SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 

Backup Data Security

By Steve Jones,

It seems there is no end to the insecure ways in which people manage data. I haven't seen this one before, but I'm sure it's happened. In fact, I bet it's happening right now in more than one company. A company was using rsync to keep data files copied between two insecure servers. Insecure because of a lack of username and password on the systems. In this case, the problem was a subcontractor that dealt with confidential US military personnel data.

I appreciate that many of you are talented scripters that solve problems and build great solutions. I wonder how many of you actually think about security and the potential implications of small mistakes in configuration that others might make. When you build that PoSh script to copy backup files, are you ensuring the transfer takes place in a secure manner? Do you assume that because you use an IP address or server with no DNS entries to receive data that no one else can find it?

All too often I find that sysadmins and developers make assumptions about the security of their process. They think because discovering the process or information would be hard for them or they wouldn't bother, the data will be secure. And we find that time and time again that the ways in which we build systems without considering security aren't secure. Someone will find a way to access the data, often with a fairly simple technique. Steal a laptop that's unencrypted. Get a user to click on a link that installs keystroke logger or uses phishing to gain credentials. Scan a server for known software running with un-patched vulnerabilities or default accounts. I can't tell you how many times I've logged into Oracle database servers with "System" and "Manager" in various organizations.

Certainly our software platforms haven't been well designed with security in mind. All sorts of expected, happy path behaviors are assumed by software developers, many of which are susceptible to attacks. While modern platforms are better designed and patches are becoming widely available, far too few companies apply these patches and consider security in the software they build on top of the OSes, databases, and other frameworks used for software. As an industry, we are far too guilty of granting more security than needed, opening more ports than necessary, re-using accounts too often, and assuming that our network paths are secure.

Good security comes from having layers that don't open our systems to a single mis-configuration or simple attack. Disks should be encrypted, minimal privileges granted, accounts not re-used across systems, and network communications, even for simple copies, secured. I know this can slow some development and be painful to implement, but as we become used to using secure credentials and techniques in all of our work, the complexity will fade into the background, and it will be as easy to deploy a secure system as an insecure one.

 
Total article views: 77 | Views in the last 30 days: 1
 
Related Articles
ARTICLE

Global Insecurities

The various security scans of 2012 reported lots of potential problems in companies. Why don't vendo...

ARTICLE

Software Vendor Security

This week Steve Jones finds some issues with the security of third party vendor software.

ARTICLE

Building Better Software

Steve Jones discusses the idea of building software better, and why that's a challenge for many of u...

FORUM

Security Managemen Systems

problem with Security Managemen Systems

ARTICLE

Building Better Software

Why is it so hard to build better software? Steve Jones looks at recent problem in iOS that seems si...

Tags
editorial    
security    
 
Contribute