Webcast Recording – Building a Proper SQL Server DB Security Model

The recording for my presentation on Building a Proper SQL Server DB Security Model is now available. It’s right at an hour long. In it I present a framework for building your own model from scratch, as well as a short portion on how to handle third-party solutions.

Registration (free) for Building a Proper SQL Server DB Security Model recording

Webinar – Building a Proper SQL Server Database Security Model

Tomorrow, March 9, 2020, at 3 PM EST, I will be giving a presentation on how to build a database security model in SQL Server. We’ll primarily focus on the case where you’re developing a homegrown application/system: what rules you should follow, and a framework which helps reduce the security complexity. However, we’ll also cover at the end what you can do about 3rd party products. Even there, the right approach sometimes pays dividends. If you’re interested, here’s the webinar information:

MSSQLTips – Building a Proper SQL Server Database Security Model Registration Page

Here’s the description:

You’ve been asked to assist with designing or improving the security model for a SQL Server database. How do you go about doing this? What are the things you should look at? What can make a tangible difference?

In this webinar we’ll look at the two paths for securing a database: a home-grown application versus supporting the database for a third-party application.

We’ll first walk through the home-grown application where we are designing the database from scratch. In this design phase we’ll talk through the important features SQL Server gives us which allow us to build the security model we need. Then, with an understanding of those features, we’ll look at how to apply those design principles to existing databases, whether they are home-grown and already deployed or belong to third-party applications. As part of considering that third-party application scenario, we’ll also talk about the options your organization has based on actual practice.

In both paths we’ll focus on the Principle of Least Privilege while attempting to keep the security model as simple as possible. In addition, we’ll talk about what you can do to protect sensitive or PII data, whether through permissions, encryption, or a combination of both.

[Coping] Hidden Wounds

Through high school and college, I carried deep wounds due to what was going on at home. Only a handful of people outside of my family knew what was happening. I didn’t want to share what was occurring for a number of reasons: thinking about it brought more pain, it was deeply embarrassing, and I partially blamed myself even though logically I knew I had no part in causing those wounds.

We’ve had almost a full year of dealing with COVID as it exploded in the world. Many of us know at least one person who has passed because of this disease. Here in the USA there has been tremendous social unrest and unprecedented political turmoil. There are a lot of wounds being taken, some of them deep. Most all of them are hidden.

And that’s the problem. When we know a co-worker’s parent passed away, for instance, we expect them to have periods where they aren’t their normal selves. If the death was unexpected, even more so. But with hidden wounds, someone may act in a manner that is aggressive, uncooperative, or belligerent, seemingly without cause. Perhaps they seem extremely pompous or arrogant. Or they may act burnt out or disinterested. There are other behaviors, but those were the ones I exhibited the most when I was there. It’s a dark, dark place, especially if you don’t have any idea of how to begin healing.

If we knew someone was hurting and they acted in any of these ways, we’d likely respond in a compassionate and understanding way. Or at least, we’d hope to be the type of person who does. But if the wounds are hidden, we don’t know. Likely until the person is either forced to reveal the wounds or they begin healing and can speak about them, we won’t know. Even in cases where it would seem that a person has to say something about what’s hurting them, they may not. In fact, they might sabotage further. I know. I did. Repeatedly.

So how do you deal with people who may be carrying hidden wounds? The people who helped me the most were the ones whose default behavior was compassion and understanding. They didn’t assume anything. That’s the way they were. They knew some folks were hurting. They knew some folks were just jerks or didn’t care. Either way, they were committed to act the way they did consistently towards everyone.

One could say let a person’s actions over time be the deciding factor. But the problem with that is how long the person could be taking wounds and then how long it takes to heal after that. There was a strong five year period where I suffered those deep wounds I kept hidden. But it was about 10 years later before I finally began to heal. Key word: began. It was years later before I had better acceptance and control over what I went through. In total, 20+ years.

So as you are coping, remember there are others who are coping, too. If you have hidden wounds, you understand how hard it can be to share what’s hurting. And also how hard it can be to control your emotions and behavior when that pain flares. Recognize that others may be, and likely are, dealing with hidden wounds, too. Respond to them how you would want to be treated, too. That may be what starts or accelerates your healing process. It was for me.

[Coping] Dum Spiro Spero

Dum Spiro Spero – “While I breathe, I hope.”

Because it’s the motto for South Carolina, it’s on the state seal. As a result, it is part of The Citadel’s hat brass. As a knob I shined at least 3 different pieces of hat brass every day. And every day I saw that motto.

The South Carolina Governor’s School for Science and Mathematics and The Citadel, the Military College of South Carolina, are both difficult places by design. How they are difficult is different: SCGSSM is academic and The Citadel is military. My time at both was harder because of things going on out of my control outside of school that deeply impacted me. Only a handful of people were aware of it all. I am grateful for them.

During that time, I never lost hope. Maybe it was the motto. Maybe it was that I was too stubborn to give up. But the motto is one to take to heart. While we have breath, we can still see things change for the better. While we breathe, we can be a part of that change. Don’t let the current situations around you discourage you to the point of giving up or believing there’s nothing you can do. You can, as long as you don’t give up hope.

[Coping] The Five Minute Journal

Reading Steve Jones’ posts about daily coping and seeing how it has affected me in a positive way, I’ve decided to share some of the things I’ve done to try and not let the negativity of our current circumstances and politics overwhelm me.

One of the easiest things I’ve found thus far is the Five Minute Journal. Never heard of it? Here’s a short video (less than 2 minutes) that describes what it’s about:

At the start and end of your day, you respond to the same questions. They focus you on gratitude, on envisioning what would make for a great day, what went well, and what you would do differently. Short and sweet, it doesn’t take any longer than five minutes on a daily basis. Overall, it has changed my perspective to be more positive.

There is also a weekly assignment for you to do. By design, you won’t always encounter it on the same day of the week. The assignments aren’t hard. They are rewarding. They fit with the overall theme and purpose of the Five Minute Journal.

Now, before starting there is about a 10-15 minute period to read through how to best utilize the journal. That time is spent learning how the process works, a summary of the research which led to the development of the journal, and how you’ll use it each morning and evening. It’s a small investment and will set you on the path to making the most of the journal. Also, there’s a commitment where you specify a penalty and a reward for a goal: to complete five straight days of filling out the journal. That helps get you started.

Webcast – Principles of Data Modeling

Tomorrow, June 11, 2020, at 3 PM Eastern I’m giving a webcast on the Principles of Data Modeling.

Sign up link: https://www.mssqltips.com/sql-server-webcast-signup/?id=822

Here’s what we’ll be covering:

You’ve been tasked with coming up with a data model for a system. Where do you start? What do you need to know? What should you expect from a solid data model?

In this webinar we’ll look at:

  • The process of converting ideas and concepts into data structures.
  • What normalization is and why we use it.
  • How to move from the logical model to the physical model.
  • What specifically to consider when implementing a physical data model on SQL Server.

Armed with this information, you’ll be able to start the process of creating a data model or tweaking an existing data model. You’ll also have some areas to look for within SQL Server when a database with an implemented data model isn’t performing well.

Watch out for your own confirmation bias

First, a true story:

I was a senior in high school, applying for college. One of the colleges I applied for was the Naval Academy. As part of the process, the Navy sent a Blue and Gold Officer (BGO) to interview me and answer any questions that I might have. As the interview proceeded, the BGO learned my father was a Marine avionics chief. He learned that I had a lifelong fascination with aircraft. He also learned that I wanted to be an aerospace engineer. This interview happened as the market plummeted in the military aerospace industry. What he said next surprised me.

“You can be a test pilot!” he exclaimed.

At that time, my left eye was 20/100 with astigmatism. Pilot slots were hard to come by. Getting one as a newly commissioned officer meant you had to have at least 20/20 vision in both eyes. I was already having to go through a medical waiver process to be accepted into Annapolis because of my left eye. Therefore, I knew what he told me wasn’t true. I had done the research. I knew the numbers. I knew that I couldn’t be a test pilot. However, he continued on that thread for about five minutes, telling me that it was possible. I really wanted to believe what he told me.

I didn’t. However, the temptation to believe him was strong. In the end, it didn’t matter. I was accepted to the US Naval Academy (USNA). I chose to go to The Citadel instead. The Citadel was the correct path for me. My conversation with the BGO didn’t sway me to attend USNA. However, if I had let my confirmation bias win, I would have. I would also have chosen the wrong path.

As I see the latest news stories roll out, I see a lot of messages, each targeted to one side or the other of a particular issue. It has become particularly easy to find a message that agrees with one’s position, given by someone who looks to have enough valid credentials. It’s amazing how many times I see the same message reposted on social media as “the truth of the matter.” In reality, the majority of these aren’t the “truth, the whole truth, and nothing but the truth.” There’s often a lot of opinion presented as facts. There are too many cases where key facts that are in conflict with the position are not disclosed. Context is often shaped to promote the “truth” of the message. I’ve seen this regardless of issue and/or side. Why do these stories, clips, and talking points keep getting posted? The answer is simple: confirmation bias.

Confirmation bias can get all of us. We like hearing messages that reinforce what we believe. We like being told that we are correct. Therefore, it’s easy to give in to confirmation bias. Resist that temptation. Spend some time digging a little deeper. Find messages which disagree with the position you think is correct. See if anything presented in those messages is factual and, if so, whether any of those facts contradict the position you agree with. Likely you’ll see that the truth is somewhere in the middle between the two opposing positions. Oh, and this doesn’t just apply to social media. We have the same issue wherever we have passionate, committed people: such as in information technology.

New Webinar with Kevin Kline: Learning from Data Breaches, a Deeper Dive

I’ve done a follow-on to my webinar with Kevin Kline on Learning from Data Breaches. Here we’ll talk about some specific technologies that come out of the box with SQL Server that you can use, especially to audit activity. A lot of times, detecting the adversary is the hardest step. That’s what this webinar focuses on.

This is scheduled for tomorrow, May 13th, at 11:00 AM Eastern.

Information Link (and registration): https://info.sentryone.com/webinar-learning-from-data-breaches-deeper-dive


New Article: Understanding SQL Server Ownership Chaining

Back in January I gave a presentation to a small group of folks on foundational SQL Server security items. The last thing I covered was the concept of ownership chaining. I was surprised that most in the room weren’t familiar with it and how it worked. That led me to write the following article at MSSQLTips.com:

Understanding SQL Server Ownership Chaining

I’m working on the follow-on article now, which gives practical uses for ownership chaining scenarios. That will hopefully be completed and posted soon.
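As an added illustration of the least-privilege approach from the security-model webinar above and of the ownership chaining the article covers (example code written here, not taken from the article or the webinar), the following T-SQL shows an unbroken chain granting access through a procedure alone, a broken chain where a differently owned object forces a permission check, and a catalog query to verify who owns what. It assumes a scratch SQL Server database where you run as dbo; every object and principal name in it is invented.

```sql
-- Constructed example (not from the MSSQLTips article): ownership chaining as a
-- least-privilege pattern. Assumes a scratch database and that you run this as dbo.
CREATE TABLE dbo.Customer (CustomerId int PRIMARY KEY, Email nvarchar(256) NOT NULL);
INSERT INTO dbo.Customer VALUES (1, N'a@example.com'), (2, N'b@example.com');
GO
-- Same schema, same owner (dbo) as the table: this procedure starts an unbroken chain.
CREATE PROCEDURE dbo.GetCustomerCount AS
    SELECT COUNT(*) AS CustomerCount FROM dbo.Customer;
GO
-- Least privilege: the application principal gets EXECUTE on the procedure, nothing on the table.
CREATE USER app_reader WITHOUT LOGIN;
GRANT EXECUTE ON dbo.GetCustomerCount TO app_reader;
GO
EXECUTE AS USER = 'app_reader';
EXEC dbo.GetCustomerCount;            -- succeeds: SELECT on dbo.Customer is never checked
BEGIN TRY
    SELECT TOP (1) Email FROM dbo.Customer;   -- direct access is still denied
END TRY
BEGIN CATCH
    PRINT 'Direct SELECT denied: ' + ERROR_MESSAGE();   -- Msg 229
END CATCH;
REVERT;
GO
-- Broken chain: a differently owned object makes SQL Server check the caller's own permission there.
CREATE USER other_owner WITHOUT LOGIN;
GO
CREATE SCHEMA audit AUTHORIZATION other_owner;
GO
CREATE TABLE audit.AccessLog (LoggedAt datetime2 NOT NULL DEFAULT SYSUTCDATETIME(), Actor sysname NOT NULL);
GO
CREATE PROCEDURE dbo.GetCustomerCountLogged AS
    INSERT INTO audit.AccessLog (Actor) VALUES (USER_NAME());   -- owner changes here
    SELECT COUNT(*) AS CustomerCount FROM dbo.Customer;
GO
GRANT EXECUTE ON dbo.GetCustomerCountLogged TO app_reader;
GO
EXECUTE AS USER = 'app_reader';
BEGIN TRY
    EXEC dbo.GetCustomerCountLogged;  -- fails: app_reader has no INSERT on audit.AccessLog
END TRY
BEGIN CATCH
    PRINT 'Logged variant denied: ' + ERROR_MESSAGE();
END CATCH;
REVERT;
GO
-- Verify the chain condition: a NULL principal_id on sys.objects means the object inherits its schema owner.
SELECT o.name, COALESCE(o.principal_id, s.principal_id) AS owner_principal_id
FROM sys.objects AS o JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE o.name IN (N'Customer', N'GetCustomerCount', N'AccessLog');
```

The last query is the check to run when reviewing a third-party schema: objects that report different owner_principal_id values will not chain, so callers need explicit permissions on them.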


Upcoming Webinar: Learning from Data Breaches

Recently I partnered up with Kevin Kline (SentryOne blog | twitter) and SentryOne to record a webinar on learning from data breaches. We start by talking about MITRE’s ATT&CK framework. Then we move into a selected set of data breaches, applying the ATT&CK framework to understand the basic tactics and techniques which were successful in each breach and what mitigation steps could have been taken to prevent the unintended access, or at least make it more difficult. This is the first of a two-part series, so this is an overview of what the issues were, what was done, and how generally accepted security best practices could have made a huge difference.

For the US, the initial presentation will be April 15 at 11:30 AM Eastern. For EMEA, it’ll be April 16 at 11:00 AM Central European Summer Time.

Registration Links:
