
New security features in SQL Server 2008 leave some work for you

Microsoft has certainly taken security in SQL Server 2008 to a higher level. But as IT security expert Kevin Beaver points out, just because SQL Server 2008 is secure to begin with, that doesn't mean it'll be secure in your environment. Add people and process flaws to the equation and here's what Microsoft can't help you with.

Earlier this year I wrote about how security features in SQL Server 2008 can help reduce risks. Now that SQL Server 2008 has been out for a while, just how secure is it out of the box? Does it flex its muscle and really stand up to common attacks with strength and vigor?

Well, after poking and prodding it with some vulnerability assessment tools, it is looking good. A small footprint indeed, and certainly the best out-of-the-box database security posture I've seen from Microsoft. Unfortunately, none of the mainstream commercial database vulnerability scanners that many of us depend on for really digging into SQL Server weaknesses currently supports SQL Server 2008, at least none of the ones I'm aware of. So that angle of the story remains to be seen.

Vulnerability scanning aside, it's important not to forget that just because a piece of software such as SQL Server 2008 is secure to begin with, that doesn't mean it'll be secure in your environment. Just add people and process flaws to the equation and you've got yourself a recipe for SQL Server security problems that no amount of built-in security can help.

Here's a run-down of what Microsoft can't help you with:

Even with all the latest and greatest security features built right into SQL Server 2008, you're still going to have database vulnerabilities. So, we're not out of the woods yet, nor likely ever will be, since older versions of SQL Server could be around indefinitely. That said, we're certainly off to a much better start with SQL Server 2008. The only way you'll ever know where you stand is to assess your environment as it is today, maintain visibility and control over it, and consistently test for new flaws. Vigilance is not everything; it's the only thing.
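The "see where you currently stand" step above is something you can start on with nothing more than a query window. The following T-SQL script is an added example, not part of the original article and not a Microsoft or vendor tool; it pulls a handful of the people-and-process weaknesses that ship-time hardening cannot prevent (surface-area options switched back on, SQL logins with blank or login-name passwords, logins exempted from password policy, a live sa account, sysadmin membership, and TRUSTWORTHY databases) out of the SQL Server 2008 catalog views. The option names and thresholds are this example's assumptions about what a typical environment should look like, so adjust them to your own standard. Every row it returns is a finding to chase down; an empty result is the goal.

```sql
-- Added example (not from the original article): a T-SQL baseline of common
-- SQL Server 2008 configuration and account weaknesses. Run it as a sysadmin
-- (or a login holding VIEW ANY DEFINITION) against the instance under review.
-- The list of "should be off" options below is an assumption for a typical
-- environment; keep any option your applications genuinely need and document it.

-- 1. Surface-area options that should stay off unless there is a documented need.
SELECT 'Surface-area option enabled' AS finding, name AS item
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'remote access',
               'cross db ownership chaining', 'clr enabled')
  AND CAST(value_in_use AS int) = 1;

-- 2. SQL logins with a blank password or a password equal to the login name.
--    PWDCOMPARE() tests a cleartext candidate against the stored hash, so this
--    finds the trivial cases without anyone ever typing a password.
SELECT 'SQL login with trivial password' AS finding, name AS item
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (PWDCOMPARE('', password_hash) = 1
       OR PWDCOMPARE(name, password_hash) = 1);

-- 3. SQL logins exempted from the Windows password policy or from expiration.
SELECT 'SQL login bypasses password policy' AS finding, name AS item
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (is_policy_checked = 0 OR is_expiration_checked = 0);

-- 4. The built-in sa account (sid 0x01) still enabled under its default name.
SELECT 'sa account enabled under default name' AS finding, name AS item
FROM sys.sql_logins
WHERE sid = 0x01 AND name = 'sa' AND is_disabled = 0;

-- 5. Every member of the sysadmin fixed server role. Each should be a named,
--    justified administrator, not an application or service account.
SELECT 'sysadmin member' AS finding, m.name AS item
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 6. User databases marked TRUSTWORTHY and owned by a sysadmin: a db_owner in
--    such a database can impersonate dbo and escalate to sysadmin. msdb is
--    TRUSTWORTHY by design and is excluded.
SELECT 'TRUSTWORTHY database owned by sysadmin' AS finding, name AS item
FROM sys.databases
WHERE is_trustworthy_on = 1
  AND name <> 'msdb'
  AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(owner_sid)) = 1;
```

Schedule the script (or its output compared against the previous run) rather than running it once; the point of the article is that the posture drifts as people and processes touch the server, so the value is in the trend, not the snapshot.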

Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.
