Executive Summary:
Microsoft SQL Server 2005 database administrators (DBAs) are becoming responsible for implementing auditing and compliance policies to ensure that sensitive database data is protected. Although SQL Server 2005 offers some basic database auditing capabilities, such as login triggers, DBAs might want to consider using a third-party database auditing and compliance software product or appliance to provide a more comprehensive solution. The first step in implementing an auditing and compliance solution is to determine what data needs to be audited, then investigate specific auditing and compliance products.
Keeping sensitive data secure, easily audited, and in compliance with the latest
privacy and data-collection laws has become an increasingly challenging task
for DBAs and IT managers. Corporate-governance laws and initiatives—such
as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA), and the Payment Card Industry
(PCI) Compliance initiative—have made the difficult task of enterprise
data management even more so. Many corporate-governance laws have severe penalties
for non-compliance, including fines and possible jail time for company executives.
And many tasks related to complying with such requirements are falling squarely
on the data side of the enterprise, which translates into more work for data
managers. We'll take a look at the demands auditing and compliance are placing
on DBAs and explore how SQL Server 2005 and available software and hardware
solutions can help meet some of those challenges. (Also see
the sidebar, "Auditing and Compliance Features in SQL Server 2008," for
a quick look at the auditing and compliance support that SQL Server 2008 will
provide.)
Identify Data to Be Audited
Compliance demands are putting pressure on companies of all sizes. As JC Cannon,
a privacy strategist in Microsoft's Corporate Privacy Group, explains, "Some
enterprises are deciding to take the safe route… and decide to save everything
forever, just to ensure that they have all the information needed for the audit
process." Cannon says that those same pressures are pushing Microsoft to develop
features in future versions of their products that help beleaguered DBAs and
IT managers more easily and effectively meet their auditing and compliance needs.
If you've just been handed the task of ensuring that your company's data environment
is adhering to the latest auditing and compliance law, where do you begin? According
to Bryan Bain, SoftTree Technologies' director of sales and marketing,
your first step should be to look at the big picture. Bain says that one of
the biggest mistakes an IT manager can make is to focus on architectural solutions
to compliance issues before determining what information a company needs to
satisfy requisite audit processes.
"Enterprises should be most concerned about identifying what exactly needs to be
audited," explains Bain. "We've seen cases of companies believing that they needed
to put an auditing infrastructure in place for every database in the entire company.
One customer was looking at auditing more than 800 databases, which would have been
a Herculean task that would have taken months to deploy. They eventually learned
that fewer than 60 of those databases contained the data they needed to satisfy
their SOX compliance needs."
Bain says that IT should work closely with auditors early in the process to
determine exactly what data those auditors are looking for and who needs to
see what types of information. Microsoft's Cannon concurs: "Some companies don't
do a proper assessment of what they have and where all their data is. They need
to evaluate the sensitivity of the data and look at data permissions. For example,
some people may have access to certain parts of a table but not the entire table.
Find out where the sensitive data is and ensure that the right data is protected
when it needs to be." Proper information gathering and solid planning done early
in the process can save months of work.
Basic Auditing Using SQL Server
Once you've determined your overall auditing and compliance needs, the next
step is to evaluate your current infrastructure and determine whether it can
provide the auditing and compliance solutions you require. For smaller companies
and those exempt from some compliance laws and regulations, that solution may
largely rest on using the inherent capabilities of SQL Server 2005.
According to Al Comeau, Microsoft SQL Server security lead, SQL Server 2005
already has some basic features that can assist with meeting auditing and compliance
demands. "If someone doesn't need to dig too deeply into custom auditing, they
can turn on C2 audit mode in SQL Server Management Studio," says Comeau. "[Doing
so] provides for a default audit that can always be running... [and] provides
an audit trail that records all attempts (both successful and unsuccessful)
to access objects, statements, and other aspects of the audited database." (For
more security tips from Comeau and other members of Microsoft's SQL Server team,
see the Web-exclusive sidebar, "SQL Server 2005 Security Tips," http://www.sqlmag.com,
InstantDoc ID 96528.)
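The C2 audit mode Comeau mentions can also be switched on with T-SQL instead of through the Management Studio dialog. The following is an added example, not code from the article or from Microsoft; it uses only the standard sp_configure option names and the sys.configurations catalog view.

```sql
-- Added example: enable C2 audit mode on a SQL Server 2005 instance.
-- 'c2 audit mode' is an advanced option, so advanced options must be
-- exposed before it can be set.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'c2 audit mode', 1;
RECONFIGURE;
GO

-- The option takes effect only after the instance is restarted. Until then,
-- value (the configured setting) and value_in_use (the running setting) differ;
-- a DBA can check this before assuming the audit trail is being written.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'c2 audit mode';
```

Two points worth knowing before turning this on: the C2 trace records every object-access attempt and grows quickly, so the data directory where the trace files are written needs capacity planning, and if the instance cannot write to the audit file it shuts down rather than continue unaudited. That fail-closed behaviour is the point of C2 mode, but it makes monitoring of free disk space part of the auditing setup.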
SQL Server 2005 SP2 also introduced another useful auditing feature: the login
trigger. According to Niraj Nagrani, a Microsoft senior product manager, you
can customize login triggers to perform a wide range of functions. "You can
control who logs into the database and also when they log in. SP2 triggers also
allow you to implement time-of-day, time-of-week, and other restrictions." Nagrani
explains that using login triggers can help enforce other auditing and compliance-related
controls, such as restricting access to certain usernames and creating records
of connection activity.
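The two uses Nagrani describes, enforcing a time-of-day/time-of-week window and creating records of connection activity, can be combined in a single logon trigger. The block below is an added example written for this article, not code from Microsoft or from any of the vendors quoted; the database name ComplianceAudit, the table dbo.LoginAudit, the login LogonAuditor, the trigger name trg_LogonAudit and the "Contractor_" login prefix are all assumptions.

```sql
-- Added example: a SQL Server 2005 SP2 logon trigger that records each
-- connection and restricts a group of logins to weekday business hours.
-- All object and login names below are assumed for illustration.

USE ComplianceAudit;   -- assumed audit database, created beforehand
GO

-- Connection records are kept outside master so they can be retained,
-- reported on and purged under the organisation's own retention policy.
CREATE TABLE dbo.LoginAudit (
    AuditID     int            IDENTITY(1,1) PRIMARY KEY,
    EventTime   datetime       NOT NULL DEFAULT GETDATE(),
    LoginName   sysname        NOT NULL,
    ClientHost  nvarchar(128)  NULL,
    AppName     nvarchar(128)  NULL,
    SessionID   int            NULL
);
GO

USE master;
GO

-- The trigger runs as LogonAuditor (assumed login, mapped to a user in
-- ComplianceAudit that holds INSERT on dbo.LoginAudit) rather than as the
-- connecting login, so ordinary users need no rights on the audit table.
CREATE TRIGGER trg_LogonAudit
ON ALL SERVER WITH EXECUTE AS 'LogonAuditor'
FOR LOGON
AS
BEGIN
    DECLARE @login     sysname;
    DECLARE @host      nvarchar(128);
    DECLARE @now       datetime;
    DECLARE @eventData xml;
    DECLARE @dayIndex  int;

    SET @eventData = EVENTDATA();
    SET @login     = ORIGINAL_LOGIN();
    SET @host      = @eventData.value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(128)');
    SET @now       = GETDATE();

    -- Day of week normalised so that 0 = Monday ... 6 = Sunday regardless of
    -- the session's DATEFIRST setting.
    SET @dayIndex  = (DATEPART(weekday, @now) + @@DATEFIRST - 2) % 7;

    -- Time-of-week restriction: logins following the assumed Contractor_
    -- naming convention may connect Monday to Friday, 08:00 to 17:59 server time.
    IF @login LIKE 'Contractor[_]%'
       AND ( @dayIndex >= 5 OR DATEPART(hour, @now) NOT BETWEEN 8 AND 17 )
    BEGIN
        -- ROLLBACK refuses the connection, but it also undoes any INSERT made
        -- inside the trigger, so the denied attempt is written to the SQL Server
        -- error log instead. RAISERROR ... WITH LOG needs an additional
        -- permission for the impersonated login (sysadmin or ALTER TRACE,
        -- depending on the build); grant whichever the instance requires.
        RAISERROR ('Logon denied outside business hours: %s from %s',
                   10, 1, @login, @host) WITH LOG;
        ROLLBACK;
        RETURN;
    END

    -- Record the successful connection.
    INSERT INTO ComplianceAudit.dbo.LoginAudit (LoginName, ClientHost, AppName, SessionID)
    VALUES (@login, @host, APP_NAME(), @@SPID);
END;
GO

-- To take the trigger out of service without dropping it:
-- DISABLE TRIGGER trg_LogonAudit ON ALL SERVER;
```

A logon trigger that raises an error or whose audit table becomes unavailable refuses every new connection, including the DBA's own, so it should be tested on a non-production instance first. The dedicated administrator connection (DAC) is not subject to logon triggers and is the recovery route for disabling one that has locked the instance.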
Even with SQL Server 2005's built-in features that support auditing and compliance,
some DBAs might find that they have little knowledge or experience with implementing
auditing functionality, or perhaps the specific auditing and compliance demands
on their enterprise can't be met by using SQL Server alone. In either case,
DBAs can turn to an emerging market of third-party software and hardware solutions
that extend SQL Server 2005's auditing and compliance capabilities.
Third-Party Auditing and Compliance Solutions
Several auditing and compliance products are geared toward enterprises that
use only SQL Server 2005 (as opposed to multiple database platforms). Two of
the most widely used products in this category are Idera's SQL compliance
manager and ApexSQL Tools' ApexSQL Audit. Idera President and CEO Rick
Pleczko touts the speed of the company's software solution, noting that enterprises
are often wary of vendor software that has the potential to degrade the performance
of their live servers. "Our design goal was to keep our overhead on the server
to less than 5 percent," says Pleczko. "We typically don't see any of our customers
exceed 2 percent... even when fully loaded." Pleczko sees Idera's focus on only
SQL Server 2005 as a competitive benefit and notes that the company has licensed
technology from Microsoft to make sure Idera's product offerings minimize the
impact on database performance.