It seems like we’re (finally) moving into an implementation phase with SQL Server and data security. By that I mean, it seems like we are close to having the tools we need for various places in the lifetime of information and, for a good majority of them, those tools do indeed provide the cover to implement good security.
- Application firewalls and awareness for injection and front-end challenges
- Coding best practices and testing tools to further help the front-end
- Encryption of information in transit
- Security on the instance, access controls
- Encryption of data at rest, from in the table to backups, etc.
- Encryption of data provided on the other side of the process – worksheets and such.
This doesn’t mean we have security knocked. First of all, security will always, I think, be a “cold war” type thing – one-upping the bad guys, while they one-up the good guys. It’ll be this back and forth for the foreseeable future, if not forever. I say that because we can create all of the great tools and technologies we need, but there will still be social engineering of entry points and stolen key cards and passwords that are used to get to things that shouldn’t be gotten to.
But I feel like the excuses not to have a good handle on security are getting pretty sparse. No one is perfect, there is always more to be done. But the good stuff – the easily accessible and usable tools – those are things that now come down to implementation.
If ever you’re faced with the responsibility to deploy a solution, or support one, or even just review an existing implementation and security isn’t a checkbox that you’re reviewing, something’s in need of another look.
In fact, going back over an existing application every now and then and finding out how it’s really used can be a really helpful and healthy way to see where some additional elements of securing that information are needed.
One perfect example of this is an application where they had built out the solution well with checks and so forth all along the way. As we were going through the application on a functional level, it became clear that people were pulling extracts against the tables and using them locally. From Excel to other tools, they were using that information to create reporting and decision making data sets. We had to work to first educate (this was the fastest option to implement) and then provide some additional tools or approaches so the users could get the information they needed, while still keeping the control on the data. times that review cycle is just the thing needed – you can add in just a couple of steps to double check that things are used the way you anticipated and that information is being addressed and managed as needed.
Do you feel like the tools are there now? Do you have what you need, or are there still shortcomings when it comes to security libraries, tools and techniques?