Logging for security compliance in SQL Server

What's right for your business?
The word "reasonable" is tricky too because everyone has their own definition of what should be logged and how logs should be managed. In the end, reasonable logging will likely end up being defined by the courts. What you can do in the meantime though is to make sure you're in "the middle of the herd" and do not stand out. The first thing is to determine what servers and specific databases actually contain sensitive information that must be protected. This may be something you do on your own or something that has already been done in a recent information risk assessment. Keep in mind, you'll likely have some servers in development or testing that house sensitive information, and therefore, won't need any level of log.

Every environment is different and all businesses have varying levels of risk, but at least consider the following logs:

When delving into audit logging and system monitoring, do yourself a huge favor and inve

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT SQL Server Database Compliance Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Sarbanes-Oxley compliance checklist: IT security and SQL audits SQL Server 2008 security and compliance features reduce security risks Security testing for compliance – just how much do you need? Meet compliance with improved database security practices Wrangling the data behemoth Expert: Lengthy logs not always a good thing Licensing concerns when upgrading SQL Server Are you ready for a compliance audit? SQL Server Security The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Securing SQL Server with access control, login monitoring and DDL triggers SQL Server security: Controlling access via database roles Implementing security audit in SQL Server 2008 New security features in SQL Server 2008 leave some work for you Can I encrypt and restore a database backup in SQL Server 2005? FAQ: How to troubleshoot and grant SQL Server permissions Secure SQL Server from SQL injection attacks SQL Server Management A first look at Microsoft SQL Server 2008 R2 Maintaining high availability of SQL Server virtual machines Creating fault-tolerant SQL Server installations Using Microsoft Hyper-V for SQL Server consolidation Scaling up vs. scaling out with SQL Server 2008 Migrating to SQL Server 2008 and leveraging new features Testing a SQL Server environment before an upgrade Does upgrading to SQL Server 2008 fit your business? Meeting business needs with SQL Server full-text search Using dynamic management views to improve SQL Server index effectiveness

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

st in a third-party logging and event management application such as GFI's EventsManager, or for plain SQL Server log auditing ApexSQL Log is an option. Visit LogAnalysis.org for a list of other commercial products. These tools will save you tons of time and effort. I also recommend guidance provided by NIST's Guide to Computer Security Log Management.

Proceed with caution
Any administrator that's enabled logging knows it can create a significant impact on system performance and storage requirements. I've heard legal experts, less-experienced administrators and others that don't understand the negative impacts of logging make logging recommendations. I've heard poor recommendations including: 'when in doubt more is better,' 'log everything' and 'keep your logs forever.' Certain database security auditing tools even recommend enabling various SQL Server logging features such as C2 audit mode to track misuse. All of this sounds good on paper and will obviously please regulators, auditors, and investigators, but at what cost?

The problem with blindly following these idealistic recommendations of vendors, auditors and the uninformed instead of planning out what you need based on business risk is that you'll create a situation where logging actually has a negative impact on your business. Whether it is eating up memory, requiring too many processor slices, or perhaps worst of all, gobbling up storage space faster than you can say petabyte. I've seen Windows and SQL Server logging enabled that has caused local system partitions to fill up in a matter of minutes and which have also created situations where the SQL Server stops responding altogether. Of all the servers on your network, your SQL Servers are likely the last ones you want to make hang or reboot. Talk about too much security getting in the way of business! Besides the technical issues, another thing to keep in mind is that logging everything and keeping the logs indefinitely can introduce legal liabilities and huge discovery expenses as well. Do I even need to mention the administrative burden and inability for the average human to get anything worthwhile out of too many logs?

Don't worry as much about what the privacy and security laws and regulations say. They certainly don't delve into logging specifics. By all means, don't try to manage audit logging and monitoring requirements for each law/regulation separately. Instead, perform a risk assessment and align your compliance initiatives with one of the information security frameworks or standards such as ISO/IEC 17799, CoBIT, or ITIL. If IT and compliance are managed at that level and done the right way, your organization should be able to meet all the compliance requirements across the board without having logs for HIPAA, logs for SOX, logs for PCI and so on.

Whatever you do, don't go at this alone. You don't want to bear the burden of making the critical business decisions associated with audit logging. This will be especially obvious when something bad happens and a regulator, auditor, or forensics investigator pins you down wanting to know your reasoning and business justification for logging what you did (or didn't do). If you and your IT colleagues are bearing a large part of the compliance burden (as is the case in most organizations), run your logging decisions by your organization's legal counsel or compliance manager. Ideally, determining what to log and how to manage logs should be mandated and supported by a compliance or IT governance committee. What I'm trying to say is get and keep others involved. You won't regret it.

[TABLE]

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.