Problems displaying this newsletter? View online.
SQL Server Central
Featured Contents
Question of the Day
The Voice of the DBA
 

The Cloud Security Problem

Your management gets a great demo from a cloud vendor and decides that the organization needs to implement the new service/application/etc. quickly. Your team tries to comply, furiously learning and experimenting with integrations, software changes, infrastructure configuration, and more. Clients and management are happy with the new capabilities and you breathe a sigh of relief.

After a bit of time there's a security issue and all of a sudden there's blame pouring down on everyone. The vendor takes a hit because it's a public security problem, but the reality might be that your organization didn't completely understand how to configure strong security. The public doesn't blame you, but internally your team don't know how to make changes to ensure future security.

That's a bit of what happened with the Snowflake customer hacks, and a good description of some of the issues is in this piece from Joey D'Antoni. Snowflake didn't necessarily have bad security, but they allowed customers to have bad security and also limited the options for customers to implement stronger security.

I think about this all the time as I look at the challenges of security that many organizations face. In my decades of working in different situations, the one thing I know is that pressure to move fast often creates security shortcuts. Much of the early security problems with SQL Server could easily be traced to a) allowing installs with no password, b) developers not understanding the security model and granting sysadmin (or using sa) in their applications, and c) management agreeing that this was OK because a deadline needed to be met.

In all these situations, workers had the best of intentions to go fix things later, but there was rarely the time or energy to do so. As someone who forced apps to change away from sa in a large org, and required separate accounts and passwords for servers, I can tell you no one liked me and I got a lot of pressure to leave things alone. That is until I could explain the risks to managers with security people present. Even then there was no shortage of people who wanted me to assume the risk of apps using sa.

Cloud security is pretty good from the major vendors. Most of the smaller co-location facilities I've worked with in the past also had good security. It was the clients that caused problems, often because of a lack of knowledge or the desire to hurry.

Joey says Entra is a great system. I agree, and I love the SSO capabilities I've seen implemented. I also know that trying to set things up and configure them has been difficult for me, and I think I can be pretty sharp about lots of technology. Joey has patiently answered many of my ignorant questions because I didn't understand how some part of Entra (AAD) works.

Most of us working in technology need more security education, better habits, and the patience to implement strong security. At the same time, I wish that the solutions out there were easier to understand, or maybe better explained for those of us who need to use some portion of the authorization and authentication systems in our software.

Unfortunately, security software is still software and those vendors push out changes and updates quickly as well, leaving education and documentation to the user. A bad situation that continually arises with regular issues in many organizations.

Steve Jones - SSC Editor

Join the debate, and respond to today's editorial on the forums

 
  Featured Contents
SQLServerCentral Article

Virtualizing AWS data by using Fabric Shortcuts: Data Engineering with Fabric

John Miner from SQLServerCentral

Learn how you can get data from AWS into Fabric in this article.

External Article

Consistency and Concurrency in NewSQL Database Systems

Additional Articles from SimpleTalk

Companies today require database systems that are reliable and capable of efficiently handling large volumes of data and numerous transactions. Traditional relational databases, once the foundation of data management, often struggle to meet these modern demands, leading to delays and program slowdowns. In response, NewSQL databases, a new class of SQL systems, has emerged.

Blog Post

From the SQL Server Central Blogs - T-SQL Tuesday #179 Roundup: The Data Detective Toolkit

Tim Mitchell from Tim Mitchell

Earlier this month, I hosted the monthly T-SQL Tuesday invitation in which I asked, “What’s in your data detective toolkit?” We got some great responses which I’ll recap here,...

Blog Post

From the SQL Server Central Blogs - Convert SQL Audit Files to a CSV Using Read-SqlXEvent

Patrick Keisler from Everyday SQL

SQL Server Audit is an efficient way to track and log events that occur within the database engine. For on-premises or IaaS environments, those audits can only be stored...

Refactoring Databases cover

Refactoring Databases: Evolutionary Database Design

Site Owners from SQLServerCentral

Refactoring has proven its value in a wide range of development projects–helping software professionals improve system designs, maintainability, extensibility, and performance.

 

  Question of the Day

Today's question (by Steve Jones - SSC Editor):

 

The LAGging NULL

I have this data in a SQL Server 2022 table:
player yearid team HR Alex Rodriguez 2012 NYY 18 Alex Rodriguez 2013 NYY 7 Alex Rodriguez 2014 NYY NULL Alex Rodriguez 2015 NYY 12 Alex Rodriguez 2016 NYY 9
If I run this code, what are the results returned in the hrgrowth column?
SELECT player , yearid , hr , hr - LAG (hr, 1, 0) IGNORE NULLS OVER (ORDER BY yearid) AS hrgrowth FROM dbo.playerstats; 

Think you know the answer? Click here, and find out if you are right.

 

 

  Yesterday's Question of the Day (by Steve Jones - SSC Editor)

AUTO_DROP Statistics

In SQL Server 2022, what does this statement do?

CREATE STATISTICS CustomerStats1 ON DimCustomer (CustomerKey, EmailAddress) WITH AUTO_DROP = ON

Answer: If these statistics interfere with a schema change, they are dropped

Explanation: This option drops statistics when they interfere with schema changes. Ref: CREATE STATISTICS - https://learn.microsoft.com/en-us/sql/t-sql/statements/create-statistics-transact-sql?view=sql-server-ver16

Discuss this question and answer on the forums

 

 

 

Database Pros Who Need Your Help

Here's a few of the new posts today on the forums. To see more, visit the forums.


