
How secure is MS SQL on the Internet vs behind firewall inside a LAN 1

Steve Yu (Programmer, US), Nov 6, 2021
Hello,

Our main concern is hackers.
I understand there are many access control mechanisms within MS SQL to control user access.
But what if a hacker somehow figured out the sa credentials, or otherwise gained access to the file system of the server from the public web portal on the Internet?
None of these will likely happen with an MS SQL housed behind a firewall on a LAN with local access only.
Worldwide accessibility is a very desirable feature, but we need to consider the risk first.
Are our worries warranted?
Comments and suggestions appreciated.
 
https://www.tek-tips.com/forums/microsoft-sql-server-setup-and-administration.962/ is the more appropriate forum for such a question.

While nobody here is even pointing that out, it's even less active than this. You might ask at https://www.sqlservercentral.com/, stackexchange's https://dba.stackexchange.com/, or google about SQL Server resources online.

Regarding your question I'd first point out the Security paragraph of this article: https://www.apriorit.com/dev-blog/web-sql-on-premises-vs-cloud
Though it doesn't get very deep, it points out two major issues on-premise security has vs cloud security:
1. CON: You have to have your own dba. You sketch your idea of security by mentioning the firewall. It surely is one instrument, and in all simplicity you can close the port used by your on-premise SQL Server, making it unavailable from outside your LAN, but that does not hinder a hacker interested in your data from hacking from inside, i.e. with a trojan approach working from inside within software you don't even suspect of hacking your on-premise database or other resources.
2. PRO: "you can implement custom security measures tailored to your specific needs and compliance requirements." With the CON that it "will require significant resources."

A problem is that a small and even medium-sized business has no place for a full-time cybersecurity employee, which speaks for a cloud solution. MSSQL has implemented security features to conform to many policy requirements like HIPAA and data privacy policies like the GDPR of the EU by offering data encryption protection at rest and in transit from endpoint to endpoint. If such things and terms are new to you and a dba you may have, it's a strong pro for seeking a cloud solution, because since SaaS and IaaS are well-established services there are professional solutions that make cloud resources easier to secure than on-premise solutions, especially with no on-premise employee having the necessary knowledge and keeping it up to date.

No matter what, endpoint security always is an issue, and the database server is not the only endpoint. It turns out, for example, that humans are bad at reading encrypted data on displays, so it's served in decrypted clear text form to users on their client endpoints. If you think that's obviously unavoidable, you're right. If you think that poses no risk, as it always only shows partial data portions, you only think of a hacker as a person, not the software they use to scrape the data they want on all clients and over long terms, but ideally that's the only security problem you can't solve anyway, and then - besides a security suite that also detects such client endpoint malware - it becomes most important to make your employees aware of social engineering/hacking approaches like phishing and other trickery in that direction of fraud.
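The reply above raises three concrete things a DBA can verify on an on-premise instance: whether the sa login is still a usable target, which addresses and ports the instance actually listens on, and whether data is encrypted in transit and at rest. The following read-only T-SQL posture check is an added example, not code from the thread; it only queries documented catalog views and DMVs and changes nothing.

```sql
-- Added example: read-only security posture check for an on-premise SQL Server.
-- Run as a sysadmin; every query only reads catalog views / DMVs.

-- 1. The built-in sa login (always SID 0x01): is it disabled, and was it renamed?
SELECT name,
       is_disabled,
       CASE WHEN name = 'sa' THEN 'still named sa' ELSE 'renamed' END AS sa_name_state
FROM sys.sql_logins
WHERE sid = 0x01;

-- 2. Authentication mode: 1 = Windows authentication only, so there is no
--    SQL login password (sa included) to guess at all.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 3. Network exposure: the TCP endpoints the instance is listening on.
--    Anything bound to a public address, or to 0.0.0.0 on a host with a
--    public interface, is what a perimeter firewall must actually block.
SELECT ip_address, port, type_desc, state_desc
FROM sys.dm_tcp_listener_states
WHERE type_desc = 'TSQL';

-- 4. Encryption in transit: current connections that are NOT encrypted,
--    with the client address and the authentication scheme they used.
SELECT c.session_id,
       c.client_net_address,
       c.auth_scheme,
       c.encrypt_option
FROM sys.dm_exec_connections AS c
WHERE c.encrypt_option = 'FALSE';

-- 5. Encryption at rest (TDE): every user database and whether it is encrypted.
--    database_id <= 4 are master, tempdb, model and msdb.
SELECT d.name AS database_name,
       d.is_encrypted,
       CASE WHEN d.is_encrypted = 1 THEN 'TDE on' ELSE 'NOT encrypted at rest' END AS at_rest
FROM sys.databases AS d
WHERE d.database_id > 4
ORDER BY d.name;
```

Query 4 only shows sessions open at the moment it runs, so it is worth running during business hours; an empty result there plus is_encrypted = 1 in query 5 is what the "at rest and in transit" claim in the reply looks like in practice.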
 
Thanks for the direction, will re-post to the right forum; my apology.
Actually I did find that forum, but very little activity over there.
 
Actually I did find that forum, but very little activity over there.
A post in a forum a user is subscribed to can trigger a mail informing about a new post. And in general, even without such a mechanism, a new post in a forum is shown to the experts subscribed to it. In MSSQL the setup and administration, the design of a server computer with hardware, the licensing and hardening are really all topics that a database developer is not necessarily an expert in.

I hope you were active elsewhere, at least, and came to a conclusion anyway.