Protecting SQL Server Data : LAYERING SOLUTIONS

5/28/2013 7:41:51 PM

View from the Top Floor

At the highest level, we would want to consider the protection of our database files, including the database backups. In SQL Server 2005 there are no native options for protecting the physical database files, transaction logs and the TempDB system database; we would need to rely on features of the operating system, and on third-party tools, for this level of protection. For example, Red Gate's SQL Backup Pro offers encryption of the backup files. In SQL Server 2008 Enterprise Edition, the Transparent Data Encryption feature can be implemented, offering full protection for the physical files of the database as well as its backup files.

Design for Protection

Figure 1 illustrates how the HomeLending database is organized into logical groupings. For example, the borrower names reside in the Borrower_Name table and the borrower's employer data resides in the Borrower_Employer table.

Figure 1. Schema design of the HomeLending database.

The Borrower_Identification, Borrower_Income, Asset_Account, Liability_Account and Credit_Report tables all contain sensitive data. Through the normalized design of the database, this sensitive data is separated from the non-sensitive data. The Credit_Report table takes advantage of a linked server to further the separation of sensitive data that is contained within that table.

Applied Permissions and Database Objects

The HomeLending database contains the database roles Sensitive_high, Sensitive_medium and Sensitive_low, which provide us with the means to control access to database objects. Each database user that exists in the HomeLending database is assigned membership of one of these database roles.

To further elevate the level of overall security for the database, we deny access to the tables within the database to all database users. Accessing the data that is contained within the tables is granted through the creation of views. All INSERT, UPDATE and DELETE commands are funneled through stored procedures.

Obfuscation

Underwriters are a group of users who fall into the Sensitive_high database role. These individuals review financial details and credit report details to determine whether a borrower qualifies for the loan for which he or she has applied. Therefore, the Sensitive_high database role will be able to view the detailed credit report data contained in the Credit_Report linked table.

The Shipping Clerks are a group of users who fall into the Sensitive_medium database role. These individuals gather information about a loan that will be provided to potential investors. From this information the investors will decide whether to purchase the loan from the lender in the secondary market. There is no need for this group of users to view the details of the credit report. They are interested in aggregated versions of the data, such as the borrower's debt-to-income ratio, their credit score and the number of times that the borrower has been 30 days late with repayments. For the Sensitive_medium role, the obfuscation method of aggregation is a perfect solution. This would be offered through a view that is available to this database role.
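As an added example (not code from the article or from the book it is drawn from), the T-SQL below puts the two preceding sections into practice: the three roles, DENY on the sensitive tables for every role, a detail view for Sensitive_high, an aggregation view for Sensitive_medium and a stored procedure for writes. All column names, the Credit_Report_Delinquency table and the view and procedure names are assumptions, and Credit_Report is treated as a local table rather than the linked-server table the article describes.

```sql
-- Added example, not the article's or the book's code. Column names and the
-- Credit_Report_Delinquency table are assumptions; Credit_Report is local here.
USE HomeLending;
GO
-- The three sensitivity roles named in the article.
CREATE ROLE Sensitive_high;
CREATE ROLE Sensitive_medium;
CREATE ROLE Sensitive_low;
GO
-- No role may touch the sensitive tables directly. The dbo-owned views and
-- procedure below still reach the tables through ownership chaining.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Credit_Report
    TO Sensitive_high, Sensitive_medium, Sensitive_low;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Borrower_Income
    TO Sensitive_high, Sensitive_medium, Sensitive_low;
GO
-- Underwriters (Sensitive_high) see the detailed report, but only via a view.
CREATE VIEW dbo.vw_Credit_Report_Detail AS
    SELECT Loan_ID, Credit_Score, Monthly_Debt, Report_Text
    FROM dbo.Credit_Report;
GO
GRANT SELECT ON dbo.vw_Credit_Report_Detail TO Sensitive_high;
GO
-- Shipping Clerks (Sensitive_medium) get only aggregated figures:
-- debt-to-income ratio, credit score and the count of 30-day-late events.
CREATE VIEW dbo.vw_Credit_Summary AS
    SELECT cr.Loan_ID,
           cr.Credit_Score,
           CAST(cr.Monthly_Debt AS decimal(12, 4))
               / NULLIF(bi.Monthly_Income, 0) AS Debt_To_Income,
           (SELECT COUNT(*) FROM dbo.Credit_Report_Delinquency d
            WHERE d.Loan_ID = cr.Loan_ID AND d.Days_Late >= 30) AS Times_30_Days_Late
    FROM dbo.Credit_Report cr
    JOIN dbo.Borrower_Income bi ON bi.Loan_ID = cr.Loan_ID;
GO
GRANT SELECT ON dbo.vw_Credit_Summary TO Sensitive_medium;
GO
-- Writes are funneled through a stored procedure, never direct DML.
CREATE PROCEDURE dbo.usp_Update_Credit_Score
    @Loan_ID int, @Credit_Score smallint
AS
    SET NOCOUNT ON;
    UPDATE dbo.Credit_Report SET Credit_Score = @Credit_Score
    WHERE Loan_ID = @Loan_ID;
GO
GRANT EXECUTE ON dbo.usp_Update_Credit_Score TO Sensitive_high;
```

Because the views, the procedure and the tables share the owner dbo, SQL Server does not evaluate the table permissions (including the DENYs) when they are reached through the view or procedure, which is what makes the funneling work.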

Eyes in the Back of the Head

A honeycomb table, Customer_Information, and a database audit are created to catch those who may snoop about for plain text sensitive data stored in the HomeLending database. Notification via Database Mail is set up to report any activity against this table to our DBA. For a bit of visual deterrence and intimidation, a silver hammer was provided to the DBA to whack anyone who may be found to have accessed the honeycomb table.
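An added example (not the article's own code) of the honeycomb table paired with a SQL Server Audit database audit specification and a Database Mail notification. The audit file path, mail profile name and recipient address are placeholders, the table's columns are assumed, and database audit specifications require SQL Server 2008 Enterprise Edition (or a later edition that supports them).

```sql
-- Added example, not code from the original article. The audit file path,
-- mail profile and recipient are placeholders; needs SQL Server 2008
-- Enterprise (or later) for database audit specifications.
USE master;
GO
-- A server audit writing to a file on disk.
CREATE SERVER AUDIT HomeLending_Honeycomb_Audit
    TO FILE (FILEPATH = N'D:\SQLAudit\')       -- placeholder path
    WITH (ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT HomeLending_Honeycomb_Audit WITH (STATE = ON);
GO
USE HomeLending;
GO
-- The honeycomb table: looks like a prize, is referenced by no application.
CREATE TABLE dbo.Customer_Information (
    Customer_ID int IDENTITY PRIMARY KEY,
    Full_Name   varchar(100),
    SSN         char(11),
    Account_No  varchar(20)
);
GO
-- Record every read or write against it, by anyone.
CREATE DATABASE AUDIT SPECIFICATION Honeycomb_Access
    FOR SERVER AUDIT HomeLending_Honeycomb_Audit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customer_Information BY public)
    WITH (STATE = ON);
GO
-- Run on a schedule (e.g. a SQL Agent job): collect the last hour's hits
-- on the honeycomb from the audit file and mail them to the DBA.
DECLARE @hits nvarchar(max);
SELECT @hits = (
    SELECT CHAR(10) + CONVERT(varchar(19), event_time, 120) + '  '
           + server_principal_name + '  ' + statement
    FROM sys.fn_get_audit_file(N'D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
    WHERE object_name = 'Customer_Information'
      AND event_time > DATEADD(hour, -1, GETUTCDATE())
    FOR XML PATH(''), TYPE).value('.', 'nvarchar(max)');
IF @hits IS NOT NULL
    EXEC msdb.dbo.sp_send_dbmail
        @profile_name = 'DBA_Mail',               -- placeholder profile
        @recipients   = 'dba@example.com',        -- placeholder address
        @subject      = 'Honeycomb table Customer_Information was accessed',
        @body         = @hits;
GO
```

Audit timestamps from sys.fn_get_audit_file are in UTC, hence the comparison against GETUTCDATE(); legitimate access to this table should be nil, so every mailed line is worth a look.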

Good Habits

Performing regular backups of the database, as well as the encryption keys, will reduce the risk of data and key loss. Storing these backups separately will reduce the risk of theft of the data and the keys. Also, storing a duplicate copy of these backup files, at an offsite location, will reduce the risk of data loss due to a fire or natural disaster.

Devices and methods that protect data outside the database, such as firewalls, secured network connections and user interface cryptography methods, are important for a broader security solution that covers data in transit.

Educate, Educate, Educate

Once the sensitive data has been secured within the database it is important to educate the users on how to recognize sensitive data and how it should and should not be communicated. The users will be the target for those who aim to circumvent your security efforts through social engineering and phishing attempts. These efforts to glean sensitive data can come from an external as well as an internal source.

Strong sensitive data handling policies, enforcement of these policies and continual education are the keys to protecting the data that has been entrusted to your business, to protecting the reputation of your business and, most importantly, protecting your customers.
