If or When?
Steve Jones
SSC-Forever
Group: Administrators
Comments posted to this topic are about the item If or When?

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Jeff Moden
SSC Guru
Group: General Forum Members
Added "security" is a mixed blessing. I've found that instead of taking the time and expense of hardening features, some folks sometimes just make them go away.

--Jeff Moden

RBAR is pronounced ree-bar and is a Modenism for Row-By-Agonizing-Row.
First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
If you think its expensive to hire a professional to do the job, wait until you hire an amateur. -- Red Adair

Helpful Links:
How to post code problems
How to post performance problems
Forum FAQs
Gary Varga
SSChampion
Group: General Forum Members
Security is like insurance. It is more likely that it will not occur to you, but you cover yourself regardless because the cost of not doing it when you are attacked outweighs the cost of doing it even if it is never required.

Also, it is like being chased by a bear: you don't have to be faster than the bear, just faster than at least one other person running with you.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Nevyn
Ten Centuries
Group: General Forum Members
Trust in god, but tie your camel first

Everyone working in software should have long since learned the danger of assumptions. The preparations in that article, as pessimistic as they sound, simply reflect a conscious choice not to assume that some other element of the system will keep everything safe.
Robert.Sterbal
SSC Veteran
Group: General Forum Members
I'm not sure IT is all that effective in addressing security. I'd like to see the accountants involved more.
Eric M Russell
SSCertifiable
Group: General Forum Members
I believe that SQL Server already has the required features to implement auditing (SQL Server Audit and extended events), granular controls (permissions), and separation of duties (database and server roles). There is also a tool, Best Practices Analyzer, that includes advice about security-related configuration settings. I'm not sure if it's possible to add custom rules, though. Virtually all DBAs know the features are there, but few put them into practice.

So, what's really lacking is an IT industry accepted set of best practices, education about why it's a necessity, and top-down compliance. For the standards, the IT industry itself can drive this, and for the oversight and compliance, I (hate to) say that the government needs a bigger role.

The government regulates how much weight can be stacked on a commercial truck, it regulates the temperature that restaurants and grocery stores maintain their frozen food at, how surgical instruments should be cleaned, and 10,000 other things across most every industry, so why not personal data? I'm not saying that the government should hook into the network and look over people's shoulders or that they should make surprise onsite inspections. What I'm advocating is that the government mandate that:
"This is the minimum standard by which specific types of data should be secured in a database or network, and if we find out you're not meeting the minimum standard, then there will be fines, or even jail, if we discover that you deliberately exposed or shared protected information."
We already have this to an extent, but it could be broader, not just healthcare and financial organizations, and it could include requirements for specific best practices.

If an organization collects data like credit card numbers or personal information about customers and then claims that they don't have the resources to properly secure that data, I mean basic stuff like secure connections and role-based security, then... screw you. That's right, I said screw you. You are a menace to society.

If a doctor or chef can take the time to clean and maintain the tools of their trade, then why not a DBA?


"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."
OCTom
SSCrazy
Group: General Forum Members
Hackers are not going to try to hack all servers. They look for the easiest path. This is one area where it's best to be the ugly duckling at the dance. Make it as difficult as you can for hackers and they will leave you alone for someone easier and more attractive.

As Eric said, it would be great to have industry standards for DBAs and developers. Who would set the standards? I don't know that the government would be the best choice. Do you want different standards for each vendor: Microsoft, IBM, Oracle, open source, etc.?

Tom
Eric M Russell
SSCertifiable
Group: General Forum Members
OCTom (4/10/2014)
Hackers are not going to try to hack all servers. They look for the easiest path. This is one area where it's best to be the ugly duckling at the dance. Make it as difficult as you can for hackers and they will leave you alone for someone easier and more attractive.

As Eric said, it would be great to have industry standards for DBAs and developers. Who would set the standards? I don't know that the government would be the best choice. Do you want different standards for each vendor: Microsoft, IBM, Oracle, open source, etc.?

Tom

The standards would not have to be very technical. Dedicated sysadmin accounts, removal of service accounts from the sysadmin role, separation of duties, application accounts with minimal privilege (i.e. no ad-hoc SQL and access only to required tables), encryption at rest for columns containing sensitive data, encrypted backups, encrypted connections between the application and database layers: these basic best practices would apply to any enterprise database platform. If a database platform doesn't provide support, then the organization has simply chosen the wrong platform.


"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."
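As an added illustration of the SQL Server practices Eric lists above (sysadmin membership review, least-privilege application accounts, encrypted backups), here is a defender-side T-SQL script; it is not code from the thread. AppDb, schema [app], AppLogin/AppUser and the certificate BackupCert are hypothetical placeholders, and the schema and certificate are assumed to already exist.

```sql
-- Added example (not from the thread). Placeholders: AppDb, schema [app],
-- AppLogin/AppUser, BackupCert. Run as an administrator.

-- 1. Review sysadmin membership. Service accounts and shared logins listed
--    here are candidates for removal from the role.
SELECT r.name AS role_name,
       m.name AS member_name,
       m.type_desc,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
GO

-- 2. Least-privilege application account: the login maps to a user whose
--    only rights come from a role that can execute procedures in schema
--    [app]. No table permissions are granted, so ad-hoc SQL against dbo
--    tables fails even if the application is compromised.
USE AppDb;
GO
CREATE LOGIN AppLogin WITH PASSWORD = N'<strong-password-placeholder>',
    CHECK_POLICY = ON;
CREATE USER AppUser FOR LOGIN AppLogin WITH DEFAULT_SCHEMA = app;
CREATE ROLE app_execute AUTHORIZATION dbo;
GRANT EXECUTE ON SCHEMA::app TO app_execute;
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_execute;
ALTER ROLE app_execute ADD MEMBER AppUser;
GO

-- 3. Verify effective permissions by impersonating the application user.
--    Expected: EXECUTE on schema app; no SELECT row for schema dbo.
EXECUTE AS USER = N'AppUser';
SELECT 'app' AS schema_name, permission_name FROM fn_my_permissions('app', 'SCHEMA')
UNION ALL
SELECT 'dbo', permission_name FROM fn_my_permissions('dbo', 'SCHEMA');
REVERT;
GO

-- 4. Encrypted backup (SQL Server 2014+). Back up the certificate and its
--    private key separately and keep them off the database host.
BACKUP DATABASE AppDb
    TO DISK = N'<backup-path-placeholder>\AppDb.bak'
    WITH ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert),
         COMPRESSION, CHECKSUM;
GO
```

Encrypted connections between application and database are configured on the server (certificate plus Force Encryption) and in the client connection string rather than in T-SQL, so they are not shown here.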
Gary Varga
SSChampion
Group: General Forum Members
Just define legal requirements to be best endeavours. I think that in most sectors where it counts there are further standards, for example in the UK we have the Data Protection Act (personal data), PCI (financial transactions, aka payments) and we all seem to follow Sarbanes-Oxley. By legislating only the demand for best endeavours we rely on the courts to apply it reasonably, e.g. if I have a Solitaire scoreboard score that isn't encrypted then I would not expect any liability, but for medical records, bank account details etc. I would expect protection by the law from any slackers.

The grey area is the dumping grounds of data like DropBox or OneDrive which are just buckets.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Eric M Russell
SSCertifiable
Group: General Forum Members
Gary Varga (4/10/2014)
Just define legal requirements to be best endeavours. I think that in most sectors where it counts there are further standards, for example in the UK we have the Data Protection Act (personal data), PCI (financial transactions, aka payments) and we all seem to follow Sarbanes-Oxley. By legislating only the demand for best endeavours we rely on the courts to apply it reasonably, e.g. if I have a Solitaire scoreboard score that isn't encrypted then I would not expect any liability, but for medical records, bank account details etc. I would expect protection by the law from any slackers.

The grey area is the dumping grounds of data like DropBox or OneDrive which are just buckets.

I believe that major financial, healthcare, and government organizations stay on top of data security. Where it's still the wild west is data aggregators, small online retailers, and fly-by-night startups. Not only do I not trust their technical expertise, but many of them have a business model where they swap or sell data dumps with reckless disregard for privacy. The government and media have their attention focussed on the larger corporations, but there are a lot of small companies collecting big data. God only knows who's running these outfits, what their business model or agenda is, and what best practices (if any) they follow. We need laws that provide blanket coverage of any organization, regardless of size or industry, that aggregates sensitive personal data.


"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."