SQLServerCentral is supported by Red Gate Software Ltd.
 

Low Hanging Fruit

By Steve Jones, 2009/10/26


I saw an open letter to Google recently that caught my eye. Someone asked if HTTPS, the secure version of HTTP, could be enabled by default for their applications like Gmail, Calendar, etc. There's no real reason not to use HTTPS, especially as most computers these days have plenty of processing power to handle the encryption/decryption and all browsers support it. I've never felt that it was easy to snoop on traffic in general, but why take the chance? Why not just encrypt communications with HTTPS? I know some companies don't allow it, but that's silly. Why not ensure secure communications?

It got me thinking about how we handle security in databases. We tend to limit all rights by default, at least in SQL Server. If you aren't explicitly granted rights to a table or object, you can't access it. With SQL Server 2005, Microsoft built the product to be secure by default, meaning that many of the features and subsystems are disabled by default. It may be a pain for developers and administrators at times, but I think it's the right way to approach things.

Are there other things we can do? Should we be looking to make SQL Server more secure by default? Maybe encrypt client communications as the rule, and not the exception. Are there other changes that we could make as defaults in SQL Server that would make the server more secure?

I can't think of any, but I'm sure there are other ideas out there. The open letter to Google makes sense, and it's the kind of low hanging fruit for security that we ought to go back and reconsider. Making email, DNS, the fundamental services of computing more secure would be a good idea, even if there is some breakage. I would think that as DBAs and developers, we'd also want to be sure our database services are as secure as possible.

Steve Jones


The Voice of the DBA Podcasts

Everyday Jones

The podcast feeds are available at sqlservercentral.mevio.com. Comments are definitely appreciated and wanted, and you can get feeds from there.


Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.

I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.

Steve Jones
Editor, SQLServerCentral.com