This blog posting is meant to bring attention to the fact that I'm doing a preconference talk, "A Day of SQL Server Security" at TechEd 2010 in New Orleans in June. OK, the TechEd folks asked me to publicize it. I'm also doing two breakout sessions, one on "Entity Framework and LINQ2SQL vs. Stored Procedures", and the other on "Integrating Microsoft SQL Server Event Tracing with OS-Level Events and Database Client Events".
Although I've done individual topics of SQL Server Security before (e.g. Auditing, at TechEd Europe 2009) you might be saying to yourself, "this Beauchemin guy is known for database development, what's his background in security anyhow?". Well, I did write the "SQL Server Security Best Practices Whitepaper" for SQL Server 2005. But there's a better story.
In 1992, I made my one-and-only foray into the world of startup companies, when I joined (as employee #2) a company called Open Computing Security Group (OCSG). This company eventually grew and changed its name to CyberSafe, and it's still around today. At "the beginning" we concentrated on Kerberos software, releasing commercial versions of Kerberos for 5-6 Unix variants and Kerberos clients for Windows (3.1) and Mac. This included SDKs, like the GSSAPI, and clients like klogin/klogind. My first Kerberos port was targeted at the NeXT computer.
The new company was going strong and, in addition to the products, we did security audits and taught classes on Kerberos protocol and implementation. The very first class I ever taught was on Kerberos; students seemed to like it, although I immediately went back to being "that geek in the corner who wrote code, and spoke to no one". Other classes came along post-OCSG.
When Kerberos R5 was released, I was asked to brainstorm a list of products where Kerberos could be integrated. I came up with about 25 ideas (probably not new ideas, but they were new to me) including using Kerberos for database authentication/authorization and using a database as a repository for the KDC. Eventually, I split with the company as it grew.
I've always had a fondness for computer security ever since. And I've been implementing, studying, and teaching anything to do with SQL Server security. Hence, the preconference talk. Be you DBA, developer, architect, or anything in between, I think it will be worth your while.