by lotsoweiners
925 days ago
But what if this person has direct access to the database? I'm a developer for my local government and have direct read/write access to many systems' production data. I could not only read but also update important info about people without going through an application, all while logged in as the application's SQL ID. In fact I have to do this to handle tickets that are caused by limitations in the system.
For example, if you can get code into production, you cannot have access to production data, and vice versa.
You'll also see data in different databases where no one has access to both. You'll also see things like this with the use of encryption keys, such as KEK vs DEK where no system has access to both.
https://security.stackexchange.com/questions/93886/dek-kek-a....
Typically speaking, these compliance frameworks will have exemptions for "business need" and companies will try to drive a semi-truck through that hole. Whether they get away with it depends on multiple factors such as the size of the company and the auditor's mood.
It's almost like being "too big to fail". I have seen some absolutely heinous setups surrounding compliance-related data that were allowed via "business need" because pulling that rug would cause the entire company to stop functioning. Generally, when companies do things like this and they get to that size, they'll spend years rectifying the problem because auditors will start giving them the stink-eye or they'll actually hire people who aren't comfortable with what they're doing.
It's all very messy, but don't assume that just because you have that kind of access that you should (and don't assume the reverse either). Without knowing more about what you do I couldn't say.
But for sure the other poster went quiet when I asked who the company was because they're fully aware they're on shaky ground. Which was my point in making that statement.
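The KEK/DEK split mentioned in the reply above, as an added example that is not from the thread or the linked answer: a key-management service holds the KEK and only wraps and unwraps per-record DEKs, while the application database stores the ciphertext plus the wrapped DEK, so neither side alone can read the data. The names (`KMS`, `Record`, `Encrypt`, `Decrypt`) are assumptions for the illustration; the primitives are AES-GCM from Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const nonceSize = 12 // standard GCM nonce length
func aead(key []byte) cipher.AEAD { // AES-GCM for key; a wrong key size is a programming error
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	return gcm
}
func randBytes(n int) []byte { // n bytes from the OS CSPRNG; failure is unrecoverable
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
func seal(key, plaintext []byte) []byte { // AES-GCM with a fresh nonce prepended to the output
	nonce := randBytes(nonceSize)
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) { // reverses seal; fails on a wrong key or tampered data
	if len(sealed) < nonceSize { return nil, errors.New("ciphertext too short") }
	return aead(key).Open(nil, sealed[:nonceSize], sealed[nonceSize:], nil)
}

// KMS is the only holder of the KEK; it wraps and unwraps DEKs and never sees application data.
type KMS struct{ kek []byte }

func (k *KMS) Wrap(dek []byte) []byte                 { return seal(k.kek, dek) }
func (k *KMS) Unwrap(wrapped []byte) ([]byte, error) { return open(k.kek, wrapped) }

// Record is what the application database stores: ciphertext plus the wrapped DEK, never the KEK.
type Record struct{ WrappedDEK, Ciphertext []byte }

// Encrypt uses a fresh DEK per record; the plaintext DEK is dropped once wrapped.
func Encrypt(kms *KMS, plaintext []byte) Record {
	dek := randBytes(32)
	return Record{WrappedDEK: kms.Wrap(dek), Ciphertext: seal(dek, plaintext)}
}

// Decrypt must call the KMS to unwrap the DEK; the stored record alone cannot be read.
func Decrypt(kms *KMS, r Record) ([]byte, error) {
	dek, err := kms.Unwrap(r.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, r.Ciphertext)
}
```

A database dump taken without the KEK therefore yields only ciphertext and wrapped keys, and every unwrap is a call to the KMS that can be logged and audited.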