SQL Server MVP Deep Dives 2, Chapter 11
This chapter is a high level, easy to read explanation of PID (Personally Identifiable Data) and why it is our job as the DBA to protect that information. If you have not come across this concept yet, PID is typically things like Social Security Number, Date of Birth, Driver’s license number, and images of fingerprints.
Protecting this data is such an important job that John says this is the work of a superhero. He evokes our memory of Saturday morning cartoons stating that the lineup of the Justice league today would need to include the DBA. What powers would the DBA need to protect this personal information. The powers he lists are not technical in nature. John wants us to know that “these superpowers are data conservation and ambassadorship.” It is the job of the DBA to be the steward of the data and to be the bridge between the business and the IT department to figure out how best to meet the guidelines for your industry. He argues that we have the technical knowhow and familiarity with the data to be in a unique position to help with these types of problems.
I was sort of hoping for super speed and a Datamobile, but his powers sound good too.
Of course no good hero would be caught without his utility belt and John lists the tools that we can use to help protect our data.
- Retention policies – Only keep data as long as you need it and in some cases as long as you are allowed to. Some PID information can only be kept for a certain time frame or while it is considered “active.”
- Role-based permission – This could be a whole deep dive on its own and in fact John links to an MSDN article on the subject for more information. The basics are set up roles and only allow access to what people need to access
- Data Separation – Hand in hand with roles is to keep the data in separate schemas so that it is easy to grant access only to what those roles need.
- Obfuscation – No talk about PID would be complete without talking about encryption. He also recommends using hashing, character masking and encoding to obscure data.
He summarizes the chapter by reminding the reader that the tools are only as good as what we are allowed/required to do in our environment.
“Among all the tools we’ve discussed there is one that’s a matter of passion and awareness. It’s a tool that doesn’t require a computer, a policy, or a single digit of code. It’s the education and evangelism of data conservation.”
Mr. Magnaboscp does a good job of outlining PID concerns in this chapter, but If you don’t have a copy of Deep Dives II or just want to read more about this topic you can download a free copy of John Magnabosco’s book, Protecting SQL Server Data, from Simple-Talk.
One last observation. As a rule I put people’s Twitter handle and blog page next to their name when I am writing about them. I found it very satisfying that Mr. Magnabosco is the first author to have his Twitter account locked down. Given his concern for PID and knowledge of data security it makes me wonder if I should emulate him?
Chapter Eleven SQL Server MVP:
John Magnabosco (B|T) Data Coach at Defender Direct in Indianapolis, is passionate about the security of sensitive data that we all store in our databases. He’s the author of Protecting SQL Server Data, published by Simple Talk Publishing. Additionally, he cofounded IndyPASS and IndyTechFest. In 2009 and 2010, John was honored to receive the SQL Server MVP designation. When his attention is drawn to recreation, he enjoys writing, listening to music, and tending to his chile garden.