[ Thanks to Peter Parker for this
link. ]
“Databases are one thing that is often overlooked. DBAs
have access to most of the data in there, so IT managers will set
them up as if they are in total control of all the data and access
privileges. Managers who own all of the data in the IT environment
don’t have as much knowledge as they should about these databases.“Another challenge is applications that come bundled with their
own internal security. In these cases, how do you know that these
applications aren’t doing something in such a way that it has more
access to data than it needs? For example, I have a program, and
that program has to run with root access on Linux and has to be
able to log into the database. It will do its own security check.
These applications that have their own internal security are
becoming very hard for people to say, “Do I really understand who
has access to what in my network?” In these cases, you rely on a
vendor to publish schemas and to do their own audits on the
applications.””