or
> views? In each of these SPs there would be a function call that would write
> a record of its access to a transaction log table. This technique is done
> through all POS systems to track the users, access dates, times and any
> changes made to the invoice records.
>
> It all depends on your permissions on the BE.
>
> Jim
>
>
>
> > -----Original Message-----
> > From: Mackin, Christopher [mailto:CMackin at quiznos.com]
> > Sent: Tuesday, December 07, 2004 10:57 AM
> > To: dba-sqlserver at databaseadvisors.com
> > Subject: [dba-SQLServer] Who's using my db?
> >
> > Does anyone have any suggestions on how to track/view a log of users
> > that have accessed information on the Server and specifically at the
> > Database level?
> >
> > There are users authorized to view a particular db with confidential
> > information, and I need to verify that no other users are accessing this
> > data.  In this situation it's rather complex because security keeps out
> > the majority of people, but there are certain people with the sa
> > password and admin rights on the server that should not be looking
> > either.
> >
> > Thanks in advance,
> > Chris Mackin
>
> _______________________________________________
> dba-SQLServer mailing list
> dba-SQLServer at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
> http://www.databaseadvisors.com
>
>
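The stored-procedure logging approach described in the quoted reply, sketched in T-SQL as an added example that is not part of the original thread. All object names (Salary, AccessLog, usp_GetSalary, ConfidentialReaders) are hypothetical, and CREATE ROLE assumes SQL Server 2005 or later.

```sql
-- Added example; all object names are hypothetical.
-- Confidential base table that nobody should query directly.
CREATE TABLE dbo.Salary (
    EmployeeID int   NOT NULL PRIMARY KEY,
    Amount     money NOT NULL
);
GO

-- Audit table: one row per call to the stored procedure.
CREATE TABLE dbo.AccessLog (
    LogID      int IDENTITY(1,1) PRIMARY KEY,
    LoginName  sysname       NOT NULL DEFAULT SUSER_SNAME(),
    HostName   nvarchar(128) NULL     DEFAULT HOST_NAME(),
    AppName    nvarchar(128) NULL     DEFAULT APP_NAME(),
    AccessedAt datetime      NOT NULL DEFAULT GETDATE(),
    ObjectName sysname       NOT NULL,
    KeyValue   int           NULL
);
GO

CREATE PROCEDURE dbo.usp_GetSalary
    @EmployeeID int
AS
BEGIN
    SET NOCOUNT ON;
    -- Record who asked, from where and for which row, before returning data.
    INSERT INTO dbo.AccessLog (ObjectName, KeyValue)
    VALUES ('dbo.Salary', @EmployeeID);

    SELECT EmployeeID, Amount
    FROM dbo.Salary
    WHERE EmployeeID = @EmployeeID;
END
GO

-- Authorized users get EXECUTE on the procedure only. Ownership chaining
-- (all objects owned by dbo) lets the procedure reach both tables without
-- the caller holding any permission on them.
CREATE ROLE ConfidentialReaders;
GRANT EXECUTE ON dbo.usp_GetSalary TO ConfidentialReaders;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Salary    TO public;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.AccessLog TO public;
GO

-- Review: who read what, most recent first.
SELECT LoginName, HostName, AppName, AccessedAt, ObjectName, KeyValue
FROM dbo.AccessLog
ORDER BY AccessedAt DESC;
```

Members of the sysadmin fixed server role, including sa, bypass permission checks, so the DENY statements do not stop them from reading dbo.Salary directly or editing dbo.AccessLog. This pattern audits ordinary users only and does not cover the administrator case raised in the original question.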