Timothy Smith

SQL Server Database Architecture and Audits for Enhanced Security

June 5, 2017 by

This year, digital security has risen as a top concern for many people, especially after the recent security compromises with Cloudflare in February and ransomware in May. Throughout the last two years, we’ve also seen the rise of sim-swapping where a hacker is able to extract a user’s cell phone data and compromise all emails and two-factor authentication. Unfortunately, I expect these security issues to continue and cause compromises for user’s data while negatively impacting companies involved.

For those working on the database side, what lessons can we learn in design to prevent users from loss, while preventing compromises?

Security SQL Server audits

In the below example script, we look at the users on the database and their role with the create and modify date of the users:

In the above example, one of the keys we’re tracking is the user, create and modify date, as any new user or changed user may be cause for a concern. We can query this temporary table and monitor the results, raising alerts if we see a cause for a concern. We can also add a filter by recent date either for the create or modify date and have the results emailed.

One alternate route to creating permissions here is to script all windows user, SQL user and role creation and create only through a table or file based configuration. This provides a trail for every user that is created where any information read from these queries could be “checked” against the table or file required before creation. This process could follow the model of user submits a request for a role or user creation or modification, the creation or modification is approved, and daily audit checks against this table.

An example of a configuration table for creating users that also is used to audit the servers and databases that should have these users.

When we think about security design and auditing this information, here’s questions to keep in mind:

  • How often should audits of users, roles and permissions be done?
  • If an audit passes successfully, should the audit data be saved and archived, or removed after a period of time?
  • What teams need to be informed if the audit fails?
  • Should audits include other checks, such as users who are currently online?

Federated vs. Decentralized Design

The interaction between users and company occurs with user data, with both users and companies holding some or all user data.

Most companies approach user data storage with a federated data model – they store some of the user’s information while the user also stores their information. This creates two points of failure; the user can lose his information and the company can lose his information. It also creates two points of compromise: both may be targets. Both users and companies hold the user data while the company provides a service that requires a piece of that user data – such as a service which allows a user to pay an electric bill.

The interaction between users and company occurs exclusively with a key, with only users holding their own data.

An alternative to this data storage approach is a decentralized model where only the user has access to data, while the company exclusively provides a service which only requires a key without further information. An example using an electric bill would be a key (like a meter id) for each user and data showing whether that user paid, without any information retained about the user. In the event of a data compromise with the company, the hacker would only have access to the key – they would have nothing about the user.

In jurisdictions where this architecture is allowed, I suggest considering this model, as it reduces the probability of users being impacted during a data compromise of a company. Currently when a compromise occurs at a company, the company faces damages in multiple fronts and this becomes expensive, while the above model prevents a company from losing key customer data.

Build Architecture for Optional Inconvenience

Some users may prefer inconvenient design, as inconvenient is generally more secure. Consider a person who keeps money in a bank at a remote city without any digital access to the funds and with a requirement of two forms of ID provided to obtain access to the funds. This is incredibly inconvenient, but it’s also incredibly secure.

Some people may prefer to pay for inconvenience because it enhances security. In the case of sim-swapping cell phones, this only occurs because people are able to do this over the phone through social engineering techniques; what would happen if a cell phone company allowed people to pay annually for a feature that made all cell phone changes required in person at a cell phone branch? For these customers, sim-swapping would become impossible.

On the database side, we have a few options here:

  • We could use a bit field where 1 translates into a feature being disallowed, such as an operator being unable to switch a cell phone over the phone (on the application side, the information could all be faded out).
  • We could store the data in a separate table/database/server. If an operator cannot find the customer over the phone (because some cells wouldn’t allow any remote operator access), it means all changes must occur in person at a physical branch. This helps prevents an update to a table, in the instance that a server or database is hacked.

In both of these examples, our application for phone operators and branches may be different as well, preventing data from entering certain applications.

When we consider our users, let’s remember that some users may prefer less convenience for more security.

Offer Incentives for Enhanced Security

In most cases, a hacker is responding to an economic incentive where the hack yields a return – in most cases, financial. For instance, the recent ransomware wanted payout for access and the cloudbleed issue involved compromising user information, which could have also resulted in financial loss for the users.

What prevents companies from offering bug bounties or security bounties to people who identify weaknesses? If someone spots a security weakness, contacts the company, and the company is able to path the weakness, the nature of providing an incentive for this encourages people to help report problems, rather than use them against companies. I’m surprised how few companies offer these bounties, yet I’ve seen the few who do increase their security, as it offers rewards to people who help strengthen their system.

In addition, a person who continues to spot weaknesses, or helps a company improve should be considered as a candidate that could make a great addition to a company. A person who finds problems on their own time and makes suggestions for improvement is a person that makes a great addition to a strong security team.

Summary

Security will continue to rise as a major concern for both companies and users. Consider some of the following architecture and audit ideas as methods to increase your environment’s security. Depending on how much flexibility you have in your design, you can significantly reduce the negative impact of a compromise on users – even if it does occur.

Timothy Smith
Security

About Timothy Smith

Tim manages hundreds of SQL Server and MongoDB instances, and focuses primarily on designing the appropriate architecture for the business model. He has spent a decade working in FinTech, along with a few years in BioTech and Energy Tech. He hosts the West Texas SQL Server Users' Group, as well as teaches courses and writes articles on SQL Server, ETL, and PowerShell. In his free time, he is a contributor to the decentralized financial industry. View all posts by Timothy Smith

168 Views