I’m introducing a new talk for 2016: Securing SQL Server. Here’s my abstract:
A default SQL Server installation is reasonably secure, but “reasonably secure” doesn’t cut it anymore in an era in which one bad line of code, one week password, or one open port can result in your customer database ending up on Pastebin. In this talk, we will look at different methods of securing a SQL Server instance, from venerable (principle of least privilege, Transparent Data Encryption) to novel (Always Encrypted, row-level security). These tools and techniques will show us ways for developers, database administrators, and network specialists to work together to secure corporate assets and prevent CISOs from ending up on the nightly news.
My plan is to hit on a few topics, introduce some resources to learn more about the topic, and move on. The goal is to provide an overview of some of the tools and technologies available, including:
- Applying the principle of least privilege to SQL Server logins, users, and roles.
- Implementing Transparent Data Encryption.
- Implementing Always Encrypted in SQL Server 2016.
- Implementing row-based security, both in SQL Server 2016 and prior to 2016.
- Using network segmentation to limit access to SQL Server instances.
- Writing good, parameterized SQL to prevent against SQL injection.
- Reducing the SQL Server surface area.
There are entire books on SQL Server security, so a one-hour talk can’t cover everything. Nonetheless, my intent with this talk is to give everybody who attends at least one new resource.