INTRODUCTION
The integrity and effectiveness of an organization's use of Microsoft SQL Server depend heavily on the decisions made during the initial implementation. This encompasses many options that contribute to security, including but not limited to encryption, authentication, user-defined roles, and auditing. The purpose of the following proposal is to suggest best practices for assuring security within Microsoft SQL Server 2012. Additionally, we will examine the functionality and reasoning behind each security best practice. The goal is to educate administrators and corresponding staff not only in the best practices themselves, but in how they function and why they matter. Thank you in advance for your consideration.
Because most security options are assumed to be provided strictly within the software, it is imperative to ensure that the physical components associated with SQL Server are properly secured as well. This means keeping hardware locked away in an area accessible only to administrators. This is the first and most important step in ensuring security.
ENCRYPTION
Encryption is a necessary defense that assists with securing an instance of SQL Server. It is important to understand that there is no single algorithm that is right for all circumstances. However, Microsoft (2013) suggests that the following points be understood: a longer key is more beneficial, as long keys are generally stronger than short keys; strong encryption consumes more CPU; complex passwords are stronger than short passwords; block ciphers are stronger than stream ciphers; large amounts of data should be encrypted with a symmetric key, and the symmetric key should in turn be encrypted with an asymmetric key; and if compression is used, the data should be compressed before it is encrypted (“Choose an encryption,” 2013).
A beneficial feature specific to the Enterprise edition of SQL Server 2012 is transparent data encryption (TDE). This feature assists with keeping data secure in the scenario that physical media are stolen. TDE performs real-time I/O encryption and decryption of the database and log files within a SQL Server instance (“Transparent data encryption,” 2013).
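The last two guidelines above (bulk data under a symmetric key, the symmetric key itself protected by an asymmetric key) map directly onto SQL Server's cell-level encryption functions. The following T-SQL is an added example written for this proposal; it is not code from the original document or from Microsoft's documentation. The database name SalesDb, the table dbo.Customer, the key names CustomerAsymKey and CustomerDataKey, the sample row, and the password placeholder are all assumptions made for the illustration.

```sql
-- Added example (not part of the original proposal): hybrid encryption in
-- SQL Server 2012. Assumed names: SalesDb, dbo.Customer, CustomerAsymKey,
-- CustomerDataKey. The password and the card number are placeholders.
USE SalesDb;
GO
-- Sample table with a constructed test row (4111... is a well-known test number).
CREATE TABLE dbo.Customer (
    CustomerId    int IDENTITY PRIMARY KEY,
    CardNumber    nvarchar(32)   NULL,   -- plaintext; drop this column after migration
    CardNumberEnc varbinary(256) NULL    -- ciphertext produced by EncryptByKey
);
INSERT INTO dbo.Customer (CardNumber) VALUES (N'4111111111111111');
GO
-- The database master key protects the private half of the asymmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO
-- Asymmetric key (RSA, 2048 bits): used only to wrap the symmetric key,
-- never to encrypt the data itself.
CREATE ASYMMETRIC KEY CustomerAsymKey WITH ALGORITHM = RSA_2048;
GO
-- Symmetric key (AES-256) for the bulk data, protected by the asymmetric key.
CREATE SYMMETRIC KEY CustomerDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY ASYMMETRIC KEY CustomerAsymKey;
GO
-- Encrypt: unwrap the symmetric key with the asymmetric key, encrypt the
-- column, then close the key so it is not left open for the session.
OPEN SYMMETRIC KEY CustomerDataKey DECRYPTION BY ASYMMETRIC KEY CustomerAsymKey;
UPDATE dbo.Customer
SET CardNumberEnc = EncryptByKey(Key_GUID('CustomerDataKey'), CardNumber);
CLOSE SYMMETRIC KEY CustomerDataKey;
GO
-- Decrypt for an authorized reader. DecryptByKey returns varbinary, so the
-- result is converted back to the original nvarchar type.
OPEN SYMMETRIC KEY CustomerDataKey DECRYPTION BY ASYMMETRIC KEY CustomerAsymKey;
SELECT CustomerId,
       CONVERT(nvarchar(32), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM dbo.Customer;
CLOSE SYMMETRIC KEY CustomerDataKey;
GO
```

The design point is the division of labour: AES does all of the per-row work, which keeps the CPU cost manageable on large tables, while the RSA private key is exercised once per OPEN SYMMETRIC KEY. Only principals granted CONTROL on CustomerAsymKey (or the ability to open it) can unwrap the data key, so access to the plaintext is governed by key permissions rather than by who can read the table.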
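The steps needed to turn TDE on for one database, as an added T-SQL example written for this proposal (not code from the original document or from Microsoft): the database name SalesDb, the certificate name TdeCert, the backup file paths and the password placeholders are assumptions.

```sql
-- Added example (not part of the original proposal): enabling TDE on SalesDb
-- in SQL Server 2012 Enterprise. Assumed names: SalesDb, TdeCert; the file
-- paths and passwords are placeholders.
USE master;
GO
-- 1. A master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO
-- 2. A server certificate that will protect the database encryption key.
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for SalesDb';
GO
-- 3. Back the certificate up immediately and store it off the server:
--    without it, the encrypted database and every backup of it are
--    unreadable on any other instance.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\secure\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\secure\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>');
GO
-- 4. Create the database encryption key (DEK) inside the user database.
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
-- 5. Turn encryption on; a background scan encrypts the existing pages.
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- Check: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.key_algorithm,
       k.key_length,
       d.is_encrypted
FROM sys.dm_database_encryption_keys AS k
JOIN sys.databases AS d ON d.database_id = k.database_id;
```

Two things worth knowing before running this in production: tempdb is encrypted automatically as soon as any database on the instance is TDE-enabled, and TDE protects only data at rest. Anyone who can log in with the right permissions still reads plaintext through the engine, so it complements, rather than replaces, the authentication and role controls discussed below.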
AUTHENTICATION
The enhancements to the authentication features within SQL Server 2012 have greatly improved the way in which users are able to log in. In prior versions, a login could be a Windows user account, a Windows group account, or a SQL Server account. This created a dependency on individual server-level logins, which caused issues with portability (Mistry & Misner, 2012, p. 67). The solution is Contained Database Authentication. With this feature, the user is authenticated directly by the user database rather than by the server instance.
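Enabling contained database authentication and creating a database-scoped user, as an added T-SQL example written for this proposal (not code from the original document or from the cited authors). The database name SalesDb, the user name app_reader and the password placeholder are assumptions; the configuration option, DDL and catalog views are the ones SQL Server 2012 provides.

```sql
-- Added example (not part of the original proposal): contained database
-- authentication in SQL Server 2012. Assumed names: SalesDb, app_reader;
-- the password is a placeholder.
-- 1. Instance-level switch; requires ALTER SETTINGS (sysadmin/serveradmin).
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
GO
-- 2. Make the database partially contained (the only containment level
--    SQL Server 2012 offers).
ALTER DATABASE SalesDb SET CONTAINMENT = PARTIAL;
GO
-- 3. Create a user whose password lives in the database. No server-level
--    login is created, so the database can be moved with its users intact.
USE SalesDb;
GO
CREATE USER app_reader WITH PASSWORD = '<strong password>';
ALTER ROLE db_datareader ADD MEMBER app_reader;   -- least privilege: read only
GO
-- Check 1: the database reports PARTIAL containment.
SELECT name, containment_desc
FROM sys.databases
WHERE name = 'SalesDb';
-- Check 2: authentication_type_desc is DATABASE for a contained user,
--          INSTANCE for a user mapped to a server login.
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE name = 'app_reader';
-- Check 3: list objects that still depend on instance-level features
--          (these break portability and should be reviewed before moving).
SELECT class_desc, major_id, feature_name, feature_type_name
FROM sys.dm_db_uncontained_entities;
```

Because the credential exists only inside SalesDb, a client must name that database in its connection string (Initial Catalog) or the authentication attempt fails at the server level. From a defender's perspective the trade-off is that password policy and auditing for these users now have to be reviewed per database rather than once per instance.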
Asymmetric encryption is used to protect data while it is in transit. Asymmetric encryption is also known as public key encryption. It uses two related keys: a public key and a private key that is not shared with anyone. The pair of keys is generated by mathematical methods that are easy to compute in one direction only. Anyone can encrypt data using the public key, but only the holder of the private key can decrypt that specific data. Asymmetric keys are normally 1024 or 2048 bits long. However, in an asymmetric framework, keys smaller than 2048 bits are considered unsafe to use.
Security architecture is a major component of a system's architecture and is usually designed to provide important guidance during the development of the system. It usually outlines the assurance level required and, in the process, the possible impacts that this level of security might have on the development of the actual system. Since security is a major component of the success of any given business unit, it is necessary to have a fully functional and operative security system that meets all the necessary requirements of the organization. Leading business firms are often faced with the task of achieving and maintaining high security measures and methods. SecureTek, one of the leading providers of security solutions, is faced with the challenge of redesigning its security architecture to assure the security of the firm's data and other valuable assets, as well as ensuring the security of customers and employees who encounter risky situations when visiting this business unit.
Security helps the organization meet its business objectives or mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets through the selection and application of appropriate safeguards. Businesses should establish the roles and responsibilities of all personnel and staff members. In particular, a Chief Information Officer should be appointed to direct an organization's day-to-day management of information assets. Supporting roles are performed by the service providers and include systems operations, whose personnel design and operate the computer systems. Each team member must be held accountable for ensuring that all of the rules and policies are being followed, as well as for understanding their roles, responsibilities and functions. Organizations' information processing systems are vulnerable to many threats that can inflict various types of damage and result in significant losses (Harris, 2014). Losses can come from the actions of trusted employees who defraud the system, from outside hackers, or from careless data entry. The major threat to information protection is the errors and omissions that data entry personnel, users, system operators and programmers make. To better protect business information resources, organizations should conduct a risk analysis to see what
Due in Week Seven: Outline the Access Control Policy. Describe how access control methodologies work to secure information systems.
Every organization, big or small, should have some level of security policy to protect their proprietary information. While the intensity and depth of an organization's security policy depends heavily on the nature of their business, common guidelines are mentioned in this paper that apply to all policies. One of the most important things to remember is that employees are a critical component to a successful security policy. It is the organization's job to ensure that their security policy is widely distributed and understood.
Encryption: Data encryption is the best way to reduce the risks associated with misplaced, lost or stolen data.
This will allow data to be analyzed and placed on a separate, non-operational database. Essentially this will be a synced copy of the operational database and will provide a centralized view of the main database. It could also be used as a backup of the original database.
To elucidate the term, an information system is essentially a connected set of elements produced by people and managed through computers that allows the collection and distribution of data; in summary, it is generally a database. Data is the plural of datum, an elementary recognisable fact; information is data that has been correlated so that context is formulated. Data security, then, concerns an assortment of facts translated into information and kept secure on an encrypted server because of its personal nature. In addition, the majority of security systems within modern technology are protected with pass-codes. However, database management systems (DBMS) can be breached in several ways including weak
Data encryption refers to the process of transforming electronic information into a scrambled form that can only be read by someone who knows how to translate the code. In today's business world, it is the easiest and most practical way to secure the information that we store and process, and it is significant for our sensitive information. For example, as electronic commerce is popular now, vendors and retailers must protect customers' personal information from hackers or competitors. They also have many business files or contracts that need to be strictly protected. Without data encryption, this important information may fall into the wrong hands and be misused by others. Besides this, data encryption may be used to secure sensitive information that exists on company networks, to create digital signatures, and to help with authorization in business. No one should underestimate the importance of encryption. A small mistake in encryption may reveal sensitive information, or even result in criminal charges.
The evolution and understanding of the importance of information security and risk management originates from the awareness of the potential of IT in business functions and as a business enabler. This was then followed by the realization that the risks brought about by this boundless facilitator must be appropriately understood and addressed. The essence of information security and risk management is to identify low- vs. high-risk systems and processes, and then to address those risks appropriately.
Encryption means that data is encoded into a code; this is mainly used for data security. In other words, not every user can access the database; only authorized users with a password may access it.
Security includes several areas, such as personal security and organizational security, among others. Security access control is an important aspect of any system. It is the act of ensuring that an authenticated user accesses only what they are authorized to and no more. Nearly all applications that deal with financial, privacy, or defence matters include some form of access control. Access control is concerned with determining the allowed activities of legitimate users by mediating every attempt by a user to access a resource in the system.
Inconsistently storing organizational data creates a lot of issues: a poor database design can cause security, integrity and normalization related problems. The majority of these issues are due to redundancy, weak data integrity and irregular storage. It is an ongoing challenge for every organization, and it is important for the organization and the DBA to build a logical, conceptual and efficient database design. In today's complex database systems, normalization, data integrity and security play a key role. Normalization as a design approach helps to minimize data redundancy and optimizes the data structure by systematically placing data into appropriate groupings; a successful normalized design follows “First Normalization Flow”, “Second Normalization Flow” and “Third Normalization flow”. Data integrity helps to increase the accuracy and consistency of data over its entire life cycle; it also helps keep track of database objects and ensures that each object is created, formatted and maintained properly. It is a critical aspect of database design which involves “Database Structure Integrity” and “Semantic data Integrity”. Database security is another high-priority and critical issue for every organization. Data breaches continue to dominate business and IT, and building a secure system is as important as normalization and data integrity. A secure system helps to protect data from unauthorized users; data masking and data encryption are the preferred technologies used by DBAs to protect data.
In a world where security breaches and information theft occur more frequently, a service offering secure data storage is a significant factor in a security arrangement. Encryption is simply stated as the practice of systematically scrambling information so that it can be unscrambled later [10]. Data encryption translates data into a different form, or cryptograph, so that only a person holding a secret key (i.e. a decryption key) or password can access that data. The encrypted data is known as ciphertext, whereas the unencrypted data is termed plaintext. Presently, encryption is considered one of the most effective data security techniques and is widely used by many organizations for the secure and reliable transmission of data containing secret information. Asymmetric encryption and symmetric encryption are the two main types of encryption techniques.
In our world, people rely heavily on the power of technology every day. Kids are learning how to operate an iPad before they can even say their first word. School assignments have become virtual, making it possible to do them from anywhere in the world. We can receive information from across the world in less than a second with the touch of a button. Technology is a big part of our lives, and without it life becomes a lot harder. Just as our phones have such importance in our daily lives, database management systems have the same importance for businesses. Without this important software, it would be almost impossible for companies to complete simple daily tasks with such ease.