SQL Server Risk Assessment – The PMP Way

Posted in: Technical Track

small__5537894072Recently I had a chance to speak with my friend and colleague, Ashish Sharma. We were discussing Project Management topics (he recently passed PMP and ACP). Our discussion ended on a very interesting topic – RISK Assessment.

Definition: According to PMBOK, projects can have unforeseen events or activities that can impact the project’s progress, result, or outcome in a negative or positive way. Further, a risk can be assessed using two factors – impact and probability. Determining the quantitative or qualitative value of risk related to a specific situation or recognized threat is known as Risk Assessment.

So, coming to my point, how do we apply a risk assessment framework for database systems, especially SQL Server?

I, myself, have never created or used a Risk Register for SQL Server. Hence, I decided to do a little more research on the subject. I found absolutely nothing on this particular topic. However, while searching for SQL Server security, I found an article I wrote in 2009 that provides tips on protecting data. 

After spending some time researching, I found a good sample Risk Register that we can use. You can download it here.

Now, this is what we have for a Risk Register. What about threats?

Below, I have identified all of the threats I can think of:

Possible Threats

Risk Mitigation

Virus AttackInstall AV on DB Server,however, do not forget to exclude SQL Server files
Unauthorized LoginsAlways use Audit (C2, Windows, SQL or both) failed login attempts and analyze them regularly. Always, rename SA / Admin account and use strong password mechanism for all the servers. If possible always try to use domain authenticated accounts.
MiM AttackTo mitigate a MiM attack do the following :

  1. Isolate database server from Application / IIS Server
  2. Configure SQL Server to use non-default port
  3. Use Encryption / SSL
  4. Use Firewall inbound / outbound rules
Root AccessTo avoid someone getting root access do following:

  1. Disable / Rename in-built Admin account
  2. Grant least access to Service Account
  3. Use strong / random password
SQL InjectionDo following:

  1. Avoid using Dynamic SQL when you can
  2. Use parameterized query / stored procedure
  3. Always validate the value at form level be

Interested in working with Hemantgiri? Schedule a tech call.

About the Author

I am a Database Administrator by profession, and a student of a university called life by heart. I am open and willing to learn things as it comes and is interest to me. I am passionate about SQL Server, photography, reading and sharing. During my professional life, I have privileged to work with some great a-like-minded people from whom I learnt a lot, technical as well as soft skills; I am trying and will continue to share what all I have learnt over the years by connecting a-like-minded via many technological forums.Currently, I'm Lead Database Consultant @Pythian. I have close to 17 years of experience, about which 15 years as hard core DBA. I have been a Microsoft SQL Server MVP for four years, and a published author of the book - SQL Server 2008 High Availability; a book for SQL Server DBA aspirants, System Administrators and Developers, it provides step-by-step information to get you through the installation of various SQL Server High Availability options like Clustering, Replication, Database Mirroring and Log Shipping. Sounds interesting, read more about me at http://www.sql-server-citation.com/p/about-me.htmlSpecialties: IT Project Management, SQL Server High Availability, Performance Tuning I have worked on IT Project Management using latest tools like Six Sigma, PMP and ITIL.Keep in touch with me: Twitter: https://twitter.com/ghemant Facebook: https://www.facebook.com/SQLServerCitation

No comments