Data security, SQL Server 2016, and your business
Security is unquestionably a major priority for Microsoft. A recent news story reported that the company “is spending $1 billion a year to make Microsoft products more secure.” The Microsoft data platform, including SQL Server and Azure SQL Database, is at the top of the list of products investing in security. But, be aware that a commitment to data security is actually nothing new. SQL Server has long been recognized for its outstanding security record: According to the National Institute of Standards and Technology(NIST)1 public security board, for the past six years, SQL Server has had the fewest security vulnerabilities when compared with the major database vendors. In addition, SQL Server has been deemed “the most secure database” by the Information Technology Industry Council (ITIC). Despite this excellent security record, Microsoft is not content to rest on its laurels and is continuing to invest in security, providing customers with new and improved tools to secure data and applications.
From an IT infrastructure and compliance perspective, the importance of protecting data is clear. Witness the fact that security has been identified as one of the “Eight emerging data center trends to follow in 2016.” But data protection also has profound business implications and can even be a competitive differentiator by helping drive customer loyalty and retention, create opportunities for premium offers and new sources of revenue, and protect future revenue streams, according to Forrester Research 2.To help deal with the complexity and scope of data security — and diminish risks to your business — Microsoft provides an across-the-board, in-depth security approach that includes application security, network security, and database security.
Data Security and SQL Server
Playing into this overall approach, SQL Server 2016 and Azure SQL Database include advanced, layered security functionality to help protect data itself as well as access to that data, and then provide monitoring capabilities. Data security features include (but are not limited to) the following:
- Always Encrypted enables encryption inside client applications without revealing encryption keys to SQL Server. It allows changes to encrypted data without the need to decrypt it first.
- Transparent Data Encryption (TDE) protects data at rest by encrypting all the user data in data files. TDE prevents users from attaching or restoring a database to another server as a way to access the data.
- Support for Transport Layer Security (TLS), which has now been updated to version 1.2, protects data in transit and offers protection from such tactics as man-in-the-middle attacks.
- Dynamic Data Masking (DDM) and Row-Level Security (RLS) help developers build applications that require restricted direct access to certain data as a means of preventing users from seeing specific information.
This layered approach to data security and Microsoft’s overall commitment to advancing security and privacy protection address important considerations for business today. Upcoming blogs will go into deep technical detail on these security capabilities, but examining a business scenario can help illuminate the business benefits that data security can help ensure.
Business implications
Data has become not only a business asset, but it is now also a competitive differentiator: A company that can ensure that customer and business data are secured has a competitive edge over a company that does not make data security a priority. This means that for business and technical decision-makers to enable their businesses to compete effectively, they need a data platform with built-in security features and they need a strategy that takes advantage of the built-in security capabilities.
The business implications of data security range from speeding up customer service, to impacting the bottom line, to protecting shareholder value. Underscoring the potential bottom-line concerns of financial executives, a recent survey found that 66 percent of CFOs consider security to be a high or very high priority. Even at the end-user level, the potential business impact of exposing sensitive data is recognized: Another recent survey discloses that “71 percent of end users say that they have access to company data they should not be able to see.”
How can Microsoft’s data security capabilities ease such concerns? Consider just one example showing how Dynamic Data Masking, as a part of your data security program, can help you address the point raised by those end users who admitted they had access to data (such as Social Security Numbers or health details) that they shouldn’t be able to view. For example, suppose you have a call center where representatives deal with customer billing questions. When a customer record comes up, the representative needs to see certain information to answer questions. But some customer information, such as specific personal health details, need to remain confidential for HIPAA compliance. With Dynamic Data Masking, IT administrators can take simple steps to define policies, or rules, to mask any personally identifiable information that is not needed for the customer interaction. This way, the representative can view a customer record without having access to confidential information. Customer information is secured, but at the same time, customer service is able to answer questions by accessing appropriate data without compromising privacy.
Commitment to security built-In
As the article cited above emphasizes, Microsoft is spending $1 billion per year to ensure that its products are secured so that businesses are protected. SQL Server and Azure SQL Database are continuously building-in state-of-the-industry security technologies as part of this ongoing commitment to security. For business, this means you don’t have to pay extra to give IT staff security tools that are easy to deploy and maintain — those tools are built into Microsoft’s data platform. At the same time, businesses can build data security infrastructure that supports customers and provides a competitive edge. To learn more about Microsoft’s data security approach, see the Security Center for SQL Server Database Engine and Azure SQL Database.
See the other posts in the SQL Server 2016 blogging series
1. National Institute of Standards and Technology Comprehensive Vulnerability Database update 10/2015
2. The Future of Data Security And Privacy: Growth And Competitive Differentiation Vision: The Data Security And Privacy Playbook, John Kindervag, Heidi Shey, and Kelley Mak, Forrester, July 10, 2015