First, what data do we have?
- Do we store any personally identifiable data?
- Does any of that data include children?
- Do customers believe that this data will never be seen publicly?
- Do customers believe that this data will never be seen by your employees?
Next, what would happen if this data became public?
- What would happen if all of the data was suddenly available publicly?
- What would happen if the not-really-considered-private data was made public? (Customer lists, products, sales numbers, salaries)
- If someone got a copy of our backups, what data would they be able to read?
- If someone got the application’s username/password, what data would they be able to read?
What are we doing to ensure those scenarios don’t happen?
- If our backups aren’t encrypted, do we know everywhere that the backups are right now?
- How are we preventing people from taking out-of-band backups?
- How are we preventing systems administrators from taking snapshot backups or copying backups?
- How are we preventing people from running queries, saving the output, and taking them out of the building?
- For each of these scenarios, do we have a list of all of the people who could accomplish these tasks?
- For each of these scenarios, would we know if they happened?
And finally:
- Overall, what risks are out there?
- Have you documented the risks in writing?
- Has this risk list been given to management?
- Or, when any of these scenarios eventually happen, are you going to be the one who was assumed to be protecting the business from this kind of thing?
After all, notice the title of this blog post – you’re managing the databases, right?
18 Comments. Leave new
Policy mantle questions !!
I’d be curious to hear about good ways to address this one: “How are we preventing people from running queries, saving the output, and taking them out of the building?”
I really don’t see how you can prevent that. I mean, if someone is dedicated enough they’ll just take a series of screen captures and save them off.
This was my question as well. Is it possible to prevent this entirely? IT can lock down flash drives through GPOs and such, but who/what can prevent a rogue dev from saving the output in SSMS and emailing it to himself, uploading to Dropbox, Google Drive, etc? Can a DBA disable the “Save Results As” functionality in SSMS?
Easy – don’t give your devs access to production environments.
In my experience, developers who have access to production data are usually pretty responsible about it. The problem is not from the responsible or locked-down Devs, but from business users who can access data as part of their jobs, and have very little regard for its safety.
That’s kinda like saying in my experience, I haven’t needed life insurance.
no, i was responding to “Easy – don’t give your devs access to production environments.” to point out its often not the devs who are the main risk. not that they aren’t a risk.
Or more so the temporary contractors they bring in and give a lot of access to.
One of the places I used to work used to disable all the USB ports on the computer if a nonapproved disk drive was plugged in. I don’t recall how exactly it worked, it used a hardware id to provide exceptions, but it is possible. As soon as a device was plugged in that wasn’t on the approved list, it sent us an alert (computer name, logged on user, etc) and essentially locked the computer until it was rebooted.
Query > Query Options > Results > Discard results after executing
This might work if it can be enforced at the role level.
All your backup are belong to us
Well let’s see…
They regularly hire contractors who use their laptops for short term stints to help them and give them a lot of access so how secure is that?
And when you identify this issue it’s ignored. As for the data itself, someone else can chose a solution that is very time intensive (static masking for example) but you don’t get any more resources.
Oh yah, this worked out well.
As for suggestions, well management makes those decisions. 🙂 Doesn’t matter what you suggest it seems.
Sometimes trying to do the right thing can be somewhat frustrating.
P.S.
A possibility was have the application encrypt those fields that are deemed sensitive as it has provisions to do so. Wasn’t chosen.
One question you didn’t mention. For each security measure we decide to implement, what is it’s cost? Both in terms of time to get it setup, and lost productivity for those people who are impacted. Every security measure has a cost to someone, even something as simple as a door lock (it takes you a couple seconds to open the lock).
And here I thought you don’t do security work 😉
You’ll note that there’s no answers here, only questions. 😉
Heheh