by tantalor 1931 days ago
Thanks for the thoughtful comment. You make several excellent points which I really appreciate!

> It’s unreasonable to bar all employees from accessing sensitive data at a technical level

This is the heart of the confusion. Sensitive data must be locked down (e.g., encrypted) and access tightly controlled so only employees with a legitimate purpose have read access. Since this is a "technical" solution to the problem, I would label the original data breach a "technical" vulnerability.

On the other hand, the "developers conspire to push malicious or faulty changes to production" scenario is not a technical vulnerability; it falls into the category of deceit/fraud à la social engineering. Of course there are technical means you could try to foil exfiltration, but generally this sort of attack is prevented by non-technical means, e.g., code review.