Database Audits

Your SQL Server Database Audit

Database auditing is critical for compliance reasons and database security. It enables you to detect suspicious activity and establish accountability after the fact. Also, while database auditing cannot directly prevent malicious acts, it can have a deterrent influence on would-be adversaries. Remember, about 75% of all breaches are caused by internal personal.

Our experience includes working with clients requiring compliance with PCI (payment card industry), Sarbanes-Oxley and HIPAA. We’ve worked with businesses of all sizes from small businesses with a single database to large scale database installations for a Fortune 50. This means we understand the different database auditing techniques and requirements.

Here are 3 SQL Server Auditing Techniques:

  • SQL Server Audit – This technology is built on the mechanisms of extended events. That means that it can be used to monitor on a very fine-grained scale deep inside the SQL Server engine. However, it is based on a platform that provides this functionality with minimal performance impact.
  • Application Audit – Depending on your unique requirements, this technique might be advantageous. It enables you to provide a unified experience to the auditor while not only auditing database access but also application activity not related to the database.
  • External “Hardware” Auditing – This third technology is based on systems that sit outside your application or database servers. It employs technologies like network monitoring and enables a unified auditing experience across an entire organization. These tools provide the same interface while auditing across different applications and even different database platforms.

When designing your database auditing strategy, what questions should you ask? Potential questions fall into two categories: Static or preventive and dynamic or reactive.

Preventive questions help you discover areas where the Least Privilege Principle is not followed. Examples for preventative questions are:

  • Who has sysadmin rights? Who needs sysadmin rights?
  • Who has and who needs other forms of elevated permissions like dbo?

Reactive questions however try to provide the information needed to investigate after the fact. Examples are:

  • Who accessed the database and when?
  • What SQL statements were issued?
  • Was important data modified?

When handles your database audit, you can have the peace of mind that it will provide answers to the right questions.

Do you know the #1 thing we find with new clients?

Most Databases Have Security Gaps

In our experience, we find security is often overlooked or an afterthought. It takes a backseat to functionality and performance because people take shortcuts in the rush to finish a project. They’re up against a deadline and they think they’ll have time to come back later to fix it. But often that does not happen because something else “more important” takes precedence.

Then, the unthinkable happens.

Target, Adobe, Home Depot, the American Military VA, Community Health Systems, the list goes on. From major retailers to renowned research hospitals, no one is impervious to a data breach.

Did you know that each customer record affected by a breach could cost your company $188(USD)? Multiply that by the number of records your company stores. How many millions is it? And this calculation does not even take the inevitable PR nightmare into account. Nobody likes to do business with a company affected by a breach.

Introducing: The Database Audit Plan

Peace of Mind for your SQL Server Security Questions.

A surprising number of businesses leave their SQL Server security to chance. In the event something happens, they’re faced with loss of customer trust and costs that easily go into the millions.

Don’t leave security to chance. You likely already have many types of insurance for your business. Your SQL Server security is as important as any type of insurance policy. After all, the data in your database is the lifeblood of your company.

Do you store credit cards or other payment related information? Do you have to comply with HIPAA regulations? Is your company affected by the Sarbanes-Oxley Act? Do you handle other protected PII? If you answered yes to any of these questions, you are likely also required to follow increased audit log requirements. These requirements include detailed data access logs identifying the individual person and the type of access. Does your current database audit plan live up to these requirements?

Call us now to discus these questions:

  • What type of data access do you want to audit?
  • What are your legal audit requirements?
  • Which are the best tools to achieve the task?
  • How do you make sure that your auditing system stays effective in the long run?

Our experience includes compliance with PCI (payment card industry), Sarbanes-Oxley and HIPAA. Don’t wait for the Auditor. Start on your way to a compliant Database Audit Plan today.

Call 832-377-5489 or email us now.