With the SQL Server 2008 release here (and the official shipment coming in Q3), there's a lot of buzz around the
more visible features and selling points of Redmond's latest. Things like the new data platform, business intelligence, and database consolidation are certainly appealing – especially to larger enterprises. But what about the "little stuff" like SQL Server database security and compliance? What's your incentive to upgrade to SQL Server 2008 from that perspective?
Looking at this from a confidentiality, integrity and availability perspective – the essence of security and compliance – there are quite a few new selling points. Microsoft is pushing "near zero downtime" and has new availability and recovery features in SQL Server 2008 that have only been available in third-party solutions in the past. They include prioritization management and failover improvements such as hot-swap replication and the ability to recover off of a mirrored server. With such critical business applications depending on SQL Server, and all of the complexities associated with business continuity and recovery, anything Microsoft can do to help the process will be much applauded.
Another area Microsoft is touting is administrator productivity. This includes greater visibility into database health and surface area configuration policies that can scale across multiple SQL Server systems. Dubbed the Declarative Management Framework in SQL Server 2008, I think this alone could reduce security risks as much as any other new feature. One of the greatest security problems I've seen is the lack of consistent server configurations. The new framework will help fill in those configuration management and change management gaps. That is, if the features get used.
SQL Server 2008 has better security audit functionality via self-defined audit triggers. It also supports schema-based permissions capabilities that allow more granular control on existing objects and will scale to new objects created in the future.
More on SQL Server security and upgrading
SQL Server 2008 offers more encryption capabilities – which have been necessary evils for compliance but difficult to implement in the real world. With transparent data encryption, application modification is no longer necessary because encryption works at the file level. A database encryption key is used that applies across the entire database -- and that may just make encrypting the crown jewels relatively simple and practical once and for all. You can also digitally sign stored procedures to ensure that only valid code runs on the system.
SQL Server patches will be available via Windows Update and you'll be able to enforce Windows domain password policies on SQL Server accounts.
Managing SQL Server 2008 databases will also be possible via Windows PowerShell. That's good and bad. I'm now imagining the possibilities on a hacked server: Remote command prompt and full control via Metasploit anyone? That said, you"ll be able to define execution contexts for database modules, which means statements will run in the context you define instead of the permissions of the user making the call. It's certainly a formidable control to ward off hack and malware attacks. Again, if it's used.
I'll stay positive and give SQL Server 2008 the benefit of the doubt. SQL Server 2005 hasn't been too shabby on the security and compliance side. The new version looks even better. Microsoft can't fix business processes and the lack of security buy-in, so I suspect the basic vulnerabilities won't change much with SQL Server 2008. In other words, it will still be up to you. If you're proactive and take advantage of new security and compliance features in SQL Server 2008, you'll finally have a reasonable way to achieve and maintain database safety and confidentiality that has, up to now, been a gaping hole in most businesses.
Take the SQL Server 2008 CTP for a spin and see what you think. Now, stay tuned for the next step when we'll see just how it stands up to a few good vulnerability scanners and some manual poking and prodding.
ABOUT THE AUTHOR
Kevin Beaver, is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.