Which of these is more secure?
It’s a trick question – the correct answer is “neither”.
Both castles and vaults have their strengths. Castles are built to withstand large-scale assaults and sieges, but an individual has a good chance of getting inside. Conversely, a vault effectively protects its contents against break-ins by individuals or small groups, but it would not last long against a full-scale military assault.
So what does this have to do with database security? Plenty. A castle is a pretty good analogy for perimeter security, which is the way IT has approached network security since the dawn of interconnected networks. Perimeter security works by restricting the number of entry points and fortifying the ones that remain. A vault complements this approach by protecting important assets against intruders that happen to slip past the perimeter.
The problem is that far too many companies focus almost entirely on perimeter security. Recommendations to secure databases directly are met with excuses – “it’s too inconvenient”, “we don’t have the time/money/people for that project”, “we trust our people”, and “it’s not necessary; we’ve never been hacked”, just to name a few. (Yes, there are companies that do secure their databases appropriately. From what I’ve seen, though, they’re a small minority.)
The question is no longer whether your company will be hacked, but when. Don’t wait for that to happen. Protect your data by any means necessary. You have too much to lose.
I’m teaching a pre-conference session on creating a strategy to protect your data at SQLSaturday Minnesota on September 30. More information and registration are available on the event website.