How to organize access of employees to servers?
Hello. I faced a non-trivial task when implementing a money-based system (something at the level of a mini bank, with sending money by cards, etc.).
There is a system that provides a significant cash flow between a large number of people. Until now, for security reasons, only I had access to the production server and real databases, but we are faced with the problem of scaling - we need technical support for the project at a time when I cannot do it.
For example, money transactions suddenly broke down due to some error in the latest updates, work is stopped, everyone suffers losses, including our company, and I, for example, have a temperature. It turns out that the whole system dies for a couple of days, until I personally can deal with the issue (find an error on real data from the database and upload the update to the prod).
Just giving the second backend developer access to the prod server is probably not an option. In the event of a conflict situation, you can stop the entire system for a couple of days (for example, by erasing the database). You can merge the customer database (it is significant, you can even sell it for good money).
But worst of all, you can take advantage of the fact that the system operates with real money, and somehow withdraw it to your cards (after which the company obviously compensates for the losses). For example, on the server there are SSL keys that can be obtained through the code, with the help of which appeals to banks can then be forged.
How best to approach this issue? I am guessing that partially giving access to the server will not work, because otherwise it is impossible to fully find and correct errors in the work.
----------
UPD: In general, any fraud can be tracked through the user's history in the system. And responsibility, for example for the loss of money by the system, can be prescribed in the contract. But the question is: will the SSH history be considered evidence of anything in court...?
In fact, as elsewhere with access to sensitive data, it is a matter of trust in your team and the good work of the Security Council. If there is no trust in the employee, access cannot be given.
As correctly noted, the Security Council (or other trusted employee) sets up round-the-clock monitoring of all actions, including a camera behind the back of an employee who has access.
Since the issue is related to money, and, apparently, potentially a lot of money, the employee who violates the rules faces criminal liability; it is not necessary to prescribe this in the contract.
The SSH history is quite acceptable as evidence in a court of law, although it is unlikely to be considered direct evidence.
The way out is to trust people, to select a team. Another option is to differentiate access by roles. And in general, I have not often seen a developer leak something. Usually these are managers, and top ones, and they conditionally leave with their base.
Hey!
Try setting up user role rights through AD (if you have a Windows server, for example) and in the database.
Give the minimum permissions. In some places, you can generally prohibit copying, giving only viewing.
This will not save you from writing data from the monitor to a sheet or printscreen.
Unfortunately, if there is very, very confidential data, then write in the terms of the contract of employment about the consequences of the leak.
If this is not possible, then look for a separate security officer who will install monitoring of employee actions, traffic analysis, and cameras in the corners. You will have to put everyone at computers in offices or virtual remote machines under your control.
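
One way to apply the "minimum permissions" and "viewing only" advice at the database level, as an added example that is not part of the original answers. It assumes PostgreSQL and a hypothetical schema `payments` with tables `transactions` and `customers`; the role names, column names and expiry date are made up for illustration.

```sql
-- Assumptions: PostgreSQL, run as a superuser; schema, tables and columns are hypothetical.

-- 1. A group role that carries the permissions. Nobody logs in as it directly.
CREATE ROLE oncall_support NOLOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 2. Read-only access to what is needed to debug a broken transaction.
--    No INSERT/UPDATE/DELETE/TRUNCATE is granted, so the data cannot be
--    erased or altered from this account.
GRANT USAGE ON SCHEMA payments TO oncall_support;
GRANT SELECT ON payments.transactions TO oncall_support;

-- 3. Customer data is reachable only through a view that masks the card
--    number. The view runs with its owner's rights, so the support role
--    needs no grant on payments.customers itself and gets none.
CREATE VIEW payments.customers_masked AS
SELECT id,
       created_at,
       status,
       '**** **** **** ' || right(card_number, 4) AS card_number_masked
FROM payments.customers;
GRANT SELECT ON payments.customers_masked TO oncall_support;

-- 4. One personal, time-limited login per employee, so every session in
--    the server log maps to a single person. Replace the placeholder password.
CREATE ROLE dev_second LOGIN PASSWORD 'CHANGE_ME'
    VALID UNTIL '2030-01-01'
    CONNECTION LIMIT 2
    IN ROLE oncall_support;

-- 5. Log every statement this login runs. log_statement can only be set by
--    a superuser, so the employee cannot switch it off for their sessions.
ALTER ROLE dev_second SET log_statement = 'all';

-- 6. Guard against accidents only: the user can override this setting, so
--    the real protection is the absence of write grants in step 2.
ALTER ROLE dev_second SET default_transaction_read_only = on;
```

The statement log is only useful as a record if it is shipped to a host the same employee cannot modify.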