Q&A

The Database Admin's Security Burden

Security is everyone's job, but in a time when data is king, SQL Server admins play a more critical role than ever in their organizations' security postures.

INSIDE THE SESSION

What: SQL Server Security Ground to Cloud - A Workshop Audit

When: Nov. 20 at 8 - 9:15 a.m.

Who: Buck Woody, Applied Data Scientist, Azure Data Services Team, Microsoft

Why: "This unique session is an 'audit' of a full-day workshop, covering the basics of the computing security landscape, and the Data Professional's responsibilities within it."

Register to attend Live! 360, taking place Nov. 17-22 in Orlando, Fla. Save $300 when you register by the Early Bird deadline of Oct. 25!

How well do you know your SQL Server environment's security defenses? With data breaches dominating headlines, it's more important than ever for database admins to stay vigilant and proactive in the face of modern security threats. Sometimes, that calls for a full-blown security audit.

In his upcoming Live! 360 session titled "SQL Server Security Ground to Cloud," speaker Buck Woody will show DBAs how they can put their organizations' data through the security paces. An applied data scientist on Microsoft's Azure Data Services team, Woody is all too familiar with the kinds of security pitfalls that DBAs frequently fall prey to. The good news is that he knows how to climb out of them.

Ahead of his session, Woody answered some of our questions about the role DBAs play in cybersecurity today.

Redmondmag: How has the security burden on DBAs changed in the last couple of years, given how much and how quickly the technology landscape has changed?
Woody: As I look back over my 40-plus years in data, it actually has changed back. I used to be the administrator for a "hardened" Oracle database running on an HP-7000 system. Back then, security was squarely in the DBA's purview, since I actually owned the whole classified system. Users accessed the database directly, so it was up to me to ensure the highest level of data classifications and access.

Now that the industry has matured, like any industry, we have specialized. The data professionals have often been allowed to relax a bit on the security side of things. And of course, the security footprint in the cloud is so much larger and interconnected than it was on-premises.

But we have swung back now to the data professional being asked to know a lot more about security. That's why I built this course, and the session that covers it.

In general, how good are organizations at remembering to prioritize SQL Server security? How can they be better at prioritizing it?
I would say not very good -- until there is a breach. Then, leadership often expects that it was always handled.

I think the best way for data professionals to assist their organization in doing better on security is to explain what the risks are, and the impact of those risks. 

How different are on-prem SQL Server and Azure SQL when it comes to recommended security approaches?
In general, very similar, in terms of surface area, access level, granularity. In practice, any cloud provider's security environment is going to be so much more complex.

Microsoft is consistently pushing organizations to adopt zero trust security practices wherever they can. How does zero trust apply to database security?
It's actually a great way to think about it -- and the database engines have had this idea for a long time. From object access down to row- and column-level security, we check at each point for rights and permissions.

What tools and resources would you recommend for organizations looking to stay on top of SQL Server security trends, emerging threats, etc.?
So many -- from Microsoft Learn to conferences like Live! 360 and many more. I'll point out the Azure Security Center as a great place to get started.

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.
