SQL Server 2008 security and compliance features reduce security risks

With the SQL Server 2008 release here (and the official shipment coming in Q3), there's a lot of buzz around the more visible features and selling points of Redmond's latest. Things like the new data platform, business intelligence, and database consolidation are certainly appealing – especially to larger enterprises. But what about the "little stuff" like SQL Server database security and compliance? What's your incentive to upgrade to SQL Server 2008 from that perspective?

Looking at this from a confidentiality, integrity and availability perspective – the essence of security and compliance – there are quite a few new selling points. Microsoft is pushing "near zero downtime" and has new availability and recovery features in SQL Server 2008 that have only been available in third-party solutions in the past. They include prioritization management and failover improvements such as hot-swap replication and the ability to recover off of a mirrored server. With such critical business applications depending on SQL Server, and all of the complexities associated with business continuity and recovery, anything Microsoft can do to help the process will be much applauded.

Another area Microsoft is touting is administrator productivity. This includes greater visibility into database health and surface area configuration policies that can scale across multiple SQL Server systems. Dubbed the Declarative Management Framework in SQL Server 2008, I think this

    Requires Free Membership to View

alone could reduce security risks as much as any other new feature. One of the greatest security problems I've seen is the lack of consistent server configurations. The new framework will help fill in those configuration management and change management gaps. That is, if the features get used.

SQL Server 2008 has better security audit functionality via self-defined audit triggers. It also supports schema-based permissions capabilities that allow more granular control on existing objects and will scale to new objects created in the future.

More on SQL Server security and upgrading:

 SQL Server 2008 offers more encryption capabilities – which have been necessary evils for compliance but difficult to implement in the real world. With transparent data encryption, application modification is no longer necessary because encryption works at the file level. A database encryption key is used that applies across the entire database -- and that may just make encrypting the crown jewels relatively simple and practical once and for all. You can also digitally sign stored procedures to ensure that only valid code runs on the system.

SQL Server patches will be available via Windows Update and you'll be able to enforce Windows domain password policies on SQL Server accounts.

Managing SQL Server 2008 databases will also be possible via Windows PowerShell. That's good and bad. I'm now imagining the possibilities on a hacked server: Remote command prompt and full control via Metasploit anyone? That said, you"ll be able to define execution contexts for database modules, which means statements will run in the context you define instead of the permissions of the user making the call. It's certainly a formidable control to ward off hack and malware attacks. Again, if it's used.

I'll stay positive and give SQL Server 2008 the benefit of the doubt. SQL Server 2005 hasn't been too shabby on the security and compliance side. The new version looks even better. Microsoft can't fix business processes and the lack of security buy-in, so I suspect the basic vulnerabilities won't change much with SQL Server 2008. In other words, it will still be up to you. If you're proactive and take advantage of new security and compliance features in SQL Server 2008, you'll finally have a reasonable way to achieve and maintain database safety and confidentiality that has, up to now, been a gaping hole in most businesses.

Take the SQL Server 2008 CTP for a spin and see what you think. Now, stay tuned for the next step when we'll see just how it stands up to a few good vulnerability scanners and some manual poking and prodding.

Kevin Beaver, is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummiesand Hacking Wireless Networks For Dummies(Wiley). He's also the creator of the Security on Wheels information security audio books and blogproviding security learning for IT professionals on the go. Kevin can be reached at  kbeaver@principlelogic.com.

This was first published in March 2008

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.