Using a case study where an organization had to suffer the consequences of lax security measures, we try to understand why it is critical to enforce strict security measures in any enterprise SQL deployment.
The most preferred enterprise level relational database management system – SQL Server, is also supposed to be one of the most protected and well maintained software. No company fills a SQL Server database with data that is not important; being an expensive product that it is, SQL is always used for storing business data which typically contains sensitive data. SQL databases are usually filled with customer and employee details, both of which are very important for a company and should be well protected. Some companies tend to neglect the security of their SQL databases and few of them end as victims to data thefts and hacking attacks.
What Happens When a Company Compromises on SQL Server Security?
If a company does not take the security of its SQL databases seriously, it can face frequent database corruption, loss of data, unauthorized access to data, etc. Although SQL Server provides its users with a lot of in-built security measures, like row – level security, database encryption, Authentication modes, Database roles etc, using all of these might still keep your database open to vulnerabilities. Apart from using all these features provided by SQL Server you might opt for choosing a third party software to deal with emergency situations where you may need to perform a SQL Server repair operation.
Consequences Can be Very Grim
The impacts of lax security measures while deploying SQL Server can be better explained by an example / case study.
Let’s take an example of a large Real Estate company, called ‘X’. Since X is a large company, its operations are not limited to the United States, but spread all across the globe, in many Asian and European countries. Understandably, the company makes use of SQL Server database for managing its heavy load of information. The DBAs make attempts to secure the databases, but a few weak points remain. Slowly, the vulnerabilities of the company’s user data increase and data started go into wrong hands. Insider data thefts combined with multiple incidents of identity fault brought it before several compliance authorities and it was exposed to several legal suits. All this led to a reduction in company’s profits along with maligning the brand name. This could have been easily avoided if the databases were secured by stringent security measures.
Given below are a few of the multiple causes under lack of database security, leading to company’s downfall.
- Unauthorized Access / Changes: One of the main reasons that led to the downfall of X was unauthorized access to the database, this might have happened either due to weak passwords or lack of change management.
- Incorrect Authentication Modes: The DBA for SQL databases of X, made use of the mixed – mode authentication instead of Windows authentication. This does not mean the Windows authentication is not secure, but modes should be selected based on the kind of data stored.
- Backup Thefts: Weak network security led to theft of database backups of X, and copying of data. If database encryption was enabled, this could have been avoided.
These were not the only reasons leading to X’s downfall, but were the main contributors. To avoid any such thing from happening to your company ensure the safety of your databases.
As evident from the case study, SQL Server security should be taken lightly at all. Any laxity on the part of organization to put in a proper security framework can lead to grim consequences.
Victor Simon is President & Chairman of DataNumen, Inc., which is the world leader in data recovery technologies, including repair mdb corruption and sql recovery software products. For more information visit www.datanumen.com