Get your SQL Server security goals in order


Kevin Beaver, CISSP
02.06.2008


What does goal setting have to do with SQL Server security? Everything! Like most things security-related, protecting your database is not a one-time deal. Instead, it's an ongoing mode of operation: consistently doing the things that keep databases secure.

For example, you've made your New Year's resolutions and you've vowed to finally work on database security to limit security weaknesses. They are the same things you meant to accomplish last year – and maybe even the year before.

Why is it that we make resolutions like these but they never seem to stick? It's because resolutions don't work. They're a short-term motivation at the beginning of each year, but then we get busy and the things we wanted to do get pushed to the side day after day and month after month. Before we know it, the New Year is upon us. Again.

This cycle of continuous let-down is actually pretty simple to fix. It's called goal setting. The difference between resolutions and goal setting is rather small, but it can make a profound difference in how much you accomplish on your job. We often resolve but we don't lay out specifics for getting it done. With goal setting, you dream up what you want to happen in the same way, but then you write out clear, concise steps on how to make things happen. You also assign deadlines to hold yourself accountable. Then it's just a matter of sitting down and doing it slowly over time.

Determine your SQL Server security needs

It's one thing to say (or assume) you're going to have a secure SQL Server environment. But what does that mean? How do you take action? It starts with saying things like, "I'm going to work with management this quarter to put together some database-related security policies and next week I'm going to harden my SQL Servers based on the CIS Benchmarks." Or, "We're going to hire an outside firm to perform a security assessment this year." You'll likely have both short- and long-term goals. Once you start thinking about what's needed with regards to database security – that is, what you can do to help reduce business risks – you can start writing out specifics.

The following are sample short- and long-term SQL Server security goals you may want to shoot for this year in order to limit database security weaknesses:

Short-term goals

  1. In the next two weeks, we patch all of our SQL Servers with the latest service packs and hotfixes (sounds trite, but most SQL Server systems I come across are at least a year behind).

  2. Within 60 days, we conduct an initial network security assessment to see where we currently stand with regards to SQL Server vulnerabilities.

  3. Within 30 days after our initial assessment, all database server systems are hardened according to XYZ standards or best practices at both the SQL Server and Windows levels.

  4. By the time of our summer company retreat, I inform management of our current database security posture.

Long-term goals

  1. We conduct in-depth security assessments on all database systems every three months.

  2. By the end of Q3, all electronic information is classified into specific categories organization-wide.

  3. All SQL Server tables/columns that store sensitive information are encrypted by Q4.

  4. By this time next year, we install a database firewall, host-based IPS or similar endpoint security technology for monitoring and blocking unauthorized SQL Server use.

  5. All employees are trained and tested on database security policies in Q1 of every year.

Where the rubber meets the road

Notice that the goals listed above are written in present tense. This makes each objective more action-oriented and helps program your subconscious mind that "this is how things are." By reviewing your goals every day – or at least every other day – you'll soon be making decisions subconsciously that help you work toward your goals. This isn't some New Age psychology hocus-pocus. These are proven methods for goal setting that I've learned from others, and they work.

Assuming management has at least some understanding of database security and the associated business risks, carrying out the following steps should leave nothing in the way of attaining your SQL Server security objectives:

  1. Determine what's needed – come up with your short- and long-term goal list, similar to the ones above.

  2. Document your goals on paper or in your word processor. This helps commit your goals to memory and creates a record you can easily access and update.

  3. Set a specific deadline for each goal, as in the examples above, for accountability on your (or someone else's) part.

  4. Document every step required to accomplish each goal. This gives you a roadmap to follow, even if it's just a tiny task each day.

  5. Prioritize each goal and the steps for each goal to help you see what's urgent and important to work on.

  6. Get started on your plan to get your momentum going – again, even if it's just a little each day.

  7. Print out your goals and revisit them every day or every other day, just for 5 to 10 minutes, to keep them at the top of your mind.

I know it's a lot easier said than done when you've got a hundred things to juggle at any given moment. But if you sit down and write out what you want and need to accomplish in your job and then take small steps every day, you can make it happen.

Always remember that everything you do counts with regards to database security and creating a more secure SQL Server environment. Likewise, everything you don't accomplish will push you further away from your goals. If you ditch the resolutions and take responsibility for making your goals happen, you'll undoubtedly help your business and yourself to make for a great 2008.

ABOUT THE AUTHOR:
Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator and author of the Security On Wheels blog and information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com. Copyright 2008 TechTarget
