I think data security is important, and it's one of those areas that I usually focus on early when I work with in an organization. Over time, I think data security has become more and more important, especially in the cases of sensitive information. Increasing legislation, as well as more fickle customers, are forcing those of us that work with data to be more careful with our data security practices.
Often I've had an ad hoc review of security practices. As I notice areas where security seems lax, I'll try to make changes and tighten up the configuration. The goal is reducing the attack surface area, which should be something we do in a methodical fashion. Microsoft has given us a basic tool in the Baseline Configuration Analyzer, but this isn't quite enough.
With that in mind, I wanted to ask if any of you have something better. Do you have a security to-do list that you move down to ensure that good (or best) practices are still being followed?
A security to-do list appeared in my feed recently, and it got me to think a bit about the items that are important for data security. While many of these items are general security issues, I do think that these are areas that we might use, and extend, for our data platform. Certainly long passwords and checking logs are important, but how many of you keep sessions open to production servers (or dev servers with production data) and walk away? Or you know others that do the same thing?
The flash drive item is very interesting. I tend to not accept any flash drives from others, precisely because of these issues. It's gotten to the point where I'm afraid of malware and don't even want to use my own flash drive if someone else has plugged it into their machine. It's sad, but we have a fair amount of malware still be transferred with those types of connections.
There are other items that are relevant, including perhaps sniffing your own network for malicious database traffic, but there are a few items that might apply specifically to the data platform, such as evolving and tightening our security with multiple roles and limits on access for different groups. This seems to be one of the more common areas where data professionals fall down. We give large groups access to our data because it's easier. We should be careful with access because social engineering and too much access for non-privileged users is one way we lose lots of data.