11.2) is an audit trail detailing all logins to and logouts from the database server, but audit trails are everywhere, and they are explicitly mentioned by many regulations. HIPAA, for example, includes section 164.528 (Accounting of disclosures of protected health information), which states that an individual has the right to receive an accounting of all disclosures made by the covered entity (CE) in the six years prior to the request (excepting some specific types of disclosures, such as disclosures to the individual). These disclosures map to database access. The CE must provide the accounting within 60 days of the request and must supply one such accounting per year free of charge. Taken to an extreme interpretation, this requires knowing who connected to the database holding the protected health information and selected records about the individual, and keeping that record for six years in a store from which it can be retrieved, per individual, with reasonable effort.
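The shape of that record and of the report built from it, as an added example (not code from the book): an audit trail of which database login read which individual's protected health information, indexed so that a per-individual, time-bounded lookup stays cheap over six years of data, and a query that produces the accounting for one request. It runs on an in-memory SQLite database; the table, column names, hosts and audit rows are constructed assumptions, not real data.

```python
"""Accounting of disclosures from a database access audit trail.

Added example, not code from the book: an audit trail recording which database
login read which individual's protected health information, and the report a
covered entity would build from it for a HIPAA 164.528 request: every access
in the six years before the request, excluding disclosures made to the
individual. Runs on an in-memory SQLite database with constructed sample rows;
the table, column names and sample data are assumptions.
"""
import sqlite3
from datetime import date, timedelta

SCHEMA = """
CREATE TABLE phi_access_log (
    id          INTEGER PRIMARY KEY,
    accessed_at TEXT NOT NULL,   -- ISO-8601 UTC timestamp, sorts lexically
    db_login    TEXT NOT NULL,   -- database principal that ran the statement
    client_host TEXT NOT NULL,
    patient_id  TEXT NOT NULL,   -- individual whose records were read
    recipient   TEXT NOT NULL,   -- who received the data; 'SELF' = the individual
    purpose     TEXT NOT NULL,
    statement   TEXT NOT NULL    -- the SQL that touched the records
);
-- A six-year trail is large; the accounting request is per individual and
-- time-bounded, so index exactly that lookup.
CREATE INDEX phi_access_log_patient_time ON phi_access_log (patient_id, accessed_at);
"""

# Constructed, fictitious audit rows (accessed_at, db_login, client_host,
# patient_id, recipient, purpose, statement).
SAMPLE_ROWS = [
    ("2017-06-10T09:12:44Z", "research_ro", "10.0.3.12", "P-1001", "State health dept",
     "public health reporting", "SELECT diagnosis FROM encounters WHERE patient_id = 'P-1001'"),
    ("2019-08-22T14:03:10Z", "research_ro", "10.0.3.12", "P-1001", "Research registry",
     "research under IRB waiver", "SELECT * FROM encounters WHERE patient_id = 'P-1001'"),
    ("2023-11-03T11:48:02Z", "research_ro", "10.0.3.12", "P-1001", "State health dept",
     "public health reporting", "SELECT diagnosis FROM encounters WHERE patient_id = 'P-1001'"),
    ("2024-01-20T08:15:31Z", "portal_svc", "10.0.0.5", "P-1001", "SELF",
     "patient portal view", "SELECT * FROM encounters WHERE patient_id = 'P-1001'"),
    ("2024-02-02T16:40:55Z", "app_svc", "10.0.0.5", "P-2002", "Research registry",
     "research under IRB waiver", "SELECT * FROM encounters WHERE patient_id = 'P-2002'"),
    ("2024-03-14T10:01:09Z", "legal_ro", "10.0.4.3", "P-1001", "County sheriff",
     "law enforcement subpoena", "SELECT * FROM encounters WHERE patient_id = 'P-1001'"),
]

COLUMNS = ("accessed_at", "db_login", "client_host", "recipient", "purpose", "statement")


def open_audit_db():
    """Create the in-memory trail and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO phi_access_log (accessed_at, db_login, client_host, patient_id, "
        "recipient, purpose, statement) VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def accounting_window(request_date_iso, years=6):
    """Return (start, end) ISO dates: the N years ending on the request date."""
    end = date.fromisoformat(request_date_iso)
    try:
        start = end.replace(year=end.year - years)
    except ValueError:          # request dated 29 February
        start = end.replace(year=end.year - years, day=28)
    return start.isoformat(), end.isoformat()


def response_deadline(request_date_iso, days=60):
    """Latest date the covered entity may deliver the accounting."""
    return (date.fromisoformat(request_date_iso) + timedelta(days=days)).isoformat()


def accounting_of_disclosures(conn, patient_id, request_date_iso, years=6):
    """All logged accesses to one individual's records in the window, oldest
    first, excluding disclosures to the individual. (164.528 exempts further
    categories, such as treatment, payment and operations; only the exception
    named in the text is modelled here.)"""
    start, end = accounting_window(request_date_iso, years)
    rows = conn.execute(
        f"SELECT {', '.join(COLUMNS)} FROM phi_access_log "
        "WHERE patient_id = ? AND accessed_at >= ? AND accessed_at <= ? "
        "AND recipient <> 'SELF' ORDER BY accessed_at",
        (patient_id, start, end + "T23:59:59Z")).fetchall()
    return [dict(zip(COLUMNS, r)) for r in rows]


if __name__ == "__main__":
    db = open_audit_db()
    request = "2024-03-15"
    print(f"Accounting for P-1001, window {accounting_window(request)}, "
          f"due by {response_deadline(request)}")
    for entry in accounting_of_disclosures(db, "P-1001", request):
        print(entry["accessed_at"], entry["db_login"], "->", entry["recipient"],
              f"({entry['purpose']})")
```

The timestamps are stored as ISO-8601 text so that the range predicate works on a plain string comparison and the composite index on (patient_id, accessed_at) serves the query directly; the 2017 row falls outside the six-year window and the portal view by the patient is filtered out as a disclosure to the individual.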
The second audit category involves security audits. These are sometimes called assessments, penetration tests, or vulnerability scans, and they focus on the current state of the database environment rather than on the data it holds. Such audits are typically performed periodically (e.g., once a year) as part of a larger audit, compliance, or governance schedule and are aimed at ensuring that the database environment continues to comply with the applicable regulations and policies.
You should use assessment tools for these types of audits, because they already package a set of best practices, known vulnerabilities, and items that map well to compliance requirements. Some of these tools are free, whereas others must be purchased. For example, in the second half of 2004 Microsoft released the SQL Server Best Practices Analyzer Tool, which is free and can be downloaded from www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en (or just search the Microsoft site for SQL Server Best Practices Analyzer). Using this tool you can analyze SQL Server instances for compliance with widely accepted best practices. The initial focus of the tool is on performance and efficiency, but items related to security will be added over time.
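What an assessment tool of this kind does on each run, in miniature: one named group of servers, a packaged rule set, one check per rule per server, and a compliance summary. This is an added example, not the analyzer's code or the book's; the host names and configuration snapshots are constructed, the rules are illustrative best practices rather than the analyzer's rule set, and what a real collector would return for each instance (here, keys mirroring sp_configure option names plus two login facts) is an assumption.

```python
"""Rule-driven security assessment across a group of database servers.

Added example, not the Best Practices Analyzer's code: a server group, a rule
set, a pass of every rule over every server, and a summary.  The snapshots
and rules are constructed and illustrative; keys named after sp_configure
options are an assumption about what a collector would return.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Facts = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    severity: str                    # "high", "medium" or "low"
    check: Callable[[Facts], bool]   # True means the server complies


@dataclass(frozen=True)
class Result:
    server: str
    rule_id: str
    severity: str
    status: str                      # "pass", "fail" or "error"
    detail: str = ""


# Constructed configuration snapshots for one server group (fictitious hosts).
SERVER_GROUP: Dict[str, Facts] = {
    "prod-sql-01": {"xp_cmdshell": 0, "remote access": 0,
                    "cross db ownership chaining": 0,
                    "sa_enabled": False, "auth_mode": "Windows"},
    "prod-sql-02": {"xp_cmdshell": 1, "remote access": 1,
                    "cross db ownership chaining": 0,
                    "sa_enabled": True, "auth_mode": "Mixed"},
    # the chaining option was not collected from this instance
    "rpt-sql-01":  {"xp_cmdshell": 0, "remote access": 0,
                    "sa_enabled": False, "auth_mode": "Windows"},
}

# Illustrative rules; a packaged tool ships many more.
RULES: List[Rule] = [
    Rule("SEC-001", "xp_cmdshell is disabled", "high",
         lambda f: f["xp_cmdshell"] == 0),
    Rule("SEC-002", "remote access (remote stored-procedure calls) is disabled", "medium",
         lambda f: f["remote access"] == 0),
    Rule("SEC-003", "cross-database ownership chaining is disabled", "medium",
         lambda f: f["cross db ownership chaining"] == 0),
    Rule("SEC-004", "sa is disabled or the instance uses Windows authentication only", "high",
         lambda f: (not f["sa_enabled"]) or f["auth_mode"] == "Windows"),
]


def run_audit(group: Dict[str, Facts], rules: List[Rule]) -> List[Result]:
    """Evaluate every rule against every server in the group.  A rule whose
    fact was never collected is reported as an error, never as a pass."""
    results: List[Result] = []
    for server, facts in sorted(group.items()):
        for rule in rules:
            try:
                ok = bool(rule.check(facts))
            except KeyError as missing:
                results.append(Result(server, rule.rule_id, rule.severity,
                                      "error", f"fact {missing} not collected"))
                continue
            results.append(Result(server, rule.rule_id, rule.severity,
                                  "pass" if ok else "fail"))
    return results


def summarize(results: List[Result]) -> Dict[str, dict]:
    """Per-server counts plus the IDs of high-severity failures."""
    summary: Dict[str, dict] = {}
    for r in results:
        s = summary.setdefault(r.server, {"pass": 0, "fail": 0, "error": 0,
                                          "high_failures": []})
        s[r.status] += 1
        if r.status == "fail" and r.severity == "high":
            s["high_failures"].append(r.rule_id)
    return summary


def compliant_servers(results: List[Result]) -> List[str]:
    """Servers with no failures and no unevaluated rules."""
    return sorted(server for server, c in summarize(results).items()
                  if c["fail"] == 0 and c["error"] == 0)


if __name__ == "__main__":
    audit = run_audit(SERVER_GROUP, RULES)
    for server, counts in summarize(audit).items():
        print(server, counts)
    print("compliant:", compliant_servers(audit))
```

The one design point worth copying from a real tool is that an uncollected fact is an error, not a pass: a server that silently skips a rule must not show up as compliant, which is why `compliant_servers` requires zero errors as well as zero failures.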
When using the analyzer, you start by defining your database servers and creating groups of servers. This lets you run an audit per server or for an entire group. You then define the best-practice rules to run, as shown in Figure 11.3: groups of items that the audit run will check against each of the databases in the group. You then run the audit, which checks each rule against each database server in the defined group to produce a com-
 