MSSQLTips Webcast on Security

On February 11, 2016, at 3 PM EST, I’ll be giving a security webinar for MSSQLTips. It’s titled Performing a SQL Server Security Risk Assessment. Here’s the abstract:

You have one or more SQL Servers and you want to assess the security of each. What’s a priority? What puts your organization at the greatest risk? What should you attack first?

In this presentation, we’ll look at how to do a security risk assessment of SQL Server. We’ll cover all the common big ticket items, the ones that could lead to a server breach, data loss, or a system becoming unavailable due to mismanagement. Also, we’ll discuss how to assess other items which you may find and how to rank and prioritize them. Armed with this information, you’ll be better equipped to provide a to do list to your management with justifications and relative impact for each proposed change.

If you’re interested in attending the webinar, it’s free but you’ll need to register.

Midlands PASS February 2016 Meeting

Midlands PASS has changed its meetings from the 2nd Thursday to the 2nd Tuesday of each month. This takes effect with this month’s meeting. We are still meeting at the same location in West Columbia, SC. However, the name of the organization has changed: Microstaff IT has become We Know IT!

For this month’s meeting on February 9th we are looking at improving queries. Here’s the abstract:

We want queries to run fast. The faster queries run, the less likely they are to get in the way of other queries (blocking). The faster queries run, the less likely they are to collide where one will have to be rolled back (deadlocking). And the faster queries run, the more queries we can pump through the system, thereby improving performance. In this presentation we’ll look at how the SQL Server query engine works: how it breaks down a query, how it uses indexes, and how it puts all this together to produce an execution plan. By understanding how the engine works, we’ll understand how to improve our queries.

If you can make it out, please RSVP so we’ll know how many refreshments to bring.

Midlands PASS Meeting: 2016 SQL Server Security Refresher

The Midlands PASS Chapter will hold its next meeting on January 14, 2016 at Microstaff IT. We start the meet and greet at 5:30 PM and the main topic usually kicks off around 6 PM.

2016 SQL Server Security Refresher

Midlands PASS Chapter’s annual SQL Server security refresher! This is an open-ended discussion hosted by Data Platform MVP and resident SQL Server security expert, Brian Kelley. Bring your scenarios and questions and we’ll work through the best ways to build security solutions for and using Microsoft SQL Server.

You can RSVP here so we know how much food and refreshments to bring.

Getting the Degree and Debt

Yesterday I said to just get the four year degree. It’s a checklist item and I’ve had several folks comment about how it is a limiting factor in job searches.

One of my friends asked an important question: should you go into debt to get that four year degree?

My initial thought is, “No.” If you’re already gainfully employed, not having the degree isn’t worth going into debt over. Avoiding debt is generally a good idea, as espoused in sites like Mr. Money Mustache. Stop and think about the fact that we’re complaining about crippling student loan debt here in the United States. Debt and having to pay interest on that debt hurts.

But what if your company reimburses? Should you put the course(s) on your credit card or get a second mortgage? The problem with depending on the reimbursement is it might not be there at the end or you may choose not to take the reimbursement. There’s a whole host of reasons why that I won’t get into here. So if it’s not there, you’re stuck with that debt. Better to save up and have the money to pay up front for the hours and if you can and choose to get the reimbursement, you’re in the clear (and can use that money to help with the next round of courses).

Get the Degree

Recently, a friend of mine with a lot of experience in her field was back on the job search. She is good at what she does, the local community (related to IT) knows she is a senior-level professional, but there was one big problem: she didn’t have a four year degree. As a result, there were some folks who wanted to hire her but couldn’t get past the mandatory HR checklist. She has a good job now, but her job search took longer than it should have because of that degree requirement. And it wasn’t that she didn’t have a degree at all. She had a two year degree. But the HR checklists all said, “Bachelor’s degree.”

I’ve asked a few other friends who don’t have four year degrees and their experience has been the same. Yes, they’ll eventually land a great job, but they’ve been turned down for opportunities because they don’t have a bachelor’s level degree. Keep in mind that rarely does the subject of the degree matter. I happen to have two technically related degrees: B.A. Mathematics and B.S. Physics. I don’t have a computer science degree. That has never come up as an issue. The fact that I have the four year degree is enough to check the check box and continue on. I know others who have a degree in music, in public administration, in elementary school education, and in other fields that aren’t “cousins” with computers. The subject hasn’t mattered. The fact that they had a four year degree did.

When it comes to who I work with, I don’t care if you have a degree. I care about whether or not you can do the job. Most IT pros I know feel the same way. However, we’re not the entry point in the hiring process. As a result, my perspective has changed on whether or not to get a degree. Before, I was of the opinion that if it’s meaningful to you, if you want to go into management, etc., then go ahead and get the degree. However, given my friend’s case, my opinion has changed to recommend folks get the four year degree, period.

The degree isn’t just about having better prospects on the job market. I know of specific cases where not having a degree meant a lower salary for excellent professionals, even architecture-caliber folks. Even if you’re gainfully employed now, you could be leaving money on the table by not having a four year degree. Yes, in my opinion this is unfair, but it’s the reality in a lot of organizations.

So should you try and get a computer science degree if you’re in the IT field? You’ll certainly pick up things you likely won’t come across in day-to-day work but which could influence things if you knew about them (like O(n) notation and algorithm analysis). However, whether or not you have a bachelor’s degree, any bachelor’s degree, is what is on the checklist the vast majority of the time. Therefore, get a degree in what you’re interested in (and what work will pay for, if you have that option and choose to take it), and get it done as quickly as possible. Simply get the checklist item out of the way. Hopefully, you’ll have fun and learn some interesting things along the way, but the main thing is to get the degree.

SQL Server Encryption Presentation on July 9, 2015

I will be giving a presentation on SQL Server Encryption through MSSQLTips. It’s at 3 PM EDT on July 9, 2015.

You can register through the MSSQLTips.com page for the webinar.

This sign-up page will allow you to sign up for multiple future webinars.

A rough outline of the presentation:

Data in the Database

  • The case for partial encryption (some data unencrypted)
  • The datatypes we use for encrypted data
  • The options available and who can see decrypted data
  • How we use SQL Server’s built-in functionality
  • Addressing Performance Issues

Encrypting the Whole Database (Transparent Data Encryption)

  • How it works
  • What you need to make it work
  • How do you handle recovery / disaster recovery

Encrypting Backups

  • Don’t wait until after it’s written to disk
  • TDE to the rescue
  • Encrypted backups in SQL Server 2014
  • Don’t reject 3rd party products

Encrypting Connections to SQL Server

  • The options
  • What about POODLE?
  • What about IPSEC?

Speaking at Charlotte BI Group Tomorrow

Tomorrow, Tuesday, April 7, 2015, I’ll be speaking at the Charlotte BI user group. The meeting starts at 5:30 PM.

Here’s the info:

RSVP Link

Topic: Securing the ETL Pipeline

We’re going to look at typical ETL (Extract, Transform, Load) pipelines and consider the weak points an attacker might go after. Our goal in this isn’t to cause FUD (Fear, Uncertainty, and Doubt), but to discuss risks at each point, options for protecting the vulnerability, and what we’ve seen typically done (if anything). While this talk primarily focuses on Microsoft SQL Server, especially the database engine and SSIS, many of the points covered will be applicable to any solution set.

Location: 8055 Microsoft Way, Charlotte NC 28273
