Dear Todd,
Thank you for your article on SQL Server security vulnerabilities. I would like to stress a couple of points.
First, your long list of vulnerabilities can be extended with the following parts of SQL Server that you did not mention:
- Filestream data
- Full-text indexes
- Communication channels
Second, a widely used encryption technology called Transparent Data Encryption (TDE) can encrypt SQL Server databases from version 2008 onwards and Oracle databases from version 10g onwards.
TDE solves the major vulnerabilities in your list, such as:
- The tempdb system database is encrypted as soon as any other database on the SQL Server instance is encrypted with TDE
- Backup files are encrypted
- Transaction log files are encrypted
- Replication files can be encrypted too
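To make the points above concrete, here is an added T-SQL example (not part of the original letter or of Todd's article) that enables TDE on a SQL Server 2008 or later user database and then checks what it covers: the tempdb row that appears in the encryption-key view, the backup that is encrypted without any extra option, and the connection view that shows TDE does nothing for data in transit. The database name SalesDb, the certificate name TdeCert, the login AppUser, the passwords and the file paths are assumed placeholders.

```sql
-- Added example: enabling TDE and verifying its scope.
-- Database name, certificate name, passwords and paths are assumed placeholders.

USE master;
GO

-- 1. Database master key in master (protected by the service master key).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO

-- 2. Server certificate that will protect the database encryption key.
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for SalesDb';
GO

-- 3. Back up the certificate and private key right away: a TDE-protected
--    backup or data file cannot be restored on another server without them.
BACKUP CERTIFICATE TdeCert
    TO FILE = '<secure path>\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = '<secure path>\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>');
GO

-- 4. Database encryption key inside the user database, protected by the certificate.
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO

-- 5. Switch encryption on; a background scan encrypts the existing pages.
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO

-- 6. Verify. Once SalesDb is encrypted, tempdb is listed here as well.
--    encryption_state: 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.key_algorithm,
       k.key_length,
       c.name AS certificate_name
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint;
GO

-- 7. Backups and transaction log backups of SalesDb are now encrypted
--    automatically; no extra option is needed on BACKUP DATABASE / BACKUP LOG.
BACKUP DATABASE SalesDb TO DISK = '<backup path>\SalesDb.bak';
GO

-- 8. TDE protects data at rest only. This shows which sessions reach the
--    instance over an encrypted channel (encrypt_option = 'TRUE').
SELECT session_id, net_transport, encrypt_option, client_net_address
FROM sys.dm_exec_connections
ORDER BY session_id;
GO
```

Step 3 is the operational check that matters most: TDE moves the risk from the data files to the certificate, so the certificate backup must be stored and protected separately from the database backups it unlocks. Step 8 is the reason the "Communication channels" item belongs on the list: an encrypted database still sends plaintext over an unencrypted connection.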
So, the main message of your article remains: do not rely only on database encryption to ensure that your information is safe. Every process involving data and interaction with the database engine must be secured too, not forgetting the application user interface, where SQL injection remains a major vulnerability.
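As an added illustration of that last point (example code, not from the original letter or article), the same lookup written in two ways inside SQL Server: a stored procedure that builds its statement by string concatenation, and its hardened form that passes the value as a typed parameter through sp_executesql. The table dbo.Customers, its columns and the login AppUser are assumed names.

```sql
-- Added example: dynamic SQL built by concatenation versus a parameterized
-- statement. Table, column and login names are assumed placeholders.

-- Vulnerable form: the caller's input becomes part of the statement text,
-- so the input can alter the structure of the query, not just its data.
CREATE PROCEDURE dbo.FindCustomer_Vulnerable @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = '''
        + @Name + N'''';
    EXEC (@sql);
END;
GO

-- Hardened form: the statement text is fixed and the value travels as a
-- typed parameter, so it can only ever be compared as data.
CREATE PROCEDURE dbo.FindCustomer @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @Name';
    EXEC sp_executesql @sql, N'@Name NVARCHAR(100)', @Name = @Name;
END;
GO

-- Where no dynamic SQL is needed at all, a plain parameterized query is
-- simpler still and equally safe.
CREATE PROCEDURE dbo.FindCustomer_Static @Name NVARCHAR(100)
AS
BEGIN
    SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @Name;
END;
GO

-- Least privilege limits the damage of any remaining flaw: the application
-- login needs EXECUTE on the procedures, not SELECT on the table.
GRANT EXECUTE ON dbo.FindCustomer TO AppUser;
GRANT EXECUTE ON dbo.FindCustomer_Static TO AppUser;
GO
```

The two hardened procedures do the same work as the vulnerable one; the difference is only that user input never reaches the query compiler as SQL text, which is what TDE and encrypted connections cannot protect against on their own.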
For those who would like to know more:
TDE: http://msdn.microsoft.com/en-us/library/bb934049.aspx
Encrypted connections: http://msdn.microsoft.com/en-us/library/ms191192.aspx
Kind Regards,
Fabrizio Faleni