Compliance in SQL Server

I often get asked whether SQL Server is compliant with some standard or other, e.g. Sarbanes-Oxley (SOX), Data Protection, etc. The answer is yes, but there is no single switch in SQL Server to turn any of these on, and, as anyone who has tried it knows, turning on C2 auditing is a great way of slowing your database down, so caution is advised here.

For SQL Server 2005 there are configuration packs for SOX here and for the European Union Data Protection Directive (EUDPD) here. However, these packs are applied through System Center Configuration Manager 2007 (SCCM): they are a set of configuration baselines that can be used to evaluate compliance and then fed into SCCM for reporting, so you are going to need to invest in this technology or take the more expensive option of going around every server in your organisation and checking each one in turn manually.

For SQL Server 2008 this approach will continue, but it gets much easier because there is a whole bunch of new features that make compliance a lot simpler. My top three would be:

  • Transparent Data Encryption (TDE) to encrypt the data at rest.
  • Change Tracking and Auditing to find out who did what and when (why is proving much more difficult until we can use T-SQL to read minds!). These are much lighter weight than SQL Profiler and SQL Trace and so can be left on without significant performance degradation.
  • Policy-Based Management (previously known as the Declarative Management Framework) allows the DBA to set conditions on any configurable facet of SQL Server and then decide what to do if they are violated or someone attempts to violate them.
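
To make the first two of those concrete, here is a T-SQL walkthrough that sets up TDE, Change Tracking and SQL Server Audit on a sample database and then reads the results back. This is an added example, not code from the original post; the database SalesDB, the table dbo.Customers (assumed to have a primary key column CustomerID), the certificate and audit names, the file paths and the password are all placeholders to adapt to your own environment.

```sql
-- Added example (not from the original post). SalesDB, dbo.Customers (with
-- primary key CustomerID), TDECert, ComplianceAudit, the D:\ paths and the
-- password are placeholders, not values from any real environment.

-- 1. Transparent Data Encryption: encrypt data files, log files and backups at rest.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-a-strong-password>';
GO
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- Back the certificate up immediately: without it an encrypted database
-- (and every backup taken of it) cannot be restored on another server.
BACKUP CERTIFICATE TDECert
    TO FILE = 'D:\Keys\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'D:\Keys\TDECert.pvk',
                      ENCRYPTION BY PASSWORD = '<replace-with-a-strong-password>');
GO
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- Check: encryption_state = 3 means the background encryption scan has finished.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO

-- 2. Change Tracking: records *which rows* changed and how, cheaply.
--    (It does not record who changed them; that is what Audit is for.)
ALTER DATABASE SalesDB
    SET CHANGE_TRACKING = ON (CHANGE_RETENTION = 2 DAYS, AUTO_CLEANUP = ON);
GO
ALTER TABLE dbo.Customers
    ENABLE CHANGE_TRACKING WITH (TRACK_COLUMNS_UPDATED = ON);
GO
-- Rows changed since version 0; a real consumer stores the last version it saw
-- and passes that instead, so it only pulls the delta.
SELECT ct.CustomerID, ct.SYS_CHANGE_OPERATION, ct.SYS_CHANGE_VERSION
FROM CHANGETABLE(CHANGES dbo.Customers, 0) AS ct;
GO

-- 3. SQL Server Audit: records *who* read or modified customer data, and when.
USE master;
GO
CREATE SERVER AUDIT ComplianceAudit
    TO FILE (FILEPATH = 'D:\Audit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT ComplianceAudit WITH (STATE = ON);
GO
USE SalesDB;
GO
-- Audit every SELECT, UPDATE and DELETE against the customer table by any principal.
CREATE DATABASE AUDIT SPECIFICATION CustomerDataAccess
    FOR SERVER AUDIT ComplianceAudit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public)
    WITH (STATE = ON);
GO
-- Read the audit log back: who, which action, on what object, when, and the statement.
SELECT event_time, server_principal_name, action_id, object_name, statement
FROM sys.fn_get_audit_file('D:\Audit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
```

Two design points worth noting. First, the certificate backup is not optional: TDE protects you against someone walking off with the MDF or a backup tape, but it equally locks you out if the server dies and the certificate went with it, so the .cer and .pvk files belong in a separate, controlled location. Second, ON_FAILURE = CONTINUE keeps the server available if the audit target cannot be written to; ON_FAILURE = SHUTDOWN is the stricter choice where the regulation requires that no unaudited activity can occur, at the cost of availability.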

Of course, the rules of the game will also change as new legislation comes in, usually following hot on the heels of the latest compliance fiasco, so I wouldn't be surprised to see something bubbling up from the UK government's scant regard for the protection of personal data or from the fallout at Societe Generale.

Technorati Tags: compliance,SQL Server 2008,SQLServer