Is SQL Server Always Encrypted, for sensitive data encryption, right for your environment? July 27, 2018 by Aamir Syed So, your manager wants you to figure out how to encrypt sensitive Data? Well, Microsoft has introduced a fairly easy way to configure feature called Always Encrypted. Read more »
SQL Server security considerations with open source tools June 21, 2018 by Timothy Smith As our company has grown, we’ve recently added developers to our team who want to use open source tools (open source languages and libraries). In the past, we built and used our own custom libraries, but our new developers to prefer to use open source libraries or add new languages that require new libraries. We’re concerned that the use of open source libraries may not be secure and may introduce new inputs and outputs in our system that we don’t fully understand. What should we consider when we think about allowing open source software, tools or languages in our environment from the standpoint of security? Read more »
SQL Server data security feature RLS (Row-Level Security) and GDPR March 9, 2018 by Prashanth Jayaram Of late, there’s been a lot of noise around the term, GDPR. Chances are, some of us even had to go through learning sessions targeted at IT professionals to learn about what this new standard of data protection means. GDPR is primarily a European privacy law which sets a new bar, globally, on privacy rights, compliance, and security. GDPR is mainly about protecting the rights of every individual, providing the individual with more control over his personal data. It dictates how data should be handled, managed and protected going forward, the individual’s choice being the prime focus. Today, data is widespread; many corporations handle part of the data on the cloud and part of it on premises. Our focus being SQL Server, we shall talk about what capabilities Microsoft gives us in order to be compliant with these laws that come into effect on the 25th of May, 2018. We would have to modify our data handling procedures keeping the focus on the security of the data processing. Read more »
How to drop a role in a SQL Server Database September 6, 2017 by Jefferson Elias Introduction Let’s say we have a database role that we don’t need anymore because we defined another security policy using another database role. What are the steps to follow in order to properly drop this database role? That’s the question this article will try to answer, covering as many cases as possible. In the following article, we will consider the simple steps we can follow in order to do this task using both SSMS and T-SQL. Then, we will focus on some facts that will lead us to the conclusion that, if we do it this way, it won’t work every time. We will list some situations where it could fail and define a test case situation in order to create a stored procedure that will do the job correctly, in all cases bymanaging these situations. Read more »
How to drop a SQL Server Login and all its dependencies July 19, 2017 by Jefferson Elias Introduction Sometimes, we need to drop a SQL Server Login because we gave an access to a person who left, this login was used by an application that has been decommissioned for example. Read more »
SQL Server Logins, Users and Security Identifiers (SIDs) July 12, 2017 by Simon Liew Abstract Logins and Users are basic security concepts in SQL Server. They are often, and incorrectly, considered to be pretty much one in the same so it is sometimes confusing to some SQL Server users. Another important security concept tied to a login and user in SQL Server is Security Identifiers (SID). This article will explain these concepts through a step-by-step demonstration. This article will focus on the Windows login and provide some specific usage scenarios. Read more »
SQL Server Database Architecture and Audits for Enhanced Security June 5, 2017 by Timothy Smith This year, digital security has risen as a top concern for many people, especially after the recent security compromises with Cloudflare in February and ransomware in May. Throughout the last two years, we’ve also seen the rise of sim-swapping where a hacker is able to extract a user’s cell phone data and compromise all emails and two-factor authentication. Unfortunately, I expect these security issues to continue and cause compromises for user’s data while negatively impacting companies involved. Read more »
Digital certificates: when and where to use them May 26, 2017 by Nikola Dimitrijevic Digital certificates are form of electronic authorizations used to verify the identities of persons, companies, computers, and other network entities. Read more »
How to set and use encrypted SQL Server connections May 8, 2017 by Daniel Tikvicki As the standard for securing the host-server interaction, Secure Sockets Layer or SSL is implemented in a Web environment. However, the SSL can provide the encrypted connection and data transfer between a particular SQL Server instance and a client application. A trusted SSL certificate validates the SQL Server instance when the client application requests encrypted connection (or vice versa), while the SQL Server must be configured to follow the certificate authority (CA). This means that a certificate must be “signed” by a trusted source. Read more »
Five ways to protect your data in Azure SQL Database April 28, 2017 by Minette Steynberg When storing data in the cloud the main concern companies generally have is whether or not their data is safe. And what can be done to ensure that the following 4 scenarios are addressed: Read more »
