Database administrators (DBAs) wary of additional security headaches when running SQL Server in a virtualized environment should relax, according to database experts. SQL Server security issues in the virtualized world pretty much mirror the security challenges of traditional database environments.
Typically, SQL Server is one of the last applications to be virtualized, mostly because DBAs have been reluctant to put what is perceived as a highly demanding application in an environment where it might suffer from performance bottlenecks, not to mention confront unfamiliar security challenges.
Yet the same advantages that virtualization delivers for other applications -- primarily, reducing hardware requirements, the promise of less downtime and easier maintenance, in addition to reduced power and cooling needs in the data center -- are prompting companies to look at SQL Server virtualization as both an economical and still highly secure way to deploy applications.
"From a security perspective, there are no unique challenges -- you're running on a Windows box with another layer underneath that is running the hypervisor," noted Denny Cherry, an independent SQL Server consultant and the author of the book Securing SQL Server. "There's really nothing different to worry about between the virtual SQL Server and the physical one. Really, traditional SQL Server best practices stand."
In part, the security concerns stem from a lack of familiarity with virtualized environments and the perception that the extra layers of technology complicate the security equation and open the door to holes in the SQL Server architecture. That's just not so, experts say.
In fact, Brent Ozar, a consulting specialist in SQL Server technologies and founder of Brent Ozar PLF, agreed that the same risks exist whether you're talking SQL Server in a virtual or physical server environment. "If you're using a SAN [storage area network], then the data is already sitting on a shared set of drives -- a malicious SAN administrator can take a snapshot of that data at any time, copy it to other hard drives and then walk off with it," he explained. "This same security concern exists whether we're dealing with virtual or physical servers."
Standard security guidelines
AgFirst Farm Credit Bank, based in Columbia, S.C., didn't let security concerns stop it from deploying SQL Server in a virtualized environment. AgFirst, which leverages virtualization for all its applications, was primarily looking to get high availability for its SQL Server databases, particularly those with a smaller footprint, without having to spend a lot of money on hardware, said K. Brian Kelley, the company's DBA and architect.
"Some people think virtualization offers less security overall, but that's a misperception," he said. "The weakest points are usually through the operating system or in the application deployed with SQL Server. In either case, those are in place whether we're talking a virtual system or a physical system."
The best way to ensure SQL Server security, regardless of the environment, is to apply the standard set of security guidelines. In a physical environment, network administrators and DBAs will periodically review who has access to the data center. Those same controls, Kelley said, should translate to the virtual world with administrators performing regular checks on who has access to the virtualized servers. Same on the networking side for segmenting SQL Server software and protecting it from attack. "If you want to segment SQL Server offline as opposed to doing it with physical equipment, you use the virtualization product to do it," Kelley said.
As with any change, there are some minor modifications. Consider the group of people who have data center access in an organization and compare that with those who have access to virtualized systems. "You really have to evaluate the list," Kelley said. "There's the group of people that can get into the data center to touch the physical servers, but there might be a much bigger group that can touch the administration on virtualized servers. Don't just think about the equivalent of physical access."
Ozar said the reality is that lots of DBAs just don’t put good security guidelines to use when it comes to SQL Server, whether it's deployed in the physical world or on virtualized servers. They also don't pay as much attention to some of the more granular security capabilities as they should. DBAs need to think about their greatest security fears and address them accordingly, regardless of the target environment.
"Think about what would happen if someone stole your backup tapes tomorrow," he said. "If that's a concern for you, then the data needs to be encrypted at all times using SQL Server's transparent data encryption. This is even more important in virtual environments with shared storage where even more people can get access to SQL Server's drives and data files."
Beth Stackpole is a freelance writer who has been covering the intersection of technology and business for 25-plus years for a variety of trade and business publications and websites.