Re: [NTSysADM] DBA question

2017-12-06 Thread Andrew S. Baker
+3 (1 for each previous response)

Regards,

 ASB   GPG: 860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842



On Wed, Dec 6, 2017 at 9:05 AM, Erik Goldoff  wrote:

> this sounds more like
> a)  I don't want to
>   or
> b)  I don't want to pay for this
>instead of
> c) it cannot be done
>
> Best Practice for Security and Auditing should be a topic for discussion,
> especially considering your statement of dealing with 'highly sensitive
> data'.  Also should be raised through the chain of command, for support or
> risk acceptance by high level management, IMNSHO
>
> Erik
>
> On Tue, Dec 5, 2017 at 12:10 PM, Tom Miller 
> wrote:
>
>> Hi All,
>>
>> I have a question regarding Oracle DBA database level access.
>>
>> The DBA lead where I work states that it is nonsensical for individual
>> DBAs to use a named DBA-admin account for them.  This is a potential issue:
>> we are dealing with highly sensitive data and even within the DBA staff
>> group, we want to restrict access, if possible.  We use logging, but
>> triggering an access to particular tables would not be too helpful, as it
>> would only tell us that the DBA account accessed them.
>>
>> Anyone have any thoughts or suggestions?
>>
>> Thanks,
>> Tom
>>
>
>



Re: [NTSysADM] DBA question

2017-12-06 Thread Tom Miller
Actually I am an IT Auditor (career change after 20 years in IT
engineering...) and this came up as part of an audit, and is an area where
I don't have technical experience.  Your comments are appreciated; thank
you, guys.   Time to reach out to Oracle as well.

On Wed, Dec 6, 2017 at 9:05 AM, Erik Goldoff  wrote:

> this sounds more like
> a)  I don't want to
>   or
> b)  I don't want to pay for this
>instead of
> c) it cannot be done
>
> Best Practice for Security and Auditing should be a topic for discussion,
> especially considering your statement of dealing with 'highly sensitive
> data'.  Also should be raised through the chain of command, for support or
> risk acceptance by high level management, IMNSHO
>
> Erik
>
> On Tue, Dec 5, 2017 at 12:10 PM, Tom Miller 
> wrote:
>
>> Hi All,
>>
>> I have a question regarding Oracle DBA database level access.
>>
>> The DBA lead where I work states that it is nonsensical for individual
>> DBAs to use a named DBA-admin account for them.  This is a potential issue:
>> we are dealing with highly sensitive data and even within the DBA staff
>> group, we want to restrict access, if possible.  We use logging, but
>> triggering an access to particular tables would not be too helpful, as it
>> would only tell us that the DBA account accessed them.
>>
>> Anyone have any thoughts or suggestions?
>>
>> Thanks,
>> Tom
>>
>
>



Re: [NTSysADM] DBA question

2017-12-06 Thread Erik Goldoff
this sounds more like
a)  I don't want to
  or
b)  I don't want to pay for this
   instead of
c) it cannot be done

Best Practice for Security and Auditing should be a topic for discussion,
especially considering your statement of dealing with 'highly sensitive
data'.  Also should be raised through the chain of command, for support or
risk acceptance by high level management, IMNSHO

Erik

On Tue, Dec 5, 2017 at 12:10 PM, Tom Miller  wrote:

> Hi All,
>
> I have a question regarding Oracle DBA database level access.
>
> The DBA lead where I work states that it is nonsensical for individual
> DBAs to use a named DBA-admin account for them.  This is a potential issue:
> we are dealing with highly sensitive data and even within the DBA staff
> group, we want to restrict access, if possible.  We use logging, but
> triggering an access to particular tables would not be too helpful, as it
> would only tell us that the DBA account accessed them.
>
> Anyone have any thoughts or suggestions?
>
> Thanks,
> Tom
>



Re: [NTSysADM] DBA question

2017-12-06 Thread Tom Miller
Kurt, Melvin, thank you for responding.  This would be easy with MS SQL,
but I'm told by the lead DBA that it's different with Oracle.  Not having
any experience with Oracle systems, my challenge is how to verify that.  I
was told by our ISO that there is some sort of add-on component that would
allow this to be done more easily.

On Tue, Dec 5, 2017 at 3:59 PM, Kurt Buff  wrote:

> To expand on and clarify Melvin's point...
>
> Yes, certainly, it's a really good idea to have separate named
> accounts for DBAs, just like it's a good idea to have separate named
> accounts for workstation logins, Domain Admins, Exchange Admins, etc.
>
> It's not just a security issue, it's a management issue - paychecks
> aren't issued to "Anonymous DBA", you issue them to Susie DBA or Joe
> DBA.
>
> After all, if you can't measure what people have done, or hold them
> accountable or reward them for their actions, you can't really say
> you're managing them.
>
>
> OTOH, if you're a $5m company, and each DBA license costs $200k, well,
> you might need another approach.
>
> Kurt
>
> On Tue, Dec 5, 2017 at 10:03 AM, Melvin Backus 
> wrote:
> > Personal experience leads me to believe that this attitude is primarily
> > based on the sometimes oppressive historic licensing practices
> surrounding
> > many database products which increase the cost of licenses based on the
> > number of named users, thereby encouraging cost reduction at the expense
> of
> > security.  I have no empirical evidence of this, strictly an observation
> > based on my dealing with many DBAs over the years, many of whom seem to have
> > succumbed to the same brainwashing.
> >
> >
> >
> > If you can’t track who specifically did any particular operation then
> that
> > operation is inherently less secure. That may not mean it needs to be
> fixed
> > in all cases. Do you really need a $200 lock to protect your $20 bicycle?
> > Probably not, but your $5000 racing bike is probably worth the
> investment.
> >
> >
> >
> > --
> > There are 10 kinds of people in the world...
> >  those who understand binary and those who don't.
> >
> >
> >
> > ¯\_(ツ)_/¯
> >
> >
> >
> > From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com]
> > On Behalf Of Tom Miller
> > Sent: Tuesday, December 5, 2017 12:11 PM
> > To: NTSysADM@lists.myitforum.com
> > Subject: [NTSysADM] DBA question
> >
> >
> >
> > Hi All,
> >
> >
> >
> > I have a question regarding Oracle DBA database level access.
> >
> >
> >
> > The DBA lead where I work states that it is nonsensical for individual
> DBAs
> > to use a named DBA-admin account for them.  This is a potential issue:  we
> > are dealing with highly sensitive data and even within the DBA staff
> group,
> > we want to restrict access, if possible.  We use logging, but triggering
> an
> > access to particular tables would not be too helpful, as it would only
> tell
> > us that the DBA account accessed them.
> >
> >
> >
> > Anyone have any thoughts or suggestions?
> >
> >
> >
> > Thanks,
> >
> > Tom
>
>
>

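The lead DBA's claim that per-person accountability "is different with Oracle" is checkable. Oracle supports the same pattern MS SQL admins are used to (one named login per person) and, on top of that, proxy authentication, which lets each DBA keep a personal account while the privileged work still runs under one shared administrative account; unified auditing then records both identities on every audited statement. The script below is an added example written for this thread, not something posted by any participant or taken from Oracle documentation. It assumes Oracle 12c or later with unified auditing in use, and the names SUSIE, DBA_ADMIN, HR.SALARIES and SENSITIVE_TABLES_POL are placeholders.

```sql
-- Added example, not from the thread. Assumes Oracle 12c+ with unified
-- auditing enabled. SUSIE, DBA_ADMIN and HR.SALARIES are placeholder names.

-- 1. One named account per DBA. Privileged work is still done as DBA_ADMIN;
--    the personal account only needs to be able to open a session.
CREATE USER susie IDENTIFIED BY "replace-with-a-strong-password";
GRANT CREATE SESSION TO susie;

-- 2. Proxy authentication: Susie connects THROUGH her own account into
--    DBA_ADMIN. She authenticates with her own password, never learns the
--    DBA_ADMIN password, and the session carries both identities.
ALTER USER dba_admin GRANT CONNECT THROUGH susie;
-- Client connect string has the form:  susie[dba_admin]@<tns_alias>

-- 3. Audit the sensitive objects with a unified audit policy. The trail
--    records the proxy user next to the schema the statement ran as.
CREATE AUDIT POLICY sensitive_tables_pol
  ACTIONS SELECT ON hr.salaries,
          UPDATE ON hr.salaries,
          DELETE ON hr.salaries;
AUDIT POLICY sensitive_tables_pol;

-- 4. Verification from inside a proxied session: the two values differ,
--    which is exactly what "who did it" attribution needs.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS sess_user,   -- DBA_ADMIN
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS prx_user     -- SUSIE
FROM   dual;

-- 5. What the auditor reads: the shared account AND the person behind it,
--    plus the OS user, client host and the statement text.
SELECT event_timestamp,
       dbusername,          -- DBA_ADMIN: the account the SQL ran as
       dbproxy_username,    -- SUSIE: the named DBA who opened the session
       os_username,
       userhost,
       action_name,
       object_schema,
       object_name,
       sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies = 'SENSITIVE_TABLES_POL'
ORDER  BY event_timestamp DESC;
```

Two things an auditor should check alongside this. First, the attribution only holds if every path into the privileged account goes through a named proxy: a DBA who can still log in as DBA_ADMIN directly, or connect AS SYSDBA through OS authentication on the database server, bypasses it, so those paths need to be closed or restricted to named users. Second, whoever holds the AUDIT_ADMIN role can alter policies and purge the trail, so that role should sit outside the DBA group being audited (or the trail should be shipped off-box), otherwise the people being tracked control the record of what they did.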


RE: [NTSysADM] DBA question

2017-12-05 Thread Melvin Backus
Personal experience leads me to believe that this attitude is primarily based 
on the sometimes oppressive historic licensing practices surrounding many 
database products which increase the cost of licenses based on the number of 
named users, thereby encouraging cost reduction at the expense of security.  I 
have no empirical evidence of this, strictly an observation based on my dealing 
with many DBAs over the years, many of whom seem to have succumbed to the same 
brainwashing.

If you can’t track who specifically did any particular operation then that 
operation is inherently less secure. That may not mean it needs to be fixed in 
all cases. Do you really need a $200 lock to protect your $20 bicycle?  
Probably not, but your $5000 racing bike is probably worth the investment.

--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

¯\_(ツ)_/¯

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Tom Miller
Sent: Tuesday, December 5, 2017 12:11 PM
To: NTSysADM@lists.myitforum.com
Subject: [NTSysADM] DBA question

Hi All,

I have a question regarding Oracle DBA database level access.

The DBA lead where I work states that it is nonsensical for individual DBAs to 
use a named DBA-admin account for them.  This is a potential issue:  we are 
dealing with highly sensitive data and even within the DBA staff group, we want 
to restrict access, if possible.  We use logging, but triggering an access to 
particular tables would not be too helpful, as it would only tell us that the 
DBA account accessed them.

Anyone have any thoughts or suggestions?

Thanks,
Tom