• Steve Jones - SSC Editor (4/11/2014)


    Eric M Russell (4/10/2014)


    The standards would not have to be very technical. Dedicated sysadmin accounts, removal of service accounts from the sysadmin role, separation of duties, application accounts with minimal privilege (i.e. no ad-hoc SQL and access only to required tables), encryption at rest for columns containing sensitive data, encrypted backups, encrypted connections between application and database layer: these basic best practices would apply to any enterprise database platform. If a database platform doesn't provide support, then the organization has simply chosen the wrong platform.

    Sounds good in practice, but this is somewhat how PCI and SOX are written. The problems come in when the encryption is poor, i.e. using MD5 for passwords, or someone argues about what minimal privilege is.

    I do think the government should lay out some framework and then industries, perhaps with groups like SANS, should give more guidance and detail on what would constitute good security for a platform and version.

    Obviously the government, whether it be Congress or some agency dedicated to the task, can't come up with the standards; it has to be the industry putting their heads together, sort of like the various standards working groups for HTML or network protocols.

    We can argue about what minimal privilege is, for example does the DBA also need to be local Admin on the server, or does the Network Admin or service accounts also need to be sysadmin on the database server.

    However, when it comes to discussions about whether the developer, CEO, or director of business analytics needs to be SYSADMIN on the database server, then that's not even worth discussing; the answer is obviously no. We all have to move past that.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
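As an added example (not code from this thread or any of its posters), a T-SQL script that applies two of the practices listed above and that the sysadmin question in the reply turns on: auditing who holds the sysadmin fixed server role, and provisioning an application account that can reach only the tables and procedures it needs. The database, table, procedure and login names are assumed placeholders, and the syntax assumes SQL Server 2012 or later.

```sql
-- 1. Detection: who is in the sysadmin fixed server role?
--    Anything here that is not a dedicated, named DBA account (service
--    accounts, developers, business users) is a finding.
SELECT  m.name        AS member_name,
        m.type_desc   AS member_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
        m.is_disabled,
        m.create_date
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Remediation: remove a service account from sysadmin once its real needs
--    are known (placeholder name; it must still be granted the narrower rights
--    it actually requires).
ALTER SERVER ROLE sysadmin DROP MEMBER [DOMAIN\svc_reporting];

-- 3. Least-privilege application account: a login with no server-level roles,
--    mapped to a database user in a purpose-built role that can only read the
--    tables and run the procedures the application uses. Placeholder names.
USE [OrdersDb];
GO
CREATE LOGIN [app_orders]
    WITH PASSWORD = '<strong password from a secret store>', CHECK_POLICY = ON;
CREATE USER [app_orders] FOR LOGIN [app_orders] WITH DEFAULT_SCHEMA = dbo;
CREATE ROLE [orders_app_role];
ALTER ROLE  [orders_app_role] ADD MEMBER [app_orders];

GRANT SELECT  ON OBJECT::dbo.Orders         TO [orders_app_role];
GRANT SELECT  ON OBJECT::dbo.Customers      TO [orders_app_role];
GRANT EXECUTE ON OBJECT::dbo.usp_PlaceOrder TO [orders_app_role];
-- No db_datareader/db_datawriter/db_owner membership and no DDL rights:
-- ad-hoc SQL from this account fails against anything not granted above.

-- 4. Verification: list exactly what the application role has been granted.
SELECT  pr.name AS principal_name,
        pe.permission_name,
        pe.state_desc,
        OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id) AS object_name
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE   pr.name = N'orders_app_role';
```

Running step 1 on a schedule and diffing its output against the approved DBA list turns the "service accounts in sysadmin" argument into a measurable control rather than a matter of opinion.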