The Three A’s: Authentication

When I start talking with folks about security, one of the areas of confusion I often find has to do with the three A’s of security. Specifically, the difference between the first two: authentication and authorization. Let’s look at the first today. 

Authentication is simply proving who you are. With authentication we are confirming identity. We are not worried about permissions. That’s authorization and that’s separate from authentication. 

The traditional way we authenticate in the computer world is by specifying a username and password. However, because anyone can grab and store a password, we often rely on multi-factor solutions to prove identity. The traditional way to think of multi-factor is two or more of the following:

  • What you have
  • What you know
  • What you are

For instance, you enter a password, what you know, and then a pseudo-random series of letters and numbers either generated by an application, fob, or read from a grid card, which is what you have. 

There are other means by which we authenticate. For instance, the Kerberos security protocol uses a trusted 3rd party, in the Windows world that’s an Active Directory domain controller, to attest to the identity of both the client and the server. Client and server certificates work similarly, with a trusted 3rd party providing some measure of identity verification. 

To close, nothing thus far is about determining what you are allowed to do. Authentication is simply about proving identity. Permissions have nothing to do with authentication. Authentication is when you prove you are who you say you are, whether you are a person, a user account, a service, a computer, or a web site. 

#SQLChat on Performance Issues

Twitter can often be a great source of information for the SQL Community, especially with the #SQLHelp hashtag. Another resource that not everyone is familiar with is #SQLChat, which Idera runs periodically. There are moderators that helps keep things going, including at least one person from the SQL Server community, but otherwise it’s open to anyone on Twitter to participate. Just keep an eye on #SQLChat or @Idera_Software during the time one is going on.

The next #SQLChat is Wednesday, June 28, at 12 PM EDT. It’ll be covering performance issues. Each #SQLChat has its target and the moderator will ask a series of questions which folks are able to respond to. These usually result in a chain of questions and answers which are highly educational for those following along. Given that performance is always a big deal, the next #SQLChat is definitely one to put on your calendar and follow when it occurs.

If you happen to miss a #SQLChat, remember, it’s a series of tweets. You can search for those tweets after the fact, either by looking for #SQLChat or viewing the tweets & retweets of @Idera_Software. Therefore, you can still glean knowledge from this community event even if you have a conflict and can’t participate (or forget about it until after it happens).

PASS Security VC Presentation – The Dirty Business of Auditing

On Thursday, June 22, at 1 PM EDT / 10 AM PDT, I’ll be presenting for the PASS Security Virtual Chapter.

Registration Link

Here’s what I’ll be speaking on:

The Dirty Business of Auditing

Auditing is often a dirty word among DBAs because it equates to more work with little perceived business value. However, auditing is a necessary evil for most businesses and it usually falls to the DBA to ensure SQL Server is properly audited. In this session we’ll look at what the operating system and SQL Server provide for us in order to meet the requirements of internal and external auditors, regulatory legislation, and even overbearing system owners who want to know everything about what’s going on in their application. We’ll consider what tools to use to quickly implement the properly level of auditing to meet the need.

Speaking at Charleston PASS on May 18, 2017

During the day of the 18th I’ll be at the Syntax Code and Craft Conference in Charleston, SC. That evening I’m stopping by Charleston PASS to visit and give a presentation.

Register for Charleston PASS’ May 18th Meeting

I’m stepping away from my comfort zone of security and presenting on an important topic I see getting less and less attention nowadays: data modeling.


Introduction to Data Modeling

Improperly built bridges and buildings fail and collapse. Improperly built database do, too. Unfortunately, database design is becoming a lost art, leading to issues with both performance and data integrity. In this presentation we’ll look at the keys to proper database design. We’ll start with requirements gathering. Then we’ll tackle the logical design of the database. We’ll consider entities, domains, relationships, and proper normalization. Finally, we’ll move on to discussing how to implement our design, specifically using SQL Server.


I hope to see you there!

Slides from 24 Hours of PASS – Data Security

As promised, here are my slides from the 24 Hours of PASS on Data Security:

S1 – Brian Kelley_WhatYouAbsolutelyMustKnowAboutSQLServerSecurity (.pptx – 733 KB)

S7 – Brian Kelley_ProtectingDataAcrossTheEnvironment (.pptx – 1.3 MB)

Thanks for those who attended!

Slides from SSWUG 2017 Spring Virtual Conference

As promised, here are the slides for my two presentations from SSWUG’s 2017 Spring Virtual Conference:

SSWUG_Spring_Building an Auditing Framework for SQL Server (.pptx – 152 KB)

SSWUG Spring Performing a SQL Server Security Risk Assessment (.pptx – 265 KB)

Thanks to those who attended!

Additional Presentation at 24 Hours of PASS

I’ve had another presentation added for the 24 Hours of PASS; this one is the first session of the line-up, 12:00 GMT on May 3, 2017. You can register for this session and any of the others at the registration link.

Here are the details about the added presentation:

What You Absolutely Must Know about SQL Server Security

There are so many security tips out there for SQL Server. Almost all of them are rated as a best practice. What do you listen to? What do you focus on? In this session we’ll break down what you absolutely must know about securing SQL Server. We’ll look at the things to look for within SQL Server, including some of the nooks and crannies an attacker might use but what are rarely audited. You’ll leave with a checklist of what to investigate on your own systems.

Previous Older Entries