Security Features (OLTP)---a Technical Reference Guide for Designing Mission-Critical OLTP Solutions


Microsoft SQL Server has many security features, including (but not limited to) authentication, authorization, encryption, auditing, policy-based management, and Transparent Data Encryption (TDE). Database security is only one aspect of securing the platform and the application. Security features beyond the database range from firewalls, anti-malware and antivirus programs, and Windows security updates to end-to-end application auditing and packet sniffing. Microsoft software includes many of these security features, so it can be used to build end-to-end secure environments.

Best Practices

The following resources provide some general information about compliance and security features.

  • The website SQL Server 2008: Compliance¹ is the main site for information about SQL Server compliance, including an overview of governance. The following sections on the site are of particular interest:

    • Encrypting database data: Guidance and references for protecting sensitive data using encryption.

    • Auditing sensitive information: Guidance and references for monitoring database events.

    • Securing the platform: Guidance and references for securing the platform, end to end.

    • Using policy-based management to define, deploy, and validate policies: Guidance and references for using policy-based management to address compliance requirements.

    • Controlling identity and separation of duties: Guidance and references about the basics of identity and access control, in addition to the policies surrounding the separation of duties.

  • The white paper Reaching Compliance: SQL Server 2008 Compliance Guide² includes a deep dive into understanding compliance and its impact through regulatory requirements and organization policies.

  • The Enterprise Policy Management Framework³ (EPM) is a CodePlex project that provides an end-to-end working framework for using SQL Server Policy-Based Management features to reach compliance goals. A key contribution of the EPM is that it allows the inclusion of SQL Server 2000 and 2005 servers in the framework.

  • The Centralized Auditing Framework⁴ is a CodePlex project that provides an end-to-end working framework for using the SQL Server XEvents-based auditing feature to reach compliance goals.

Case Studies and References

Questions and Considerations

This section provides questions and issues to consider when working with your customers.

  • Understanding compliance governance requirements allows you to determine the necessary IT features. It is important to research the specific local requirements in each location that the organization operates in.

  • An important consideration is how Microsoft gets all of these features to work together. A potential solution is to work with outside vendors to provide end-to-end compliance solutions using SQL Server security features.

  • Note that to truly secure the database, the entire platform must be secure.


Following are the full URLs for the hyperlinked text.

1 SQL Server 2008: Compliance

2 Reaching Compliance: SQL Server 2008 Compliance Guide

3 Enterprise Policy Management Framework

4 Centralized Auditing Framework

5 ParenteBeard: Deploying SQL Server 2008 Based on Payment Card Industry Data Security Standards (PCI DSS)

6 TechNet Webcast: SQL Server 2008 Capabilities for Meeting PCI Compliance Needs

7 Beth Israel Deaconess Medical Center: Major Hospital Enhances Auditing Infrastructure using SQL Server 2008

8 TechNet Webcast: Supporting HIPAA Compliance with SQL Server 2008

9 Jefferson Wells: Supporting HIPAA Compliance with Microsoft SQL Server 2008