I’ve grown up reading Tom Clancy and probably most of you have at least seen Red October, so this book caught my eye when browsing used books for a recent trip. It’s a fairly human look at what’s involved in sailing on a Trident missile submarine…
If you’ve been involved in technology for any length of time you are aware of outside threats to your network or databases. You read about some of these threats in the news such as hacking, breaches, etc.
All of these outside threats are pertinent and require our attention to detail as data professionals, but along with that threat are you considering any threats that could occur on the inside? Every shop should have some form of guidelines, documentation, regulations around their processes.
The risk from inside threats such as employees, ex-employees, and trusted partners. Some of these threats are accidental while others can be of a malicious nature. In either circumstance the consequences can be devastating for a company. Below are some things to think about within your own environment to prevent such actions from occurring.
Secure User Access
- Stop unauthorized access – in all honesty this means button up the shop. If you have SA access across the board you are doing it wrong. Think about utilization of role based security, AD groups, etc. You are responsible for the data so don’t make this an afterthought.
- Manage the threat of shared passwords – fifteen people shouldn’t have access to critical accounts. Check into secure user and password utility such as Secret Server; there are a number of companies out there that provide such products. Who is accessing these accounts and why?
- Organizational Critical Assets – a companies assets such as data is one of the most important and integral pieces to the puzzle – it needs to be treated as such. This can mean many different things on many different levels. Do you know who is accessing your data and why?
- Immediate Response to Suspicious Behavior – What do you do when you find activity going on that raises some concern? If you don’t have a process in place of reporting this then I suggest you think about getting one in place. Standards of such events are important; trust me on this. The time will come (and it will come) when threats become real. Procedures should be in place and gone over with all related data teams.
I ran across this article some time back from simple-talk and found it to be very fruitful in showing you How to Get SQL Server Security Horribly Wrong When you get time do check it out. In many cases I have run across security is an after thought – don’t let it be.
Define Areas of Vulnerability
This is a key component in getting started with taking your data seriously. Accessibility to information is a key deliverable in most shops; the data is the heartbeat. Face it; we live in a world today that is data driven; many decisions throughout every minute of the day are based on integrity of the data. Without addressing security in the design around the data it will leave you open to potential threats.
- Network File Shares
- Legacy Permissions
- Logging and Monitoring
- Change Control
These are just to name a few that could be potential vulnerabilities a shop can be exposed to.
We, as data professionals, need to take control and secure our data. But even more importantly we need to educate our end users on best practices and standards within the companies and shops we are associated with. Security can no longer be an afterthought.
If this means changing some things and rattling some cages then so be it; it may just save you in the end from a major security breach. We often are aware of external threats; what most people tend to over look are the threats from within the walls of a company.
It is imperative to take preventative measures and even the highest level of clearance should be monitored in some form or fashion. Think about the DBA for a second, and not just because I am one. They have the keys to the kingdom so to speak; same as a lot of sysadmins. There should be transparency in their actions; auditing should occur as to the what, when, and why.
Taking it a step further would be conducting data forensics (that would be a fun topic of discussion)
Bottom line I encourage you to start taking security around your data seriously if not someone else will.