Category: SecurityAudit

  • Stop Guessing: Build a “Who Has Access to What” Dashboard

By now, a few things should be clear: Your access model isn’t a hierarchy – it’s a graph. That graph contains hidden exposure paths. And those paths can be measured using real signals. That’s a solid foundation. But there’s still a gap: You can’t manage what you can’t see. SQL queries are great for analysis. They’re terrible for…

  • You Can’t Fix What You Can’t Measure: Introducing the Access Risk Score

By this point, two things should be very clear: Your access model is not a clean hierarchy. It behaves like a graph of inherited, interconnected permissions. Which leads to a practical problem: If access is a graph… how do you measure risk inside of it? Because listing roles doesn’t work. Auditing permissions doesn’t scale. And “review everything quarterly”…

  • Your Role Hierarchy Is Probably Lying to You

Most data platforms look clean on paper. Roles are defined. Permissions are assigned. Access flows in a structured hierarchy. It’s logical. Predictable. Auditable. At least, that’s the idea. In reality, the access model you think you have and the access model you actually have are more than likely two very different things. And the gap between them…

  • Security Audit – Part 4

So, since it has been some time since we looked at our Security Audit, let’s review what we’ve gone over so far: And We’re Back!, Security Audit – Part 2, Security Audit. On our next look at the Security Audit, let’s look at the server itself – SELECT COUNT(*) FROM sys.servers WHERE is_linked = '1' This…

  • And We’re Back!

    So, as you can tell from the lack of posts over the past few months, I have been more than just busy. Between moving into a new house, moving my son into a college dorm, several SQL Saturdays, and just general work items, it has been extremely hectic. But, I am back now, and my…

  • Security Audit – Part 2

    Once again, we delve deep into what is part of a security audit and why each part is important. One part that I like to look at is the default directories where certain types of files are kept. To do this – on SQL Server 2012 and above – we simply run the following commands:…

  • Security Audit

    The words that many a person dreads hearing – Security Audit. Whether you’re the one having to perform the audit or just having to deal with the aftermath of one, it is never fun. Over the next few blog posts, we’re going to look at a few common points that are included in security audits,…