
Tag Archives: Security

How Ubiq Security uses APIs to simplify data protection

November 28, 2020   Big Data

As cyberthreats continue to multiply, startups with tools to protect data are in high demand. But companies are now facing the growing complexity of managing security across their various data sources.

San Diego-based Ubiq Security believes APIs could play a key role in simplifying this task. The company hopes to encourage more developers and enterprises to build security directly into applications rather than looking for other services to plug the holes.

“How do you take the messy and complicated world of encryption and distill it down to a consumable, bite-sized chunk?” Ubiq CEO Wias Issa asked. “We built an entirely API-based platform that enables any developer of any skill set to be able to integrate encryption directly into an application without having any prior cryptography experience.”

Issa is a security veteran and said companies have generally been focused on security for their data storage systems. When they start layering applications on top, many developers find they haven’t built security into those products. In addition, the underlying storage is becoming a thicket of legacy and cloud-based solutions.

“You could have an Oracle database, an SQL Server, AWS storage, and then a Snowflake data warehouse,” Issa said. “You’ve got to go buy five or six different tools to do encryption on each one of those because they’re all structured differently.”

Even when encryption is included in the application, it can be poorly designed. Issa said cryptographic errors have typically been among the top three vulnerabilities in software applications over the past decade.

“When you’re a developer in 2020, you’re expected to know multiple languages, do front end, back end, full-stack development,” Issa said. “And on top of that, someone comes along and says, ‘Hey, can you do cryptography?’ And so the developer thinks, ‘How do I just get past this so I can go back to building a fantastic product and focusing on my day job?’ So key management is an area where developers either don’t understand it or don’t want to deal with it because it’s so complicated and so burdensome and, frankly, it’s very expensive to do.”

To cut through those challenges, Ubiq’s API-based developer platform lets developers simply include three lines of code that make two API calls. By handling encryption at the application layer with an API, the security works across all underlying storage systems as well.

“The application will handle all the encryption and decryption and simply hand the data in an encrypted state to the storage layer,” Issa said. “That allows them to not only have a better security posture but improve their threat model and reduce the overall time it takes to roll out an encryption plan.”

Customers can then use a dashboard to monitor their encryption and adjust policies without having to update code or even know the developer jargon. This, in turn, simplifies the management of encryption keys.

Lessons from the government

Among its more notable customers, Ubiq announced this year that it had signed deals with the United States Army and the U.S. Department of Homeland Security. While government buyers have their particular issues, in this case the military and civilian systems faced many of the same obstacles large enterprises encounter.

“The government is struggling with digital transformation,” Issa said. “They’re stuck on all these legacy systems, and they’re not able to innovate as fast as the adversaries. So you’re seeing the likes of Iran and Syria and China and Russia and other Eastern Bloc countries start to build these offensive cyber capabilities. All you need is an internet connection, a bunch of skilled, dedicated resources, and now an entire country’s military cyber capability can rapidly grow. We don’t want that to outpace the United States.”

Part of the obstacle here is systems that run across tangled legacy and cloud infrastructure and mix structured and unstructured data and a wide range of coding languages. While there have been big gains in terms of protecting the underlying storage, Issa said attackers have increasingly focused on vulnerabilities in the applications.

“Encryption is something that everybody knows they need to do, but applying it without tripping over yourself is hard to do,” Issa said. “They turned to us because they’ve got all these disparate data types and they have all these unique types of storage. The problem is how to apply a uniform encryption strategy across all those diverse datasets.”

Issa said the emergence of the API economy has made such solutions far more accepted among big enterprises. They see APIs in general as a faster, more efficient way to build in functionality. Issa said applying that philosophy to security seemed like a natural evolution that not only eases the task but improves overall security.

“One of the other traditional challenges with encryption is when you deploy it somewhere and it breaks something,” he said. “And then you can’t deploy it in some sectors because the system is old. So you just apply it in two areas and then realize you’ve only applied encryption to 30% of your infrastructure. We enable a much more uniform approach.”

Ubiq got a boost earlier this month with a $6.4 million seed round. Okapi Venture Capital led the round, which included investment from TenOneTen Ventures, Cove Fund, DLA Piper Venture, Volta Global, and Alexandria Venture Investments. Ubiq plans to use the money for product development, building relationships with developers, and marketing.

“Our core focus is going to be on growing the platform, getting customer input, and making sure that we’re making the changes that our customers are asking for so we can run a very resilient, useful platform,” he said.

Big Data – VentureBeat

DocuSign integration with SharePoint Security Sync for Dynamics 365 CRM

November 20, 2020   CRM News and Info


SharePoint Security Sync – one of our Preferred Apps on Microsoft AppSource – is a comprehensive solution for integrating Dynamics 365 CRM / Power Apps with SharePoint for document management. With its latest feature, SharePoint Security Sync has added yet another feather to its cap and is on its way to becoming one of the finest apps for managing and securing confidential data in SharePoint from within Dynamics 365 CRM.

So, what is this latest feature all about? (You can get a quick glimpse of it in our teaser video.)

With this new feature of SharePoint Security Sync, you can now use DocuSign to electronically sign Dynamics 365 CRM documents stored in SharePoint. DocuSign is a popular eSignature app, and most of you are probably already using it for your day-to-day business transactions. With the SharePoint Security Sync and DocuSign integration, you can use DocuSign features from our user-friendly UI to sign contracts/agreements stored in SharePoint sites without having to navigate from one UI to another.

Now, let’s see how you will benefit from using this feature in your day-to-day business activities.

Suppose you have both SharePoint Security Sync and DocuSign installed in your CRM. To activate this feature, all you have to do is check the field named ‘Enable DocuSign Integration’ while creating a new connector configuration in SharePoint Security Sync for your CRM.


Once you have enabled this option, a DocuSign button will be displayed on our user-friendly UI for your ready use. Just select the document and click the ‘DocuSign’ button to sign it or send it to the customer for signature. Once you click the button, you will get two options – Get Signature and Sign Document.


Choose either option and you will then be directed to the DocuSign UI, where you can make use of all DocuSign features.


Quite a handy feature, isn’t it?

You can now complete your daily activities pertaining to signing documents/agreements for contract renewals or closing business deals easily, with just a few clicks.

No more navigating from one UI to another!

Everything is now available for you at our UI for your ready use.

So, wait no more! Grab this opportunity to download and explore this latest feature of SharePoint Security Sync from our website or Microsoft AppSource for a trial period of 15 days.

Also, have a quick glance at our popular document management app for Dynamics 365 CRM/Power Apps – Attach2Dynamics – which currently supports Dropbox, SharePoint, and Azure Blob Storage.

For any of your document management requirements, feel free to contact us at crm@inogic.com

Until then – Stay Safe, Stay Healthy!

CRM Software Blog | Dynamics 365

DBA in training: Security

October 18, 2020   BI News and Info

The series so far:

  1. DBA in training: So, you want to be a DBA…
  2. DBA in training: Preparing for interviews
  3. DBA in training: Know your environment(s)
  4. DBA in training: Security

By this time, we have discussed the importance of understanding your environment. You should have an idea of which databases support what applications, the SQL Server versions they run on, and the relative importance of each database and instance to the business.

Now, let’s talk about protecting the company from losing data due to security flaws.

Database security is a sub-specialty in and of itself, and you can read in-depth work by people like Denny Cherry, Robert Sheldon, Chip Andrews and numerous blogs. This will be a general discussion to help you get started. To begin the journey of a thousand miles, though, I will give you the first steps, and let you refer to the experts to address your individual needs. I’ll start with the mile-high view and work my way down, which should help you to provide the best measure of protection to your environments.

Physical security: Who can walk in the door?

Start with your physical security. Who has access to your physical servers or data centers? You need this list, and you want it to be as small as humanly possible. If there is no list, make one! Be sure to put policies in place to review this list on a semi-annual basis, and to review procedures for monitoring and auditing physical server/data center access. You should know who was in your server room, when and why. If your physical security is ever breached, your monitoring and auditing procedures will be instrumental in catching the culprit. Data is a company’s most valuable asset. This is worth the investment.

If you are completely in the cloud, you may think you are safe. You aren’t. Even if your servers are not physically accessible, it doesn’t mean they cannot be accessed. Whatever your physical setup, you should at least do an annual (unannounced!) penetration test to see just how physically secure your company is. A good “pen tester” is worth every penny, because they will show you where the holes are in your security, giving you time to fix them before trouble really hits. You may think, “But I have a small company, where everyone knows everyone! What good will that do?” You will probably be very surprised. You can easily find stories of employees who, out of politeness, held a door open for the person who “just happened” to walk in behind them, thinking they were a new employee (or not noticing that they were unfamiliar at all). Other stories abound of employees who were careless about leaving their monitors unlocked or their badges unsecured at their desks. Perhaps you have heard the one about the person who kept the password to their computer on a Post-It on the monitor (or in their top desk drawer, etc.). Before you think it won’t happen to you, know that pen testers are very good at what they do; people are tricked all the time! So please make this an important line item on your list and do it at least yearly. People can become complacent over time with a false sense of security, so keeping awareness high is key.

Data file security: Who can get in your files?

Now that you are addressing your physical security, start thinking about the security of your data files. Your Infrastructure team may be handling this already. If so, it would be helpful to have an idea of what those measures are. At a minimum, it would be good to know who has access to your data and log files at any level – even if you have encrypted all of your data. What measures are in place to detect and alert you to unauthorized access into your data files? If you aren’t aware of any such measures, now would be the best time to work with Infrastructure to put those steps in place if possible.

What about backup files? Make sure that they are protected just as well as the data and log files. You also need to think about copies of production that might be made for development, QA, or testing. Are backups given to developers to restore on their laptops? To make sure that down-level copies of production are protected, think about using a tool like Redgate’s Data Masker to sanitize sensitive data.

You also want to know what measures are in place to protect against malware, bots and the like. If your company allows pretty much anyone to download anything they like, the risk these threats pose to your data is higher. The best hackers can get in and out with hardly a trace even under pretty stringent conditions, so don’t make it easier for them. Be the one to suggest some controls to keep at-risk software out of your corporate environment.

Keep your SQL Servers as current as possible

There is a very good chance that you will find a mixture of SQL Server instances where you work. This is usually due to what vendors will support for their applications. You ask the vendor whether you can upgrade the SQL Server instance or the compatibility level for their database, only to hear a flat-out “no”, or “If you do this, you do it at your own risk – we won’t support it.” Accepting defeat, you go on with life and pray they will be ready to upgrade their product soon. The only problem is that if you run into trouble with the instance and have to open a ticket with Microsoft, the first question from the support staff is going to be, “What version of SQL Server are you running?” If you are running an instance that is in support but not current, they will likely first tell you to patch your instance and bring it current. If an instance is out of support, you are on your own.

Worse, you are vulnerable.

A couple of years ago, the discovery of a pair of processor security bugs called Spectre/Meltdown set the IT world on fire. Microsoft quickly responded with patches – but the patches only went back to 2008. If you had a 2005 instance that was not running on Windows Server 2008 or later, you were out of luck. This situation strongly argues for isolating databases for older applications that will not support an upgrade – or for considering the possibility of a different product.

Keeping your patching as up to date as possible is one of the best things you can do to protect your servers. By saying that, I am not advocating to throw the patch on production the day after release. Start by waiting a week or so after the patch comes out to check for reported issues. If there are going to be problems, you should begin to hear about them online within that period, or you will see that Microsoft rolls out a new patch almost immediately. Then begin with a dev environment (after taking a server snapshot for rollback, if you can). See how things go for a week or so. Then patch test (if you have a test environment), and slowly move your way up. By the time you are ready for production, you will have a well-tested patch.

You might be wondering by now how to know when new patches are available. I like https://sqlserverupdates.com/ for this. The site does a great job getting you started with patching and answers some frequently asked questions. Try to build a patching schedule (at least four times a year) and ensure that you stick to it. Your servers will thank you.

If you happen to use SQL Monitor, you can also use the Estate pages to keep track of updates and the current version of all your SQL Server instances.


Server and database security

You have done what you can to keep the criminals out of your physical environment and your files. It is time to begin looking to your server and database security.

In SQL Server, you have logins and users. Logins are groups, service accounts or individuals who can get into your server. Users are groups, service accounts or individuals who can access one or more databases. One login can be mapped to more than one user name (one in each database it can reach), but it can have only one user name in any given database. This basic query will get you the login information on your servers:

SELECT *
FROM sys.server_principals;

Querying sys.database_principals in a database will show its users:

SELECT *
FROM sys.database_principals;

Just as you can have logins that can access the server and users that can access one or more databases, you also have server-level roles, which apply to the whole server, and database-level roles and permissions, which apply only to their specific databases. Permissions may be given through role membership or individually. For instance, to give someone a server-level role (use DROP MEMBER to take it away):

ALTER SERVER ROLE sysadmin
ADD MEMBER [login name here];   -- or DROP MEMBER [login name here]

To do a database-level role membership:

ALTER ROLE db_datareader
ADD MEMBER [user name here];    -- or DROP MEMBER [user name here]

Alternatively, to grant a specific permission (DENY and REVOKE follow the same pattern):

GRANT SELECT ON dbo.Table TO [user name here];

These operations can also be done easily through the GUI by going to the properties of a login or user, depending on your scope. Some DBAs prefer the GUI as it can help to reduce errors.

Granting permissions is easy. Keeping a tight lid on them is not so simple. You should regularly review who can do what on your servers. How often is a matter of how much time you have, but try to set a regular schedule if possible. Security monitoring and reporting (which we will discuss later on) can really help you here. Try to be one of the first to know if someone leaves the company, so that you can disable SQL Server access. This is not just a best practice, but also a practicality: disgruntled employees are responsible for some of the worst attacks, so staying on top of this could save you a very bad time later on.

Starting at the top: Do you know who has sysadmin on your servers? Whoever has sysadmin rights can do anything, including dropping databases and tables, among other disastrous things. These people could take the business down for a protracted length of time. There should be a documented list of who is in this server role and it should be very small, not to mention periodically reviewed.

Sysadmin may be the most dangerous permission, but it is not the only one. You want to know who has these, too:

  • serveradmin – Members of the serveradmin role can change your server configurations and shut it down.
  • securityadmin – Anyone in this role can assign most permissions and allow people on to your server in the first place.
  • processadmin – These guys can end anything running in SQL Server.
  • setupadmin – Members of setupadmin can spin up or remove linked servers with TSQL (but not using SSMS).
  • bulkadmin – Bulkadmins can bulk insert data.
  • diskadmin – Members of this role can manage your disk files.
  • dbcreator – Just what it says. Anyone in this role can create (but also alter or drop!) any database.
  • CONTROL SERVER – This is one level below sysadmin. There are some differences, but CONTROL SERVER encompasses all the roles listed above except for sysadmin.

Now, for the database-scoped roles:

  • db_owner – Can create and drop objects and change configuration and maintenance on the database.
  • db_securityadmin – Can modify custom role membership and manage permissions – including their own.
  • db_accessadmin – Can add/remove access for Windows and SQL Server logins/groups.
  • db_backupoperator – Can backup the database (possibly breaking your backup chains).
  • db_ddladmin – Can create objects (or remove them) in the database.
  • db_datawriter – Can INSERT, UPDATE or DELETE data in all user tables.
  • db_datareader – Can read anything in any user table.
  • db_denydatawriter – Cannot INSERT, UPDATE or DELETE data in any user table.
  • CONTROL DATABASE – Encompasses everything in the database roles above.

Note: Server and database roles are fixed by Microsoft and cannot be changed.

These roles apply to every database, but there are some roles that you will only find in the msdb database. The msdb is part of the system databases, which we will discuss in more depth in another article. The msdb controls all agent jobs and stores information on your backups, SQL Server Integration Services (SSIS), data collector, policy-based management and database mail information. The msdb is a unique database for this reason. Because of all of the things it stores and controls, msdb needs some special roles of its own:

  • db_ssisadmin – Can do anything to any package. Could possibly elevate their own permissions to sysadmin.
  • db_ssisltduser – Can enumerate all packages, but only view, execute, export, own or delete their own packages. May import packages.
  • db_ssisoperator – Can see, execute, export and enumerate all packages. Can execute any package in SQL Server Agent.
  • SQLAgentUserRole – Can create/modify/delete their own local jobs and schedules. They cannot control ownership, and their role does not extend beyond the server where their role membership exists. They can enable or disable their own jobs and schedules, and edit their properties, as well as execute, stop and start them. They cannot delete job history on their own jobs unless they are granted that permission.
  • SQLAgentReaderRole – Members of this role are also members of SQLAgentUserRole. They can create/modify/delete their own jobs and schedules, enable or disable them, edit their properties, and execute, stop and start them. They cannot delete job history on their own jobs unless they are granted that permission.
  • SQLAgentOperatorRole – Also a member of SQLAgentUserRole, the SQLAgentOperatorRole has all of the permissions of the User and Reader roles, and can also view properties for operators and proxies, and see available proxies and alerts. Members can start, stop or execute any local job, and they can delete the job history. They do not have access to the Error Logs.

Finding permissions

I may have frightened you enough by now that you do not even want to give db_datareader permissions. Good! There is a concept called the Principle of Least Privilege which (put succinctly) says not to give any more permissions than what is absolutely needed. So role membership should be sparing!

Now, you may be wondering: how do I find out what permissions everyone has? After all, permissions don’t (and shouldn’t) just come through role memberships, and you may be scaring yourself imagining what your users are doing in your databases – or worse, what they could do, without realizing the danger. For server-level roles, you can use this query from Books Online:

SELECT sys.server_role_members.role_principal_id,
    role.name AS RoleName,
    sys.server_role_members.member_principal_id,
    member.name AS MemberName
FROM sys.server_role_members
JOIN sys.server_principals AS role
ON sys.server_role_members.role_principal_id = role.principal_id
JOIN sys.server_principals AS member
ON sys.server_role_members.member_principal_id = member.principal_id;
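The role-membership query above cannot show a login that holds CONTROL SERVER (from the server-level list earlier), because that is an explicit permission rather than a role. The following review query is an added example, not part of the original article; it combines fixed-role membership with direct grants of CONTROL SERVER and a few other permissions I know exist (IMPERSONATE ANY LOGIN, ALTER ANY LOGIN, ALTER ANY SERVER ROLE) that are just as dangerous, and assumes it is run by a login allowed to read the server-level catalog views.

```sql
-- Added example: one server-level review covering both fixed-role membership
-- and the explicit high-impact permissions that a role-only query misses.
SELECT  m.name                      AS MemberName,
        m.type_desc                 AS MemberType,
        m.is_disabled               AS IsDisabled,
        r.name                      AS RoleName,
        CAST(NULL AS nvarchar(128)) AS PermissionName
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name IN ('sysadmin', 'serveradmin', 'securityadmin', 'processadmin',
                   'setupadmin', 'bulkadmin', 'diskadmin', 'dbcreator')
UNION ALL
-- Direct server-scoped grants: these never appear in sys.server_role_members.
SELECT  p.name,
        p.type_desc,
        p.is_disabled,
        NULL,
        sp.permission_name
FROM    sys.server_permissions AS sp
JOIN    sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE   sp.class_desc = 'SERVER'
  AND   sp.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
  AND   sp.permission_name IN ('CONTROL SERVER', 'IMPERSONATE ANY LOGIN',
                               'ALTER ANY LOGIN', 'ALTER ANY SERVER ROLE')
ORDER BY MemberName, RoleName, PermissionName;
```

Every row in the result belongs on the documented, periodically reviewed list the article asks for; a disabled login that still appears here is a cleanup item, not a safe one.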

For the database permissions and roles, I have a script that can help. It’s based on one that I found on Stack Overflow some time ago, but I modified it to look throughout an entire instance and to allow me to query it by database(s) or user(s). That way, you can get all the permissions on an instance (or database(s)) for a user or group. It will take you all the way down to the column level.

Now, here is the script. It is not fast, especially if you run it with the WHERE clause commented out. You’ve been warned.


IF OBJECT_ID('tempdb..#t') IS NOT NULL
    DROP TABLE #t;
CREATE TABLE #t
(
    DatabaseName sysname NULL
  , UserName sysname NULL
  , UserType NVARCHAR(MAX) NULL
  , DatabaseUserName sysname NULL
  , Role sysname NULL
  , PermissionType NVARCHAR(MAX) NULL
  , PermissionState NVARCHAR(MAX) NULL
  , ObjectType NVARCHAR(MAX) NULL
  , ObjectName NVARCHAR(MAX) NULL
  , ColumnName NVARCHAR(MAX) NULL
);
DECLARE @dbName sysname;
DECLARE @dbCursor CURSOR;
DECLARE @sql NVARCHAR(MAX);
-- Walk every online, writable user database (system databases and snapshots are skipped).
SET @dbCursor = CURSOR FOR
SELECT name
FROM sys.databases
WHERE source_database_id IS NULL
      AND database_id > 4
      AND is_read_only = 0
      AND state_desc = 'ONLINE'
ORDER BY name;
OPEN @dbCursor;
FETCH NEXT FROM @dbCursor
INTO @dbName;
WHILE (@@FETCH_STATUS = 0)
BEGIN
    -- The database name is bracket-quoted with QUOTENAME for USE and passed as a
    -- parameter for the literal, so an unusual name cannot break the dynamic batch.
    SET @sql = N'
   USE ' + QUOTENAME(@dbName) + N';
   INSERT INTO #t
   -- 1. Permissions granted directly to users (SQL users, Windows users, Windows groups)
   SELECT QUOTENAME(@dbName) AS DatabaseName,
      [UserName] = CASE princ.[type]
      WHEN ''S'' THEN princ.[name]
      WHEN ''U'' THEN ulogin.[name] COLLATE Latin1_General_CI_AI
      WHEN ''G'' THEN ulogin.[name] COLLATE Latin1_General_CI_AI
      WHEN ''R'' THEN ''Database Role''
      ELSE princ.[type]
      END,
      [UserType] = CASE princ.[type]
      WHEN ''S'' THEN ''SQL User''
      WHEN ''U'' THEN ''Windows User''
      WHEN ''G'' THEN ''Windows Group''
      WHEN ''R'' THEN ''Database Role''
      ELSE princ.[type]
      END,
      [DatabaseUserName] = princ.[name],
      [Role] = NULL,
      [PermissionType] = perm.[permission_name],
      [PermissionState] = perm.[state_desc],
      [ObjectType] = obj.type_desc,  --perm.[class_desc],
      [ObjectName] = OBJECT_NAME(perm.major_id),
      [ColumnName] = col.[name]
   FROM   sys.database_principals princ
   LEFT OUTER JOIN sys.login_token ulogin ON princ.[sid] = ulogin.[sid]
   LEFT OUTER JOIN sys.database_permissions perm
   ON perm.[grantee_principal_id] = princ.[principal_id]
   LEFT OUTER JOIN sys.columns col ON col.[object_id] = perm.major_id
      AND col.[column_id] = perm.[minor_id]
   LEFT OUTER JOIN sys.objects obj ON perm.[major_id] = obj.[object_id]
   WHERE   princ.[type] IN ( ''S'', ''U'', ''G'' )
   UNION
   -- 2. Permissions users inherit through database role membership
   SELECT    QUOTENAME(@dbName) AS DatabaseName,
      [UserName] = CASE memberprinc.[type]
      WHEN ''S'' THEN memberprinc.[name]
      WHEN ''U'' THEN ulogin.[name] COLLATE Latin1_General_CI_AI
      WHEN ''G'' THEN ulogin.[name] COLLATE Latin1_General_CI_AI
      END,
      [UserType] = CASE memberprinc.[type]
      WHEN ''S'' THEN ''SQL User''
      WHEN ''U'' THEN ''Windows User''
      WHEN ''G'' THEN ''Windows Group''
      WHEN ''R'' THEN ''Database Role''
      END,
      [DatabaseUserName] = memberprinc.[name],
      [Role] = roleprinc.[name],
      [PermissionType] = perm.[permission_name],
      [PermissionState] = perm.[state_desc],
      [ObjectType] = obj.type_desc,
      [ObjectName] = OBJECT_NAME(perm.major_id),
      [ColumnName] = col.[name]
   FROM   sys.database_role_members members
   INNER JOIN sys.database_principals roleprinc
   ON roleprinc.[principal_id] = members.[role_principal_id]
   INNER JOIN sys.database_principals memberprinc
   ON memberprinc.[principal_id] = members.[member_principal_id]
   LEFT OUTER JOIN sys.login_token ulogin
   ON memberprinc.[sid] = ulogin.[sid]
   LEFT OUTER JOIN sys.database_permissions perm
   ON perm.[grantee_principal_id] = roleprinc.[principal_id]
   LEFT OUTER JOIN sys.columns col ON col.[object_id] = perm.major_id
      AND col.[column_id] = perm.[minor_id]
   LEFT OUTER JOIN sys.objects obj ON perm.[major_id] = obj.[object_id]
   UNION
   -- 3. Permissions granted to the public role on user objects, which every user gets
   SELECT    QUOTENAME(@dbName) AS DatabaseName,
      [UserName] = ''{All Users}'',
      [UserType] = ''{All Users}'',
      [DatabaseUserName] = ''{All Users}'',
      [Role] = roleprinc.[name],
      [PermissionType] = perm.[permission_name],
      [PermissionState] = perm.[state_desc],
      [ObjectType] = obj.type_desc,  --perm.[class_desc],
      [ObjectName] = OBJECT_NAME(perm.major_id),
      [ColumnName] = col.[name]
   FROM   sys.database_principals roleprinc
   LEFT OUTER JOIN sys.database_permissions perm
   ON perm.[grantee_principal_id] = roleprinc.[principal_id]
   LEFT OUTER JOIN sys.columns col ON col.[object_id] = perm.major_id
      AND col.[column_id] = perm.[minor_id]
   INNER JOIN sys.objects obj ON obj.[object_id] = perm.[major_id]
   WHERE   roleprinc.[type] = ''R''
      AND   roleprinc.[name] = ''public''
      AND   obj.is_ms_shipped = 0';
    PRINT @sql;
    EXECUTE sp_executesql @sql, N'@dbName sysname', @dbName = @dbName;
    FETCH NEXT FROM @dbCursor
    INTO @dbName;
END;
CLOSE @dbCursor;
DEALLOCATE @dbCursor;
-- Report: uncomment / edit the WHERE clause to filter by database and/or user.
SELECT @@SERVERNAME AS ServerName
     , DatabaseName
     , UserName
     , UserType
     , DatabaseUserName
     , Role
     , PermissionType
     , PermissionState
     , ObjectType
     , ObjectName
     , ColumnName
FROM #t
WHERE
    --(DatabaseName = '[DatabaseNameHere]'
    --AND
    DatabaseUserName = 'UserNameHere'
    --OR (DatabaseName = '[DatabaseNameHere]'
    --AND DatabaseUserName LIKE '%UserName')
    --OR (DatabaseName = '[DatabaseNameHere]'
    --AND DatabaseUserName LIKE '%UserName')
    AND PermissionType <> 'CONNECT'
ORDER BY DatabaseName
       , DatabaseUserName;
REVERT;

If you want to get an overall picture of where things stand with all your databases, you might consider running this with the WHERE clause commented out, so you get everything. Between these two queries, you should begin to build a picture of who can do what.

The first thing you want to look for is sysadmin permissions. Whenever a user or an application insists that it needs sysadmin permissions, question it. Often, that is not the case. For instance, the account running the Agent jobs will need sysadmin. You as a DBA will sometimes need sysadmin (i.e., when working with replication, viewing error logs, reading audit logs in SSMS, etc.). Even then, you will want to restrict when you use those rights, so consider having an alternate account for yourself that has sysadmin for only those occasions, and give your regular account reduced permissions to allow you to do your everyday tasks. If nothing else, it will make you think about what you are doing when you use that sysadmin account and lessen the risk of you making a mistake. Try to narrow that sysadmin membership as low as you possibly can. I have spoken to DBAs who work at companies where everyone has sysadmin. That means every one of those people could, by either mistake or design, drop every table in the enterprise or mess the data up badly enough to bring the business to a halt. If that does not scare upper management, I don’t know what will.

Once you have reviewed the sysadmin membership list, look at the other server role permissions and narrow those down. Then go on to the database permissions. The ultimate goal is to classify your end users into logical groups and give each group only the permissions it needs, rather than assigning permissions individually. That way, if a person leaves or switches job positions in the company, they can be removed from or added to the groups they need without an audit of individual permissions. Keep records of your SQL Server users (including any linked server users and the distributor admin for replication) and their passwords securely stored, with access to them tightly controlled.

Depending on the state of your instances and databases, this step can take a good deal of time. Be patient – and persistent. Your data’s safety depends on you.

Be your authentic(ated) self

In a perfect world, you would only use Windows authentication on SQL Server. Using Windows authentication means that Windows verifies the user’s credentials in order to log into SQL Server. It is the safer way to go, and what you should do whenever possible.

If you are not there yet, then try to minimize the number of SQL Server accounts you have. Enforce your password policies when you make the accounts and make them change their passwords at least yearly if you can. Disable the sa user if at all possible.

Security monitoring

Now that you know who should be able to do what, think about how you will know if someone is trying to do something on your servers that they shouldn’t. What if a pen tester tried to get into one of your SQL Servers – would you know? Write jobs that look for failed logins and alert you regularly. I am a huge fan of Brent Ozar’s First Responder Kit. Among many other issues, it will catch elevated permissions and other security-related concerns and put them in a table for you to review. You can then report or alert on that data to help keep yourself on top of things.

If you are not ready or able to buy security monitoring tools, you might check out the EPM Framework. It is a free and easy way to set policies in SQL Server and ensure compliance. There is a good course on Pluralsight that will walk you through everything you need to know, should you have questions.

If you do have SQL Monitor in place, you can monitor when an account is added to sysadmin, failed login attempts, or anything you can think of with a custom metric.


Dangerous coding practices

Without proper precautions, some practices can undermine all the careful work you have done so far. While I do not recommend saying no to all of these out of hand, you should know the risks they can present and how to use them properly. This list is by no means comprehensive but should get you started.

Dynamic SQL

As a DBA, I have written a metric ton of dynamic SQL over the years. What is dynamic SQL? It is when you use a mixture of parameters and strings to construct and run a query. Sometimes, it is the best way to get things done. I happen to like it for optimizing some problem queries as well. You saw me use it in the query above to get all the permissions on an instance.

The risk here lies not in the use of dynamic SQL itself, but in using it wrong. What is the wrong way to write dynamic SQL? This can go off the rails in a few ways:

  • Using EXEC (string). This is only there for backward compatibility. Use EXECUTE sp_executesql instead. It can be much safer.
  • Using unparameterized statements.
  • Using dynamic SQL in ad-hoc statements.
  • Not reviewing code to find vulnerabilities.

Dynamic SQL needs to be tightly controlled: preferably it is executed by a login-less user with very tightly restricted permissions, and its parameters are sanitized with checks for things like semicolons, double dashes, asterisks, pound signs and keywords like DROP, DELETE, ALTER, TRUNCATE, GRANT, FROM, UPDATE, CREATE, etc.

Why? Two words. SQL Injection.

Unfortunately, if your company is hacked because of SQL injection, the hackers will not be the first to be blamed. You will. Spare yourself a bad day at the office. Erland Sommarskog and Bert Wagner have some great explanations and demos to share if you want to learn more.
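As an added example (not code from the article), here is the same lookup written the way the list above warns against, beside the parameterized form; the #Customer table, its rows and the search value are constructed for the demonstration.

```sql
SET NOCOUNT ON;

-- Constructed demo table; not part of any real database.
CREATE TABLE #Customer
(
    CustomerId int IDENTITY(1, 1) PRIMARY KEY,
    LastName   nvarchar(100) NOT NULL
);
INSERT INTO #Customer (LastName) VALUES (N'Smith'), (N'O''Brien'), (N'Jones');

-- A value that arrives from the application; it happens to contain an apostrophe.
DECLARE @search nvarchar(100) = N'O''Brien';

-- 1. The wrong way: the value is pasted into the statement text, so the engine
--    cannot tell data from code. Here the apostrophe ends the literal early and
--    the batch fails to parse; a value chosen on purpose would instead run as
--    part of the statement. EXEC (string) also offers no way to pass parameters.
DECLARE @unsafe nvarchar(max) =
    N'SELECT CustomerId, LastName FROM #Customer WHERE LastName = ''' + @search + N''';';
BEGIN TRY
    EXEC (@unsafe);
END TRY
BEGIN CATCH
    PRINT N'EXEC(string) failed: ' + ERROR_MESSAGE();
END CATCH;

-- 2. The right way: the statement text is fixed and the value travels as a typed
--    parameter. The apostrophe is just data, and the text that gets compiled is
--    the same no matter what the caller supplies (which also lets the plan be reused).
DECLARE @safe nvarchar(max) =
    N'SELECT CustomerId, LastName FROM #Customer WHERE LastName = @LastName;';
EXEC sys.sp_executesql
    @stmt     = @safe,
    @params   = N'@LastName nvarchar(100)',
    @LastName = @search;                 -- returns the single O'Brien row

-- 3. Identifiers (table, column, database names) cannot be parameters. When one
--    must be dynamic, check it against the catalog first and wrap it in QUOTENAME
--    so that it is always treated as a single delimited name.
DECLARE @tableName sysname = N'#Customer';
IF OBJECT_ID(N'tempdb..' + @tableName, N'U') IS NULL
BEGIN
    RAISERROR(N'Unknown table: %s', 16, 1, @tableName);
    RETURN;
END;
DECLARE @count nvarchar(max) =
    N'SELECT COUNT(*) AS RowsInTable FROM ' + QUOTENAME(@tableName) + N';';
EXEC sys.sp_executesql @count;           -- returns 3

DROP TABLE #Customer;
```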

xp_cmdshell

Think of granting access to xp_cmdshell as granting access to SQL Server’s OS. Unless there is a good reason to use it (and your security around it is good), this should be disabled in the configuration settings. However, this still requires monitoring (even after disabling). Steve Stedman has a good demo explaining how xp_cmdshell can still be used after disabling it and some preventative measures you can take to reduce your risks.

Remote queries

Any time you allow one SQL Server instance to query another one, you have opened a potential vulnerability for a hacker to jump servers. You may or may not be able to say no to this. If you cannot, ensure that your linked server security is as good and controlled as it can be, and that your network security is as solid as possible, making it as close to impossible for the black hats and the script kiddies as you can. Certainly, try to avoid allowing anyone to do anything but read across a linked server.

CLR

CLR stands for Common Language Runtime. CLR is a way to host .NET code in SQL Server. The possible danger is that it adds another vector into your instance, and you do not necessarily know what code is being executed. You will want to monitor for these (again, sp_Blitz will catch them) and check them to ensure they are expected (and performant).

User-owned schemas, jobs, databases (or anything)

SQL Server users shouldn’t own anything. They are there to work with data, not to own it. When the end-user inevitably leaves the company, at the very least, you won’t be able to drop their accounts until you fix this, but at worst, it gives them a level of access that they just do not need – and you don’t want. Make a low-privileged user without a login or a (disabled!) sa the owner of databases and database objects whenever you can. It’s also possible to rename the sa, disabled or not.

Auditing

SQL Server auditing has been available in all editions at the server level since 2012, and fine-grained auditing became available in all editions with the release of SQL Server 2016 SP1. Take advantage of this feature in SQL Server and keep those records so that you know who did what, when and why. They will be invaluable if something goes wrong, if you are asked who dropped that table, or if other mischief occurs. This article will walk you through it!
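An added example (not the article's code) that puts the monitoring advice from the Security monitoring section and the auditing advice above into one server audit: the server specification records failed logins and server role changes, the fine-grained database specification records schema changes and writes to one table, and the last query reads the audit files back for an Agent job to alert on. The audit names, the folder D:\SQLAudit\, the database [YourDatabase] and the table dbo.Customer are placeholders.

```sql
USE master;
GO

-- 1. The audit itself: where the records go. The folder is a placeholder and
--    must exist and be writable by the SQL Server service account.
CREATE SERVER AUDIT SecurityBaselineAudit
TO FILE
(
    FILEPATH = N'D:\SQLAudit\',
    MAXSIZE = 256 MB,
    MAX_ROLLOVER_FILES = 20
)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO

-- 2. Instance-level events: the things you want to know about, plus any
--    attempt to change the audit itself.
CREATE SERVER AUDIT SPECIFICATION SecurityBaselineServerSpec
FOR SERVER AUDIT SecurityBaselineAudit
    ADD (FAILED_LOGIN_GROUP),                -- every failed login
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),   -- someone added to sysadmin, etc.
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),     -- logins created, altered or dropped
    ADD (SERVER_PERMISSION_CHANGE_GROUP),    -- GRANT/DENY/REVOKE at server level
    ADD (AUDIT_CHANGE_GROUP)                 -- the audit being altered or disabled
WITH (STATE = ON);
GO

ALTER SERVER AUDIT SecurityBaselineAudit WITH (STATE = ON);
GO

-- 3. Fine-grained, database-level events. Replace the placeholder database
--    name and dbo.Customer with real objects before running this part.
USE [YourDatabase];
GO
CREATE DATABASE AUDIT SPECIFICATION SecurityBaselineDbSpec
FOR SERVER AUDIT SecurityBaselineAudit
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),        -- answers "who dropped that table?"
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP), -- db_owner and other role changes
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (UPDATE, DELETE ON OBJECT::dbo.Customer BY public)  -- one sensitive table
WITH (STATE = ON);
GO

-- 4. Reading it back. The specifications above already limit what is captured,
--    so put this in an Agent job and alert whenever it returns rows.
SELECT f.event_time,
       (SELECT TOP (1) a.name
        FROM sys.dm_audit_actions AS a
        WHERE a.action_id = f.action_id) AS action_name,
       f.succeeded,
       f.server_principal_name,
       f.target_server_principal_name,
       f.database_name,
       f.object_name,
       f.client_ip,
       f.statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT) AS f
WHERE f.event_time >= DATEADD(day, -1, SYSUTCDATETIME())   -- event_time is UTC
ORDER BY f.event_time DESC;
```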

Were you born in a barn? Shut the door!

How many times did you hear your mom or dad say that to you when you were a kid? They didn’t want flies in the house (and they certainly didn’t want the electric bill). Do not give the criminals more ways of getting in your servers than you must. Disable SQL Server browser (unless you have more than one instance on a server, in which case it must be on). Additionally, do not install every available feature when you install SQL Server – only put on what you need. You can go back and easily install other features such as Analysis Services or SSIS later, but there is no reason to have them on and to maintain them if no one is using them.

From a different perspective, if you have any individual permissions or users in your databases, you need to know when that person leaves the company, and have their access removed as soon as possible. This includes either disabling or – preferably – dropping the login and user. You have to do both. Dropping the login doesn’t drop the user from the databases; you are better off writing a script to drop the user where it exists in all the databases, then finally dropping the login. This is where you will be glad you didn’t allow users to own objects, because you won’t run into the “Cannot drop schema because it is being referenced by object”, “The database principal owns a schema in the database and cannot be dropped” and the “Login granted one or more permissions” messages that can be painful to unwind after the fact.
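An added example (not from the article) of the offboarding script described above: it looks up the login's SID, records anything the login still owns (databases, Agent jobs, and schemas or roles in each database) instead of failing on it, drops the matching user from every database it can, and drops the login only when nothing is left. The login name is a placeholder.

```sql
SET NOCOUNT ON;

DECLARE @LoginName sysname = N'DOMAIN\departed.user';   -- placeholder login
DECLARE @sid varbinary(85);
SELECT @sid = sid FROM sys.server_principals WHERE name = @LoginName;
IF @sid IS NULL
BEGIN
    RAISERROR(N'Login %s does not exist on this instance.', 16, 1, @LoginName);
    RETURN;
END;

-- Anything the login still owns has to be reassigned first; collect it here
-- rather than hitting the "owns a schema"/"cannot be dropped" errors one by one.
CREATE TABLE #Blockers (DatabaseName sysname NOT NULL, Reason nvarchar(400) NOT NULL);

INSERT INTO #Blockers (DatabaseName, Reason)
SELECT name, N'login owns this database (ALTER AUTHORIZATION needed)'
FROM sys.databases WHERE owner_sid = @sid;

INSERT INTO #Blockers (DatabaseName, Reason)
SELECT N'msdb', N'login owns Agent job ' + name
FROM msdb.dbo.sysjobs WHERE owner_sid = @sid;

-- Per-database work: find the user mapped to this SID (its name may differ
-- from the login name), note owned schemas and roles, drop the user if clean.
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE state_desc = N'ONLINE'
      AND is_read_only = 0
      AND HAS_DBACCESS(name) = 1
      AND (owner_sid IS NULL OR owner_sid <> @sid)  -- there the user is dbo; listed above
      AND name <> N'tempdb';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
DECLARE @uid int, @user sysname;
SELECT @uid = principal_id, @user = name FROM sys.database_principals WHERE sid = @sid;
IF @uid IS NOT NULL
BEGIN
    INSERT INTO #Blockers (DatabaseName, Reason)
    SELECT DB_NAME(), N''user '' + @user + N'' owns schema '' + s.name
    FROM sys.schemas AS s
    WHERE s.principal_id = @uid;

    INSERT INTO #Blockers (DatabaseName, Reason)
    SELECT DB_NAME(), N''user '' + @user + N'' owns role '' + r.name
    FROM sys.database_principals AS r
    WHERE r.type = ''R'' AND r.owning_principal_id = @uid;

    -- Any recorded blocker for this database (including an Agent job in msdb)
    -- skips the drop so the script never half-removes a principal.
    IF NOT EXISTS (SELECT 1 FROM #Blockers WHERE DatabaseName = DB_NAME())
    BEGIN
        DECLARE @drop nvarchar(300) = N''DROP USER '' + QUOTENAME(@user) + N'';'';
        EXEC sys.sp_executesql @drop;
        PRINT N''Dropped user '' + @user + N'' from '' + DB_NAME();
    END;
END;';
    -- The SID travels as a parameter; only the quoted database name is concatenated.
    EXEC sys.sp_executesql @sql, N'@sid varbinary(85)', @sid = @sid;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;

-- Drop the login only when nothing references it any more.
IF EXISTS (SELECT 1 FROM #Blockers)
BEGIN
    SELECT DatabaseName, Reason FROM #Blockers ORDER BY DatabaseName, Reason;
END
ELSE
BEGIN
    SET @sql = N'DROP LOGIN ' + QUOTENAME(@LoginName) + N';';
    EXEC sys.sp_executesql @sql;
    PRINT N'Dropped login ' + @LoginName;
END;

DROP TABLE #Blockers;
```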

What do I do if my company has a data breach?

What if, despite your best efforts, you find that there has been a data breach? As DBAs, we plan for backups to go bad, and we layer our backups to cover it. We plan for disaster recovery, and we have availability options to cover that scenario. Have you ever thought about what to do if you are hacked?

First, if there is not one already, collaborate with other teams to come up with a run book, just as you would for disaster recovery and start writing your steps down. If possible, a response team consisting of people from infrastructure or network services, the DBA team, and business management should spring into action if a suspected breach occurs. This same team should meet periodically to review security standards and practices, to identify holes and how best to fix them, and to ensure that your security is in line with best practices. The Federal Trade Commission has a good set of guidelines to help you get started with your run book. Have the names of some forensic investigators handy so that you can quickly contact them. You want to quickly stop the breach and prevent anything else from happening. Then you are going to be very thankful for all the auditing and monitoring you have set up because it will be vital information to help determine what happened, how it happened, and how to prevent it from happening again.

Conclusion

Believe it or not, this will only get you started. Your server security will never be perfectly where you want it to be. You will find it is an ongoing process – you will no sooner wind up one round of server hardening than new applications, or features come out, or new vulnerabilities are discovered, and you are starting all over again. This is one of the most important parts of the job, though – if the data is hacked or ransomed, it will either not be available, or it will be useless. This makes security worth every bit of time you devote to it.

SQL – Simple Talk

Sonrai Security raises $20 million to protect public clouds with automation

October 15, 2020   Big Data


Public cloud security provider Sonrai Security today announced a $20 million round that will be used to accelerate R&D and boost global sales and marketing for its identity and data governance products.

Roughly 83% of enterprise workloads have moved to the cloud, according to a 2020 survey from LogicMonitor. But the cloud remains vulnerable to cyberattacks. IBM found last year that the average time to identify a breach was 206 days. Meanwhile, security breaches have increased by 11% since 2018 and 67% since 2014, Accenture reported in a recent study.

Sonrai offers a platform called Sonrai Dig to help companies stay ahead of threats. The platform is built on a graph that identifies and monitors relationships between entities (e.g., admins, roles, compute instances, serverless functions, and containers) and data within public clouds and third-party data stores. An engine automates workflow, remediation, and prevention across cloud and security teams to provide baseline security. At the same time, it gives critical data in object stores like AWS S3 and Azure Blob priority when addressing suspicious activity and monitoring access rights.


Sonrai’s data governance automation solution helps integrate teams via analyses, alerts, and actions that align with the way organizations use the public cloud. The platform allows customized monitoring and views for development, staging, and production workloads and an API architecture that can be integrated into a continuous integration/continuous development process. Dig also automatically dispatches prevention and remediation bots and provides safeguards in the form of code promotion blocks to provide end-to-end security in public cloud platforms.

Sonrai CEO Brendan Hannigan, formerly a general manager of security at IBM, says improperly configured cloud interdependencies and inheritances can lead to significant security risks. These include excessive access paths to data, over-permissioned identities, and an unwieldy separation of responsibilities. Hannigan estimates that enterprises’ public cloud utilization generates hundreds of cloud accounts, thousands of data stores, and tens of thousands of ephemeral pieces of compute — complexity that legacy cloud security tools have failed to address.

Hannigan won’t disclose Sonrai’s customers, but he says the platform can scale to thousands of roles and compute instances across hundreds of corporate accounts. “The increasing frequency of cloud breaches caused by identity and data access complexity has driven significant traction for our … platform among large enterprises,” Hannigan added. “They see it as the basis of their cloud security model.”

Menlo Ventures led today’s series B round, with participation from Polaris Partners and Ten Eleven Ventures. It brings the New York-based company’s total raised to over $38.5 million, following an $18.5 million series A round in January 2019.

Big Data – VentureBeat

What are Windows virtualization-based security features?

October 11, 2020   BI News and Info


By Stephen J. Bigelow

Published: 17 Feb 2020

Windows administrators must maintain constant vigilance over their systems to prevent a vulnerability from crippling their systems or exposing data to threat actors. For shops that use Hyper-V, Microsoft offers another layer of protection through its virtualization-based security.

Virtualization-based security uses Hyper-V and the machine’s hardware virtualization features to isolate and protect an area of system memory that runs the most sensitive and critical parts of the OS kernel and user modes. Once deployed, these protected areas can guard other kernel and user-mode instances.

Virtualization-based security effectively reduces the Windows attack surface, so even if a malicious actor gains access to the OS kernel, the protected content can prevent code execution and the access of secrets, such as system credentials. In theory, these added protections would prevent malware attacks that use kernel exploits from gaining access to sensitive information.

Code examining, malware prevention among key capabilities

Virtualization-based security is a foundation technology and must be in place before adopting a range of advanced security features in Windows Server. One example is Hypervisor-Enforced Code Integrity (HVCI), which examines code — such as drivers — and ensures the kernel mode drivers and binaries are signed before they load into memory. Unsigned content gets denied, reducing the possibility of running malicious code.

Other advanced security capabilities that rely on virtualization-based security include Windows Defender Credential Guard, which prevents malware from accessing credentials, and the ability to create virtual trusted platform modules (TPMs) for shielded VMs.

In Windows Server 2019, Microsoft expanded its shielded VMs feature beyond the Windows platform to cover Linux workloads running on Hyper-V, preventing data leakage both when the VM is at rest and when it moves to another Hyper-V host.

New in Windows Server 2019 is a feature called host key attestation, which uses asymmetric key pairs to authenticate hosts covered by the Host Guardian Service in what is described as an easier deployment method by not requiring an Active Directory trust arrangement.

What are the virtualization-based security requirements?

Virtualization-based security has numerous requirements. It’s important to investigate the complete set of hardware, firmware and software requirements before adopting virtualization-based security. Any missing requirements may make it impossible to enable virtualization-based security and compromise system security features that depend on virtualization-based security support.

At the hardware level, virtualization-based security needs a 64-bit processor with virtualization extensions (Intel VT-x or AMD-V) and second-level address translation (Intel Extended Page Tables or AMD Rapid Virtualization Indexing). I/O virtualization must be supported through Intel VT-d or AMD-Vi. The server hardware must include TPM 2.0 or better.

System firmware must support the Windows System Management Mode Security Mitigations Table specification. Unified Extensible Firmware Interface must support memory reporting features such as the UEFI v2.6 Memory Attributes Table. Support for Secure Memory Overwrite Request v2 will inhibit in-memory attacks. All drivers must be compatible with HVCI standards.


SearchSQLServer

China proposes global data security standards

September 8, 2020   Big Data


(Reuters) — China announced an initiative on Tuesday to establish global standards on data security, saying it wanted to promote multilateralism in the area at a time when “individual countries” were “bullying” others and “hunting” companies.

The announcement, by State Councillor Wang Yi, comes a month after the United States said it was purging “untrusted” Chinese apps under a program dubbed “Clean Network”.

China’s initiative calls for technology firms to prevent the creation of so-called backdoors in their products and services that could allow data to be obtained illegally, as well as for participants to respect the sovereignty, jurisdiction and data management rights of other countries.

It also calls for participants to not engage in large-scale surveillance of other countries or illegally acquire information of foreign citizens through information technology.

It did not detail the nature of the initiative or say whether any other country had joined.

“Global data security rules that reflect the wishes of all countries and respect the interests of all parties should be reached on the basis of universal participation by all parties,” Wang said.

“Some individual countries are aggressively pursuing unilateralism, throwing dirty water on other countries under the pretext of ‘cleanliness’, and conducting global hunts on leading companies of other countries under the pretext of security. This is naked bullying and should be opposed and rejected.”

China tightly controls and censors its own cyberspace through the popularly dubbed Great Firewall, which has for years restricted access to firms such as U.S. majors Twitter, Facebook and Google owner Alphabet.

The administration of U.S. President Donald Trump has taken aim at Chinese giants such as Huawei Technologies, Tencent Holdings and TikTok owner ByteDance, citing concerns over national security and the collection of personal data, which the companies have rejected.

It has blocked U.S. exports to Huawei and plans to ban TikTok in the United States this month unless ByteDance sells TikTok’s U.S. operations.

(Reporting by Gabriel Crossley and Ryan Woo in Beijing, Brenda Goh in Shanghai; Editing by Muralikumar Anantharaman and Christopher Cushing)

Big Data – VentureBeat

Defund Your Social Security?

August 25, 2020   Humor

Donald Trump recently said that if he gets reelected, he would terminate the payroll tax.

There’s just one tiny little problem. It is the payroll tax that funds both Social Security and Medicare.

Today, the chief actuary of the Social Security Administration said that if the payroll tax is terminated and Trump doesn’t find another source of money to fund it, then Social Security benefits could stop by mid-2023. So all of that money that Americans have been putting into Social Security would just go bye-bye, and retirees would be screwed.

No word yet on what would happen to Medicare.

This is not the first time that Republicans have tried to cut or outright eliminate the social safety net. Anyone who thinks they wouldn’t do it simply isn’t paying attention.

Political Irony

Security and PowerPack Add-ons

August 22, 2020   Microsoft Dynamics CRM

As part of PowerObjects’ ongoing commitment to quality and service, we review our systems on a regular schedule to keep up with security changes in the Dynamics 365 platform. In today’s blogpost, we’re outlining upcoming changes to our PowerPack add-ons that will allow us to meet the current Dynamics 365 security requirements and TLS 1.2 (Transport Layer Security, version 1.2) security protocols.

PowerObjects- Bringing Focus to Dynamics CRM

Storage 101: Data Security and Privacy

July 23, 2020   BI News and Info

The series so far:

  1. Storage 101: Welcome to the Wonderful World of Storage
  2. Storage 101: The Language of Storage
  3. Storage 101: Understanding the Hard-Disk Drive 
  4. Storage 101: Understanding the NAND Flash Solid State Drive
  5. Storage 101: Data Center Storage Configurations
  6. Storage 101: Modern Storage Technologies
  7. Storage 101: Convergence and Composability 
  8. Storage 101: Cloud Storage
  9. Storage 101: Data Security and Privacy 

Most discussions around storage inevitably lead to the topics of data security and privacy. You cannot operate in today’s climate without careful attention to both. If data protection is not built into your storage infrastructure, you’re doing something wrong.

Data protection is an ongoing, organization-wide effort in which storage plays a key role. A secure storage infrastructure is essential to safeguarding sensitive information. Even so, it takes more than secure storage to guarantee the data’s safekeeping throughout its lifespan. For that, an organization needs a comprehensive data protection strategy that takes into account all aspects of data management, including how data is stored.

Securing Data and Protecting Privacy

For many organizations, their most important asset is their data, the bulk of which must be protected against unauthorized access. The data might include intellectual property, legal documents, passwords, encryption keys, personally identifiable information (PII), or a variety of other sensitive material.

An organization that handles sensitive data should have a comprehensive data protection strategy in place to contend with potential threats. Unfortunately, the exact meaning of data protection is not always clearcut and can vary depending on usage and circumstances. It might refer to securing data, safeguarding privacy, protecting storage systems, implementing disaster recovery (DR), or any combination of these.

According to the SNIA (formerly the Storage Networking Industry Association), data protection is the “assurance that data is not corrupted, is accessible for authorized purposes only, and is in compliance with applicable requirements.” In other words, data protection goes beyond just encrypting data or guaranteeing its availability. Data protection ensures that the data remains viable, is safeguarded against all unauthorized access at all times, and is controlled in a way that adheres to applicable compliance laws and regulations, e.g., local, provincial, and federal.

In this view of data protection, storage security is only part of a larger effort to keep sensitive data out of the wrong hands, while ensuring its accuracy and availability to authorized users. To this end, you’ll sometimes see storage security described in terms of confidentiality, integrity, and availability—or CIA—which go hand-in-hand with the larger goal of data protection.

A comprehensive data protection strategy ensures both data security and data privacy. Although the two are related, they’re not the same. Data security protects sensitive information from unauthorized access and from loss and corruption, whether intentional or accidental. Data privacy refers to the appropriate handling of PII and the rights of individuals to control and access their personal information.

With the increasing number of regulations that govern PII, organizations are under greater pressure than ever to protect confidential information and provide a full accounting of how it’s managed. Regulations can vary from region to region and differ significantly. Many organizations operate across multiple regions, making them subject to a mix of governing laws. The General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Children’s Online Privacy Protection Act (COPPA), and California Consumer Privacy Act (CCPA) are only some of the regulations that organizations now face. Even if an organization operates in only one region, they can still be subject to a confusing mix of laws.

Despite the differences between regulations, however, they all have one requirement in common: the organization must implement strict security controls that ensure personal information cannot be compromised while under its control. Most also define other obligations, such as retention or auditing requirements, but data protection lies at the heart of each one, which is why data security and privacy are intrinsically linked.

The Cybersecurity Threat Landscape

Data is not only an asset. It’s a burden. A data breach can lead to lost revenue, stiff penalties, downtime, legal liabilities, loss of intellectual property, unexpected expenses, and a tarnished reputation from which a company might never recover. No organization is immune to the potential threats that await them, from both inside and outside their domains.

External threats can come from governments, organized crime, terrorists, cybercriminals, competitors, or everyday hackers looking for a bit of sport or profit. And threats can arrive in many forms, often implemented through social engineering strategies that attempt to introduce malware or ransomware or steal user credentials.

Figure 1. The challenges of data security (image by madartzgraphics)

Attackers might also go after an organization’s networks or systems directly, leveraging vulnerabilities to carry out SQL injections, denial-of-service attacks, or other nefarious acts in an attempt to steal data or bring down operations. Their reasons for attacking an organization can vary. They might want to damage the organization’s credibility, acquire sensitive information for competitive advantages, access government secrets, or make money by selling stolen data or locking up systems until a ransom is paid.

Many organizations and even individuals have fallen victim to cybercrime, ranging from households and small municipalities to multinational corporations, including Twitter, Facebook, Yahoo, Equifax, eBay, LinkedIn, and Marriott International. And the threats don’t only come from external players. Organizations must also guard against internal threats, whether from disgruntled or greedy employees, malicious insiders, or careless staff falling victim to weak IT security policies. Data compromised as a result of internal behavior can be just as devastating as an external attack.

Many organizations are also turning to the cloud to store data and support their workloads. Although cloud platforms can often be more secure than an organization’s own environment, they also add storage and data complexity, while increasing data exposure. An organization must rely completely on the provider to ensure that data is being protected from internal and external threats. At the same time, the cloud raises compliance concerns, especially when spanning multiple regions.

Organizations must also contend with the increased risks that come with a remote workforce, whose numbers have grown dramatically with COVID-19. The more people working offsite, the more difficult it becomes to ensure that sensitive data is not being exposed when it is transferred or stored. A home worker might use an unsanctioned cloud service, mislay a peripheral device that contains business data, collaborate on a project through an unsecure platform, or engage in other risky behavior. Even under the best circumstances, few home offices can achieve the same level of physical security you get in a data center.

Implementing a Data Protection Strategy

To ensure data security and privacy, you need a comprehensive plan that specifies how data will be protected both at rest and in motion. As part of this process, you should develop policies that define where data can be stored, who can access it, and what levels of protection the data requires. The policies should also address such issues as when data is deleted, what happens when an employee is terminated, how to handle a data breach and any other issues related to data protection.

Another important part of the planning process is to conduct a thorough assessment of your current data environment to identify potential risks and the steps that must be taken to mitigate those risks. You need to know where sensitive data is located, how it’s being used, and who can access it. You should also look for issues such as whether sensitive data is being transmitted as cleartext, credentials are being sent in an unencrypted format, or users are accessing internal web services via insecure HTTP.

From this assessment, you’ll have a good sense of what data you have and where it’s located. You can then classify the data based on security and compliance requirements. This will help you determine what levels of access to assign to each data type, as reflected in your security policies. Public data, for example, requires far less security than data covered by HIPAA or the GDPR or data governed by national security laws.

If your organization is subject to multiple regulations, consider a protection-by-default approach for personal data rather than creating a separate classification for each rule. For example, one regulation might require that you protect user IP addresses while another does not; it is usually simpler to create a single category that satisfies the stricter of the two. Too many data categories complicate data management and increase the risk that something is misclassified and ends up in violation.

A simpler category structure can also make it easier to address other compliance-related issues, such as providing users with visibility into their PII or supporting their deletion requests. At the same time, you must still take into account issues such as data retention and disposal requirements, which might force you to create additional categories.

Another part of the planning process is to ensure that you have the tools you need to safeguard your systems and their data. For example, you might implement a data loss prevention (DLP) solution to help automatically discover, monitor, and protect sensitive data. You might benefit from an intrusion detection system (IDS) that identifies traffic anomalies and warns you if something doesn’t look right.

Essential tools for protecting your data include anti-malware, anti-ransomware, and anti-spyware, as well as protections such as firewalls and proxy servers. And, of course, you want to deploy the proper storage protections. RAID and other redundancies provide storage fault tolerance against hardware failure, but they are not a defense against deletion or ransomware: a deleted or encrypted file is faithfully mirrored to every disk in the array. Protecting against intentional or unintentional data destruction requires versioned, offline, or immutable backups in addition to redundancy.

There are plenty of other tools as well. Just remember that no one solution can address all your data protection requirements, and you’ll have to come up with just the right mix to meet your specific needs.

Protecting Data and Privacy

Data protection must take into account both physical and operational security. Physical security ensures that unauthorized individuals cannot access the physical structures where the data is housed or the equipment within those structures. It also protects against circumstances that could lead to data loss, such as power failures or natural disasters. To implement physical security, an organization might employ backup and restore protocols, CCTV monitoring, biometric readers, geofencing, backup generators, and numerous other protections.

Organizations must also protect the individual systems within their secure structures, such as servers or workstations. No one on the inside should be able to walk off with equipment or get at their internal workings unless they’re authorized to do so. IT teams must also take steps to protect portable devices that leave the premises, such as laptops, tablets, or cell phones. This typically means implementing a mobile device management strategy that supports such features as remote lock or remote wipe.

In addition to physical security, organizations must implement operational protections, the technical safeguards that protect the data itself. This starts with encrypting sensitive data both at rest and in motion using well-vetted standard algorithms and protocols (for example, AES for storage and TLS for transport) rather than anything home-grown. In addition, IT teams might consider tokenization or data masking, which reduce how much sensitive data applications and people ever see. They also need a system for securely generating, storing, rotating, and managing encryption keys, kept separate from the data those keys protect; encrypted data stored beside its own key is not meaningfully protected.
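As an added example that is not from the article or from any vendor, the following Python code shows the tokenization, masking and key-management points above using only the standard library. Card numbers are replaced by format-preserving surrogate tokens derived with HMAC-SHA256 under a versioned key, the only way back to the original value is a lookup in the vault, keys can be rotated without breaking tokens already issued, and a separate masking function produces the display form. The `TokenVault` class, the key-version scheme, and the sample card numbers are constructed for illustration; the in-memory dictionary stands in for an encrypted vault store with its own access control, and encrypting that store at rest would use a standard AES-GCM implementation, which is outside this example.

```python
"""Vault tokenization with a keyed surrogate, plus masking for display (added example)."""
import hashlib
import hmac
import secrets


class TokenVault:
    """Replace card numbers (PANs) with surrogate tokens that keep length and last four digits.

    The surrogate is HMAC-SHA256(key, PAN) reduced to digits, so the same PAN always maps to
    the same token under one key (joins and de-duplication still work), while nothing in the
    token can be reversed: the only path back is the vault lookup. In production the vault is
    an encrypted store and the HMAC keys come from a KMS/HSM, never from beside the data.
    """

    def __init__(self, keys, current_version):
        self._keys = dict(keys)          # {version: 32-byte key}, assumed fetched from a KMS
        self._current = current_version
        self._vault = {}                 # token -> (key_version, PAN digits)

    @staticmethod
    def _digits(pan):
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 13 <= len(digits) <= 19:
            raise ValueError("PAN must have 13 to 19 digits")
        return digits

    def tokenize(self, pan):
        """Return a same-length numeric token preserving the last four digits."""
        digits = self._digits(pan)
        key = self._keys[self._current]
        mac = hmac.new(key, digits.encode(), hashlib.sha256).digest()
        width = len(digits) - 4
        surrogate = str(int.from_bytes(mac, "big") % 10 ** width).zfill(width)
        token = surrogate + digits[-4:]
        existing = self._vault.get(token)
        if existing is not None and existing[1] != digits:
            # Two different PANs hashing to one token: about 1e-12 per pair, but fail loudly.
            raise RuntimeError("token collision; re-key or widen the surrogate")
        self._vault[token] = (self._current, digits)
        return token

    def detokenize(self, token):
        """The most sensitive call in the system: gate it behind role checks and log every use."""
        return self._vault[token][1]

    def rotate(self, version, key):
        """Introduce a new key version; tokens issued under old versions keep resolving."""
        self._keys[version] = key
        self._current = version


def mask(pan):
    """Display form for receipts and support screens: everything but the last four hidden."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def demo():
    # Constructed demo: a random key standing in for a KMS-held key, and a well-known test PAN.
    vault = TokenVault({1: secrets.token_bytes(32)}, current_version=1)
    pan = "4111 1111 1111 1111"
    token = vault.tokenize(pan)
    return vault, pan, token


if __name__ == "__main__":
    vault, pan, token = demo()
    print("masked     :", mask(pan))
    print("token      :", token)
    print("detokenized:", vault.detokenize(token))
```

Deterministic tokens are convenient because the same card yields the same token across systems, but they also reveal equality: anyone who can see tokens can count how often a value recurs. For low-entropy fields, or where that linkage is itself sensitive, issue a random token and rely on the vault lookup alone.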

Another important component of operational security is role-based access control, which determines who can and who cannot view or modify specific sets of data. Access should be based on the principle of least privilege, that is, individuals should be granted only the access they need to do their jobs—and no more. In conjunction with access control, IT should also implement such safeguards as multi-factor authentication or virtual private networks (VPNs), as appropriate, to further protect data access.

An effective data protection strategy also requires an infrastructure for continuously monitoring sensitive data, issuing real-time alerts, and generating reports on demand. All data access and modifications, including denied attempts, should be logged, with an auditing system in place to determine who accessed what data and when, and the logs themselves protected from tampering by the people whose actions they record.
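The following Python example, added here and not part of the original article, ties together the two preceding paragraphs: a default-deny role-based access check over data classifications, a step-up rule that refuses access to restricted data unless a second factor has been verified, an append-only audit record of every decision including denials, and a least-privilege review that compares each user's granted permissions against observed usage to list grants that were never exercised. The roles, users, classifications and the `MFA_REQUIRED` policy are constructed for the example.

```python
"""Default-deny RBAC over data classifications with an audit trail and a least-privilege review."""
import json
import time

# Classifications that require a verified second factor on every access (assumed policy).
MFA_REQUIRED = {"restricted"}


class AccessController:
    def __init__(self, roles, assignments, clock=time.time):
        self._roles = {r: set(perms) for r, perms in roles.items()}     # role -> {(classification, action)}
        self._assignments = {u: set(rs) for u, rs in assignments.items()}  # user -> {role}
        self._clock = clock
        self.audit_log = []   # append-only decision records; in production ship these to a SIEM

    def grants(self, user):
        """Union of (classification, action) pairs conferred by the user's roles."""
        out = set()
        for role in self._assignments.get(user, ()):
            out |= self._roles.get(role, set())
        return out

    def decide(self, user, action, classification, mfa_verified=False):
        """Allow only on an explicit grant; unknown users, roles and actions fall through to deny."""
        if (classification, action) not in self.grants(user):
            decision, reason = "deny", "no_matching_grant"
        elif classification in MFA_REQUIRED and not mfa_verified:
            decision, reason = "deny", "mfa_required"
        else:
            decision, reason = "allow", "role_grant"
        self.audit_log.append({
            "ts": self._clock(), "user": user, "action": action,
            "classification": classification, "decision": decision, "reason": reason,
        })
        return decision == "allow"

    def unused_grants(self, observed):
        """Grants never exercised in the observed {(user, classification, action)} set.

        These are the candidates for removal in a least-privilege review.
        """
        used = {}
        for user, classification, action in observed:
            used.setdefault(user, set()).add((classification, action))
        report = {}
        for user in self._assignments:
            unused = self.grants(user) - used.get(user, set())
            if unused:
                report[user] = sorted(unused)
        return report

    def audit_json(self):
        """One JSON object per line, the shape most log pipelines ingest directly."""
        return "\n".join(json.dumps(rec, sort_keys=True) for rec in self.audit_log)


# Constructed roles and assignments (hypothetical organization).
ROLES = {
    "analyst": {("public", "read"), ("internal", "read")},
    "hr_admin": {("internal", "read"), ("restricted", "read"), ("restricted", "write")},
    "dba": {("public", "read"), ("internal", "read"), ("internal", "write"), ("restricted", "delete")},
}
ASSIGNMENTS = {"alice": {"analyst"}, "bob": {"hr_admin"}, "carol": {"dba"}}


def demo():
    ac = AccessController(ROLES, ASSIGNMENTS, clock=lambda: 1606521600.0)  # fixed clock for the demo
    results = {
        "alice_reads_internal": ac.decide("alice", "read", "internal"),
        "alice_writes_internal": ac.decide("alice", "write", "internal"),
        "bob_reads_restricted_no_mfa": ac.decide("bob", "read", "restricted"),
        "bob_reads_restricted_mfa": ac.decide("bob", "read", "restricted", mfa_verified=True),
        "mallory_reads_public": ac.decide("mallory", "read", "public"),
    }
    # Constructed access history for the review period.
    observed = {
        ("alice", "internal", "read"),
        ("bob", "restricted", "read"),
        ("carol", "internal", "read"), ("carol", "internal", "write"),
    }
    return results, ac.unused_grants(observed), ac.audit_log


if __name__ == "__main__":
    results, unused, log = demo()
    print(results)
    print("grants never used:", unused)
    print("\n".join(json.dumps(r, sort_keys=True) for r in log))
```

The review output is the part worth acting on: Carol's `dba` role carries `("restricted", "delete")` that she never used in the period, which is exactly the kind of standing privilege a least-privilege review should remove or move behind a just-in-time approval. Note that every denial is in the audit log alongside the successes; a burst of `no_matching_grant` records for one account is a detection signal in its own right.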

Operational protections also include disaster recovery (DR) systems that ensure data can be made available in the event of data loss or corruption, whatever the cause. At the same time, IT must be careful that DR mechanisms such as backups or replication do not violate applicable regulations, for instance by copying regulated data into a region where it may not reside. They must also ensure that PII can be produced in a timely manner if required by law, and that backups and replicas adhere to the same retention and disposition rules as the primary data.

The Ongoing Challenges of Data Protection

To implement effective data protections, an organization must take into account the entire data lifecycle, regardless of how the data is being used or where it resides—whether on a remote workstation, on a mobile device, in a data center, on a cloud platform, at a remote facility, or on a server in an office corner. Data protection must be a unified effort that moves beyond infrastructure boundaries to ensure that data is secure, and privacy is protected at all times and under all circumstances.

One of the most important tools that organizations have for protecting data is an effective training and education program that helps employees understand the risks involved with handling data and the steps they can take to minimize those risks. Everyone in an organization should have a clear understanding of that organization’s data usage policies and how best to protect sensitive data. All it takes is one careless act to create a data nightmare.

Data protection is an ongoing, all-encompassing process that extends from the backend storage systems to the smartphones that employees carry in their pockets. Storage security is an integral part of this process and can serve as your last line of defense against intrusion. That said, storage security cannot protect against all risks, just like a firewall alone can’t eliminate all network threats. Any place where data might reside or that provides a means for its access should be considered a potential risk and dealt with accordingly.


SQL – Simple Talk


Why Millennials Prefer the Security of Microsoft Dynamics Over Other CRM Systems

May 16, 2020   CRM News and Info

With so many privacy scandals making headlines, the current workforce well understands the importance of security. Choosing a system that provides this protection for employees and customers is essential for Millennials, who make up the majority of modern employees.

Microsoft Dynamics is a leader in global security. Microsoft delivers layered security in all applications to allow workers to do their best work anywhere with full confidence. Consider briefly how Microsoft Dynamics provides the security needed for any company:

Security anywhere

Microsoft Dynamics provides physical and virtual security, including access control, encryption, and authentication. This helps protect data on all devices, whether mobile phones, tablets, or computers. Role-based security defines access to system data no matter where users are working.

Intelligent security

As security risks continue to rapidly grow, modern workers not only want but expect the systems they work with to be protected. Microsoft Dynamics meets these expectations by using billions of data points globally to engineer techniques and apply intelligence to progressively improve security.

Protect customer data

Employees today want to be confident that the data they collect from customers is secure. Microsoft Dynamics helps keep this data safe by controlling who can see personal and financial information and preventing its unauthorized disclosure. This makes it easier to maintain customer loyalty and comply with industry regulations.

Thomas Berndorfer, CEO of Connecting Software, trusts Microsoft Dynamics to be secure in handling his company’s sensitive information. He says: “Dynamics 365 provides a robust data security model, and add-on products ensure data protection between D365 and other Microsoft apps.”

Would you like to see how Microsoft Dynamics’ security could benefit your business?

Read this and the other reasons why Millennials prefer Microsoft Dynamics in the workplace by downloading the full eBook “21 Reasons Millennials Prefer Microsoft Dynamics” at www.crmsoftwareblog.com/millennials.


By CRM Software Blog Writer, www.crmsoftwareblog.com


CRM Software Blog | Dynamics 365

© 2021 Business Intelligence Info