Boris Hristov

Founder of 356labs
T-SQL Tuesday #45 Auditing:
Make them feel a bit scared!

August 13, 2013 By Boris Hristov Leave a Comment

A day before the deadline for submitting the #tsql2sday posts, which was actually yesterday, one of our huge, huge customers got scared! And it was partially our fault, the DBAs' fault. Now, let me give you some background…

I work for HP Enterprise Services, and probably many of you work for companies that provide their DBAs' knowledge as a service to their customers. I hope you will never be part of a transition project (migrating the service to another team or company), but this is what one of our customers decided to do. As part of this transition project, the new team that will start supporting the customer's environment needs to be granted access, right? So they were.

When we were deciding on what level of access to grant the new team (we are talking about the level of access they need before they officially start supporting the environment), we were always "describing" it as read-only access. And yes, I am talking about the discussions between me and my colleagues. However, something happened and someone told the customer that we had granted read-only access to the new team! Surprise, surprise, customer! Someone out there has read access to your financial data! As you can imagine, this is something that no company (especially a NYSE-listed one) wants to hear. Never ever! Forever ever? Yes, forever ever! (classic song, by the way).

As you can imagine, questions and "a bit angry" e-mails started to fly into our inboxes. It turned out that not only was the customer unhappy to hear that someone had been granted read access to all of their data, but the company was actually in the middle of a SOX audit. Ouch! Now they needed to explain to the auditors why this domain group (of the new team) had been granted "read-only access" to the whole environment!

At that moment we decided to tell them the truth, and here it is: our so-called "read-only access" actually looked like this:

use [master]
-- Server-level grants only: no database user is created and no table is touched.
-- Lets the group see every database listed in sys.databases
GRANT VIEW ANY DATABASE TO [domain_group]
GO
-- Lets the group read object metadata and module definitions (sys.objects, sys.sql_modules)
GRANT VIEW ANY DEFINITION TO [domain_group]
GO
-- Lets the group query the server-scoped dynamic management views (sys.dm_*)
GRANT VIEW SERVER STATE TO [domain_group]
GO
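Telling an auditor "they only have server configuration access" is easier when you can show the evidence. The script below is an added example, not part of the original post, and it assumes the login name [domain_group] used above; replace it with the real DOMAIN\Group on your instance. It inventories the explicit server permissions, checks fixed server role membership (sysadmin would silently override everything else), and walks every online database for a user mapped to the login, since a mapped database user is the only path from these grants to table data.

```sql
-- Added example (not from the original post): evidence for what [domain_group]
-- can actually do. Assumes the login name [domain_group]; replace as needed.
USE [master];
GO

-- 1) Server-level permissions explicitly granted to the login.
--    Expect VIEW ANY DATABASE, VIEW ANY DEFINITION, VIEW SERVER STATE
--    (plus the CONNECT SQL every login carries).
SELECT pr.name          AS principal_name,
       pr.type_desc     AS principal_type,
       pe.class_desc,
       pe.permission_name,
       pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'domain_group'
ORDER BY pe.permission_name;

-- 2) Fixed server role membership. sysadmin or securityadmin here would make
--    the grants above irrelevant, so an auditor will ask for this too.
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'domain_group';

-- 3) Database users mapped to this login in every online database.
--    A mapped user (for example, a member of db_datareader) is what would
--    give access to rows; an empty result means no such path exists.
DECLARE @mapped TABLE (database_name sysname, user_name sysname);
DECLARE @sql nvarchar(max) = N'';

SELECT @sql += N'SELECT N' + QUOTENAME(d.name, '''') + N', dp.name'
             + N' FROM ' + QUOTENAME(d.name) + N'.sys.database_principals AS dp'
             + N' WHERE dp.sid = SUSER_SID(N''domain_group'');' + NCHAR(10)
FROM sys.databases AS d
WHERE d.state_desc = N'ONLINE';

INSERT INTO @mapped (database_name, user_name)
EXEC sys.sp_executesql @sql;

SELECT database_name, user_name FROM @mapped;
```

One caveat worth stating to the customer in the same breath: these three grants expose no table rows, but VIEW SERVER STATE lets the holder read the text of currently executing and recently cached statements through sys.dm_exec_sql_text and sys.dm_exec_input_buffer, including any literal values embedded in them, and VIEW ANY DEFINITION lets them read stored procedure and function bodies through sys.sql_modules. "Metadata and performance counters, no table access, query text visible" is the honest business-language description, and it is a much smaller surprise than "read-only access".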

Can you imagine the relief when we actually told the customer: "Hey guys, relax! The new support team has no read access to any of your data. They just have access to the server configuration!". The lesson here? Whenever explaining anything related to security to a huge enterprise, be ridiculously careful how you do it! Use business language and do not forget for a minute that these companies are indeed audited very strictly, and the consequences for them (for you too, but a bit later) can be monstrous (we're talking millions here!).

At the end, thanks Mickey for hosting number 45 of the series! It was a fun experience (as usual) writing this down…

Filed Under: Business
