SQLServerCentral - www.sqlservercentral.com


The Voice of the DBA

Protecting Our Stream of Data

Protecting the data our companies collect is important. Many of us go to great lengths to secure our databases, firewall connections, limit access, and more. However, we can't secure the data before it gets to us, and that can be a problem. I ran across a link on Bruce Schneier's blog that shows a criminal placing a skimmer on a credit card scanner in a convenience store. The original video is gone, but there are plenty more.

In general, the loss of data from the application (and physical hardware in this case) isn't really a database issue. After all, the data is essentially split into two streams, with some going to the legitimate database and other processes while another stream goes to the skimmer. However, if this happens and the skimmer isn't discovered, it's entirely possible that any data loss might be blamed on the database or IT infrastructure.

If someone suspected you were hacked because of data being lost, could you prove you weren't hacked? Or that the data didn't come from your database? This is impossible, since you can't prove a negative, but would you have any evidence that could be used to bolster your claims? Is there auditing or other tracking of activity? Does your organization keep any logs that would show a lack of activity and are protected against tampering? Ideally you would find the source that lost the data, but if you can't, it can be difficult to prove that the losses didn't come from your systems.

Most of us might not have much that would show our systems have only had legitimate access. Instead, we'd depend on the limited SQL Server logging, as well as other infrastructure tracking, such as firewall activity logs. The strength of our presentation would likely determine whether security staff or management accepted our claims as valid.

Point of Sale systems are different from the applications that most of us use, but certainly we have database security concerns that we should address. I would hope that SQL Server would bolster its capabilities in this area, providing a way to easily set up a tamper-proof log that accepts writes of activity from a database in some structured text file that uses minimal resources. I'm not even sure what I'd want here that I can't get from XE, but I do think having something more robust and standardized would be nice. If nothing else, a local SQL Server could stream XE events out to a file target in a remote location that only supports writing. This wouldn't necessarily prove anything if the connection were disrupted, but it would ensure that a business was aware of the breakdown between the instance and audit log.
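The structured, tamper-evident activity log and the "aware of the breakdown" property described above, as an added example (not SQL Server functionality and not code from this editorial). It goes beyond the text by assuming one concrete design: JSON lines chained with HMAC-SHA256, a key held by whoever verifies the log, and periodic heartbeat records; the field names, the 120-second silence threshold and the sample events are constructed.

```python
# Assumed design (not from the editorial): JSON lines, HMAC chain, heartbeats.
import hashlib
import hmac
import json

GENESIS = "0" * 64  # anchor value chained into the first record


def _mac(key, prev, seq, ts, event):
    # Canonical JSON so writer and verifier MAC identical bytes.
    body = json.dumps({"seq": seq, "ts": ts, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()


def append(log, key, ts, event):
    """Append one JSON line whose MAC also covers the previous line's MAC."""
    prev = json.loads(log[-1])["mac"] if log else GENESIS
    seq = len(log) + 1
    log.append(json.dumps({"seq": seq, "ts": ts, "event": event,
                           "mac": _mac(key, prev, seq, ts, event)}))


def verify(lines, key, now, max_silence=120):
    """Return a list of findings; empty means intact and still being fed."""
    findings, prev, last_seq, last_ts = [], GENESIS, 0, None
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
            seq, ts, event, mac = rec["seq"], rec["ts"], rec["event"], rec["mac"]
        except (ValueError, KeyError, TypeError):
            return findings + [f"line {n}: unparseable record"]
        good = _mac(key, prev, seq, ts, event)
        if seq != last_seq + 1 or not hmac.compare_digest(str(mac).encode(), good.encode()):
            return findings + [f"line {n}: chain broken (edited, deleted or reordered)"]
        if last_ts is not None and ts - last_ts > max_silence:
            findings.append(f"line {n}: {ts - last_ts}s gap before this record")
        prev, last_seq, last_ts = good, seq, ts
    if last_ts is None or now - last_ts > max_silence:
        findings.append("tail: no recent record (feed down or log truncated)")
    return findings


def sample_log(key):
    """Constructed sample: two heartbeats 60 s apart plus one login event."""
    log = []
    append(log, key, 1000, {"type": "heartbeat"})
    append(log, key, 1030, {"type": "login", "principal": "app_reader"})
    append(log, key, 1060, {"type": "heartbeat"})
    return log
```

A chain like this makes edits and deletions detectable rather than impossible, and it cannot distinguish an outage from a truncated tail, which is why the check against the current time is part of the verification.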

I know the ways in which people attempt to access and steal data will continue to evolve and become more complex and creative. We can't protect against many of them from the database side, but I'd like to think that we could protect the data we have. We should ensure it is safe from theft, loss, or inappropriate access and prove we have done so.

Steve Jones from SQLServerCentral.com


Question of the Day

Today's Question (by Steve Jones):

In SQL Server 2016, what is a column set?


Yesterday's Question of the Day

Yesterday's Question (by Steve Jones):

What is the limit for Foreign Keys in SQL Server 2016? In other words, how many other tables can my dbo.Sales table reference?

Answer: 253

Explanation:

In SQL Server 2016+, a table can reference 253 other tables as foreign keys.

This transmission is ©2018 Redgate Software Ltd, Newnham House, Cambridge Business Park, Cambridge, CB4 0WZ, United Kingdom. All rights reserved.