Often I am asked about the importance of a security audit, with the majority of these questions being asked by representatives of smaller organizations. The questions are centered around if there is a need to perform a security audit when the organization has taken some measures to protect themselves on the network in one fashion or another. For example I was recently asked why a company should perform a security audit when the SQL Server they have is behind a firewall and the company is small enough that everyone knows all the staff.
I recommend security audits for all SQL Servers in my care. Let me explain why…
Security can be very complex with multiple layers, yet even the most complex systems can be as risk and sometimes even from their own complexity. If the data in the database is important enough to keep around it is important enough to secure. The responsibility is multiplied when the data contains sensitive information or Personally Identifiable Information (PII). As a database professional, I want to know that even if a layer of security is breached at points where security is intended to protect the database server that I still have a layer of protection. In other words, if for some reason the firewall were to be circumvented or compromised the database still has its own layer of protection. According to statistics from datalossdb.org almost 40% of data breach incidents come from lost, stolen or fraud to obtain access to physical media such as a lost or stolen laptop, or lost or stolen backup tape, none of these methods protected by a firewall.
At one point during a Sarbanes Oxley audit I was asked why management of our company determined that the data should be easily accessible by IT and Development staff. I learned a great lesson when the auditor explained to me that security is not a matter of trust. Security also protects from legitimate mistakes when no malicious intent is involved. The statistics from datalossdb.org reflect that 38% of data loss incidents come from internal to the organization. 21% of all incidents are accidents from internal sources with 10% of all incidents as being malicious in nature from internal sources. Just over half of the incidents come from outside the organization, how does this reflect on completing a security audit? By completing a security audit and making appropriate changes a company can limit its risk by nearly 50%.
The scary part as a database administrator is the fact that as a whole we have only seen the decrease in the number of incidents once over the last 9 years, 2012 had the most incidents with a drastic increase over 2011. If the trend holds true, as a database professional I urge organizations complete audits on a regular basis.
Our Configuration and Performance Review for SQL Server can be focused on security. Contact us for more information through our web site or by sending an email to firstname.lastname@example.org. Or you can reach out to me via email at email@example.com.