Website to Database Security
-
@s.hackleman said in Website to Database Security:
This ensures that every database access can be tracked back to an individual account.
That doesn't make sense. You log that from the application, not the database.
-
@scottalanmiller said in Website to Database Security:
@s.hackleman said in Website to Database Security:
The other department says this is a security risk, and is requiring passthrough security. This means that every user would be added to an AD group with rights to the website and databases.
Well no. I'm not sure where passthrough security is coming from to begin with, maybe some more clarity there. But I'm not seeing it.
The users would need to be in an AD group with access to the website, yes. But none of them would have ANY access to the database, of course. Only the application would have access to the database. So something is wrong with that description compared to how you described it above.
I know, but no, I described it right. That is what I am fighting. I am in the process of making my case for sanity.
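The access model scottalanmiller describes above (users are authorized to the website, only the application holds a database credential, and the "who did what" record is written by the application) looks like this in practice. This is an added example, not code from the thread or from either poster's environment; the user set `WEBSITE_USERS` stands in for the AD group that grants website access, the account name `DB_SERVICE_ACCOUNT` is a placeholder for the application's real service account, and an in-memory SQLite database stands in for the real one.

```python
"""Application-mediated database access with an application-side audit trail.

Added illustration (not the thread's code): end users never hold a database
credential. The web application authorizes the user, runs the query as its
own service account, and records which authenticated user caused each
database operation, because only the application knows who the human is.
"""
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in for "members of the AD group that grants website access".
WEBSITE_USERS = {"alice", "bob"}

# Placeholder for the single credential that can reach the database. It belongs
# to the application; no end user is ever granted it.
DB_SERVICE_ACCOUNT = "svc-webapp"


class AppDataAccess:
    """Data access layer: one service-account connection, app-level auditing."""

    def __init__(self):
        # One connection opened as the service account. The database only ever
        # sees DB_SERVICE_ACCOUNT, never the end user's identity.
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, total REAL)"
        )
        self.conn.execute(
            "CREATE TABLE audit (ts TEXT, app_user TEXT, db_account TEXT, "
            "action TEXT, target TEXT)"
        )
        # Constructed sample data.
        self.conn.executemany(
            "INSERT INTO orders (owner, total) VALUES (?, ?)",
            [("alice", 10.0), ("bob", 25.5)],
        )
        self.conn.commit()

    def _audit(self, app_user, action, target):
        # The application writes the audit row: it is the only layer that can
        # tie a database operation back to the authenticated website user.
        self.conn.execute(
            "INSERT INTO audit VALUES (?, ?, ?, ?, ?)",
            (datetime.now(timezone.utc).isoformat(), app_user,
             DB_SERVICE_ACCOUNT, action, target),
        )

    def list_orders(self, app_user):
        """Return the caller's own orders; refuse and record anyone not in the group."""
        if app_user not in WEBSITE_USERS:
            self._audit(app_user, "DENIED list_orders", "orders")
            self.conn.commit()
            raise PermissionError(f"{app_user} is not authorized for the website")
        # Parameterized query run under the service account, scoped to the user.
        rows = self.conn.execute(
            "SELECT id, owner, total FROM orders WHERE owner = ?", (app_user,)
        ).fetchall()
        self._audit(app_user, "list_orders", "orders")
        self.conn.commit()
        return rows

    def audit_trail(self):
        """(app_user, db_account, action) per recorded operation, oldest first."""
        return self.conn.execute(
            "SELECT app_user, db_account, action FROM audit ORDER BY rowid"
        ).fetchall()


def demo():
    dao = AppDataAccess()
    dao.list_orders("alice")
    try:
        dao.list_orders("mallory")  # constructed user outside the group
    except PermissionError:
        pass
    return dao.audit_trail()


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Every audit row carries the website user's name alongside the single service account, which is the point made above: the database-side identity is always the application, so per-user tracking has to come from the application's own log. Granting each user direct database rights instead would give them a credential that works outside the application's authorization checks, which is the exposure the thread is arguing against.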
-
@s.hackleman said in Website to Database Security:
I know, but no, I described it right. That is what I am fighting. I am in the process of making my case for sanity.
So the other department doesn't know how applications or databases work? Just ignore them then, you won't be able to convince them without teaching them way too much to be worth it.
-
@scottalanmiller said in Website to Database Security:
So the other department doesn't know how applications or databases work? Just ignore them then, you won't be able to convince them without teaching them way too much to be worth it.
I wish I could, but in this case I have to get them on board. I wish I had a better response than office politics, but I know you understand how silly it can be sometimes.
-
@s.hackleman said in Website to Database Security:
I wish I could, but in this case I have to get them on board. I wish I had a better response than office politics, but I know you understand how silly it can be sometimes.
I'd go to management and discuss the security risks of "random, non-technical input" and list this process as "social engineering endangering the company at an endemic management level." This is a reckless process that someone (maybe the CEO) should know about.
-
@scottalanmiller said in Website to Database Security:
I'd go to management and discuss the security risks of "random, non-technical input" and list this process as "social engineering endangering the company at an endemic management level." This is a reckless process that someone (maybe the CEO) should know about.
That is the case I am building, just checking my own sanity, and looking for information that is easy to digest.
-
@s.hackleman said in Website to Database Security:
That is the case I am building, just checking my own sanity, and looking for information that is easy to digest.
Anything else will be impossible because defending against "random inaccurate statements" isn't really plausible. But why someone would be introducing this risk at any level is a serious question. What's their purpose in doing this?
-
@scottalanmiller said in Website to Database Security:
Anything else will be impossible because defending against "random inaccurate statements" isn't really plausible. But why someone would be introducing this risk at any level is a serious question. What's their purpose in doing this?
In short, non-technical middle management making rules and enforcing them on technical people.
-
@s.hackleman said in Website to Database Security:
In short, non-technical middle management making rules and enforcing them on technical people.
But how did they get that power and why is the security head not stepping in to fix a problem? Why are their managers not protecting the company from them?
-
@scottalanmiller said in Website to Database Security:
But how did they get that power and why is the security head not stepping in to fix a problem? Why are their managers not protecting the company from them?
Next time I see you in person, I'll buy you a beer, and we can break it all down.
-
I'm curious how this other group even got involved? Who are they to the project?