SQL Server Database Security Audit

Let us ask you a simple question: Is your data secure?

The High Cost of an Insecure System... Did you know the average cost for EACH compromised customer record is $188? (src: Ponemon)

Depending on your business, a data breach could cost you millions. If your business deals with protected health information (PHI), chances are you’re subject to HIPAA regulations that require you to protect health records. Do you know what counts as PHI? Medical records are the obvious case, but PHI also includes identifiers such as cell phone numbers and even license plate numbers.

It’s the law that this information is encrypted and protected. Plus, ensuring it is encrypted can protect you if the worst does happen. You can read more about why to encrypt your PHI here.

But even if you are not working with PHI, there are other types of information that have to be protected by law. This includes payment information (PCI data) and, depending on your company, could include any form of personally identifiable information (PII).

Too many companies ignore database security until it is too late.

Does this sound familiar? The IT department is rushing to implement functionality and fix problems to get the system running smoothly. They have good intentions to tighten security later, of course, but time gets away from them as the deadline approaches.

Before you know it, the new database installation goes live without any security best practices in place. No one means to leave security gaps... it just happens.

Yet, security is critical. Nothing can bring your business to a screeching halt faster than a hacked database.

Consider a recent Whitehat Security Statistics Report that found 86% of websites had a minimum of one serious security vulnerability. Where could your site’s vulnerabilities lie?

There are primarily three types of hackers:

  1. An inside job – disgruntled employee or ex-employee. I know, you don’t want to think about it but it happens.
  2. Random attack – more common than you think. There are automated programs on the web looking for vulnerabilities. When they find one, they may install a virus, malware or another insidious piece of software.

    Do you know one of the most common ways these guys infiltrate your data? It is SQL Injection. If you allow SQL Injection in your code, then you are vulnerable.
  3. Targeted attack – this is the hardest form of attack to protect yourself from, but it is also the least common. While you might not be able to completely prevent a targeted breach, the harder you make it, the more likely “they” will give up and select a different target.
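The SQL Injection point above, shown as an added T-SQL illustration (not code from the original page): a lookup procedure written the vulnerable way, the same lookup hardened with sp_executesql parameters, and a quick audit query to find dynamic-SQL modules worth a manual review. The table dbo.Customer and its columns are assumed.

```sql
-- Constructed example: both procedures look up a customer by last name.
-- Vulnerable: caller input is spliced into the statement text, so a value
-- containing a quote character can change the statement instead of being data.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName FROM dbo.Customer WHERE LastName = '''
        + @LastName + N'''';
    EXEC (@sql);
END;
GO

-- Hardened: the statement text is fixed and the value travels as a typed
-- parameter through sp_executesql, so it is never parsed as SQL.
CREATE PROCEDURE dbo.FindCustomer_Safe
    @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName FROM dbo.Customer WHERE LastName = @p';
    EXEC sys.sp_executesql @sql, N'@p nvarchar(100)', @p = @LastName;
END;
GO

-- Audit heuristic: list modules in the current database that execute a
-- string variable directly. A hit is a candidate for review, not proof of a flaw.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS object_name
FROM sys.sql_modules AS m
WHERE m.definition LIKE '%EXEC (@%'
   OR m.definition LIKE '%EXEC(@%'
   OR m.definition LIKE '%EXECUTE (@%'
   OR m.definition LIKE '%EXECUTE(@%'
ORDER BY schema_name, object_name;
```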

Your Database is Your Business

It’s where your customers’ information resides. The database controls your orders, streamlines your reports and keeps your office humming along … but only when it’s working properly.

If your database goes down, you will lose a lot of money. You might not be able to make any money at all. A security breach might not be top of mind when you think about system uptime, but intruders often leave a mess behind, making your data inaccessible until you clean it up. It also costs a lot more to fix after the fact. Let’s be proactive. Let’s make sure that this does not happen to you. We offer a Security Audit in which we review your overall database security implementation and make recommendations in areas where security could be improved.

  • We review the security of your SQL Server installation to uncover any gaps. We will review your permission management, your granted permissions, and security-related database and server settings. Did you know, for example, that the common practice of setting a database to “trustworthy” can make your system vulnerable because of permissions that are granted implicitly rather than explicitly? Insufficient permission management or misunderstood settings can put your information at risk.
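The “trustworthy” check from the bullet above, as an added T-SQL audit query (not code from the original page): it lists every database with TRUSTWORTHY ON together with its owner and whether that owner is a sysadmin, which is the combination that lets code inside the database act with server-level rights nobody explicitly granted. The database and login names in the remediation statements are assumed placeholders.

```sql
-- Constructed audit query. Run as a login that can read sys.databases.
-- msdb has TRUSTWORTHY ON by default, so it is excluded here and reviewed separately.
SELECT d.name                                                  AS database_name,
       SUSER_SNAME(d.owner_sid)                                AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid))  AS owner_is_sysadmin, -- 1 = risky
       d.is_trustworthy_on,
       d.is_db_chaining_on                                     -- cross-db ownership chaining, also worth a look
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> N'msdb'
ORDER BY owner_is_sysadmin DESC, d.name;
GO

-- Remediation when the database does not actually need the setting
-- (placeholder database name):
ALTER DATABASE [YourAppDb] SET TRUSTWORTHY OFF;
GO

-- If code in the database genuinely needs the setting, at least make sure the
-- owner is not a sysadmin, so the implicit rights stay limited
-- (placeholder login name):
ALTER AUTHORIZATION ON DATABASE::[YourAppDb] TO [LowPrivOwnerLogin];
GO
```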

Think of it as a form of insurance. A business wouldn’t operate without business insurance. Ensuring your database security is simply another form of insurance.

Are you ready to get started? Contact us today.

Our Database Security Philosophy

Our philosophy is that every business should operate on the least privilege principle.

This means any data access is governed by the actual access requirement. Employees can access only the data they need to do their jobs and nothing more. Application accounts should not have administrative access to your SQL Server instance, or even to the server itself. Think about it: why would the marketing team need access to HR records? Why would developers need access to customer credit card information? They don’t, of course, and this level of access creates vulnerabilities in the system.

Our experience includes compliance with PCI (payment card industry), Sarbanes-Oxley and HIPAA requirements. When you hire us, you can be assured you’re getting a thorough database security check-up. We’ve worked with many businesses to improve their database security, from small businesses with a single database to large-scale database installations for a Fortune 50 company.

Let’s find out if your database is secure. Call 832-377-5489 or email us now.