Date: 2021-10-20

As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Grant Fritchey.

Grant Fritchey has worked for more than 30 years in IT as a developer and a DBA. He has built systems from the major enterprise to distributed systems to small boutique companies. Grant writes articles on various data-related topics for the #1 SQL Server education and community site, SQLServerCentral and Redgate’s technical journal, Simple Talk. He is the author of multiple books including SQL Server Execution Plans and SQL Server Query Performance Tuning. He develops and presents complete structured learning plans to teach Azure, AWS, and other data-related topics to developers and other IS personnel. Grant is a Microsoft Data Platform MVP and an AWS Community Builder.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

My mother and I moved around a bunch when I was a kid, but we finally settled in Tulsa, Oklahoma, where I called home and ran wild through the creeks & woods.

Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.

Not so much inspiration as a failure to notice what I was walking into. I was working for a startup as a developer. We had a database that was a wreck. One day, I hit a problem and just lost my mind. I went in to the boss and declared we needed a database expert. I started in on all the problems. My boss started writing them down on the white board. After we had about 5 or 6 things listed, he turned to me and said “OK. Which one are you going to start with?” From that day forward, I specialized in databases.

Can you share the most interesting story that happened to you since you began your career?

I worked for a dot com that failed. However, the owners took the tech we had developed, which monitored web pages and collected data, and started committing crimes. They got caught and were prosecuted. I was contacted by the prosecution who said, “We’re told that you can’t link an individual to the information collected, is that true?” Well, it wasn’t. I had the data model and explained to them exactly how it was possible. It was really wild to see something that was originally benign turned to bad deeds.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Early in my life, before I started doing IT full time, I was working doing data entry and typing as a temporary worker. The agency I worked with also provided personnel for development and support roles. You had to test out on software to prove you knew it. I was reading manuals over the weekend and then testing on Mondays and passing. The head of development, a wonderful woman who actually worked for a time with Grace Hopper, spotted me learning different software programs really quickly and decided to mentor me into a development role. I moved fully into IT and never looked back.

Are you working on any exciting new projects now? How do you think that will help people?

Absolutely! Redgate Software is building a multi-platform solution for database deployment that will create a process that uses both state-based (comparing two structures to find the differences) and migrations (a manifest of changes) to automate database deployments. Combining these two methods through an automated process just has never been done before. It’s going to radically improve the way databases get deployed.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Movement. Whether you’re doing some high intensity workouts, or just taking a stroll around the back yard, getting away from your computer and moving your body does more for recharging your mind than anything else.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?

The best way an organization can protect people’s information is to change their thoughts around who owns the data. Instead of being the owner of a person’s email after they give it to you, think instead that you’re simply the steward of that information. It’s been placed into your care, for a time, and then you’re going to pass it back, intact, protected, the whole time you managed it. This fundamental shift in thinking will do more to move the organization into a safe space when it comes to the law than anything else.

Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?

This is hard for existing data structures and applications, but every new piece of data management and storage code must be designed, from the start, with two things in mind. First, you have to have a way to remove or anonymize people’s information. Second, you must build your systems with security in mind at the start. Doing these two things will help you get where you need to be. Now, older systems, they simply have to go through update processes to arrive at the same spot.

In the face of this changing landscape, how has your data retention policy evolved over the years?

Forever is just no longer how long data is kept. It just isn’t. Now, you plan on removing information that is older than whatever legal requirement there is for keeping it (tax purposes, things like that, drive the length of retention of some data).

Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?

Well, the GDPR was the wake-up call for data privacy and retention. However, the real worry is the fact that it doesn’t look like the United States is going to have a federal law governing data. Instead, there are likely to be 50 individual sets of law. This means that an organization is going to have to research to find the most stringent of the 50 sets of laws and follow that. Plus, track how all 50 sets of laws change over time. This makes for a pretty frantic situation when it comes to data management.

In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?

Yes. They really have. I would suggest your readers take a look at Redgate’s Data Masker. It’s currently just for SQL Server, but will be multi-platform in the future. It allows you to programmatically take control of ensuring that protected information doesn’t get into non-production, unsecure environments. This enables you to use production-like data in development and testing while still protecting the information in your care.

There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?

Honestly, no. They are simply reinforcing an attitude I developed years and years ago. We must be secure by default. There is no longer any excuse for not ensuring all standard security has been implemented. Putting databases outside of a firewall and leaving off the password, as has happened numerous times in just the last few weeks, not to mention over the past few years, is criminal, literally. All this has just strengthened my resolve to ensure we have secure information.

Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)

1. Test your backups by running a restore: There are simply legions of stories about people who thought they had backed up their data, but never tested that supposition. I think my favorite though was the organization that thought their RAID setup on their SAN meant their data was backed up. When the database got corrupted, they realized that redundant storage just meant redundant corruption. They went out of business because all the information was lost.

2. Create a plan for patching and upgrades on your applications and servers: My own personal blog was hacked because I had delayed implementing a patch. I was aware that a vulnerability had been exposed, and fixed, in WordPress, but I assumed I’d have a few weeks to get it implemented. My web site was taken over by hackers. Happily, I was alerted before they did too much damage and I was able to get a backup in place (see rule #1) to get the blog back online. I then, of course, immediately patched the server.

3. You must be able to delete customer information: An organization I know, who will remain very nameless, had a database where personally identifying information was the primary and foreign keys in the relational data structure. They literally could not remove a piece of private information without removing all the information about the client, whether it was private or not. A complete rebuild of the database was necessary.

4. Development is inherently insecure, so you must have methods in place for ensuring production information isn’t used in development: My favorite story here is a pretty simple one. A developer had the complete copy of the production data on their laptop. They lost the laptop. Another person found it, was able to get on to it (it wasn’t secured at all by a password), and read all the data. They actually advertised the laptop on eBay and included the fact that you’d be getting the company information along with the laptop.

5. Test your security regularly: You can have the best possible intentions and build your databases securely, but things change around you all the time. A new piece of software may get introduced. Who knows. You have to plan for regular security checks to ensure that, after all the hard work you’ve done, you’re still secure.
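Points 3 and 4 above describe two design decisions rather than tools, so here is an added illustration of both; it is example code written for this page, not code from the interview, from Grant Fritchey, or from any Redgate product, and it uses SQLite in place of SQL Server. It builds the anti-pattern schema (the e-mail address is the customers primary key and the orders foreign key), shows that a customer cannot be forgotten there without losing their order history, then builds the remediated schema with a surrogate integer key where the PII columns can be nulled in place. The same surrogate-keyed copy is then masked for a non-production environment, with fake values derived from a hash of the id so the masked data stays referentially consistent. Table and column names and the sample customers are constructed assumptions.

```python
"""Added example for this page: PII-as-key vs surrogate keys, right to
erasure, and masking a copy for non-production. Not the interview's code."""
import hashlib
import sqlite3

# Constructed sample data; these are not real people.
CUSTOMERS = [
    ("alice@example.com", "Alice Example", "555-0100"),
    ("bob@example.com", "Bob Example", "555-0101"),
]
ORDERS = [
    ("alice@example.com", 19.99),
    ("alice@example.com", 5.00),
    ("bob@example.com", 42.00),
]


def build_pii_keyed_db():
    """Anti-pattern from point 3: the e-mail address is both the customers
    primary key and the orders foreign key, so PII is part of the structure."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript("""
        CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT, phone TEXT);
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            customer_email TEXT NOT NULL REFERENCES customers(email),
            amount REAL NOT NULL);
    """)
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    con.executemany("INSERT INTO orders (customer_email, amount) VALUES (?, ?)", ORDERS)
    con.commit()
    return con


def build_surrogate_keyed_db():
    """Remediated design: an opaque integer id is the key; PII lives only in
    ordinary columns that can be nulled or masked without touching orders."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript("""
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY, email TEXT UNIQUE, name TEXT, phone TEXT);
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(id),
            amount REAL NOT NULL);
    """)
    con.executemany(
        "INSERT INTO customers (email, name, phone) VALUES (?, ?, ?)", CUSTOMERS)
    for email, amount in ORDERS:
        con.execute("INSERT INTO orders (customer_id, amount) "
                    "SELECT id, ? FROM customers WHERE email = ?", (amount, email))
    con.commit()
    return con


def erase_pii_keyed(con, email):
    """Try to forget a customer but keep their order history.
    Returns (erased, orders_still_attached). With PII as the key the only
    choices are to fail or to delete the orders as well."""
    try:
        con.execute("DELETE FROM customers WHERE email = ?", (email,))
    except sqlite3.IntegrityError:  # orders still reference the e-mail key
        kept = con.execute("SELECT COUNT(*) FROM orders WHERE customer_email = ?",
                           (email,)).fetchone()[0]
        return False, kept
    con.commit()
    return True, 0


def erase_surrogate_keyed(con, email):
    """Right to erasure: null out the PII columns in place. Orders stay attached
    to the surrogate id, so aggregate reporting keeps working."""
    row = con.execute("SELECT id FROM customers WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False, 0
    con.execute("UPDATE customers SET email = NULL, name = NULL, phone = NULL "
                "WHERE id = ?", row)
    con.commit()
    kept = con.execute("SELECT COUNT(*) FROM orders WHERE customer_id = ?",
                       row).fetchone()[0]
    return True, kept


def mask_for_nonprod(prod_con):
    """Point 4: hand developers a copy with production shape and volume but no
    real PII. Fake values derive from a hash of the id, so one masked customer
    stays consistent across refreshes. The copy is taken with the online
    backup API, which doubles as a cheap restore exercise (point 1)."""
    dev = sqlite3.connect(":memory:")
    prod_con.backup(dev)
    ids = [r[0] for r in dev.execute(
        "SELECT id FROM customers WHERE email IS NOT NULL").fetchall()]
    for cid in ids:
        tag = hashlib.sha256(f"customer:{cid}".encode()).hexdigest()[:8]
        dev.execute("UPDATE customers SET email = ?, name = ?, phone = ? WHERE id = ?",
                    (f"user-{tag}@example.invalid", f"Masked {tag}",
                     f"000-{tag[:4]}", cid))
    dev.commit()
    return dev


def leaked_real_pii(con):
    """Return any production e-mail addresses that survived into a copy."""
    real = {c[0] for c in CUSTOMERS}
    found = [r[0] for r in con.execute("SELECT email FROM customers").fetchall()]
    return sorted(e for e in found if e in real)


if __name__ == "__main__":
    print("PII-keyed erase:", erase_pii_keyed(build_pii_keyed_db(), "alice@example.com"))
    good = build_surrogate_keyed_db()
    print("surrogate-keyed erase:", erase_surrogate_keyed(good, "alice@example.com"))
    print("leaked into dev copy:", leaked_real_pii(mask_for_nonprod(build_surrogate_keyed_db())))
```

The deterministic hash in `mask_for_nonprod` is what keeps a masked customer stable across refreshes; the important property for the laptop scenario in point 4 is simply that the copy carries no value that can be tied back to a real person, which `leaked_real_pii` checks for e-mail addresses.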

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

Fast Fixes: We set up a system that monitors our OS and services to ensure we know the moment a patch is available. Then, we test and implement that patch. Simple.

How can our readers further follow your work online?

I write for Redgate Software at the Redgate Blog and I write articles, record videos and do presentations through the Redgate Hub. I also blog at ScaryDBA.com and, as mentioned earlier, regularly contribute to SQLServerCentral and Simple Talk.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!