Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

The Need for Auditing

By Steve Jones,

This editorial was originally published on Dec 8, 2008. It is being re-run as Steve is away at DevConnections.

I got an email from someone a few weeks ago and found it interesting. This person was wondering about auditing and how people deal with it in a world where we increasingly worry about security. The main questions in the email were:

In this time of PII data and sensitive data in nature,I would like to know is C2widely used and who uses it?  Are there 3rd Party Tools that allow for the auditing of SQL Server activity?  If such tools exist, what are they and what are there features to include reporting?

With SQL Server 2008, there are a tremendous number of new features that really make auditing easier, but I doubt very many of you are using them, or even using SQL Server 2008. However I am sure that many of you are doing some types of auditing with previous versions because of your own requirements. My curiosity was piqued as well, so I wanted to drop a note out there and see what types of auditing the rest of you may be doing.

In my career I've been required to audit for a variety of reasons, though the regulations haven't been the onerous on me. Typically I've been able to use triggers and selectively store off information using custom, home-grown solutions at my jobs. I looked at a few solutions that would generate the triggers, but never thought they were worth the money since I could write code to generate my own triggers and I needed selective auditing, not every field that changed.

Years ago I looked at Lumigent's solutions for auditing when they first came out. This was years ago as the company was evolving from a log reading tool company to a more general auditing and compliance company. They had a good solution, but it was too expensive for the company for which I was employed. I'm not sure how successful they've been, but they are still in business and seem to be doing well.

C2 auditing was one of those things that sounded like a great feature when it was introduced. Get every event that occurs on your server and you'll be sure to cover all your auditing needs. After all, this is what the Department of Defense has specified as a standard, so it must be a good idea, right?

I'm not so sure, though I know that it's a good idea in places. Those people that get access to some sensitive areas, like the places where we have missles stored probably ought to be audited.

For most of us, however, I think that we need less auditing, but more than we tend to implement. SQL Server 2005 has a default trace and some good basic auditing capabilities and SQL Server 2008 adds more. I think there's still room for improvement, and this is definitely something I'd like to see better implemented in frameworks so developers and DBAs build it into every application they produce.

Steve Jones


The Voice of the DBA Podcasts

Everyday Jones

The podcast feeds are now available at sqlservercentral.mevio.com to get better bandwidth and maybe a little more exposure :). Comments are definitely appreciated and wanted, and you can get feeds from there.

Overall RSS Feed: or now on iTunes!

Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.

I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.

Total article views: 504 | Views in the last 30 days: 2
 
Related Articles
BLOG

Podcasting

A new video setup is on the way!!!! Actually I'll do a couple podcasts on podcasting over the hol...

FORUM

Podcast Problem

Podcast Problem Blocked by group policy

ARTICLE

Auditing

For this Friday poll, Steve Jones asks about your auditing requirements.

ARTICLE

Company Rewards

Is there something that your company could do for you that would show that they valued your employme...

ARTICLE

Acing an Audit

Audits for technology groups can be time consuming and stress employees out. An article Steve Jones ...

Tags
auditing    
editorial    
 
Contribute

Join the most active online SQL Server Community

SQL knowledge, delivered daily, free:

Email address:  

You make SSC a better place

As a member of SQLServerCentral, you get free access to loads of fresh content: thousands of articles and SQL scripts, a library of free eBooks, a weekly database news roundup, a great Q & A platform… And it’s our huge, buzzing community of SQL Server Professionals that makes it such a success.

Join us!

Steve Jones
Editor, SQLServerCentral.com

Already a member? Jump in:

Email address:   Password:   Remember me: Forgotten your password?
Steve Jones