What does goal setting have to do with SQL Server security? Everything! Like most things security-related, protecting your database is not a one-time deal. Instead, it's a mode of operation made up of doing the things that make databases secure on a consistent basis.
For example, you've made your New Year's resolutions and you've vowed to finally work on database security to limit security weaknesses. They are the same things you meant to accomplish last year – and maybe even the year before.
Why is it that we make resolutions like these but they never seem to stick? It's because resolutions don't work. They're a short-term motivation at the beginning of each year, but then we get busy and the things we wanted to do get pushed to the side day after day and month after month. Before we know it, the New Year is upon us. Again.
This cycle of continuous let-down is actually pretty simple to fix. It's called goal setting. The difference between resolutions and goal setting is rather small, but it can make a profound difference in how much you accomplish on your job. We often resolve but we don't lay out specifics for getting it done. With goal setting, you dream up what you want to happen in the same way, but then you write out clear, concise steps on how to make things happen. You also assign deadlines to hold yourself accountable. Then it's just a matter of sitting down and doing it slowly over time.
Determine your SQL Server security needs
It's one thing to say (or assume) you're going to have a secure SQL Server environment. But what does that mean? How do you take action? It starts with saying things like, "I'm going to work with management this quarter to put together some database-related security policies, and next week I'm going to harden my SQL Servers based on the CIS Benchmarks." Or, "We're going to hire an outside firm to perform a security assessment this year." You'll likely have both short- and long-term goals. Once you start thinking about what's needed with regard to database security – that is, what you can do to help reduce business risks – you can start writing out specifics.
The following are sample short- and long-term SQL Server security goals you may want to shoot for this year in order to limit database security weaknesses:
- In the next two weeks, we patch all of our SQL Servers with the latest service packs and hotfixes (sounds trite, but most SQL Server systems I come across are at least a year behind).
- Within 60 days, we conduct an initial network security assessment to see where we currently stand with regard to SQL Server vulnerabilities.
- Within 30 days after our initial assessment, all database server systems are hardened according to XYZ standards or best practices at both the SQL Server and Windows levels.
- By the time of our summer company retreat, I inform management of our current database security posture.
- We conduct in-depth security assessments on all database systems every three months.
- By the end of Q3, all electronic information is classified into specific categories organization-wide.
- All SQL Server tables/columns that store sensitive information are encrypted by Q4.
- By this time next year, we install a database firewall, host-based IPS or similar endpoint security technology for monitoring and blocking unauthorized SQL Server use.
- All employees are trained and tested on database security policies in Q1 of every year.
Where the rubber meets the road
Notice that the goals listed above are written in the present tense. This makes each objective more action-oriented and helps program your subconscious mind that "this is how things are." By reviewing your goals every day – or at least every other day – you'll soon be making decisions subconsciously that help you work toward your goals. This isn't some New Age psychology hocus-pocus. These are proven methods for goal setting that I've learned from others, and they work.
Assuming management has at least some understanding of database security and the associated business risks, carrying out the following steps should leave nothing in the way of attaining your SQL Server security objectives:
- Determine what's needed – come up with your short- and long-term goal list similar to the ones above.
- Document your goals on paper or in your word processor, which helps commit your goals to memory and creates a record you can easily access and update.
- Set a specific deadline for each goal, as in the examples above, for accountability on your (or someone else's) part.
- Document every step required to accomplish each goal. It gives you a roadmap to follow, even if it's just a tiny task each day.
- Prioritize each goal and the steps for each goal to help you realize what's urgent and important to work on.
- Get started on your plan to get your momentum going – again, even if it's just a little each day.
- Print out your goals and revisit them every day or every other day just for 5 to 10 minutes to keep your goals on the top of your mind.
I know it's a lot easier said than done when you've got a hundred things to juggle at any given moment. But if you sit down and write out what you want and need to accomplish in your job and then take small steps every day, you can make it happen.
Always remember that everything you do counts with regard to database security and creating a more secure SQL Server environment. Likewise, everything you don't accomplish will push you further away from your goals. If you ditch the resolutions and take responsibility for making your goals happen, you'll undoubtedly help your business and yourself to make for a great 2008.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at email@example.com.