Security considerations for your Azure SQL Databases April 27, 2017 by Kaloyan Kosev You have to agree with me, when public clouds were introduced your thought was that you will never put your production data in there. Our idea was that your data is exposed, insecure and vulnerable. This was not the case back then, it is not case at the moment as well. Read more »
How to add a TDE encrypted user database to an Always On Availability Group April 27, 2017 by Ahmad Yaseen SQL Server Transparent Data Encryption, also known as TDE, is a “data at rest” encryption mechanism that is introduced in SQL Server 2008 as an Enterprise Edition feature. TDE is used to perform a real-time I/O encryption for the SQL Server database data, log, backup and snapshot physical files, rather than encrypting the data itself, using either Advanced Encryption Standard (AES) or Triple DES (3DES) encryption. Read more »
Managing SSRS security and using PowerShell automation scripts April 24, 2017 by Craig Porteous So much has changed with Reporting Services 2016 but in terms of security it’s the same under the hood and that’s not necessarily a bad thing. SSRS has long had a robust folder & item level security model with the ability to inherit permissions from parent folders, much like SharePoint and windows in general. Read more »
Sanitizing Inputs: Avoiding Security and Usability Disasters February 17, 2017 by Ed Pollack Introduction In any application, we will likely have some need to control input data, either altering, filtering or otherwise changing text to fit our application’s needs. Read more »
How to secure your passwords with PowerShell January 18, 2017 by Shawn Melton Introduction Do you have processes or scripts that require you to provide a password? Against the desires of your security officer, do you have to save those passwords in plain text, in your scripts? PowerShell offers a way that you can store a password or prompt the user for the information. You can then utilize that information to build what is known as a PSCredential. The majority of commands for PowerShell that support remote connections to servers (WMI, CIM, Invoke-Command, etc.), offer the ability to pass in a credential. While some only need the password, some need the full object to authenticate a user. This object in PowerShell can be made a few different ways based on your needs. I will go over a few options that are commonly used, but first lets discuss what makes up a PSCredential. Read more »
How to configure Transparent Data Encryption (TDE) in SQL Server December 19, 2016 by Aamir Syed Introduction and Overview Transparent Data Encryption was introduced in SQL Server 2008. Its main purpose was to protect data by encrypting the physical files, both the data (mdf) and log (ldf) files (as opposed to the actual data stored within the database). TDE Encrypts SQL Server, Azure SQL Databases, and Azure SQL Data Warehouse data files. Read more »
Securing SQL Server Surface Area October 26, 2016 by Artemakis Artemiou In a previous article, we have discussed about the top 10 security factors that you should take into consideration in order to secure your SQL Server instances. In this article I will try to deep dive into one of those factors, that is SQL Server Surface Area. Read more »
Using Dynamic Data Masking in SQL Server 2016 to protect sensitive data October 17, 2016 by Ahmad Yaseen Dynamic Data Masking is a new security feature introduced in SQL Server 2016 that limits the access of unauthorized users to sensitive data at the database layer. As an example of the need for such a feature is allowing the applications developers to access production data for troubleshooting purposes and preventing them from accessing the sensitive data at the same time, without affecting their troubleshooting process. Another example is the call center employee who will access the customer’s information to help him in his request, but the critical financial data, such as the bank account number or the credit card full number, will be masked to that person. Read more »
How to filter and block the data access using SQL Server 2016 Row-Level Security September 28, 2016 by Ahmad Yaseen SQL Server 2016 came with many new features and enhancements for existing ones, that concentrate on the aspect of SQL Server security. One of the new security features introduced in SQL Server 2016 is Row-Level Security. This feature allows us to control access deeply into the rows level in the database table, based on the user executing the query. This is done within the database layer, in complete transparency to the application process, without the need to manage it with complex coding at the application layer. Read more »
Top 10 security considerations for your SQL Server instances August 31, 2016 by Artemakis Artemiou SQL Server is one of the world’s leading data platforms. It is being broadly used hosting millions of databases. These databases store data. This data are each organization’s most valuable asset. It is with this data that organizations run their everyday operations and processes. This fact makes it a necessity to efficiently secure your SQL Server instances, in order to protect your databases and consequently your data. This article suggests a list with the top 10 security considerations based on which you can efficiently secure your SQL Server instances. Read more »
