http://www.sqlservercentral.com/blogs/sqlrnnr/2012/04/01/sql-2012-has-launched/

Printed 2014/10/22 06:13PM

SQL 2012 has Launched

2012/04/01

LAUNCH

If you have been hiding under a rock, you have probably not heard that SQL 2012 has launched.  With it, some really cool features are now available to use in our SQL database environments.

Some of these cool new features include some new DMVs, the AlwaysOn feature, and columnstore indexes.

But did you know that there are some new recommended best practices?

Today, I want to share with you a new best practice that involves table naming schemes.

With the release of SQL 2012, it is now advised that tables be named in such a manner that the name is obfuscated.  The reason for this is to slow down any would be attacker from quickly finding which table holds the most sensitive data.  Currently it is not too far fetched for an attacker to look in a database and figure out where the orders or customer confidential information may be placed.  After all, it is fairly common to name those tables in such a manner that the name describes the data.

Now though, the best practice is pushing in a new direction.  And no longer is it even a good idea to use legible words.  The drive is for full obfuscation of the table name.  In an effort to demonstrate, here is a quick script that will create several tables that are obfuscated in name.

Code block   
IF not exists (SELECT 1 FROM sys.databases WHERE name = 'Fun')
BEGIN
	CREATE DATABASE Fun
END;
GO
 
USE Fun;
Go
 
SET NOCOUNT ON;
GO
 
DECLARE @rocket CHAR(100)
DECLARE @boost TINYINT
DECLARE @tiers TINYINT
DECLARE @maxtiers TINYINT
DECLARE @SQL	VARCHAR(MAX)
DECLARE @overall	TABLE	(rocket VARCHAR(MAX));
DECLARE @somevar	VARCHAR(MAX)
		,@someint	INT = 0
 
SELECT @rocket = ' ', @tiers = 1, @boost = 1, @maxtiers = 4
PRINT @rocket
 
INSERT INTO @overall (rocket)
	VALUES (@rocket);
 
WHILE @tiers < @maxtiers
BEGIN
	SELECT @boost = POWER(@tiers,2)
	WHILE @boost < 12*@tiers
	BEGIN
		SET @rocket =  STUFF(@rocket, (DATALENGTH(@rocket)/2)-(@boost/2), @boost,REPLICATE('*', @boost))
			UPDATE @overall
				SET rocket = rocket +CHAR(10) + @rocket
			SET @SQL = 'Create Table ['+ @rocket + '_'+ CONVERT(VARCHAR,@someint) +'] (someint int);'                 PRINT @SQL
		SET @boost = @boost+2
		SET @someint = @someint + 1
 
	END
 
	SET @tiers = @tiers+1
END
 
SELECT @somevar =  rocket
	FROM @overall
 
PRINT 'The following Tables have been created:' +CHAR(10)+CHAR(13)
PRINT @somevar

I like this new standard.  Now, I will just design images into my tables that describe the database in whole.  As you can see, this particular database would be useful for maybe a space case or maybe a hobbyist with a high enthusiasm for rockets.  Or maybe it just works really well for any demo involved with the SQL 2012 Launch.  Other than a neat little picture, the tables are completely obfuscated.

Conclusion

Keep best practices in mind whenever designing a database.  Maintaining best practices can help protect the data you were hired to manage and protect.  In addition to that, make sure you forget every other word of this post.  It is complete and utter hogwash.  Happy April Fools.


Copyright © 2002-2014 Simple Talk Publishing. All Rights Reserved. Privacy Policy. Terms of Use. Report Abuse.