How to Secure Your SQL Servers from Internal Threats

Oct 7, 2020

The tremendous value of enterprise data resources makes them an inviting target for malicious actors. Losing sensitive financial or personal data can destroy an organization’s reputation, put customers’ information at risk, and lead to serious penalties for non-compliance with regulatory requirements. Unfortunately, the number of data breaches shows no signs of slowing down anytime soon.

Many people incorrectly conclude that the greatest threat to corporate data comes from external forces that overwhelm network security to gain access to systems and databases. Outside hackers are certainly a problem, but insiders also pose a risk and can be hard to identify. Rogue employees may deliberately compromise sensitive information while those with insufficient training may accidentally enable unauthorized access to data resources.

An instructive webcast is available that offers valuable best practices for protecting sensitive data from internal threats. It covers the importance of security awareness and of understanding where your sensitive data assets are stored. The information is presented by IDERA’s Brian Kelley, an expert in SQL Server and Windows security and a certified information systems auditor. We recommend you watch the webcast if you are concerned about the sensitive data in your databases. What follows is an overview of the information presented in the webcast.

Proven Strategies for Protecting Sensitive Data

Providing adequate protection for sensitive data resources requires a multi-faceted approach that addresses the people who handle the data, the technical solutions used when processing the data, and where the data is stored. A failure in any area of the protection strategy can negate the whole endeavor. Here are the components of a viable data protection scheme.

Security awareness

One of the ways that hackers try to gain access to your systems is by compromising the weakest link in your system’s security. This is almost always the people layer, which is made up of everyone in the organization, whether or not they have direct access to sensitive information. It is much easier to attack a person than it is to gain access to a hardened system.

Security awareness involves an understanding of enterprise data assets and how individuals may be targeted by malevolent actors. Most employees will not knowingly enable hackers to access the organization’s systems, but they may be less able to defend themselves against phishing and targeted spear-phishing emails. The forces behind these emails are essentially con men trying to gain the trust of their unsuspecting targets.

The goal of a spear-phishing email is to entice the recipient to click on an embedded link that will deliver malware to their computer. The malicious software can be used for various purposes ranging from destroying data to stealing user credentials. Sophisticated attacks use information gleaned from various sources such as LinkedIn to personalize messages in an attempt to trick the user into believing it comes from a trusted source. They present a credible narrative that can be extremely hard to detect as a dangerous impersonation.

Security awareness training can help limit the dangers of phishing, though there is always the potential for one to get through. This is a clear example of how the best technical security defenses can be subverted by a single lack of judgment or mistake.

Data classification and governance

Classifying data based on its degree of sensitivity is critically important to its protection. Not all data needs the same level of protection, and treating it all similarly is a recipe for disaster. Most organizations need between three and five different classifications, which can be augmented with tags to further limit unauthorized access. Minimum handling requirements are implemented for each data class.

Data governance is a method of handling data assets consistently throughout an organization. Data owners, who are often department heads or members of upper management, decide how to classify various information assets. The policies they define are enforced by data stewards or custodians. Training is required to ensure that data is correctly classified throughout the organization.

Controlling the use of production data

Using production data in non-production environments exposes it to unnecessary risk of unauthorized use. Development systems often have a lower level of security than production, in order to facilitate the updates and testing that need to be performed on them. It is a common but bad idea for development teams to use production data to conduct testing. Even stale production data can provide hackers with sensitive information. Once malware enters a computing environment, it hunts for the easiest targets, which may well be your development servers.

The best solution to this problem is to use artificial data for development and test systems. The extra time or effort spent in creating this data will be repaid with the knowledge that no sensitive data is at risk in your development environment.

End-to-end data encryption

Encrypting sensitive data is a viable method for protecting it from unauthorized use. But fully protecting your data with encryption may be more complicated than you think. The data needs to be encrypted while in transit, during use, and at rest. This means that backups and data transmissions over internal networks need to be encrypted.

Returning to the human element involved in data protection, system admins can access unencrypted data when it is in memory during processing. These individuals need to be vetted before being given the permissions required to perform their jobs.
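
The following T-SQL is an added example, not material from the webcast or from IDERA. It is a read-only audit of one SQL Server instance for the at-rest, in-transit, and backup encryption gaps described in this section. It assumes SQL Server 2014 or later, VIEW SERVER STATE permission, and read access to msdb; the 30-day backup window is an arbitrary choice.

```sql
-- Added example: read-only encryption audit for one SQL Server instance.
-- Assumptions: SQL Server 2014+, VIEW SERVER STATE, read access to msdb.

-- 1. At rest: user databases not fully protected by Transparent Data Encryption.
SELECT d.name AS database_name,
       d.is_encrypted,
       k.encryption_state,   -- 3 = encrypted; NULL = no database encryption key
       k.key_algorithm,
       k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
WHERE d.database_id > 4      -- skip master, tempdb, model, msdb
  AND (k.encryption_state IS NULL OR k.encryption_state <> 3)
ORDER BY d.name;

-- 2. In transit: current sessions whose network connection is not encrypted.
SELECT c.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.client_net_address,
       c.net_transport,
       c.auth_scheme
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
  ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
  AND c.net_transport <> 'Shared memory'   -- local connections never leave the host
ORDER BY s.login_name;

-- 3. Backups: backups finished in the last 30 days (assumed window)
--    that were taken without backup encryption.
SELECT b.database_name,
       b.type AS backup_type,              -- D = full, I = differential, L = log
       b.backup_finish_date,
       b.key_algorithm,
       b.encryptor_type
FROM msdb.dbo.backupset AS b
WHERE b.backup_finish_date >= DATEADD(DAY, -30, GETDATE())
  AND b.key_algorithm IS NULL
ORDER BY b.backup_finish_date DESC;
```

A backup of a TDE-enabled database is still encrypted by TDE even when `key_algorithm` is NULL, so read the third result set together with the first. Encryption during use is not covered by these queries.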

Protecting Your SQL Server Environment

SQL Compliance Manager is an excellent tool for discovering and protecting the sensitive data residing in your SQL Server databases. It enables your team to locate where sensitive data is stored in your databases, which is a necessary first step in protecting it. The tool allows you to monitor specific SQL Server events and generate alerts to inform the right people that something may be amiss.

A central management console enables you to view all enterprise SQL Servers located in your data center or with a cloud provider. SQL Compliance Manager is a valuable tool to assist with the challenging task of protecting your data resources. It will also help demonstrate compliance and pass audits based on the regulatory guidelines that apply to the data in your SQL Servers.