I had the opportunity to write another guest post at SQL Authority:
This one covers how to determine who made changes in a database that has been deleted. This isn’t a situation where you can use the schema changes history report… Read more
I was reading a book about network security monitoring and it mentioned The Cuckoo’s Egg by Cliff Stoll. Stoll’s book has been around for a long time, and it’s considered a classic book with regards to information security. If you’re not familiar with it, it’s the story of a gentleman… Read more
My guest editorial is live on SQLServerCentral.com. My argument is a simple one: we don’t care about data and IT security. I don’t just mean IT folks. I mean most everybody. I include myself in this characterization. I know a few exceptions, but they are truly exceptions.
In the… Read more
I will be giving a presentation on ETL (Extract, Transform, Load) security at two user groups in the coming weeks.
Securing the ETL Pipeline
We’re going to look at typical ETL (Extract, Transform, Load) pipelines and consider the weak points an attacker might go after. Our goal in this isn’t… Read more
Statistics, Indexes, and their Impact
Speaker: Brian Kelley, SQL Server MVP
Statistics. Indexes. Clustered Indexes. Non-Clustered Indexes. Covering Indexes. Bookmark Lookups. Perhaps you’ve heard these… Read more
Let’s make it democratic. Let’s ensure we get solid sessions from key people. And let’s save a ton of work in the process.
There are certain folks that are extremely knowledgeable in their areas of expertise. They also happen to be excellent presenters. Have the spotlight sessions and… Read more
On Facebook last night, I posted the following:
An operational DBA isn’t just a manager of a traditional RDBMS, transactional system. An operational DBA manages the data platform, whatever it is, when it hits production. Their goals are not traditionally the same as someone focused on development. They are looking…
If you’re thinking, “Why would I want (to be) a lazy DBA?” let me explain. There’s a lot to be said for hard work. However, have you ever seen someone who… Read more
I’m not prophetic, I promise. However, some good news on the service pack front with regards to SQL Server 2008 and 2008 R2. There have been rumblings about a last service pack for these versions of SQL Server for a while, but nothing official had been said. However, an… Read more
“This is one reason I’ve been hesitant to remain current with Cumulative Updates (CUs). Microsoft doesn’t stand behind them, with the text on each CU page that users should only apply the patch if they…
When we talk about security, we often point to the Point of Least Privilege. I write a lot about applying this to SQL Server, but it’s important to handle this outside of SQL Server, especially at the file / share level. Why would we care about this as DBAs /… Read more
(in a wrestling announcer’s shocked voice) “It can’t be! He’s not supposed to be here! It’s the Scary DBA! What’s he doing here!”
Do you know what the “Three A’s of Security” are and how they apply to Microsoft SQL Server? Let’s look at them as they are important for managing security properly on a given Microsoft SQL Server.
Authentication is determining who a person/process is.
When a connection is made, it’s… Read more
I was looking at a product recently and came across a rather unpleasant surprise: the install instructions specified that I put the database connection in plaintext in web.config. I’ll explore this particular case and why it’s particularly egregious, but from a security perspective, this shouldn’t happen anymore, regardless of application.… Read more
The Midlands PASS Chapter is an official PASS (Professional Association for SQL Server) chapter located in Columbia, SC. It’s free to attend our meetings, which are typically held the 2nd Thursday of each month.
Once a year we like to do an open forum on SQL Server security. It’s typically… Read more
Recently I posted about participating in a #datachat about SQL Server security. As it turned out, we didn’t talk about SQL Server security, but data security. It was a good discussion with quite a few knowledgeable folks joining in. A summary of the discussion including some highlighted tweets can… Read more
When you’ve got a SIEM appliance or application, you want actions and events going into it as a central repository. That allows you to see patterns and hopefully track incidents across systems. As a result, if you want to track actions in VMware’s vCenter and you’ve got the database hosted… Read more
The weakest link in database security is the same as for most all IT security: people.
Because the weakest link is always people, we have adopted a principle called The Principle of Least Privilege to determine how we should assign security. If you’ve never heard of it, it’s a basic… Read more
Tonight, at 9 PM Eastern, I’ll be participating in a #datachat on SQL Server security. It’s sponsored by Confio (now part of Solarwinds).
You can find more details about the #datachat here.
How can you participate? Simply open up a search for #datachat and participate in the community Q… Read more
On February 19th, 2014, I’ll be giving a webinar from 3-4 PM Eastern on the Top SQL Server Vulnerabilities. You can register here for it.
Your goal is to have a secure SQL Server installation. However,… Read more