SQL Vulnerability Assessment

SQL Vulnerability Assessment is a feature available in the latest versions of SQL Server Management Studio (SSMS). It is very easy to use and reports the security vulnerabilities and deviations from best practice found in your SQL database. You can run it against your most critical databases to confirm that you are following strict security practices and that your clients' databases are in safe hands. In this article, we describe the process of running these scans against your databases. With the amount of data growing every year, database security is an aspect every DBA needs to take care of. The consequences of a data breach are severe: they can affect your future as a DBA and badly damage your firm's reputation.

In-depth Exploration of Row Level Security

Introduction

Organizations are increasingly concerned with reducing the cost of licensing database solutions through consolidation. Some consolidation can be achieved in SQL Server simply by taking advantage of the existing one-to-many relationship between instances and databases. However, there are cases where the solution demands that data be consolidated into a single table, and then the question arises of how to restrict access to that data.

Row Level Security was introduced in SQL Server 2016 as a solution to scenarios like the one above. It lets you restrict access to rows in a table based on conditions defined in an inline table-valued function called a predicate function. When a predicate function is applied to a user table containing consolidated data, the system can be configured to return different result sets to different users depending on their roles, which in turn depend on, for example, their job descriptions or departments.

Introduction to Row-Level Security in SQL Server

Problem

Prior to SQL Server 2016, table-level security was the lowest level of security available in a database by default. In other words, a user could be restricted from accessing a table as a whole. In some cases, however, we need users to have access to a table but not to specific rows within it. Before SQL Server 2016, this required writing custom stored procedures to provide such fine-grained security, and those stored procedures are prone to SQL injection and other security pitfalls.

Oracle Database Security: Database Auditing

In this article, I will continue with Oracle Database Security and present some important facts about standard database auditing, audit triggers, and audit policies in Oracle. Database auditing has two components: monitoring, and persistent recording of defined sets of database activities and events. The purposes of database auditing are non-repudiation, investigation of suspicious activity, detection of problems caused by authorization configuration (resource access), compliance with current legislation, and control.

Database Security in Oracle

It is no secret that information makes the world go round today. If an enterprise takes care of its intellectual property and each employee can easily get the information they need, the enterprise can hope for growth. If its data is in chaos, the enterprise will fail despite team spirit.

In this article, we are going to explore the basics of database security and examples of information protection in Oracle. The theoretical basics of protecting information in a database that we consider here will also be useful to people working with other databases.

Setting Database Access Permissions

Server security depends mainly on how correctly you configure access permissions on objects. Granting a user excessive permissions can cause many problems. It is not that the user will exploit your mistakes; a hacker (or I) will. In that case, you can forget about your tables of data, or the whole database.

For some reason, database security is treated as protection from the outside, such as from a hacker. However, this happens very seldom. I am a programmer in a big company, and the administrator does not even think about protecting the server ports, where everything is open. There is a bunch of databases, programs, and even an FTP server on a single server, and it has never been hacked over the past 5 years. Fortunately, I persuaded the administrator to deploy the web server on separate hardware. Otherwise, if someone knew the IP address of our main server, any slacker would be able to hack it. Neither the database nor Windows has been patched for several years.

SQL Server Security Ponderings – Part 2 | Database owner + TRUSTWORTHY

This article is the second of three devoted to a particular combination of database security configuration settings.

In my previous article, I presented a scenario in which we were able to compromise data in a SQL Server database.

I would like to note that knowledge of this configuration combination is critical. In this article, I am going to provide further information on, and reasons for, the importance of this issue.

SQL Server Security Ponderings – Part 1 | DMI – Bobby Returns

Nowadays security and data privacy are in special focus. When I deliver training, I always refer to the DBA as the "guardian of the data." There are two aspects to being a guardian.

The first one is integrity. It includes tasks like checking database consistency, creating backups, and being prepared to repair the database when problems arise by having a well-designed, comprehensive DR plan.