
Are You Security Minded?

It's fun to just sit and talk with people; you never know what you'll learn or be forced to rethink based on a different viewpoint. During a recent conversation somehow we got around to security and went beyond the normal IT stuff to security in the real world. I mentioned that I take routine precautions as part of daily life; my front door is always locked and I lock car doors when I drive. My friend was astounded; he never locks his front door (and thus remains nameless here), which in turn astounded me. Why wouldn't you take a simple precaution?

Being security minded means that you are willing to invest some time and effort to protect against something that could happen, but isn't likely to happen. I work in an office with one other person that I definitely trust, but when I walk away from my desk my PC is locked. Why? If he goes out to lunch, gets distracted, etc, I don't want my machine exposed. I definitely don't want to leave my machine unlocked at night when the cleaning crew is in, so rather than special case locking, I just do it all the time.

A lot of people pooh-pooh the idea of things like door locks because they won't stop someone that is determined. True enough. But it's a little more complicated than that. Most criminals look for easy scores. If the bad teenager across the street realizes you don't lock your door, they are a lot more likely to venture over when they see you leave to see what they can find. Not likely, you say? Let's say a determined person decides to do a home invasion. If they have to break the front door while you're gone, it increases the chances that someone else will notice and call for help. If it happens when you're home, it gives you a precious few seconds that can determine whether you or the invader is about to have a very bad day.

Do a few seconds matter? At worst you have time to dial 911 or hit the panic button. If you've absorbed the ideas of defense in depth you may well gain some additional time that lets you make the fight or flight decision. I don't live in a fortress and I'd just as soon never have to react to a bad situation, but I do what I reasonably can to mitigate risks. We can't eliminate risks, only try to mitigate them. Whether you're protecting your home or your database, you should do the things you can do.

Is it preparation or paranoia? Does having to lock your front door imply that something bad might happen and that in turn generates stress? Is it about time, the time it takes to lock/unlock the door a couple times a day?

Remember that as much as possible security should be hidden. It's fine to let visitors to your office see the lock on the server room door, but don't tell them what you do (or don't) for encryption or your plan for offsite backup. Sure they might be able to figure it out one way or the other, but don't make it easy for them. Equally if you implement layers of defense for physical security, you want one or two that are hidden (and not published in your blog!).

Are you doing the things you can reasonably do?

Of course, I think it depends on your point of view. If you reasonably see there is no (or close to zero) risk, then maybe you can defend taking fewer precautions?


I'm Andy Warren, currently a SQL Server trainer with End to End Training. Over the past few years I've been a developer, DBA, and IT Director. I was one of the original founders of SQLServerCentral.com and helped grow that community from zero to about 300k members before deciding to move on to other ventures.


Posted by Steve Jones on 10 December 2008

Reasonable precautions make sense. However I think we all have to decide in our mindset what makes sense.

We don't lock our front door, but we live far away from things and I don't like having to unlock it when I'm going in and out, or remembering to lock it when I leave to go out. It's kind of a habit thing. We actually joked the other day that we haven't really locked our doors in years.

However we have a big dog. That helps.

I'm torn on the not sharing part. On one hand you don't want to create vulnerabilities in your system, but at the same time we should share our security ideas so that others can use them if necessary. I let people know I use Password Safe, but the key isn't something I'd give out.

Posted by Andy Warren on 10 December 2008

I agree with talking about some tools and techniques, especially if new or used in a new way. It's a fine line to walk. I can see talking about using alarm systems on a server room, but maybe not disclosing which one I use, or maybe not putting down that it doesn't have a cellular backup if the land line is cut.

Dogs are nice deterrents, no doubt about that!
