Export (0) Print
Expand All

Security Features (OLTP)---a Technical Reference Guide for Designing Mission-Critical OLTP Solutions

SQL Server 2012

Want more guides like this one? Go to Technical Reference Guides for Designing Mission-Critical Solutions.

Microsoft SQL Server has many security features, including (but not limited to) authentication, authorization, encryption, auditing, policy-based management, and Transparent Data Encryption (TDE). Database security is only one aspect of securing the platform and the application. Security features beyond the database range from firewall, anti-malware, antivirus programs, and Windows security updates, to end-to-end application auditing and packet sniffing. Microsoft software includes many of these security features, so it can be used to build end-to-end secure environments.

Best Practices

The following resources provide some general information about compliance and security features.

  • The web site SQL Server 2008: Compliance1 is the main site for information about SQL Server compliance, including an overview of governance. The following sections on the site are of particular interest:

    • Encrypting database dataGuidance and references for protecting sensitive data using encryption.

    • Auditing sensitive informationGuidance and references for monitoring database events.

    • Securing the platform Guidance and references for securing the platform, end to end.

    • Using policy-based management to define, deploy, and validate policies Guidance and references for using policy-based management to address compliance requirements.

    • Controlling identity and separation of dutiesGuidance and references about the basics of identity and access control in addition to the policies surrounding the separation of duties.

  • The white paper Reaching Compliance: SQL Server 2008 Compliance Guide2 includes a deep dive into understanding compliance and its impact through regulatory requirements and organization policies.

  • The Enterprise Policy Management Framework3 (EPM) is a CodePlex project that provides an end-to-end working framework for using SQL Server Policy-Based Management features to reach compliance goals. A key contribution of the EPM is that it allows the inclusion of SQL Server 2000 and 2005 servers into the framework.

  • The Centralized Auditing Framework4 is a CodePlex project that provides an end-to-end working framework for using SQL Server XEvents-based auditing feature to reach compliance goals.

Case Studies and References

Questions and Considerations

This section provides questions and issues to consider when working with your customers.

  • Understanding compliance governance requirements allows you to determine the necessary IT features. It is important to research the specific local requirements in each location that the organization operates in.

  • An important consideration is how does Microsoft get them to all work together? A potential solution is to work with outside vendors to provide end-to-end compliance solutions using SQL Server security features.

  • Note that to truly secure the database, the entire platform must be secure.

Appendix

Following are the full URLs for the hyperlinked text.

1 SQL Server 2008: Compliancehttp://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx

2 Reaching Compliance: SQL Server 2008 Compliance Guidehttp://sqlcat.com/whitepapers/archive/2008/11/15/reaching-compliance-sql-server-2008-compliance-guide.aspx

3 Enterprise Policy Management Frameworkhttp://www.codeplex.com/EPMFramework

4 Centralized Auditing Frameworkhttp://sqlcat.codeplex.com/wikipage?title=sqlauditcentral&referringTitle=Home

5 ParenteBeard: Deploying SQL Server 2008 Based on Payment Card Industry Data Security Standards (PCI DSS). Note: if the link does not open when clicked, copy the URL into a browser.http://www.parentebeard.com/Uploads/Files/Deploying_SQL_Server_2008_Based_on_PCI_DSS.PDF

6 TechNet Webcast: SQL Server 2008 Capabilities for Meeting PCI Compliance Needshttp://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032404174&CountryCode=US

7 Beth Israel Deaconess Medical Center: Major Hospital Enhances Auditing Infrastructure using SQL Server 2008http://www.microsoft.com/canada/casestudies/Case_Study_Detail.aspx?casestudyid=4000003892

8 TechNet Webcast: Supporting HIPAA Compliance with SQL Server 2008http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032441700&Culture=en-US

9 Jefferson Wells: Supporting HIPAA Compliance with Microsoft SQL Server 2008http://www.jeffersonwells.com/mssql2008hipaa

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft