SQL Server 2008 security and compliance features reduce security risks

Looking at this from a confidentiality, integrity and availability perspective – the essence of security and compliance – there are quite a few new selling points. Microsoft is pushing "near zero downtime" and has new availability and recovery features in SQL Server 2008 that have only been available in third-party solutions in the past. They include prioritization management and failover improvements such as hot-swap replication and the ability to recover off of a mirrored server. With such critical business applications depending on SQL Server, and all of the complexities associated with business continuity and recovery, anything Microsoft can do to help the process will be much applauded.

Another area Microsoft is touting is administrator productivity. This includes greater visibility into database health and surface area configuration policies that can scale across multiple SQL Server systems. Dubbed the Declarative Management Framework in SQL Server 2008, I think this alone could reduce security risks as much as any other new feature. One of the greatest security problems I've seen is the lack of consistent server configurations. The new framework will help fill in those configuration management and change management gaps. That is, if the features get used.

SQL Server 2008 has better security audit functionality via self-defined audit triggers. It also supports schema-based permissions capabilities that allow more granular control on existing objects

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT SQL Server Security The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Securing SQL Server with access control, login monitoring and DDL triggers SQL Server security: Controlling access via database roles Implementing security audit in SQL Server 2008 New security features in SQL Server 2008 leave some work for you Can I encrypt and restore a database backup in SQL Server 2005? FAQ: How to troubleshoot and grant SQL Server permissions Secure SQL Server from SQL injection attacks Microsoft SQL Server 2008 (Katmai) A first look at Microsoft SQL Server 2008 R2 Understanding transparent data encryption in SQL Server 2008 Working with sparse columns in SQL Server 2008 Implementing SQL Server 2008 FILESTREAM functionality Microsoft renames SQL Server release, adds data services New GROUP BY option provides better data control in SQL Server 2008 An overview of SQL Server Report Builder 2.0 Scaling up vs. scaling out with SQL Server 2008 New replication features in SQL Server 2008 and what they mean to you Migrating to SQL Server 2008 and leveraging new features SQL Server Database Compliance Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Sarbanes-Oxley compliance checklist: IT security and SQL audits Security testing for compliance – just how much do you need? Meet compliance with improved database security practices Logging for security compliance in SQL Server Wrangling the data behemoth Expert: Lengthy logs not always a good thing Licensing concerns when upgrading SQL Server Are you ready for a compliance audit?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

and will scale to new objects created in the future. SQL Server 2008 offers more encryption capabilities – which have been necessary evils for compliance but difficult to implement in the real world. With transparent data encryption, application modification is no longer necessary because encryption works at the file level. A database encryption key is used that applies across the entire database -- and that may just make encrypting the crown jewels relatively simple and practical once and for all. You can also digitally sign stored procedures to ensure that only valid code runs on the system.

SQL Server patches will be available via Windows Update and you'll be able to enforce Windows domain password policies on SQL Server accounts.

Managing SQL Server 2008 databases will also be possible via Windows PowerShell. That's good and bad. I'm now imagining the possibilities on a hacked server: Remote command prompt and full control via Metasploit anyone? That said, you"ll be able to define execution contexts for database modules, which means statements will run in the context you define instead of the permissions of the user making the call. It's certainly a formidable control to ward off hack and malware attacks. Again, if it's used.

I'll stay positive and give SQL Server 2008 the benefit of the doubt. SQL Server 2005 hasn't been too shabby on the security and compliance side. The new version looks even better. Microsoft can't fix business processes and the lack of security buy-in, so I suspect the basic vulnerabilities won't change much with SQL Server 2008. In other words, it will still be up to you. If you're proactive and take advantage of new security and compliance features in SQL Server 2008, you'll finally have a reasonable way to achieve and maintain database safety and confidentiality that has, up to now, been a gaping hole in most businesses.

Take the SQL Server 2008 CTP for a spin and see what you think. Now, stay tuned for the next step when we'll see just how it stands up to a few good vulnerability scanners and some manual poking and prodding.

[TABLE]

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.