Addressing Compliance Concerns

Microsoft SQL Server 2008 is a secure and reliable platform for protecting data and for building compliance solutions. Conforming to regulatory legislation often impacts how data is stored and how it is accessed. SQL Server® 2008 provides the capabilities to address organizational needs around regulations such as HIPAA, SOX and PCI.

Whether dealing with separation of duties, key management or auditing and reporting, SQL Server 2008 provides the support needed to meet these demands. 

Top New Features

  • Increased ability to protect encryption keys

  • Granular auditing capabilities

  • Define, deploy and validate configuration policies destined for your databases

 

PCI Audit Results

SQL Server can help you meet PCI compliance requirements. The certified audit firm Parente Randolph evaluated SQL Server for PCI compliance and provides guidance to customers on passing PCI audits in a detailed whitepaper and an informative webcast.

 

Understanding compliance

Compliance affects many organizations, large and small, either through regulatory requirements or organizational policies. Compliance is the final step of the three-step Governance process, as explained below.

Deconstructing Governance (GRC)

  • Risk Management

    Program for identifying risks and for developing plans to mitigate or remove risk.

  • Governance

    Represents the actions taken to address the risks identified during a risk assessment. This is the step where policies, IT controls, practices, systems, and training are put in place to mitigate risks.

  • Compliance

    Validation that identified risks have been mitigated.

    • Is there a policy in place to avoid a risk? 

    • Have the appropriate people been informed of these policies? 

    Note: Being able to answer these questions is the key to compliance. The “Reaching Compliance” guide explains how to validate compliance using the new features of SQL Server 2008.

 

Securing the platform

This section describes actions to be taken before installing software or configuring the database. These actions help mitigate risks to the operating system and database applications.

To secure the platform:

  • Ensure that you have a secure base for installing SQL Server: the latest operating system with current service packs, the most current security patches, and anti-malware software.

  • Minimize your attack surface by limiting running services, installing only the software needed, disabling unnecessary ports, and configuring the firewall.

  • Most importantly, limit which users have access to the server and which administrative roles they hold.

 

Controlling identity and separation of duties

The first step to restricting access to database data is to limit who can access the database. SQL Server 2008 provides various means for managing who can access a database and which operations can be executed by database users.

To control identity and ensure separation of duties:

  • Use Windows Authentication for all database logins. Using this mode ties the SQL Server identity to an Active Directory account, providing a strong identity. Integrating access management with Active Directory Domain Services (AD DS) provides several benefits for SQL Server including consistent identity across servers and centralized enforcement and disabling of accounts and policies.

  • Grant users access to databases as needed. Do this by creating individual user logins instead of security groups, because individual logins provide more control.

  • Grant and deny the permissions users need. This is done most easily by assigning users to database roles, so that each user holds only the roles necessary to perform their job.

  • Separation of duties (also called segregation of duties or role separation) is an important consideration when managing identity and permissions.

  • Use Policy-Based Management to validate identity policies.
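The following T-SQL is an added example, not code from the page or from Microsoft, showing the pattern above on SQL Server 2008: Windows-authenticated logins, one database role per job duty, explicit GRANT and DENY on those roles, and a query that flags principals holding conflicting roles. The domain accounts, database name, table and role names are hypothetical.

```sql
-- Added example (hypothetical names): Windows logins mapped to duty-based roles.
USE master;
GO
-- Windows accounts become SQL Server logins; no SQL password is stored in the instance,
-- and disabling the AD account disables the login centrally.
CREATE LOGIN [CORP\jane.analyst] FROM WINDOWS WITH DEFAULT_DATABASE = PaymentDB;
CREATE LOGIN [CORP\bob.dba]      FROM WINDOWS WITH DEFAULT_DATABASE = PaymentDB;
GO
USE PaymentDB;
GO
CREATE USER [CORP\jane.analyst] FOR LOGIN [CORP\jane.analyst];
CREATE USER [CORP\bob.dba]      FOR LOGIN [CORP\bob.dba];
GO
-- One role per duty: reporting reads data, operations changes schema, and no
-- principal should hold both.
CREATE ROLE report_reader;
CREATE ROLE schema_operator;
GO
GRANT SELECT ON SCHEMA::dbo TO report_reader;
-- DENY wins over GRANT: the cardholder table stays unreadable for reporting users
-- even though they can read the rest of the schema.
DENY SELECT ON dbo.CardHolders TO report_reader;
GRANT ALTER ON SCHEMA::dbo TO schema_operator;
-- Schema operators maintain structure but are explicitly kept away from row data.
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO schema_operator;
GO
-- SQL Server 2008 role membership (ALTER ROLE ... ADD MEMBER arrived in 2012).
EXEC sp_addrolemember 'report_reader',   'CORP\jane.analyst';
EXEC sp_addrolemember 'schema_operator', 'CORP\bob.dba';
GO
-- Separation-of-duties check: list any user who is a member of both roles.
-- An empty result is the expected, compliant state.
SELECT u.name AS conflicting_user
FROM sys.database_role_members r1
JOIN sys.database_role_members r2
     ON r1.member_principal_id = r2.member_principal_id
JOIN sys.database_principals u
     ON u.principal_id = r1.member_principal_id
WHERE USER_NAME(r1.role_principal_id) = 'report_reader'
  AND USER_NAME(r2.role_principal_id) = 'schema_operator';
GO
```

The final query is the kind of check that can be scheduled, or expressed as a Policy-Based Management condition, to validate the identity policy on an ongoing basis.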

 

Encrypting database data

Protecting sensitive data is an important aspect of database operations, and SQL Server 2008 provides several ways of protecting sensitive data using encryption.

  • Choosing an encryption algorithm is typically based on the degree of protection and the level of performance desired.

  • In SQL Server 2008, Transparent Data Encryption (TDE) was added to permit encryption of database data without the need to modify applications. TDE encrypts data files, log files, and backups.

  • An important feature of TDE is the ability to back up and rotate certificate private keys. SQL Server audit specifications and/or policies can be used to ensure these actions are performed.
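As an added example (not from the page or from Microsoft), the T-SQL below walks through the TDE key hierarchy described above on SQL Server 2008: a master key and server certificate in master, a certificate backup taken before any data is encrypted, the database encryption key, enabling encryption, verifying the state, and finally rotating the certificate. The database name, certificate names, file paths and passwords are hypothetical placeholders.

```sql
-- Added example (hypothetical names and paths): enabling TDE and rotating its certificate.
USE master;
GO
-- Database master key in master, protected by a password (placeholder).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master key password placeholder>';
GO
-- Server certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE TDE_Cert_2008 WITH SUBJECT = 'TDE certificate for PaymentDB';
GO
-- Back up the certificate and its private key right away: without this file pair,
-- backups of the encrypted database cannot be restored on another server.
BACKUP CERTIFICATE TDE_Cert_2008
    TO FILE = 'D:\keybackup\TDE_Cert_2008.cer'
    WITH PRIVATE KEY (FILE = 'D:\keybackup\TDE_Cert_2008.pvk',
                      ENCRYPTION BY PASSWORD = '<backup password placeholder>');
GO
USE PaymentDB;
GO
-- The DEK lives inside the user database and is protected by the server certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_2008;
GO
-- Switch encryption on: data files, log files and new backups are now encrypted
-- (tempdb is encrypted as a side effect).
ALTER DATABASE PaymentDB SET ENCRYPTION ON;
GO
-- Verify: encryption_state 3 means the background scan finished and the database is encrypted.
SELECT DB_NAME(database_id) AS database_name, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO
-- Certificate rotation: create and back up a new certificate, then re-protect the DEK
-- with it. The data is not re-encrypted; only the DEK is re-wrapped.
USE master;
GO
CREATE CERTIFICATE TDE_Cert_2009 WITH SUBJECT = 'TDE certificate for PaymentDB (rotated)';
BACKUP CERTIFICATE TDE_Cert_2009
    TO FILE = 'D:\keybackup\TDE_Cert_2009.cer'
    WITH PRIVATE KEY (FILE = 'D:\keybackup\TDE_Cert_2009.pvk',
                      ENCRYPTION BY PASSWORD = '<backup password placeholder>');
GO
USE PaymentDB;
GO
ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_2009;
GO
```

Keep the old certificate available until every backup taken under it has aged out, because restoring such a backup still requires the certificate that protected the DEK at the time.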

 

Auditing sensitive information

SQL Server Audit can be used to monitor database events at a high level using Audit Action Groups or at a more granular level using individual Audit Actions.

When choosing to audit:

  • Determine which specific users and tables to audit. Audit logs can contain a great many events, and you may want to reduce the size of the logs by auditing only specific users and tables.

  • If you are monitoring more than one server, it may be beneficial to collect the logs in a central location.

  • The compliance SDK provides sample reports and scripts to process these log files and produce auditing reports.
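An added example (not from the page or from Microsoft) of the two audit levels described above on SQL Server 2008: a server audit writing to files, a server audit specification using action groups for high-level events, and a database audit specification that narrows auditing to three actions on one table by one principal, which is what keeps the log small. The audit, database, table and account names and the file path are hypothetical.

```sql
-- Added example (hypothetical names and paths): coarse and fine-grained SQL Server Audit.
USE master;
GO
-- Server audit object: the destination for audit events. A file target is used here;
-- APPLICATION_LOG and SECURITY_LOG are the alternatives. ON_FAILURE = SHUTDOWN
-- stops the instance rather than run unaudited if the target cannot be written.
CREATE SERVER AUDIT ComplianceAudit
    TO FILE (FILEPATH = 'D:\audit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
-- High level: action groups covering failed logins, changes to the audit
-- configuration itself, and changes to server role membership.
CREATE SERVER AUDIT SPECIFICATION ComplianceServerSpec
    FOR SERVER AUDIT ComplianceAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE PaymentDB;
GO
-- Granular level: only SELECT, UPDATE and DELETE on one sensitive table by one
-- principal are recorded, instead of every statement in the database.
CREATE DATABASE AUDIT SPECIFICATION CardHolderAccessSpec
    FOR SERVER AUDIT ComplianceAudit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.CardHolders BY [CORP\app_reports])
    WITH (STATE = ON);
GO
USE master;
GO
-- Nothing is written until the audit itself is switched on.
ALTER SERVER AUDIT ComplianceAudit WITH (STATE = ON);
GO
-- Reading the log. The *.sqlaudit files can be copied to a central server and read
-- there with the same function for consolidated reporting.
SELECT event_time, action_id, server_principal_name, object_name, statement
FROM sys.fn_get_audit_file('D:\audit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE succeeded = 1
ORDER BY event_time;
GO
```

To change a specification later, set it to STATE = OFF first, alter it, and switch it back on; the AUDIT_CHANGE_GROUP entries will record that this happened.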

 

Using policy-based management to define, deploy, and validate policies

To address compliance needs, SQL Server 2008 makes it easier to manage the compliance of database security, identity, encryption, and auditing. Policy-Based Management can be used to validate that each of these areas has been properly configured according to policy.

Using Policy-Based Management

  • From the standpoint of compliance, the On Change, On Schedule, and On Demand evaluation modes of Policy-Based Management allow regular health checks to be performed to determine who or what is violating policies or best practices, and when.

  • Creating a policy plan can identify the priority of policies. An incremental approach to creating policies is important for both management and performance reasons.

  • The execution modes available for a policy depend on the policy facet. You can view a table of which execution mode is applicable to which facets in the guide SQL Server Policy-Based Management: Facets.

  • This guide and its sample files demonstrate how to use Policy-Based Management to implement KPIs and KRIs, validate auditing configurations, and validate encryption configurations.

  • The Enterprise Policy Management (EPM) Framework is a reporting solution that reports the state of the enterprise against a desired state defined in a policy. The EPM Framework extends SQL Server 2008 Policy-Based Management to all versions of SQL Server in an enterprise, including SQL Server 2000 and SQL Server 2005, and reports the state of specified SQL Server instances against policies that capture intent, desired configuration, and deployment standards.

 

Helpful scripts and tips

To help you achieve your compliance goals, this “Reaching Compliance” guide includes the following scripts and tips.

  • Programming interfaces to SQL Server

  • Ensuring security settings

  • Managing separation of duties

  • Managing encryption keys

  • Managing auditing including a full end-to-end centralized auditing project (including reports)

  • Managing Policy-Based Management Policies
