It is Never a Bad Time to Revisit User Permissions

Jul 22, 2020

A database needs users to provide any value to an organization. While it might be instructive from an academic point of view to simply collect large amounts of information in electronic format, the data serves no valid purpose unless someone accesses and uses it. Enterprise data resources are usually made available to multiple entities within an organization who make use of the information to make business decisions.

One of a DBA’s responsibilities is to create login credentials for authenticated database users. This involves developing different levels of permissions that control what type of activity an individual can perform on a given system. These permissions are distributed across the organization based on job requirements. Best practices specify that a user should have the minimum permissions necessary to perform their work functions.

Mistakes in the ID provisioning process can leave some users with elevated privileges that are not in line with the duties of their position in the enterprise. This can be a huge problem, as sensitive and personal data that should be protected may be made available to individuals who are not authorized to access it. In a perfect world, no malicious activities would ever be carried out by employees who find themselves with elevated database privileges.

The Problem of Insider Threats

Unfortunately, the world we live in is not perfect and the problem of insiders misusing data is of great concern to IT leaders. Management is worried about employees accidentally or intentionally putting data at risk. A disgruntled worker may be motivated to use enterprise data for personal gain at the expense of the organization. Conscientious employees may be duped by elaborate phishing schemes or other methods to unintentionally provide data access to malicious actors.

The apprehension over data breaches involving insiders is well-founded. Repercussions following a data breach can cause substantial financial and public relations problems for the affected organization. Regulatory agencies may levy fines, and the individuals whose data was compromised can demand compensation. Customers may be reluctant to trust the business with their information, leading to decreased sales and a loss of reputation. Suffice it to say that the best way to deal with the aftermath of a data breach is to not let one happen in the first place.

There have been many instances of large-scale data security problems that can be tied to either deliberate or accidental misuse of information resources. Here are two examples that illustrate the point.

An insider working in the Jackson Health System in Miami, Florida was terminated in 2016 when it was discovered that she had been stealing confidential patient information over the previous five years. The stolen data included names, Social Security numbers, birthdates, and home addresses. These are the kinds of data that allow criminals to steal identities and open phony bank accounts. In this case, the insider was intentionally compromising the organization’s data.

A more recent instance involving insiders is the Twitter security breach that occurred on July 15, 2020. In this episode, malicious messages were sent from the Twitter accounts of some of the popular communication platform’s most-followed users. Messages were sent from the accounts of Barack Obama, Joe Biden, and Elon Musk, among others, as part of a bitcoin scam. While the specifics of the breach have not been fully disclosed, the company announced that it suspected a coordinated social engineering attack that targeted employees with access to its internal systems.

In both of these cases, the post-mortem investigation of the data breach should include a review of the types of permissions that the employees had versus what they needed to do their jobs. It may be found that one of the underlying causes of the breach was database privileges that were not warranted and subsequently misused.

Permissions Need to be Verified Regularly

Data security is a critical part of any IT environment. Protecting the information resources of an enterprise is one of the most important aspects of database administration. One of the ways this is accomplished is by having a viable backup available that can be used to restore systems in the event of a disaster. Another method of data protection is to demonstrate vigilance regarding the permissions that allow access to an organization’s data assets.

IDERA’s SQL Secure offers database teams a comprehensive platform for reviewing, monitoring, and reporting on the user permissions in their SQL Server environment. The tool provides a central point of control from which to work with physical and virtual SQL Servers housed in the data center or the cloud. A centralized data repository facilitates reporting and analysis of permissions across all of the organization’s SQL Servers.

Various aspects of enforcing SQL Server security, such as analyzing effective rights and the permissions assigned to database roles, are easily accomplished with SQL Secure. Powerful reporting capabilities are available for security auditing and to demonstrate compliance with regulatory standards. Weak passwords can be detected so they can be strengthened to close another potential security hole. The application even self-audits all activities related to its administration.

SQL Secure is a powerful addition to your DBA’s software toolkit that improves the security of your SQL Servers. So, when was the last time you checked your database’s permissions? Maybe it’s time to get on it.