I saw an interesting perspective on data breaches and how companies invite them from the VP at a Sentrigo, a database security products company. The fact that this is from someone selling products to protect your database should raise some red flags, but it doesn't mean that the ideas are wrong.
I'm not sure that we've neglected database security, though most of us are concerned with solving problems first and ensuring security second. Often we find that quickly solving someone results in less security. Building a new report or stored procedure for many of us involves answering a question for a business analyst. I'm not sure how many people spend the time to analyze their code to look for injection possibilities or security chain issues, or any other vulnerability.
It seems that most IT people are generally optimists. They believe that their code or application will be used as designed, not maliciously attacked. That their users are trying to get work done, not find ways to gain access to data they shouldn't.
It will never be possible to prevent all data breeches. They are just too many ways that people can copy data, too many ways that criminals can target data, and just too much data for us to keep complete control of every piece of data.
It's been said quite often and probably needs to be repeated over and over until most of us see security as part of our job, not an afterthought like testing often is.
Security is an ongoing process and requires constant work to do well. You'll never be perfect, but you can get better, and more importantly, you can build systems to quickly discover when you've had a breech.
Steve Jones
The Voice of the DBA Podcasts
The podcasts are now available at sqlservercentral.podshow.com to get better bandwidth and maybe a little more exposure :). Comments are definitely appreciated and wanted, and you can get feeds from there or below.
or now on iTunes!
- Video Podcast (MOV) - 6.8MB Quicktime
- Video Podcast (WMV) - 8.0MB Windows Media
- Audio Podcast (MP3) - 4.5MB MP3
Today's podcast features music by Megaphone. Check them out at http://www.megaphonemusic.net/.
I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you like it, tell the boss!