Security Features (OLTP)---a Technical Reference Guide for Designing Mission-Critical OLTP Solutions

Want more guides like this one? Go to Technical Reference Guides for Designing Mission-Critical Solutions.

Microsoft SQL Server has many security features, including (but not limited to) authentication, authorization, encryption, auditing, policy-based management, and Transparent Data Encryption (TDE). Database security is only one aspect of securing the platform and the application. Security features beyond the database range from firewalls, anti-malware and antivirus programs, and Windows security updates to end-to-end application auditing and packet sniffing. Microsoft software includes many of these security features, so it can be used to build end-to-end secure environments.

Best Practices

The following resources provide some general information about compliance and security features.

  • The web site SQL Server 2008: Compliance [1] is the main site for information about SQL Server compliance, including an overview of governance. The following sections on the site are of particular interest:

    • Encrypting database data: Guidance and references for protecting sensitive data using encryption.

    • Auditing sensitive information: Guidance and references for monitoring database events.

    • Securing the platform: Guidance and references for securing the platform, end to end.

    • Using policy-based management to define, deploy, and validate policies: Guidance and references for using policy-based management to address compliance requirements.

    • Controlling identity and separation of duties: Guidance and references about the basics of identity and access control, in addition to the policies surrounding the separation of duties.

  • The white paper Reaching Compliance: SQL Server 2008 Compliance Guide [2] includes a deep dive into understanding compliance and its impact through regulatory requirements and organization policies.

  • The Enterprise Policy Management Framework [3] (EPM) is a CodePlex project that provides an end-to-end working framework for using SQL Server Policy-Based Management features to reach compliance goals. A key contribution of the EPM is that it allows the inclusion of SQL Server 2000 and 2005 servers into the framework.

  • The Centralized Auditing Framework [4] is a CodePlex project that provides an end-to-end working framework for using the SQL Server XEvents-based auditing features to reach compliance goals.

Case Studies and References

Questions and Considerations

This section provides questions and issues to consider when working with your customers.

  • Understanding compliance governance requirements allows you to determine the necessary IT features. It is important to research the specific local requirements in each location that the organization operates in.

  • An important consideration is how Microsoft gets all of these security features to work together. A potential solution is to work with outside vendors to provide end-to-end compliance solutions built on SQL Server security features.

  • Note that to truly secure the database, the entire platform must be secure.

Appendix

Following are the full URLs for the hyperlinked text.

[1] SQL Server 2008: Compliance (https://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx)

[2] Reaching Compliance: SQL Server 2008 Compliance Guide (http://sqlcat.com/whitepapers/archive/2008/11/15/reaching-compliance-sql-server-2008-compliance-guide.aspx)

[3] Enterprise Policy Management Framework (https://www.codeplex.com/EPMFramework)

[4] Centralized Auditing Framework (http://sqlcat.codeplex.com/wikipage?title=sqlauditcentral&referringTitle=Home)

[5] ParenteBeard: Deploying SQL Server 2008 Based on Payment Card Industry Data Security Standards (PCI DSS) (http://www.parentebeard.com/Uploads/Files/Deploying_SQL_Server_2008_Based_on_PCI_DSS.PDF). Note: if the link does not open when clicked, copy the URL into a browser.

[6] TechNet Webcast: SQL Server 2008 Capabilities for Meeting PCI Compliance Needs (http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032404174&CountryCode=US)

[7] Beth Israel Deaconess Medical Center: Major Hospital Enhances Auditing Infrastructure using SQL Server 2008 (https://www.microsoft.com/canada/casestudies/Case_Study_Detail.aspx?casestudyid=4000003892)

[8] TechNet Webcast: Supporting HIPAA Compliance with SQL Server 2008 (http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032441700&Culture=en-US)

[9] Jefferson Wells: Supporting HIPAA Compliance with Microsoft SQL Server 2008 (http://www.jeffersonwells.com/mssql2008hipaa)