A database is a structured set of data, stored on a computer or a server and made accessible in various ways. A database management system (DBMS) is the software that allows databases to be defined, created, queried, updated, and administered. There are numerous well-known DBMSs, including, but not limited to, Microsoft SQL Server (of which SQL Server 2012, referred to below as SQL 2012, is a release), MySQL, Microsoft Access, and Oracle. As society moves further into a digital world, the threats and risks to databases have increased drastically, placing ever-growing importance on database security.
SQL 2012 made many modifications and improvements to its integrated database security tools since the previous release, SQL 2008. The enhancements are numerous and include security manageability improvements, audit enhancements, database authentication enhancements, cryptographic changes, and new permissions, to name a few (Mistry & Misner, 2012). How elaborate system administrators will want to make their database security depends in large part on the sensitivity of the information the database contains; however, regardless of how far security is taken, four key controls should be implemented for every database in order to keep data secure: logins, user roles, permissions, and database encryption.
Logins require a username and password in order to reach the database at all. Depending on how the database is accessed, the user may enter this information directly (SQL Server authentication), or it may be tied to one of their other logins, so that having logged into a Windows domain or an intranet portal gives them access by virtue of that earlier login (Windows authentication). With SQL 2012 either is possible, depending on how the database is used and what, if any, programming has been done in house. This ensures that only a person who is authorized to access the database, and has been verified via their specific credentials, is able to reach the data.
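The two kinds of login described above, as an added T-SQL example that is not code from the original page or from Mistry & Misner (2012). It assumes a SQL Server 2012 instance, a database named Payroll, and a Windows domain named CONTOSO; every principal name and password in it is hypothetical. It also shows the database-level authentication that SQL 2012 added (a user with its own password in a partially contained database), and ends with the catalog views that confirm how each principal authenticates.

```sql
-- Added example, not from the original page or the cited book. Assumes a SQL Server 2012
-- instance, a database named Payroll, and a Windows domain CONTOSO; all names and
-- passwords are hypothetical.
USE master;
GO
-- Windows-authenticated login: the domain verifies the user, SQL Server stores no password.
CREATE LOGIN [CONTOSO\jdoe] FROM WINDOWS WITH DEFAULT_DATABASE = Payroll;
GO
-- SQL Server-authenticated login: SQL Server stores a salted hash of the password.
-- CHECK_POLICY and CHECK_EXPIRATION apply the Windows password policy and expiry rules,
-- so weak or stale passwords are rejected instead of silently accepted.
CREATE LOGIN app_payroll
    WITH PASSWORD = 'Str0ng!Passw0rd#2012',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = Payroll;
GO
-- A login by itself grants no access to any data: each one must be mapped to a database user.
USE Payroll;
GO
CREATE USER jdoe FOR LOGIN [CONTOSO\jdoe];
CREATE USER app_payroll FOR LOGIN app_payroll;
GO
-- Database-level authentication (new in SQL Server 2012): a user that carries its own
-- password inside a partially contained database, so this account needs no server login.
EXEC sp_configure 'contained database authentication', 1;
RECONFIGURE;
ALTER DATABASE Payroll SET CONTAINMENT = PARTIAL;
CREATE USER portal_user WITH PASSWORD = 'P0rtal!Passw0rd#2012';
GO
-- Verify what was created and how each principal authenticates.
SELECT name, type_desc, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE name = 'app_payroll';

SELECT name, type_desc, authentication_type_desc   -- INSTANCE, WINDOWS or DATABASE
FROM sys.database_principals
WHERE name IN ('jdoe', 'app_payroll', 'portal_user');
```

The second query is the useful audit check: any user whose authentication_type_desc is NONE is an orphaned or loginless user, and any SQL login whose is_policy_checked is 0 is one for which the password policy has been switched off.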
User-defined server roles are the next level of database security that should be set up. A company will not want a basic employee to have the same level of access to the database as its system administrator. The user does not have the same technical knowledge as the system administrator and may inadvertently cause data loss; in addition, roles ensure that a competitor cannot have someone hired on and thereby obtain full and complete database access. Essentially, the idea behind these roles is to limit system access to reduce security threats, compromises, and operational mistakes while still ensuring that users have the appropriate level of manageability and permissions for their specified tasks (Mistry & Misner, 2012).
Permissions state, for each user or role of the database, what it is and is not able to access, and what it is and is not able to modify. A DENY takes precedence over a GRANT, which is what allows a broad grant to a role to be narrowed for particular objects or members. SQL 2012 has added new permissions for securing and managing elements within its databases, including GRANT, REVOKE, and DENY permissions on a search property list, and new GRANT, REVOKE, and DENY permissions for the CREATE SERVER ROLE and ALTER SERVER ROLE operations (Mistry & Misner, 2012).
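The server roles of the previous paragraph and the permissions of this one, as one added T-SQL example that is not code from the original page or from Mistry & Misner (2012). It assumes a SQL Server 2012 instance and a database named Payroll; the role names, the Employee table, and the ops_kim and jdoe principals are constructed for the example. It creates a user-defined server role with only the permissions an operator needs, grants a database role read access to a schema and then uses DENY to carve one column out of that grant, and finishes by checking the effective permissions as each principal would see them.

```sql
-- Added example, not from the original page or the cited book. Assumes SQL Server 2012
-- and a database named Payroll; the roles, table and principals below are hypothetical.
USE master;
GO
-- 1. A user-defined server role (new in SQL Server 2012) for operators who must inspect
--    server health and manage logins but must never be granted full control.
CREATE SERVER ROLE server_ops;
GRANT VIEW SERVER STATE TO server_ops;
GRANT ALTER ANY LOGIN TO server_ops;
GO
CREATE LOGIN ops_kim WITH PASSWORD = 'Ops!Passw0rd#2012', CHECK_POLICY = ON;
ALTER SERVER ROLE server_ops ADD MEMBER ops_kim;
GO
-- 2. Database-level permissions: grant the least that the task requires.
USE Payroll;
GO
CREATE TABLE dbo.Employee (
    EmployeeId int PRIMARY KEY,
    Name       nvarchar(50) NOT NULL,
    Salary     money        NOT NULL
);
CREATE USER jdoe WITHOUT LOGIN;     -- loginless user, enough to test permissions
CREATE ROLE payroll_reader;
GRANT SELECT ON SCHEMA::dbo TO payroll_reader;
-- DENY overrides the schema-wide GRANT for this one column only.
DENY SELECT ON dbo.Employee (Salary) TO payroll_reader;
ALTER ROLE payroll_reader ADD MEMBER jdoe;
GO
-- 3. Check effective permissions by impersonating each principal, then revert.
EXECUTE AS LOGIN = 'ops_kim';
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW SERVER STATE') AS can_view_state,   -- 1
       HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER')    AS can_control;      -- 0
REVERT;
GO
EXECUTE AS USER = 'jdoe';
SELECT HAS_PERMS_BY_NAME('dbo.Employee', 'OBJECT', 'SELECT', 'Name',   'COLUMN') AS can_read_name,   -- 1
       HAS_PERMS_BY_NAME('dbo.Employee', 'OBJECT', 'SELECT', 'Salary', 'COLUMN') AS can_read_salary; -- 0
SELECT EmployeeId, Name FROM dbo.Employee;   -- allowed; selecting Salary here would fail with error 230
REVERT;
GO
```

EXECUTE AS followed by REVERT is the practical way to audit a permission change without knowing the other principal's password, and HAS_PERMS_BY_NAME answers the question as the engine would, including the effect of DENY, rather than as the GRANT statements alone suggest.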
Database encryption refers to the process of converting data within a database into ciphertext through the use of an algorithm; a specific key is then required to decrypt the data and turn it back into usable text. SQL 2012 made specific cryptographic enhancements to keep its encryption methods current: the Advanced Encryption Standard (AES), the current industry-standard symmetric algorithm, replaced Triple DES for protecting the service master key and the database master key at the root of the key hierarchy. In addition, SQL 2012 raised the maximum certificate key length, added the SHA-2 family (SHA2_256 and SHA2_512) to the hashing algorithms available through HASHBYTES, and added support for creating a certificate from its binary representation (Mistry & Misner, 2012).
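The encryption hierarchy described above, as an added T-SQL example that is not code from the original page or from Mistry & Misner (2012). It assumes a SQL Server 2012 instance (Enterprise edition, which Transparent Data Encryption requires), a database named Payroll, a writable C:\keys folder, and hypothetical passwords. It sets up Transparent Data Encryption for the whole database with AES-256, then encrypts a single column with a symmetric key and stores a SHA-2 hash beside it, and shows what a reader sees with and without the key open.

```sql
-- Added example, not from the original page or the cited book. Assumes SQL Server 2012
-- Enterprise, a database named Payroll, a folder C:\keys, and hypothetical passwords.
USE master;
GO
-- Root of the hierarchy: the master database's master key (itself protected by the
-- service master key, which SQL Server 2012 encrypts with AES-256) and a certificate.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'M@sterKey-Passw0rd-2012!';
CREATE CERTIFICATE tde_cert WITH SUBJECT = 'Payroll TDE certificate';
-- Back the certificate up immediately: without it, backups of the database are unreadable.
BACKUP CERTIFICATE tde_cert TO FILE = 'C:\keys\tde_cert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\tde_cert.pvk',
                      ENCRYPTION BY PASSWORD = 'Pvk-Backup-Passw0rd-2012!');
GO
-- Transparent Data Encryption: every data and log page is encrypted on disk with AES-256.
USE Payroll;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE tde_cert;
ALTER DATABASE Payroll SET ENCRYPTION ON;
GO
-- Cell-level encryption of one sensitive column, with keys that live in this database.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Payroll-DMK-Passw0rd-2012!';
CREATE CERTIFICATE payroll_cert WITH SUBJECT = 'Payroll column encryption';
CREATE SYMMETRIC KEY ssn_key WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE payroll_cert;
GO
CREATE TABLE dbo.EmployeeSecret (
    EmployeeId   int            PRIMARY KEY,
    SsnEncrypted varbinary(256) NOT NULL,
    SsnHash      binary(32)     NOT NULL   -- SHA2_256, available in HASHBYTES since 2012
);
GO
OPEN SYMMETRIC KEY ssn_key DECRYPTION BY CERTIFICATE payroll_cert;
INSERT INTO dbo.EmployeeSecret (EmployeeId, SsnEncrypted, SsnHash)
VALUES (1,
        ENCRYPTBYKEY(KEY_GUID('ssn_key'), N'123-45-6789'),   -- constructed sample value
        HASHBYTES('SHA2_256', N'123-45-6789'));
CLOSE SYMMETRIC KEY ssn_key;
GO
-- With the key closed, DECRYPTBYKEY returns NULL: a reader with SELECT alone gets ciphertext.
SELECT EmployeeId, SsnEncrypted,
       CAST(DECRYPTBYKEY(SsnEncrypted) AS nvarchar(11)) AS SsnWithoutKey
FROM dbo.EmployeeSecret;
-- Only a principal able to open the key recovers the plaintext.
OPEN SYMMETRIC KEY ssn_key DECRYPTION BY CERTIFICATE payroll_cert;
SELECT EmployeeId, CAST(DECRYPTBYKEY(SsnEncrypted) AS nvarchar(11)) AS Ssn
FROM dbo.EmployeeSecret;
CLOSE SYMMETRIC KEY ssn_key;
GO
-- Confirm the database is encrypted (encryption_state 3) and with which algorithm.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

The two controls answer different threats: TDE protects the files and backups if the disks are copied, while the column encryption limits what an authenticated user who can already query the table is able to read. Neither helps unless the certificate backups are stored somewhere other than the server they protect.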
Logins and database encryption do not by themselves prevent SQL injection attacks, because an injected statement runs under the application's own, already authenticated, login. In order to prevent such attacks, the application should not build its SQL statements by concatenating user input into the query text; it should be set up with parameterized queries, in which user input is passed to the database as typed parameters that are never interpreted as part of the SQL (Mackay, 2005).
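The difference between a concatenated and a parameterized query, as an added T-SQL example that is not code from the original page or from Mackay (2005). The table, its rows, and the malicious input are all constructed for the example. The same dynamic statement is run twice: once with the input spliced into the SQL text, where the injection bypasses the filter, and once through sp_executesql with a typed parameter, where the whole input is treated as a value to compare.

```sql
-- Added example, not from the original page or from Mackay (2005). Constructed table,
-- constructed rows and a constructed attacker-controlled input; all names are hypothetical.
CREATE TABLE #Employee (EmployeeId int, Name nvarchar(50), Salary money);
INSERT INTO #Employee VALUES (1, N'Alice', 50000), (2, N'Bob', 60000);
GO
DECLARE @input nvarchar(100) = N''' OR 1=1 --';   -- the value an attacker types into the Name box

-- VULNERABLE: the input becomes part of the statement text. The leading quote closes the
-- literal, OR 1=1 makes the predicate always true, and -- comments out the trailing quote.
DECLARE @sql_bad nvarchar(500) =
    N'SELECT EmployeeId, Name, Salary FROM #Employee WHERE Name = ''' + @input + N'''';
PRINT @sql_bad;     -- SELECT EmployeeId, Name, Salary FROM #Employee WHERE Name = '' OR 1=1 --'
EXEC (@sql_bad);    -- returns both rows: the filter was bypassed

-- FIXED: the same dynamic statement with a parameter. The value is bound at execution,
-- never parsed as SQL, so the full string "' OR 1=1 --" is compared with Name and
-- no row matches.
DECLARE @sql_good nvarchar(500) =
    N'SELECT EmployeeId, Name, Salary FROM #Employee WHERE Name = @name';
EXEC sp_executesql @sql_good, N'@name nvarchar(100)', @name = @input;   -- returns no rows
GO
DROP TABLE #Employee;
```

The same rule applies in application code that talks to SQL Server: a parameter object supplied to the client library (rather than a string built with + or a format call) is what reaches the server as a bound value, and sp_executesql is what that library uses underneath.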
It is essential to create and implement a security policy for all databases as a means of protecting data from accidental or malicious destruction and the database infrastructure from damage. Database security prevents unauthorized observation and modification of data, ensures that the data stays confidential and that its integrity is preserved, and ensures that only authorized users have access to it. SQL 2012 shows that it is able to meet those requirements, and in several areas goes beyond them, allowing database security to be configured with ease without compromising its strength.
- Mackay, C. (2005, January 23). SQL injection attacks. Retrieved from http://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev
- Mistry, R., & Misner, S. (2012). Introducing Microsoft SQL Server 2012. Microsoft Press. Retrieved from http://blogs.msdn.com/b/microsoft_press/archive/2012/03/15/free-ebook-introducing-microsoft-sql-server-2012.aspx
- Techotopia. (2012). Creating databases. Retrieved from http://www.techotopia.com/index.php/Creating_Databases_and_Tables_Using_SQL_Commands