Who Do You Trust with Your SQL Servers?

by Sep 30, 2020

Protecting enterprise data resources has never been more important. The large quantities of data that many organizations store present an inviting target to both external actors and malicious insiders. Hackers have used the COVID-19 pandemic as cover to ramp-up their efforts at delivering malware and compromising sensitive information.

A recent data breach that affected the online shipping site Shopify illustrates the danger posed by rogue employees. In this episode, two individuals are accused of stealing customer data from over 100 merchants who were using the site.

Any business that ignores this danger is playing with fire and will probably get burned to some degree. Most organizations are making at least some attempt to protect the sensitive data that they store on employees and customers.

They have been spurred on by the rise in the number of regulatory standards that have are being enforced in various jurisdictions around the world. It can be very expensive in financial fines and reputational damage to companies affected by a data breach.

The Zero Trust Security Model

One security methodology that has gained traction with many enterprises since its inception is the Zero Trust Model. This concept was introduced by John Kindervag of Forrester Research in 2010.

The model provides a completely new way to approach the security of computer networks and the systems they support. The core doctrine that guides Zero Trust is the elimination of the idea of trusted internal and untrusted external networks. It also insists that for security purposes, data packets can be untrustworthy and cannot be treated in the same way as people.

This new model was developed to address the gaps in the prevalent security paradigm of the castle and moat. The moat represents external network security that is meant to keep unauthorized users away from the systems and data resources stored in the castle.

Security inside the castle is lax as it is assumed that only trusted entities have been granted access to its inner lair. Assuming is usually not a good thing, and putting too much credence in this type of security model is no exception.

All network traffic, whether carried out on internal or external segments is considered untrusted from the perspective of Zero Trust. Two weaknesses in the traditional trust but verify method of conducting security were identified as requiring remediation.

  • Insiders cannot be implicitly trusted as was discovered in Kindervag’s research.
  • Data packets can never automatically be trusted. There is always doubt regarding their origin or who sent the data, so every packet needs to be seen as potentially harmful.

The Zero Trust philosophy proposes three core principles that address these security weaknesses.

  1. All computing resources need to be accessed securely with all internal or external traffic considered as a threat until it has been authorized, inspected, and secured.
  2. The concept of least privilege needs to be enforced throughout the organization with stringent access control that only allows users to access data needed to perform their jobs.
  3. All network traffic needs to be monitored and verified in real-time before being granted access to connected systems or resources. Logging traffic is instructive but not sufficient to adequately protect a computing environment.

It is important to note that Zero Trust is a security philosophy rather than a technical solution. There are no dedicated Zero Trust security applications on the market. Implementing this security methodology demands a combination of the proper mindset and software tools designed to address the requirements of specific systems that comprise an enterprise computing environment.

The transition to the Zero Trust security model cannot be accomplished overnight and is comprised of several independent steps.

  • Catalog all assets including devices, applications, and data transmission paths.
  • Locate data assets and identify who needs access and where the data will be used.
  • Implement micro-segmentation to segregate sensitive areas of an environment from general access.
  • Implement strong identity and access management (IAM) principles that pertain to external and internal entities.
  • Protect data resources where they are currently stored, such as in your SQL Server databases.

Protecting Your SQL Servers

IDERA’s SQL Secure is a valuable addition to the software defenses protecting your SQL Server environment. It can help organizations implement the Zero Trust security model by enabling database teams to institute access to SQL Servers using the concept of least privilege.

The tool’s user analysis capabilities track membership to powerful server administration roles to ensure that the level of access is justified. Both on-premises and cloud instances of SQL Server are supported by this versatile security application.

A full suite of security reports is available with SQL Secure. Predefined policy templates based on industry standards provide guidelines to protect your systems from common intrusion attacks. Historical security settings can be used to designate baselines to compare against future snapshots to identify unauthorized changes.

Compliance and SLA reporting and an automated security scorecard add to the features designed to provide maximum security for your SQL Server environment. If your shop includes a SQL Server environment, your team needs to take a look at how SQL Secure will help keep your data safe.