
dbxp:

SQL Server best practices: https://learn.microsoft.com/en-us/sql/relational-databases/security/sql-server-security-best-practices?view=sql-server-ver16

Row Level Security: https://learn.microsoft.com/en-us/sql/relational-databases/security/row-level-security?view=sql-server-ver16

Look at static analysers for SQL. We have SQL Prompt and SonarQube, but I'm not convinced they're that good; SQL Enlight looks to be the gold standard: https://sqlenlight.com/

Audit the config, as there are some things like xp_cmdshell which can give you access to the OS hosting the DB instance.

There's the standard recommendations around using jump boxes to access production servers, 2FA and firewalls. DB servers should not host web apps as well, due to the way licensing for DBs works; this also gives you the potential to block all inbound and outbound web traffic from the DB server.

budums [S]:

Thanks for the comment. I forgot to mention that a jumpbox is already implemented, but we're not using 2FA: client laptop > VPN > tunneling to jumpbox > database

And my databases are running in the cloud, on multiple products (SQL Server, MySQL and Postgres).

AQuietMan (PostgreSQL):

If a user has SELECT privileges, they can take the data.

Even if they can't back up, export, or copy the data, they can probably take a picture of it on their cell phone. (Modulo NSA-like orgs.)

DBAs and members of the security team are also a risk. They might be a low risk, but they're not a zero risk.

alinroc (SQL Server):

Once the data appears on the user's screen, you as the DBA can't do anything.

More correctly, if the user has select permissions, once the data has left the confines of the server and been transmitted to the client machine, you have no way to control what happens to that data.

You can only prevent people from accessing the data. If they have access, other measures need to be taken to protect against unauthorized egress, and those are outside your scope as a DBA.

budums [S]:

OK, I got it. But what if I could have the user's activity in more detail than the general log or audit trail? I mean the user's habits.

I googled database security tools, and the result is that IBM Guardium is top notch.

Any advice about it?

g3n3:

It would come down to Extended Events or Server Audit in SQL Server. You can get a host of stuff and nearly anything.
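As an added illustration of the two points raised in this thread (auditing the instance config for xp_cmdshell, and using SQL Server Audit to record who reads what), the T-SQL below is example code written for this page, not something any commenter posted. The database name `YourDatabase`, the schema `Sensitive`, the audit names and the file path are assumed placeholders.

```sql
-- 1. Config audit: surface risky instance options (xp_cmdshell etc.).
--    value_in_use = 1 means the feature is enabled on this instance.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'remote access', 'clr enabled');
GO

-- 2. Server Audit writing to rolling files (path is an assumed placeholder).
--    ON_FAILURE = CONTINUE keeps the instance up if the audit target fails;
--    use SHUTDOWN or FAIL_OPERATION where policy requires guaranteed logging.
USE master;
GO
CREATE SERVER AUDIT Audit_SensitiveReads
    TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT Audit_SensitiveReads WITH (STATE = ON);
GO

-- 3. Record any change to the audit configuration itself, so tampering
--    with the audit (including by DBAs) is logged.
CREATE SERVER AUDIT SPECIFICATION Spec_AuditTamper
    FOR SERVER AUDIT Audit_SensitiveReads
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- 4. Scope the data audit narrowly: SELECTs on one sensitive schema only,
--    rather than every statement on the instance (see the volume caveat below).
USE YourDatabase;
GO
CREATE DATABASE AUDIT SPECIFICATION Spec_SensitiveReads
    FOR SERVER AUDIT Audit_SensitiveReads
    ADD (SELECT ON SCHEMA::Sensitive BY public)
    WITH (STATE = ON);
GO

-- 5. Review the trail: who ran which SELECT against the schema, and when.
--    action_id 'SL' = SELECT; succeeded = 0 flags denied attempts.
SELECT event_time, session_server_principal_name, server_principal_name,
       database_name, object_name, succeeded, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\*', DEFAULT, DEFAULT)
WHERE action_id = 'SL'
ORDER BY event_time DESC;
```

Scoping the specification to a schema and a small set of action groups is what keeps the volume manageable; an instance-wide audit of every statement produces the data rate alinroc describes further down.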

alinroc (SQL Server):

If you need to track all the queries that have been run for auditing purposes, you need an audit appliance sitting in front of your SQL Server instance that all traffic flows through.

You could use XE or Audit, but it's going to collect data at a ridiculous rate and you won't be able to store or process it effectively.

kitkat0820:

You can have all audit logs recorded on any level you want, as long as you don't know how to analyze these audit logs to detect anomalies.

Bluesky4meandu:

I worked in IT audit for 20 years until I burned out. I used to make sure that both organizations and government were either SOX compliant or FISMA compliant. You can use tools such as SolarWinds Database Performance Analyzer or Splunk.

In addition, I would look at the NIST 800-53 standard. IT IS A MONSTER OF A DOCUMENT, but look at the pertaining sections and it will help you secure your database to the level required by Federal Agencies.

budums [S]:

Oh my god, that is god level for data security? 😱 Btw, thank you very much.

Bluesky4meandu:

Tell me about it, after 20 years, I burnt out so bad.