SQL Server 2016 - Development and T-SQL
Nested Multi-Line Comments Q - Is the below with nested multi-line comments valid T-SQL code? I thought no because it has nested Multi-line comments but when I drop the code into SQL Server to check its I get no errors. Below is a section of the script that has the nested comments.  The Closing comment marker in the last row […]
SQL Server 2019 - Administration
ODBC Connectivity - I am running SQL Server 2019 on my local PC - Windows 10 pro x64. I have an MSAccess application that uses a ODBC DSN to connect to the database. I am trying to connect instances of this application from other PCs running Windows 11.  I cannot create a ODBC DSN from those machines to […]
Adding Database to AG After Adding A New Master Key To Database - I have a database i need to add to AG. lets name it "TestDB", now TestDB already has a master key and i do not have the password for it, so i add a new database master key to it using the following query - USE [TestDB]; ALTER MASTER KEY ADD ENCRYPTION BY PASSWORD = […]
Adding Database to AG After Adding A New Master Key To Database - I have a database i need to add to AG. lets name it "TestDB", now TestDB already has a master key and i do not have the password for it, so i add a new database master key to it using the following query - USE [TestDB]; ALTER MASTER KEY ADD ENCRYPTION BY PASSWORD = […]
SQL Server 2019 - Development
Operand data type varchar is invalid for sum operator - I have this view [dbo].[Asset Metrics - Client(Rama -Client-Test)], which makes use of multiple tables/views Below: The only change that was made in the underlying data was [Prod].[IMETA - Global Field Flows and Holdings (Period and client)_model_SAP BW]. The Value column in source contained a non numerical value "X", i removed it and replaced it […]
SSIS Package error when running through SQL Agent job - Hi, Can someone please help me resolve below error. To run a SSIS package outside of SQL Server Data Tools you must install Standard Edition (64-bit) of Integration Services or higher. End Error DTExec: The package execution returned DTSER_FAILURE (1). I'm running my package using SQL Server agent Job. But it is throwing error as […]
Reporting Services
Upload report fails (SSL/TLS) but "Save As" from Report Builder works - When I use the "Upload" button from the SSRS website it fails and I get the following error in the logfile: OData exception occurred: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. However, if I open the same report in Report Builder and use "Save As", it […]
General
Why does SSMS always pop up this window every time I get into it? - For the last few weeks every time I get into SSMS 20.2 I am presented with this window: I always select the Copy button, which supposedly would copy the top of my user settings file a new version. I would think that would take care of it, but no, the next time I get into […]
Strategies and Ideas
Date Type ETL Question - I'm not sure that I'm posting this in the right section, so please mods please move if that is the case. Anyway, what are the best practices for ETL jobs that move Date fields? Let's say I'm going from Oracle to SQL Server. Is it best to land the data in SQL server in some […]
Integration Services
Converting Non Numeric to Null - I have a numeric column called "Value" in a flat file, which contains both numeric data and non-numeric values, such as "X". I'm using the Derived Column Task in SSIS to convert the non-numeric "X" values to NULL. However, I am encountering an error during this process. Could you please assist me in resolving this […]
Converting Non Numeric to Null - I have a numeric column called "Value" in a flat file, which contains both numeric data and non-numeric values, such as "X". I'm using the Derived Column Task in SSIS to convert the non-numeric "X" values to NULL. However, I am encountering an error during this process. Could you please assist me in resolving this […]
Working with Oracle
Sql server 2005 cpu spiking issue - Hi everyone, new to this sub but I was wondering what you guys would do to check on a sql server that goes from 5% cpu utilization to 99% back down to 5% every 4 seconds. I checked if it was a job and the closest one is a simple insert that runs every minute. […]
SQL Server 2022 - Administration
Database backup and restore questions. - Hello: I’m not one hundred percent sure on database backup and restore and have questions. Scenario ·        A developer accidentally deleted the production database on  January 21st at 10 AM. ·        Questions: o   How can I recover the database point of time? o   Can I restore or recover the production database point of time if […]
Possible oddity in msdb.dbo.backupset - Hi all   I've written a script to keep track of how long backups are taking, which databases got a full or differential backup, and a few other bits. I'm using msdb.dbo.backupset as my base table but I think I've found something strange. According to that table, we managed to backup a 300GB database in […]
SQL Server 2022 - Development
how to solve a conversion failure error - Sample query reply appreciated Getting the following error: Conversion failed when converting the varchar value 'VZ34-031' to data type int. This is my query that produced the error: select count(t1.shipqty), t3.description from sales t1 left outer join return t2 on t1.company = t2.company and t1.invoicenum = t2.invoicenum left outer join reason t3 on t2.company = […]
 

 

RSS FeedTwitter

This email has been sent to newsletter@newslettercollector.com. To be removed from this list, please click here. If you have any problems leaving the list, please contact the webmaster@sqlservercentral.com. This newsletter was sent to you because you signed up at SQLServerCentral.com.
©2019 Redgate Software Ltd, Newnham House, Cambridge Business Park, Cambridge, CB4 0WZ, United Kingdom. All rights reserved.
webmaster@sqlservercentral.com

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -