SQL Server database security and compliance

When discussing SQL Server security, one of the most important terms is principal. Principals are SQL Server entities, arranged in a hierarchy, which can request specific SQL Server resources. There are various principals in SQL Server, and in this article, we’ll focus on a database user entity. Unlike SQL Server login entities, which are used for accessing a SQL Server instance (a server-level principal), a database user entity (a database-level principal) is used for defining access to a particular database that belongs to the SQL Server instance

February 3, 2014

Auditing SELECT statements on SQL Server

Although SELECT statements are not destructive by nature, nor they can change either data or schema, there are several cases that require their auditing on SQL Server. Executed SELECT statements can indicate various current or potential issues, and this is the reason why it’s important to know who-saw-what and when

January 23, 2014

HIPAA Compliance for SQL Server DBAs

Health Insurance Portability and Accountability Act (HIPAA) is a security act that sets standards for ensuring security, privacy, confidentiality, integrity, and availability of patient health information – electronic Protected Health Information (PHI).

January 16, 2014

FERPA Compliance for SQL Server DBAs

The Family Educational Rights and Privacy Act (FERPA) [1] is a Federal law created to protect the privacy of student education records. It establishes the rights of parents and currently enrolled eligible students to review their education records, request changes of misleading or inaccurate data, and control the record disclosure

December 24, 2013

Basel II Compliance for SQL Server DBAs

The Basel Capital Accord Basel II [1] is an improvement of recommendations for banking standards on international scale, based on three intertwined pillars, issued by the Basel Committee on Banking Supervision. It’s an extension the Basel I Accord [1], and it sets risk and management requirements while introducing a data management approach.

December 5, 2013

GLBA Compliance for SQL Server DBAs

The Gramm – Leach – Bliley Act (GLBA) is a security and privacy regulations standard created with a purpose to protect consumer financial privacy. To meet GLBA compliance requirements customers must be informed by the financial organizations about the organization’s information privacy and sharing practices. The customers must be provided with explanations about their rights and unambiguous option to deny their financial information to be shared with any third parties.

December 4, 2013

Auditing SQL Server data changes – the centralized solution

In the previous part of the Methods for auditing SQL Server data changes articles series, How to analyze and read SQL Server Audit information, we described several native SQL Server auditing features – Change Tracking, Change Data Capture and Audit. We described their unique and shared characteristics, how they store captured information, how to provide the information, and explained the advantages and disadvantages of each feature.

November 27, 2013

PCI Compliance for SQL Server DBAs

The Payment Card Industry Data Security Standard (PCI DSS, or just PCI) is a security regulations standard related to payment cardholder and card payment information security. Any company or institution that uses and stores such information is obligated to comply with the PCI standard.

November 22, 2013

How to set up and use SQL Server Audit

In the previous part of the SQL Server auditing methods series, SQL Server Audit feature – Introduction, we described main features of the SQL Server Auditfeature – its main characteristics, what events it can audit and where the audit information is stored. We also explained two levels of auditing – the database-level and server-level, and three components necessary for using the feature – the SQL Server audit object, database audit specification, and server audit specification

November 17, 2013

SQL Server Change Data Capture (CDC) – Introduction

In the previous part of this series, How to read SQL Server Change Tracking results, we described SQL Server Change Tracking – its features, how to use it, and how to read the results. We also showed examples of the captured records. If you need to know is whether the row has been changed or not, the type of the last change, and which column was changed, without the details (old and new values, who, and when) about the change, then SQL Server Change Tracking is not the right auditing solution for you

November 1, 2013

What is SQL Server Change Tracking and how to set it up?

SQL DBAs are sometimes confused by the differences in SQL Server Change Tracking and Change Data Capture features. Not only can their names be mixed up, but also feature specifications. The goal of this series is to present each of 3 SQL Server auditing features (Change Tracking, Change Data Capture and SQL Server Auditing) and ApexSQL Audit – a complete third-party solution. We will show their features, similarities, differences, advantages, and disadvantages in order to help users determine the right tool for their auditing requirements

October 23, 2013