TSQL Tuesday #63 – Security

SQL TuesdayThis months T-SQL Tuesday is hosted by none other than Kenneth Fisher (B|T). His topic for this month revolves around security and how you manage security. There probably couldn’t be a more fitting topic; especially with the many breaches we have had lately both ones that are known and ones that are not known.

With that said I want to take this time to expound on a wider variety of topics instead of diving into specific targeted areas within SQL.

When I first heard this topic I immediately drifted to thoughts such as:

  • Afterthought
  • Responsibility
  • Lax
  • Validation
  • Vendor Apps
  • Breaches within
  • Password Strength

Afterthought

Countless times over the years I have seen, reviewed, fixed, and contemplated over security within SQL that simply was an afterthought. Security whether role based, AD Groups, etc. should be worked into any project plan. If you have ever inherited a system only to review that 600 users have sysadmin access you know how detrimental that could be to the data contained within.

Responsibility

Being a DBA means you have great responsibility. Every single database is under your care, own it. Each day someone will be trying to access that database; at least that should be your mentality especially with any production environment.

Lax

A lot of us are creature are habits. It is very easy for a data professional to fall into the trap of becoming accustomed to daily routines. Security should not fall into this category; I repeat security should not fall into this category. Do you know who has access to your databases and why? Do you know what user accounts are tied to specific groups? If you can’t answer this then you may find yourself in this category

Validation

I like this one, how many of us validate our security measures? Do we take any proactive approaches to see just how safe our data is? Maybe you rely on an outside 3rd party to see if they can hack in; whatever the case maybe it would behoove us as a group of data professionals to be actively testing our systems looking for points of entry. I will be completely honest; if you aren’t you can guarantee someone else is.

Vendor Apps

Yes, I am a vendor installing an app your company purchased and we will need sysadmin rights on the box or cluster. Um. yeah you go right ahead – NOT. I hope by now, as a DBA, you have strategies in place where you will work with the vendor directly or have some form of processes that allow for tracking of such activity. Remember, these databases are yours if you maintain them; you be the gate keeper not the other way around. Don’t let anyone on  your system without our knowledge and you better know what kind of data is on your system and who is accessing it.

Breaches Within

If you aren’t careful all your eggs will be in the “protecting from the outside syndrome”. Yes potential threats are rampant from people both stateside and abroad; with that said however have you ever thought about what maybe at risk within your own walls? Do you have safeguards in place for co-workers and fellow employees? Security cannot be just thought of with outside threats. No you need to prepare for both outside and inside threats. To make it even better if you are on a DBA team is your team being audited to keep everyone honest? The data should be your top priority

Password Strength

These little rinky dinky passwords aren’t cutting it guys. Ensure you are following best practices and standards when setting up password strength. The easier you make it the easier it is for threats and breaches to occur. Are the passwords on  your systems set to be changed every so often? But that would require a lot of work – yes and when you sign up to be a DBA or Data Professional you retain great responsibility.

Conclusion

Security is one place where you cannot be lackadaisical about. It is a crucial role within SQL or any platform for that matter that usually becomes an afterthought. If you are in a shop you should review your security guidelines and if you don’t have any I suggest that you take initiative and create some. Without proper security you ones business could be jeopardized and once  issues arise what would become of the companies reputation; or your reputation. Be proactive, make it yours, own it, and get it done.

TSQL Tuesday

This is a block party started by the renowned Adam Machanic (B|T); if you are interested in becoming a host one month and an avid blogger you can reach out to him via the methods above.

T-SQL Tuesday #35 – Soylent Green

This month’s host for T-SQL Tuesday is Nick Haslam (b | t) and the question he poses is based on a movie called Soylent Green. I have not seen the movie; however his question  he asks is what the most horrifying thing you’ve seen in SQL Server.

WHAT THE MOST HORRIFYING THING YOU’VE SEEN IN SQL SERVER

Thinking back through the past I’ve had some serious, funny, and down right what the type of things happen. I’m sure all of us have.

One that sticks out to me is early on in my career I was fortunate enough to work for a company (mid-size) earning millions of dollars in revenue. Back then I had my own homegrown check list to go through, so after getting acclimated to everything I start going down my checks.

I come to my backup check……I start searching……looking………looking……..still looking. Come to find a previous employee had removed all the back up jobs; which now leads me into the next question, “Were there checks daily for certain things oh I don’t know verification of backups were occurring?”  Unfortunately, the person who was handed over the DBA daily tasks was not the person who should have been in the position of such importance.

I will not say how long the company went without any backups but needless to say that along with several other issues were resolved!

For information on hosting or getting involved with T-SQL Tuesday you can contact Adam Machanic.