If or When?
Posted Wednesday, April 9, 2014 8:40 PM
Comments posted to this topic are about the item If or When?

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1560231
Posted Wednesday, April 9, 2014 9:00 PM
Added "security" is a mixed blessing. I've found that instead taking the time and expense of hardening features, some folks sometimes just make them go away.

--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #1560237
Posted Thursday, April 10, 2014 2:36 AM
Security is like insurance. It is more likely that it will not occur to you, but you cover yourself regardless because the cost of not doing it when you are attacked outweighs the cost of doing it even if it is never required.

Also, it is like being chased by a bear: you don't have to be faster than the bear, just faster than at least one other person running with you.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1560287
Posted Thursday, April 10, 2014 7:02 AM
Trust in god, but tie your camel first

Everyone working in software should have long since learned the danger of assumptions. The preparations in that article, as pessimistic as they sound, simply reflect a conscious choice not to assume that some other element of the system will keep everything safe.
Post #1560406
Posted Thursday, April 10, 2014 7:26 AM
I'm not sure IT is all that effective in addressing security. I'd like to see the accountants involved more.
Post #1560420
Posted Thursday, April 10, 2014 7:54 AM
I believe that SQL Server already has the required features to implement auditing (SQL Server Audit and extended events), granular controls (permissions), and separation of duties (database and server roles). There is also a tool, Best Practices Analyzer, that includes advice about security related configuration settings. I'm not sure if it's possible to add custom rules though. Virtually all DBAs know the features are there, but few put them into practice.

So, what's really lacking is an IT industry accepted set of best practices, education about why it's a necessity, and top-down compliance. For the standards, the IT industry itself can drive this, and for the oversight and compliance, I (hate to) say that the government needs a bigger role.

The government regulates how much weight can be stacked on a commercial truck, it regulates the temperature that restaurants and grocery stores maintain their frozen food at, how surgical instruments should be cleaned, and 10,000 other things across most every industry, so why not personal data? I'm not saying that the government should hook into the network and look over people's shoulders or that they should make surprise onsite inspections. What I'm advocating is that the government mandate that:
"This is the minimum standard by which specific types of data should be secured in a database or network, and if we find out you're not meeting the minimum standard, then there will be fines, or even jail, if we discover that you deliberately exposed or shared protected information."
We already have this to an extent, but it could be broader, not just healthcare and financial organizations, and it could include requirements for specific best practices.

If an organization collects data like credit card numbers or personal information about customers and then claims that they don't have the resources to properly secure that data, I mean basic stuff like secure connections and role based security, then... screw you. That's right, I said screw you. You are a menace to society.

If a doctor or chef can take the time to clean and maintain the tools of their trade, then why not a DBA?
Post #1560439
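The post above names SQL Server Audit as the built-in auditing feature that most DBAs know about but few switch on. The following is an added example, not the poster's code: one server audit writing to a file, a server audit specification that captures failed logins and changes to logins, server roles and permissions, and a database audit specification that records who reads or changes a sensitive table. The file path C:\SQLAudit\, the database AppDb and the table dbo.Customers are assumptions; the audit action groups and functions are the documented SQL Server ones (2008 Enterprise or later, any edition from 2012 for the server-level part).

```sql
-- Added example, not from the original post. Assumes the directory C:\SQLAudit\
-- exists and is writable by the SQL Server service account, and that the database
-- AppDb with table dbo.Customers exists (all assumptions).
USE master;
GO
-- One audit target: rolling files, 100 MB each, at most 10 kept on disk.
CREATE SERVER AUDIT Audit_SecurityEvents
    TO FILE ( FILEPATH = N'C:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10 )
    WITH ( QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE );
GO
-- Server-level events worth keeping: failed logins, anyone added to or removed from a
-- server role, server permission changes, login create/alter/drop, and changes to the
-- audit itself (so turning the audit off is itself recorded).
CREATE SERVER AUDIT SPECIFICATION AuditSpec_SecurityEvents
    FOR SERVER AUDIT Audit_SecurityEvents
    ADD ( FAILED_LOGIN_GROUP ),
    ADD ( SERVER_ROLE_MEMBER_CHANGE_GROUP ),
    ADD ( SERVER_PERMISSION_CHANGE_GROUP ),
    ADD ( SERVER_PRINCIPAL_CHANGE_GROUP ),
    ADD ( AUDIT_CHANGE_GROUP )
    WITH ( STATE = ON );
GO
ALTER SERVER AUDIT Audit_SecurityEvents WITH ( STATE = ON );
GO
-- Database-level: every read and write of the sensitive table by any principal,
-- plus role membership and permission changes inside the database.
USE AppDb;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_Customers
    FOR SERVER AUDIT Audit_SecurityEvents
    ADD ( SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public ),
    ADD ( DATABASE_ROLE_MEMBER_CHANGE_GROUP ),
    ADD ( DATABASE_PERMISSION_CHANGE_GROUP )
    WITH ( STATE = ON );
GO
-- Read back what was captured (most recent first).
SELECT TOP (100)
       event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM   sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER  BY event_time DESC;
```

ON_FAILURE = CONTINUE keeps the instance running if the audit target becomes unwritable; a regulated environment may prefer SHUTDOWN or FAIL_OPERATION, which is a deliberate availability trade-off rather than a default to copy.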
Posted Thursday, April 10, 2014 9:28 AM
Hackers are not going to try to hack all servers. They look for the easiest path. This is one area where it's best to be the ugly duckling at the dance. Make it as difficult as you can for hackers and they will leave you alone for someone easier and more attractive.

As Eric said, it would be great to have industry standards for DBAs and developers. Who would set the standards? I don't know that the government would be the best choice. Do you want different standards for each vendor; Microsoft, IBM, Oracle, open source, etc.?

Tom
Post #1560501
Posted Thursday, April 10, 2014 9:54 AM
OCTom (4/10/2014)
Hackers are not going to try to hack all servers. They look for the easiest path. This is one area where it's best to be the ugly duckling at the dance. Make it as difficult as you can for hackers and they will leave you alone for someone easier and more attractive.

As Eric said, it would be great to have industry standards for DBAs and developers. Who would set the standards? I don't know that the government would be the best choice. Do you want different standards for each vendor; Microsoft, IBM, Oracle, open source, etc.?

Tom

The standards would not have to be very technical. Dedicated sysadmin accounts, removal of service accounts from the sysadmin role, separation of duties, application accounts with minimal privilege (i.e. no ad-hoc SQL and access only to required tables), encryption at rest for columns containing sensitive data, encrypted backups, encrypted connections between the application and database layers: these basic best practices would apply to any enterprise database platform. If a database platform doesn't provide support, then the organization has simply chosen the wrong platform.
Post #1560515
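Several items in the list above (a dedicated, least-privilege application account with no ad-hoc table access, service accounts kept out of sysadmin, encrypted connections) are a few T-SQL statements each, and each has a query that checks whether it is actually in place. The script below is an added example, not the poster's code. The database AppDb, the schema app holding the application's stored procedures, the login app_orders, the role app_orders_exec and the placeholder password are all assumptions; it assumes SQL Server 2012 or later for ALTER ROLE ... ADD MEMBER.

```sql
-- Added example, not from the original post. Assumes SQL Server 2012+, a database
-- AppDb whose tables live in schema dbo and whose application procedures live in
-- schema app, with both schemas owned by dbo (all assumptions).
USE master;
GO
-- Dedicated login for the application tier: no server role membership at all.
-- The password is a placeholder; generate a long random value and keep it in the
-- application's secret store, not in this script.
CREATE LOGIN app_orders
    WITH PASSWORD = N'<replace-with-long-random-password>',
         CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
GO
USE AppDb;
GO
IF SCHEMA_ID(N'app') IS NULL EXEC (N'CREATE SCHEMA app AUTHORIZATION dbo;');
GO
CREATE USER app_orders FOR LOGIN app_orders WITH DEFAULT_SCHEMA = app;
CREATE ROLE app_orders_exec AUTHORIZATION dbo;
ALTER ROLE app_orders_exec ADD MEMBER app_orders;
GO
-- EXECUTE on the procedure schema only. The procedures reach the dbo tables through
-- ownership chaining (same owner), so the application login never holds SELECT or
-- UPDATE on a table: ad-hoc SQL sent from a compromised application tier has nothing
-- to read or modify directly.
GRANT EXECUTE ON SCHEMA::app TO app_orders_exec;
-- If one table genuinely must be read directly, grant it by name, never the schema:
-- GRANT SELECT ON OBJECT::dbo.OrderStatus TO app_orders_exec;
GO
-- Check 1: effective permissions of the application principal.
EXECUTE AS USER = N'app_orders';
SELECT entity_name, permission_name
FROM   fn_my_permissions(N'dbo.Customers', N'OBJECT');   -- expect no rows
SELECT entity_name, permission_name
FROM   fn_my_permissions(N'app', N'SCHEMA');             -- expect EXECUTE only
REVERT;
GO
-- Check 2: who holds sysadmin? Service and application accounts should not be listed.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM   sys.server_role_members rm
JOIN   sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE  r.name = N'sysadmin'
ORDER  BY m.name;
-- Removal is one statement, e.g.: ALTER SERVER ROLE sysadmin DROP MEMBER [DOMAIN\svc_app];
GO
-- Check 3: sessions that are not using an encrypted connection to the instance.
SELECT c.session_id, s.login_name, s.program_name, c.client_net_address, c.encrypt_option
FROM   sys.dm_exec_connections c
JOIN   sys.dm_exec_sessions s ON s.session_id = c.session_id
WHERE  c.encrypt_option = N'FALSE';
```

The three check queries are the part to keep: run them on a schedule and treat any row from the first or third, or any unexpected member from the second, as a finding rather than something to look at once at deployment time.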
Posted Thursday, April 10, 2014 10:24 AM
Just define legal requirements to be best endeavours. I think that in most sectors where it counts there are further standards, for example in the UK we have the Data Protection Act (personal data), PCI (financial transactions, aka payments) and we all seem to follow Sarbanes-Oxley. By legislating only the demand for best endeavours we rely on the courts to apply it reasonably, e.g. if I have a Solitaire scoreboard score that isn't encrypted then I would not expect any liability, but for medical records, bank account details, etc. I would expect protection by the law from any slackers.

The grey area is the dumping grounds of data like DropBox or OneDrive which are just buckets.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1560528
Posted Thursday, April 10, 2014 10:42 AM
Gary Varga (4/10/2014)
Just define legal requirements to be best endeavours. I think that in most sectors where it counts there are further standards, for example in the UK we have the Data Protection Act (personal data), PCI (financial transactions, aka payments) and we all seem to follow Sarbanes-Oxley. By legislating only the demand for best endeavours we rely on the courts to apply it reasonably, e.g. if I have a Solitaire scoreboard score that isn't encrypted then I would not expect any liability, but for medical records, bank account details, etc. I would expect protection by the law from any slackers.

The grey area is the dumping grounds of data like DropBox or OneDrive which are just buckets.

I believe that major financial, healthcare, and government organizations stay on top of data security. Where it's still the wild west is data aggregators, small online retailers, and fly-by-night startups. Not only do I not trust their technical expertise, but many of them have a business model where they swap or sell data dumps with reckless disregard for privacy. The government and media have their attention focussed on the larger corporations, but there are a lot of small companies collecting big data. God only knows who's running these outfits, what their business model or agenda is, and what best practices (if any) they follow. We need laws that provide blanket coverage of any organization, regardless of size or industry, that aggregates sensitive personal data.
Post #1560533