Securing your data...
Posted on 13th Sep 2018 13:48:28 in Misc, Platform, Technology
Securing your SQL Server is by no means a one and done event. Today's internet, the value of data is increasing rapidly, and access to central station database is not solely a data specific issue, but a global security of assets (burglary monitoring), and life and death concern (fire and medical monitoring). Here are some security recommendations to protect your data, based on our platform perspective.
- Database isolation - When a hacker gains access to a network their priority is to “locate valuable data”. Because application servers need to be accessible to users, it becomes easy for hackers to locate them. If your database is stored on the same server, then hackers can target them directly. A good practice is to isolate databases away from users direct access. This can be done by first moving the database into its own server, and then move that server it into either a virtual or physical network completely separate from the network used to access the application platform.
- Tailor your database installation - SQL Server installation is straightforward; however, it estimates what features you will want/need. Adding features that will not be used adds unwanted possible security vulnerabilities. Read and document every step of the installation. Be sure all servers have the same installed features.
- Prepare and separate time for updates - Software updates often comes with security patches. Be sure consistently scheduled time to install patches and updates.
- Restrict database process - By default SQL Server runs under local system accounts. These users have high access to local resources. If a hacker has query access to the SQL Server, they might be able to remotely execute commands on the server. By creating a custom local user with restricted access, you can limit hacker's access to local resources.
- Restrict SQL traffic - Even when SQL Server is running on a separate server, is a good practice is to lock as many ports as possible. This could be archived with a managed switch, routers, or at a local software based firewall. This adds extra protection against port scans and other methods used to locate and access servers.
- Audit database login - This is a process that needs to be done constantly, and often helps identify unexpected access to the database. If all else fails, this is also a favorable forensic tool in case the database has already been compromised.
- Ensure safe storage and procedures for your backup - Backup procedures should always be first-priority, even if for local redundancy. A backup will not only help you recover but also helps trace back any unexpected security vulnerabilities that might previously have existed on your system. Always makes sure your backup storage is not network accessible, and preferred off-premise.