There should be an ISO standard with respect to how much power and information t...

whyever · 2025-05-15T16:36:36 1747326996

They main defense against internal attacks is bookkeeping. Banks have been dealing with this for thousands of years. I recommend the corresponding chapter in Security Engineering by Ross Anderson: https://www.cl.cam.ac.uk/archive/rja14/Papers/SEv3-ch12.pdf

SoftTalker · 2025-05-16T02:52:09 1747363929

Bookkeeping will alert you to employees stealing your money. It won't alert you to employees selling information.

whyever · 2025-05-18T11:47:06 1747568826

Access logs do help with this. They have been successfully used by the police to identify rogue officers abusing their access to police databases.

wepple · 2025-05-15T18:30:34 1747333834

> better training and more monitoring.

That’s very load-bearing. It won’t help.

The CS reps are based in a LCOL country so the opportunity for theft is simply incredibly lucrative.

What is really needed, is customer-in-the-loop for access to their data. The problem is, not all accesses would make sense. Doing analytics over the data of the top 1% of customers, for example, requires some level of access, but would freak out those customers if they had to approve it.

wat10000 · 2025-05-15T18:37:20 1747334240

If it would freak out the customers, maybe they shouldn’t be doing it.

wepple · 2025-05-15T20:58:00 1747342680

That’s a nice thought, but naive.

What about, for example, a higher-tier support person performing QA over someone else’s work? What about DFIR teams doing research on potential abuse? Etc etc.

xyst · 2025-05-15T18:40:48 1747334448

Compartmentalization is a very expensive customer support model.

caseyohara · 2025-05-15T18:46:31 1747334791

So are $20M ransoms and the reputational damage from data breaches.