> IMHE (in my humble experience), whoever installed the database,
> to continue your example, will be able to gain "system wide"
> privileges quite easily, managerial and application level staff
> aside.
> Don't forget that for many (the majority?) of the software products out there,
> there is the cumbersome application-level GUI interface and then there are
> the handy-dandy shell tools that Real Sys Admins use to get at anything
> in the system. This includes SQL and NoSQL databases.


I think the definition of a System Administrator is evolving, and in the future 
it’s unlikely there will be a single “God” person who has unlimited access to 
everything (in large/secure environments anyway).  More likely there will be 
separation of Administrative responsibilities, with full accountability & 
transparency on what they can do.


In fact this is already the case *now* in many large environments, and probably 
most cloud providers (I define cloud in this case as the large public 
SaaS/IaaS/PaaS providers like Google, Microsoft and Amazon).


Services run in layers - facilities, hardware, Hypervisor, OS, Application, 
Data, etc.  Each layer has its own admin (team that is, not individual) with no 
permissions to other layers.


e.g. the hardware guys have no access to the software, the OS administrators 
don’t have access to the applications or end-user/customer data, etc.  
Developers build for APIs for boxes, and any test data they use is closely 
monitored.


Sure there are some individuals or teams who could grant themselves access to 
data, but doing so is an audited event and unless it was pre-authorised it is 
treated as a security breach and sets off alarms.  Audit systems/logs and 
security investigations are owned by separate teams.



It’s still theoretically possible to remove data, but it would take a 
coordinated effort from a large (and probably geographically dispersed) group 
of people who are unlikely to ever meet.  It certainly stops the single 
whistleblower from copying data to his USB stick and carrying it out.


This is done *now* in large environments, and remember the original article was 
talking about the NSA, who certainly have the scale and budget to implement 
these kinds of systems.  In that environment, Snowden would not have made it out 
of the building with the data he copied.  I think that’s where they want to be.




> Anyway, at the bottom level, it is all bits on storage media. These
> bits can be accessed by anyone with enough skill. The bits can then
> be interpreted as required by anyone given enough time, talent and
> dare I say money. At the bottom level, a raw disk can be relieved of
> the secrets it keeps by reading its bits.


Defence-in-depth means that an “admin” cannot get to a physical disk (they 
don’t have access to physical facilities), and the guys who rack & stack 
hardware could not get any useful information from the disk (data is 
encrypted).  EOL hardware is physically destroyed onsite (e.g. disks shredded) 
and there are checks and logs to ensure that actually happens, so they couldn’t 
even get the disk out of the datacentre in the first place.



> Consider this. If a server box is so locked down that an admin cannot
> even log on and look around, then when that server fails it becomes
> a very expensive doorstop.


Again we’re talking cloud scale - the systems won’t be a “box”.  Applications 
will be built to expect hardware (or facility) failure and will automatically 
work around it.
_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link