7 Best Practices for Managing SQL Access in Outsourced and Virtual Assistant Teams
Outsourcing work and utilizing virtual assistants have become extremely common for businesses looking to reduce costs. However, providing external teams access to sensitive company data in databases comes with risks. SQL databases often house private customer information, financial records, intellectual property, and more that require thoughtful access control policies.
Implementing the following 7 best practices will allow your business to securely grant limited access to SQL for outsourced and virtual assistant teams:
Table of Contents
1. Principle of Least Privilege
The principle of least privilege is vital when determining appropriate SQL access levels. This principle dictates that users should only be granted the bare minimum database permissions necessary to complete an assigned task.
For example, if a virtual assistant only needs to pull basic customer address records, read-only permissions would suffice. They would not require write, edit, or delete clearance to the other sensitive data contained in the database. Always ask:
- What is the specific role and task being assigned?
- What schema, tables, views, stored procedures, etc., need to be accessed to fulfill it?
- What CRUD (Create, Read, Update, Delete) permissions are essential?
By limiting privileges according to need, the risk of outsiders accessing, modifying, or removing data should not be greatly reduced.
2. Temporary Access
All user permissions in SQL should have an expiration date, especially regarding outsourced assistance. When initially granting permissions, set an end time frame for access to expire unless explicitly renewed automatically.
You may provide permissions to external users for that instance only for one-off requests. For ongoing virtual assistant work, consider access that expires monthly or quarterly and requires manual renewal if responsibilities continue.
Automated expiration of permissions forces the database owner to regularly review who has access and what data they can view. This ensures visibility and the continued appropriateness of assigned access levels.
3. SQL User Access Reviews
In addition to expiring access, businesses should conduct user access reviews for SQL databases at least quarterly. This involves auditing all active user accounts, their permissions, and validating whether they should continue to retain clearance.
As outsourced teams rotate members or take on new assignments, you don’t want credentials lingering once they are no longer necessary. A quarterly user access review requires deliberate re-approval of external team access rather than keeping them indefinitely grandfathered in.
4. Unique SQL User Accounts
Never permit external teams or assistants to share SQL user accounts. Each individual should be provisioned with their own unique user account for auditing and accountability purposes.
Generic or shared credentials essentially render SQL access controls meaningless. With no way to distinguish between outsourced team members, you cannot monitor individual activity nor restrict or revoke clearance on a per person basis.
Additionally, if credentials somehow leak beyond the outsourced group, there is no way to identify the source without unique accounts. Always provision individual accounts assigned to specific external team members.
5. Secure Password Requirements
When creating SQL user accounts for external teams, be sure to enforce strong password requirements. Especially with outsourced access, you want authentication credentials that would be extremely difficult for bad actors to crack.
Enforce requirements like:
- Minimum 12-character passwords
- Mandatory inclusion of special characters
- Forbidding previous passwords or variations
- Regular password expiration (every 90 days)
- Account lockout after a set number of incorrect login attempts
The more complex the password expectations, the better protected the SQL database will be against unauthorized use of outsourced credentials.
6. VPN Access Only
Never allow an outsourced or virtual team direct access to internal SQL servers. Instead, configure a VPN (virtual private network) that external teams must connect through before being able to query the database.
VPN access adds an extra layer of security to your SQL infrastructure. All queries by outsourced teams first route through the business’s network protections before reaching the database servers. This allows activity to be monitored through the VPN rather than permitting external access directly to sensitive SQL servers.
7. Query Monitoring & Alerts
Finally, take advantage of query monitoring and alerts on SQL databases, especially those granting some external access. Native database tooling records all SQL queries executed against the system along with the user account, timestamp, retrieved data, and more.
Set up alerts for query monitoring that notify administrators or database owners whenever:
- An unusual volume of data is pulled from the system
- Access occurs outside of expected hours
- Queries return unusually large data sets
- Failed access attempts reach a set threshold
Alerting provides visibility whenever abnormal or suspicious activity occurs so it can be addressed immediately. Monitoring SQL queries allows quick identification of outsourced teams attempting to access or pull data they should not have the privilege to see.
Establishing SQL Access Policies
Formalizing the above guidelines into established SQL access policies is highly recommended. Documented policies codify database security standards for granting any external team or contractor access in the future.
Well-constructed policies should specify:
- Criteria for determining minimum necessary privileges
- Requirements for temporary access expiration
- Frequency of user access reviews
- Protocol for new user account provisioning
- Password complexity standards
- Approved SQL connectivity methods (VPN)
- Query monitoring criteria and alerts
Ideally, policies should be version controlled so they can be updated as technology changes or new threats emerge. Approval workflows should also be outlined for granting SQL permissions if not directly handled by IT administrators.
Following Industry SQL Security Standards
In developing formal access policies, consider adhering to some common industry standards around securing SQL databases:
SQL Server Security Technical Implementation Guide
Microsoft provides cybersecurity configuration guidelines for locking down SQL Server in their SQL Server Security Technical Implementation Guide. It offers prescriptive guidance on:
- Authentication protocols
- Password policies
- Permission assignments
- Internet connectivity
- Auditing/alerting
Review the recommendations against your existing SQL Server environment when establishing formal policies.
CIS SQL Server Benchmarks
The Center for Internet Security provides consensus-created CIS SQL Server Benchmarks around effective database hardening. Their benchmarks guide on:
- Enforcing password complexity for SQL accounts
- Removing unnecessary access privileges
- Recording login audits
- Configuring CPU throttling to protect against DoS attacks
Periodically check your own SQL infrastructure against CIS benchmarks to identify potential gaps.
NIST 800-53 Rev 5 Controls
NIST’s industry-standard 800-53 Rev 5 outlines comprehensive controls around access management, encryption, auditing, infrastructure protection and more. Specifically regarding database security, it recommends:
- Separating production/non-production environments
- Isolating public-facing interfaces
- Scrubbing sensitive data in non-production systems
- Conducting code reviews for SQL stored procedures
- Encrypting data flows between servers
Map your internal SQL access policies against NIST framework controls to validate coverage.
Conclusion
Allowing outsourced and virtual assistant teams access to internal SQL servers enables important business process efficiencies. However, without proper permissions and controls in place, sensitive customers’ financial and intellectual property are at risk.
By enforcing least privilege permissions, temporary credential expiration, access reviews, unique accounts, strict passwords, VPN-only connectivity and query monitoring, external SQL access can be provisioned more securely. Formalizing database access policies provides ongoing governance as outsourced needs change over time.
What best practices does your business currently employ to manage SQL access for external teams? What policy enhancements may be beneficial to research further? Consider auditing your controls against industry standards for a hardened SQL security posture.