When talking about "databases, internet, security", the focus is usually on firewalls etc. When a database is connected to the internet, it is of course a good idea to move the database server behind a firewall. But I wonder if the threats from INSIDE the firewall aren't often underestimated. The question is: where is the major threat for an enterprise with a database connected to the internet? Is it the employee, working in this enterprise, who abuses his privileges, or is it the hacker who assaults the database via the internet? Any opinions? If anybody has some information about that topic (maybe some statistics, too), please let me know. - Thanks!
I don't have any statistics, but my opinion is that security has to be addressed from every angle, and that if anything falls through the cracks, whether it's in the firewall, the server, application or database, it could put the whole enterprise at risk. Also, security isn't a one-time consideration. It needs to be monitored, evaluated and improved upon all the time. Hackers are doing the same, working non-stop at getting through all the known security measures. We need to be vigilant about keeping security measures up-to-date and effective for current situations.
Thanks for your opinion. But I sometimes wonder if it's worth spending $10000 for a firewall computer when a careless employee writes down his login/passwd on a piece of paper, pins it on his desktop...and leaves the office for a cup of coffee without locking the door...
Yeah, that's a problem everywhere. Perhaps the money would be better spent on training employees about security measures.
But that's a good argument for restricting privileges to the minimum that the user needs. So this would be a case where roles and privileges should be carefully planned. That way, this careless user's password being compromised doesn't compromise the whole enterprise.
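As an added illustration of the role-based least privilege this post argues for (example written for this thread, not code from any poster), assuming PostgreSQL syntax and hypothetical database objects: the schema `sales`, tables `orders` and `customers`, the role `app_reader` and the login `jsmith` are all made up here.

```sql
-- Added example, not from the thread. PostgreSQL syntax; schema, table,
-- role and login names are hypothetical.

-- WEAK: every privilege hangs directly off the person's login. If jsmith's
-- password is read off the note pinned to the desk, the whole schema goes
-- with it (shown commented out so this script does not apply it).
-- CREATE ROLE jsmith LOGIN PASSWORD '...';
-- GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA sales TO jsmith;

-- BETTER: privileges are attached to a task-specific, non-login role, and
-- the person only inherits that role. A stolen password now exposes read
-- access to a couple of tables, not the enterprise.
CREATE ROLE app_reader NOLOGIN;
GRANT USAGE ON SCHEMA sales TO app_reader;
GRANT SELECT ON sales.orders TO app_reader;
-- Column-level grant: the reader gets customer names and regions, but the
-- card_number column is never visible to this role.
GRANT SELECT (customer_id, name, region) ON sales.customers TO app_reader;

-- The person: short-lived credential, bounded connections, membership only.
CREATE ROLE jsmith LOGIN PASSWORD 'PLACEHOLDER-change-me'
    VALID UNTIL '2025-12-31' CONNECTION LIMIT 2;
GRANT app_reader TO jsmith;

-- Defaults matter: PUBLIC must not keep grants that bypass the role design.
REVOKE ALL ON SCHEMA sales FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Check what jsmith can actually do; re-run this as part of a periodic
-- privilege audit rather than trusting the original GRANT statements.
SELECT has_table_privilege('jsmith', 'sales.orders', 'SELECT')   AS can_read_orders,
       has_table_privilege('jsmith', 'sales.orders', 'DELETE')   AS can_delete_orders,
       has_column_privilege('jsmith', 'sales.customers', 'card_number', 'SELECT')
           AS can_read_card_numbers;
```

The last query is the check worth keeping: it reports effective privileges through role membership, so it catches a later direct grant to `jsmith` that someone adds "just for now".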
Human error is still the biggest security risk, in my opinion, and so unless you can get rid of those 'careless' folks from your environment, it's up to people in the IS&T department to train users.
The problem I see is that users want to have the same userid and password for multiple systems, and that's understandable, but that adds to the risk. You can't please them all.