Delegating database admin access

[Grindman]

Hello,
I'm the owner of a small business. I need to delegate the admin of our database. This will come with exporting features that the person needs to perform his / her work.
I'm using a software to monitor his PC. In case he misabuses his powers, I will be able to see it.
The database is monitored in the cloud & user access can be managed by whitelisted IPs

He should be only able to connect from HIS computer, to the database.

Anyone has a solution?

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Kasimir]

Hello,
I'm the owner of a small business. I need to delegate the admin of our database. This will come with exporting features that the person needs to perform his / her work.
I'm using a software to monitor his PC. In case he misabuses his powers, I will be able to see it.
The database is monitored in the cloud & user access can be managed by whitelisted IPs

He should be only able to connect from HIS computer, to the database.

Anyone has a solution?

Sorry I don't really get your situation/problem. But maybe I'm just not that familiar with it. However, monitoring PCs of employees isn't the best solution in my mind. Why is there a need to do that?

 

[Grindman]

Sorry I don't really get your situation/problem. But maybe I'm just not that familiar with it. However, monitoring PCs of employees isn't the best solution in my mind. Why is there a need to do that?

If you give someone access to export all of your client data, it's easy to send it to a colleague that wants to start on his / her own / sell it / ..

 

[Kasimir]

If you give someone access to export all of your client data, it's easy to send it to a colleague that wants to start on his / her own / sell it / ..

I get that. But please make some research about that. It's not only a legal problem, also a moral one. You can have your employee sign an agreement. But I would never think about monitoring desktops of my employees. Maybe that's just me, or it's an American thing. But I seriously have a problem with that mindset, so I won't be able to help you I'm sorry.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Grindman]

If your business was selling data you would understand this concern.

Literally a big threat for our company.

 

[Kasimir]

If your business was selling data you would understand this concern.

Literally a big threat for our company.

Sorry my friend that has nothing to do with what you're selling. My employees could sell all our date for millions, but I trust them that they don't because they will have legal problems if they do. And every employee needs to sign a non-disclosure agreement, or something similar.

I'm sorry, but the difference is that I trust my employees. But maybe that's different in your country, but I'd have legal problems if I just monitored how my employees are working. The only legal path I'd see in my country is that I see what movement they did in an online tool with a log report. But that doesn't solve your problem I think. There are many companies working with exactly that system, you see exactly what a person changed, downloaded or deleted. But you can't see what they are doing right now and in my mind that's the right way to do it.
It all depends on what kind of employer you want to be.

 

[Grindman]

Sorry my friend that has nothing to do with what you're selling. My employees could sell all our date for millions, but I trust them that they don't because they will have legal problems if they do. And every employee needs to sign a non-disclosure agreement, or something similar.

I'm sorry, but the difference is that I trust my employees. But maybe that's different in your country, but I'd have legal problems if I just monitored how my employees are working. The only legal path I'd see in my country is that I see what movement they did in an online tool with a log report. But that doesn't solve your problem I think. There are many companies working with exactly that system, you see exactly what a person changed, downloaded or deleted. But you can't see what they are doing right now and in my mind that's the right way to do it.
It all depends on what kind of employer you want to be.

My employees could sell all our date for millions, but I trust them that they don't because they will have legal problems if they do. And every employee needs to sign a non-disclosure agreement, or something similar -

If you don't monitor this, how Will you ever Know if this happens?

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Jon L]

This requirement sounds like a mess, and it doesn't sound like you've thought it through in nearly the amount of detail you need. Simple monitoring is NOT a good solution. If the data is truly that important (think SSN, protected health information, etc), then a well-thought-out, and rather expensive custom software development project is called for. (5 to 6 figures).

If the data really isn't that important: customer lists, etc., then hiring well, and trusting your employee to do the right thing is all you need.

Unless you have a very robust system, monitoring will get you nowhere. Consider: an employee can capture your data by videoing it with a cell phone, and doing OCR afterwards. How would you monitor for that?

SO:

You need to come up with the process you'd like to use to keep this data safe. (forget technical stuff at first). The first step in that is to define the business-level questions about the data:

Questions:
1) How important is this data?
2) What would happen if it got into the wrong hands?
3) how likely is that to happen?
4) by what method would someone steal the data?
5) to whom would they give it?
6) in what form would they give it?
7) How large of an investment are you willing to make to secure the data? ($100? $1000? $1,000,000?)
etc.

Here's an approximate way of figuring out how much to invest in securing the data:

Multiply the percent chance by the amount of money it would cost you if the data got into the worst-cast-scenario hands. For example: 5000 patients' HIV records were released online due to your negligence, and you're fined the max $1.5M. Beyond that, several large customers cancel contracts with you, netting an additional $10m/year loss in revenue. What is the chance that might happen? Who knows, but you can guess: 1:10 annually if nothing is done to secure the data. 10% of 11.5M is $1.15M. That's somewhere in the neighborhood of what it would cost an testing facility to secure their data, so my formula isn't all that unrealistic. With that formula, you'd be just as idiotic to spend $5000 securing it as you would $15m

Let's say that if your customer list was released to your best competitor, you'd lose $25k from your worst clients. (Those clients who are about to leave anyway, and who aren't a great fit for you). The chance of that happening is 1:100 ... which employee cares enough to bother with something like this? They'd need to figure out who to send the list to, what to charge for it, etc. That's a lot of work for little reward. 25k*1% is $250. ... In other words, don't bother trying to fix this problem.

Hope this helps.

 

[Kasimir]

My employees could sell all our date for millions, but I trust them that they don't because they will have legal problems if they do. And every employee needs to sign a non-disclosure agreement, or something similar -

If you don't monitor this, how Will you ever Know if this happens?

Trust me I know.

This requirement sounds like a mess, and it doesn't sound like you've thought it through in nearly the amount of detail you need. Simple monitoring is NOT a good solution. If the data is truly that important (think SSN, protected health information, etc), then a well-thought-out, and rather expensive custom software development project is called for. (5 to 6 figures).

If the data really isn't that important: customer lists, etc., then hiring well, and trusting your employee to do the right thing is all you need.

Unless you have a very robust system, monitoring will get you nowhere. Consider: an employee can capture your data by videoing it with a cell phone, and doing OCR afterwards. How would you monitor for that?

SO:

You need to come up with the process you'd like to use to keep this data safe. (forget technical stuff at first). The first step in that is to define the business-level questions about the data:

Questions:
1) How important is this data?
2) What would happen if it got into the wrong hands?
3) how likely is that to happen?
4) by what method would someone steal the data?
5) to whom would they give it?
6) in what form would they give it?
7) How large of an investment are you willing to make to secure the data? ($100? $1000? $1,000,000?)
etc.

Thanks! Couldn't agree more.