
It seems like there is an inverse relationship between sophistication and risk. If everything is full-custom then it may be quite easy to integrate auditing tools for who accessed user data. If an org uses mostly off-the-shelf software then it's pretty much impossible to audit e.g. who connected to what mysql server and ran which queries. So I'd be a lot more worried about a Twitter (fairly unsophisticated deployments of standard software stacks), moderately worried about Facebook (hacks upon the usual stack) and not very worried about Google (literally everything written in-house).


The data scientists at Facebook have pretty much free rein to pull down whatever data they feel they need and often do. As much as there's talk about how much of a no-no that is there, it doesn't seem like anyone is really looking.

You should be a lot more worried about Facebook.

This pretty much applied to US government warrantless wiretaps as well come to think of it. Unfettered access isn't so hot if you like your privacy.


That's a different problem though. The fact that Facebook employees access your private data is not because of insider risk being taken unseriously. It's because looking at and distributing your private data is a core function for that company. They don't consider it a flaw.


>who connected to what mysql server and ran which queries

I'm pretty sure that is not really a hard task


It is quite common that sql servers run just with a few accounts. Helpful audit logs on critical systems have a high cost. So technically it is not hard but practically it is.


True, but they can have systems which execute on behalf of an authenticated user and pass that to the SQL server, and the system in the middle would have logs of that query and by whom. Now, to be fair, there are usually holes that allow direct access as well.


I work in the public sector where we take these things fairly seriously, but it doesn’t really matter when the auditors are drowned in the vast amount of data.

We have 300 IT systems with 8000 users that take care of 700000 citizens. There is an ungodly amount of information on who accessed what and when. Data security, even post GDPR is a total illusion.

We’re working to build better access control, by indexing data and mapping user rights to job functions, but even then things are going to get lost in the audits.


> who connected to what mysql server and ran which queries.

Let’s say I’m a foreign spy who happens to be the company’s DBA. Audit logs don’t really help you there since it’s not particularly noteworthy that I was in the DB.


That's exactly my point. In a company like Twitter there is some person or probably many people who are "the dba" and accessing a mysql directly or even using tools to access the underlying storage is an event of no discernible consequence. By contrast in a Google-style stack there is no person who is "the DBA", making it far easier to audit. A Gmail admin might need to unwrap the encryption keys that protect your attachments to, for example, diagnose a message-of-death that is crashing their backends, but that event would be so rare as to be easily audited, and it would tie a specific actor to a specific victim. Also I would say a custom auditing stack is way more resilient to things like just deleting the logs off the server, restarting the server without auditing, and whatnot.
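The broker-in-the-middle idea raised a few comments up (a service that runs queries on behalf of an authenticated user and records who asked for what), combined with this comment's point about an audit trail that survives someone editing the logs, as an added example written for this thread, not code from any commenter. It assumes a shared DB login behind the broker and uses in-memory sqlite as a stand-in for MySQL; the hash chain detects edits or removals inside the stored trail, but shipping entries off-host is still what protects against deleting the whole file.

```python
import hashlib
import json
import sqlite3
import time


class AuditLog:
    """Append-only, hash-chained audit trail kept by the middleware, not by the DB."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, body):
        return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

    def append(self, body):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        entry = dict(body, prev=prev, digest=self._digest(prev, body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """False if any stored entry was edited, or an entry other than the last was removed."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("prev", "digest")}
            if e["prev"] != prev or e["digest"] != self._digest(prev, body):
                return False
            prev = e["digest"]
        return True


class QueryBroker:
    """Executes statements under one shared DB account on behalf of a named, authenticated user."""

    def __init__(self, conn, log):
        self.conn, self.log = conn, log

    def run(self, actor, sql, params=()):
        # Record who asked for what before the query runs, so a crash mid-query cannot hide it.
        self.log.append({"ts": int(time.time()), "actor": actor, "sql": sql, "params": list(params)})
        return self.conn.execute(sql, params).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")  # stand-in for the shared MySQL login ('?' placeholders are sqlite's)
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.com')")  # constructed sample row
    log = AuditLog()
    broker = QueryBroker(conn, log)
    broker.run("analyst-42", "SELECT email FROM users WHERE id = ?", (1,))
    broker.run("dba-7", "SELECT * FROM users")
    actors = [e["actor"] for e in log.entries]
    intact_before = log.verify()
    log.entries[0]["actor"] = "nobody"  # an insider rewriting a stored entry breaks the chain
    return actors, intact_before, log.verify()
```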


Yo...middleware is a thing.


Why would you think that MySQL is harder to get logs from than some custom in house database?



