SQL 2012 has Launched

Jason Brimhall, 2012-04-01

LAUNCH

If you have been hiding under a rock, you have probably not heard that SQL 2012 has launched.  With it, some really cool features are now available to use in our SQL database environments.

Some of these cool new features include some new DMVs, the AlwaysOn feature, and columnstore indexes.

But did you know that there are some new recommended best practices?

Today, I want to share with you a new best practice that involves table naming schemes.

With the release of SQL 2012, it is now advised that tables be named in such a manner that the name is obfuscated.  The reason for this is to slow down any would be attacker from quickly finding which table holds the most sensitive data.  Currently it is not too far fetched for an attacker to look in a database and figure out where the orders or customer confidential information may be placed.  After all, it is fairly common to name those tables in such a manner that the name describes the data.

Now though, the best practice is pushing in a new direction.  And no longer is it even a good idea to use legible words.  The drive is for full obfuscation of the table name.  In an effort to demonstrate, here is a quick script that will create several tables that are obfuscated in name.

Code block    
IF not exists (SELECT 1 FROM sys.databases WHERE name = 'Fun')
BEGIN
	CREATE DATABASE Fun
END;
GO
 
USE Fun;
Go
 
SET NOCOUNT ON;
GO
 
DECLARE @rocket CHAR(100)
DECLARE @boost TINYINT
DECLARE @tiers TINYINT
DECLARE @maxtiers TINYINT
DECLARE @SQL	VARCHAR(MAX)
DECLARE @overall	TABLE	(rocket VARCHAR(MAX));
DECLARE @somevar	VARCHAR(MAX)
		,@someint	INT = 0
 
SELECT @rocket = ' ', @tiers = 1, @boost = 1, @maxtiers = 4
PRINT @rocket
 
INSERT INTO @overall (rocket)
	VALUES (@rocket);
 
WHILE @tiers < @maxtiers
BEGIN
	SELECT @boost = POWER(@tiers,2)
	WHILE @boost < 12*@tiers
	BEGIN
		SET @rocket =  STUFF(@rocket, (DATALENGTH(@rocket)/2)-(@boost/2), @boost,REPLICATE('*', @boost))
			UPDATE @overall
				SET rocket = rocket +CHAR(10) + @rocket
			SET @SQL = 'Create Table ['+ @rocket + '_'+ CONVERT(VARCHAR,@someint) +'] (someint int);'                 PRINT @SQL
		SET @boost = @boost+2
		SET @someint = @someint + 1
 
	END
 
	SET @tiers = @tiers+1
END
 
SELECT @somevar =  rocket
	FROM @overall
 
PRINT 'The following Tables have been created:' +CHAR(10)+CHAR(13)
PRINT @somevar

I like this new standard.  Now, I will just design images into my tables that describe the database in whole.  As you can see, this particular database would be useful for maybe a space case or maybe a hobbyist with a high enthusiasm for rockets.  Or maybe it just works really well for any demo involved with the SQL 2012 Launch.  Other than a neat little picture, the tables are completely obfuscated.

Conclusion

Keep best practices in mind whenever designing a database.  Maintaining best practices can help protect the data you were hired to manage and protect.  In addition to that, make sure you forget every other word of this post.  It is complete and utter hogwash.  Happy April Fools.

Rate

Share

Share

Rate

Related content

Database Mirroring FAQ: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup?

Question: Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? This question was sent to me via email. My reply follows. Can a 2008 SQL instance be used as the witness for a 2005 database mirroring setup? Databases to be mirrored are currently running on 2005 SQL instances but will be upgraded to 2008 SQL in the near future.

Robert Davis

2009-02-23

1,567 reads

Networking – Part 4

You may want to read Part 1 , Part 2 , and Part 3 before continuing. This time around I’d like to talk about social networking. We’ll start with social networking. Facebook, MySpace, and Twitter are all good examples of using technology to let…

Andy Warren

2009-02-17

1,530 reads

Speaking at Community Events – More Thoughts

Last week I posted Speaking at Community Events – Time to Raise the Bar?, a first cut at talking about to what degree we should require experience for speakers at events like SQLSaturday as well as when it might be appropriate to add additional focus/limitations on the presentations that are accepted. I’ve got a few more thoughts on the topic this week, and I look forward to your comments.

Andy Warren

2009-02-13

360 reads