Where did the good old days of security go? I remember learning about the basic information security principles of least privilege, delegated administration and separation of duties way back when security wasn't cool. They were the cornerstones of effective IT administration and secure systems. Fast forward to today and it's rare to find these data protection principles in effect in any given network. Nowadays, we're so caught up putting out daily fires and managing the complexities of our systems that we're failing to integrate the core security data protection principles in our SQL Server environments.
People in management – especially IT management – often refer to the terms accountability, compliance and risk management. "They're our goal and our process and that's how we do it here" is the mantra. Yet, the very essence of the business's existence – its electronic databases – often lacks even the most basic security controls. To keep database security in check, you've got to have them. There's no amount of technical controls that can fix this gaping hole and prevent breaches long term. Unfortunately, it's the big iron firewalls, fancy database intrusion prevention technologies and database encryption that are getting all the attention.
If you step back and look at your database environment closely, it's easy to find many real-world weaknesses where not using the practices of least privilege, delegated administration and separation
- Running applications with admin-level privileges and relying on front-end controls to protect
the back-end database.
- DBAs using admin-level accounts for day-to-day tasks that don't require such privileges.
- Multiple administrators with their hands in the same systems.
- Sharing of Windows administrator accounts to manage the database.
- Not using stored procedures where possible.
- Not creating database views based on user or group permissions.
- Audit logs going unviewed and untouched.
- Multiple administrators for database storage and backup management.
- Little or no data classification thus placing every database on the same level of importance.
These data security weaknesses can, at the least, lead to an unnecessary remote system compromise and malware infection. More important, they create accountability and oversight problems
and lead to the situation where no one is truly responsible for security of the system.
If you want to buy yourself better SQL Server database security, then focus less on fancy security products and technical controls and more on the basics of security operations. It's hard to fight the marketing machine and their all-in-one technologies that can harden your database environment virtually guaranteeing security and compliance. But go against the grain. Set your sights on getting your processes right first.
Once you have the basics down pat, you can then go about finding ways to automate your controls to take some of the effort out of the process. This will have the double benefit of closing that ever-evasive change management loop and providing a rock solid database environment that you know you've gone the extra mile to lock down.
ABOUT THE AUTHOR
Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments regarding compliance and risk management. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.
This was first published in December 2007