Alasdair Daw and Ally Parker

24 May 2017

We’re making SQL Server audits easier – can you help us?

On the Foundry team, we’ve just completed the second stage of our research into problems in the SQL Server audit and compliance space. Thank you to everyone who helped us by participating in our initial research (you can read more about it here). Now we’re starting work on a solution that will reduce the pain and time involved in providing audit evidence for SQL Server user access.

What we’ve learned about audit and compliance

We discovered that tracing and reporting on user access during an audit is a common problem experienced by organizations, regardless of the regulations they’re subject to.

Stage 2 concept demo for tracing user access

Since risks like fraud or data breaches tend to come from within an organization, a lot of regulation hinges on ensuring the correct access and permissions are given to each database user. Organizations document and follow agreed processes in order to comply with these regulations and, during an audit, DBAs are asked to provide evidence of this.

To get this information, DBAs write SQL and PowerShell scripts that need to be run across their environment. They’re often written and executed by the most senior DBA, since they’re the one with the necessary permissions to run scripts in the production environment.

Even though the DBAs are able to return this information, auditors are frequently not SQL Server specialists (and even those that are can be forgiven for not following the labyrinthine web that is SQL Server’s security model. Auditors can’t always understand the scripts (or the results) enough to trust them, so they ask for additional supporting evidence (including screenshots from Active Directory, etc), taking more time away from the DBA’s day job.

SQL Server database engine permissions

Our objective is to help the auditor leave as happy and as soon as possible: the longer your most senior DBA is locked away with the auditor, the more the audit costs the business. Oh, and organizations have to pay for the auditors’ time too.

What we’re doing now

We’re looking for people approaching an audit in the next quarter to get involved with our early access program. We’ll work with you to get features in place so your auditors can leave happier and sooner, leaving you to get back to what you do best.

If you’re interested in participating, sign up here.

Foundry is Redgate’s research and development division. We develop products and technologies for the Microsoft Data Platform. Each project progresses through Foundry’s four-stage product development process: Research, Concept, Prototype, Beta. At each stage the Foundry team is exploring the scope and potential for Redgate to develop a product.