Personal experience leads me to believe that this attitude is primarily based
on the sometimes oppressive historic licensing practices surrounding many
database products which increase the cost of licenses based on the number of
named users, thereby encouraging cost reduction at the expense of security. I
have no empirical evidence of this, strictly an observation based my dealing
with many DBAs over the years, many of whom seem to have succumbed to the same
brainwashing.
If you can’t track who specifically did any particular operation then that
operation is inherently less secure. That may not mean it needs to be fixed in
all cases. Do you really need a $200 lock to protect your $20 bicycle?
Probably not, but your $5000 racing bike is probably worth the investment.
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
¯\_(ツ)_/¯
From: [email protected] [mailto:[email protected]] On
Behalf Of Tom Miller
Sent: Tuesday, December 5, 2017 12:11 PM
To: [email protected]
Subject: [NTSysADM] DBA question
Hi All,
I have a question regarding Oracle DBA database level access.
The DBA lead where I work states that it is nonsensical for individual DBAs to
use a name DBA-admin account for them. This is a potential issue: we are
dealing with highly sensitive data and even within the DBA staff group, we want
to restrict access, if possible. We use logging, but triggering an access to
particular tables would not be too helpful, as it would only tell us that the
DBA account access them.
Anyone have any thoughts or suggestions?
Thanks,
Tom
