Security – Don’t overlook the obvious!
June 22, 2009
In real estate there’s an old saying: the three most important things about any property are location, location, and location. Yeah, I know, I find it pretty silly too. But redundancy aside, that saying goes a long way to emphasize that a property’s true value really comes down to one fairly simple thing – its location.
But in today’s IT world, where everything is seamlessly connected via the Internet, location has been relegated to nearly a non-concern. Just ask anyone who’s been called to resolve a production issue at work while on vacation if location really matters.
The Benefits of Remote Access
Routinely, we manage servers half-way across the country if not half-way around the world. And that can be a wonderful thing. I can provide better service to my clients regardless of where I happen to be at the moment. When I’m traveling, I can remote into a client’s server and resolve an issue or diagnose a problematic query. I can even do so from my iPhone during a 5-minute break while teaching a class.
Additionally, remote access allows us to create much more robust disaster recovery scenarios where servers in one part of the world are connected to fail over servers in another part of the world, just in case a disaster strikes.
Of course, with all of this remote access comes a need for increased security. If we’re allowing remote access, we need to ensure that only those authorized can indeed access the system remotely. So we implement multiple layers of security using multiple technologies that allow us to authenticate and audit, secure and scrutinize our database access attempts.
Let’s Get Physical
But all of this focus on location-independence can sometimes cause us to neglect a fairly simple security concern – physical security. The most perfect, detailed, and diligent security measures are all for naught if the servers are not physically secure. And though I’m stating the obvious, it bears mentioning.
I was reminded of the need for physical security this past week. Fortunately, it wasn’t a negative experience for me!
I was asked by a client to remove all information from a set of hard disks prior to re-purposing a server. The server, which had been supplanted by a younger, faster, and better looking replacement earlier this year, was going to be donated to another facility. In preparation, we needed to make sure that all data, sensitive or not, was permanently and irreversibly removed from the set of hard disks that the server contained.
There are many ways to do this so I won’t go into the details here, but it’s sufficient to say that with direct physical access to the server, it’s extremely easy to permanently destroy the information it contains.
In this case the server did not have the BIOS settings password protected. Fail! So I rebooted the server and changed the BIOS to allow me to boot from an external device such as a CD-ROM, Floppy Disk, or USB device. Next I downloaded a bootable utility from the Internet that seeks out all hard drives on the computer and automatically and completely erases the data on them. After booting to the external device, the process was amazingly simple and relatively fast considering the size of the hard drives.
Now to be fair, I had administrator privileges on the server so I certainly had an advantage. But I really could have accomplished the same ends without domain level security since the server was not protected and the BIOS was left open. So, the point remains that without physical security, it was trivial to permanently wipe out vital company information.
Security, Security, Security
I hope this post states the obvious. But, in many small businesses physical security is an afterthought at best. In more cases than not, however, it’s given no consideration at all. If you have access to the building or suite, you have access to the server “area”. There is no additional physical security protecting the company’s second most valuable assets from malicious or unintentional damage. (A company’s most valuable asset is its people, remember?) Yet, many of those same companies have spent a good deal of money on firewalls and virtual private networks to allow remote access as needed by key personnel in other locations.
Larger companies tend to do a better job at physical security, by and large. However, there are still instances where employees transfer or resign and their security badges are never revoked or denied access to the server room.
As database professionals, it’s our responsibility to protect the data on the servers, and this starts with ensuring that the server itself is secure. So remember the old real estate adage and consider Security (physical), Security (network), and Security (SQL Server) for all your databases.
Have an interesting security story that you can share (changing the names to protect the innocent…er…those involved)? I’d love to hear it.