Security is more than just protecting data. This white paper takes a closer look at one aspect of security: protecting your data.
The protection of your data is about two things: Prevention and Repression. Prevention concerns measures to prevent crisis situations, repression concerns actions to solve a crisis. The more attention is paid to prevention, the smaller the chance that repressive actions will have to be taken. In IT terms, the term “High-Availability and Disaster Recovery” (HADR) is often used.
Prevention is about protecting your data. Think of things like: “ Who can read the data ?”, “ How do I prevent my data from getting into the hands of unauthorized users ?” and “ How do I make sure I have a safe copy of my data ?”
Repression concerns the possibilities of reconstructing data as quickly and as completely as possible. This includes backup and fallback procedures.
Good security starts at the front door. Therefore, make sure that users can only use complex passwords. Also, regularly review the list of authorizations, paying special attention to users with sensitive authorizations.
The IT Infrastructure must already offer good protection in the basics. Think of firewalls and antivirus software, but awareness among users is also important. The chance that a user accidentally clicks on a link in a suspicious email is always present and the consequences can be serious.
A quick win is to use Windows Active Directory authentication for your databases. MSSQL Server can take login credentials from the Windows domain. This simplifies user logins and ensures that a complex password on the domain is sufficient. For management it is recommended to assign authorizations to groups and then give these groups rights in MSSQL.
Software contains flaws, including security flaws. Therefore, regularly install the latest updates of the software used.
The latest versions of MSSQL Server have a lot of extra options to protect data, for example the entire database can be encrypted, or just the backup of the database. A copy of the database cannot then be read on another server. It is also possible to secure the connection between the user and the database. This is particularly recommended for databases that are “in the cloud”, but is also not an unnecessary luxury for internal systems. This security is transparent to the application and therefore does not require time-consuming adjustments. With the arrival of MSSQL 2016, the security options have been expanded even further. For example, data can now be protected based on who logs in; even for database administrators, data can be shielded!
It is recommended to regularly perform a certain amount of “auditing” on the database servers. As a result, suspicious situations are noticed more quickly. We recently discovered a hacking attempt in this way at a customer.
If the data must be available quickly after a disaster, it is wise to have an answer to two important questions in advance: “In the worst case, how much data can I lose after a disaster ?” (Known by the term RPO) and “How long can it take before the data is available again ? (Known by the term RTO).
RPO and RTO determine the availability of the data and influence the HADR strategy. If the RTO of data is very low (read: the maximum recovery time is short), a fall-back solution is often necessary. If the RPO is low, this largely determines how often and what types of backups are necessary. Keep in mind that a higher availability requirement usually also entails higher costs.
A good HADR strategy can only function properly if it has been proven to work. It is therefore necessary to restore a backup regularly. An annual fall-back test is also a must.
Security and data protection are important aspects for companies; not only financial, but also social risks can arise if sufficient attention is not paid to this. Also think of the Data Breach Notification Act!
DBA.nl has an extensive security check available for your MSSQL environment, which provides a detailed picture of the current situation. In addition, we are happy to think along with you about repressive solutions such as a backup solution or the implementation of a method for increased availability.
Do you want to be completely unburdened? We offer services in which your MSSQL environment is monitored by us 24×7 if desired. We would be happy to discuss the options with you. Please do not hesitate to contact us if you are interested. Check out our website for contact details and the options we can offer you.
DBA.nl is the all-round database expert specialized in setting up, maintaining and monitoring database environments. In addition, we provide advice and remove performance problems.
In almost every organization the most important and most structured data is located in a few critical tables within your...
CVE-2015-0235 aka “The GHOST Vulnerability” On January 27, a vulnerability was discovered in the Linux glibc library...
"Oracle counts all servers when using VMware vSphere from version 5.1" Several sources on the internet report that Oracl...