16 August 2018

What SOX means to the DBA

The responsibilities of a database administrator can seem endless, so why should that already heavy workload be burdened with legislation compliance? Surely, legal stuff can be dealt with by lawyers?

Unfortunately, this is no longer the case. With legislation and industry standards like the GDPR, PCI DSS, CCPA, Sarbanes-Oxley (SOX) and HIPAA, the requirements for protecting and preserving the integrity of data are more critical than ever, and part of that responsibility falls to you, the DBA.

Introduced in 2002, SOX is a US federal law created in response to several high-profile corporate accounting scandals (Enron and WorldCom, to name two). The public and shareholders alike were in an uproar about the fraudulent activities that came to light, and companies everywhere were subsequently expected to raise their standards to address those concerns. Corporations needed to change the way they worked from the top down and, by law, that means the DBA too.

So what does that mean for a DBA?

For DBAs this meant introducing new procedures around protecting data, creating backup and recovery processes, and ensuring the auditing, encryption and restricted access of regulated data. Importantly, SOX isn’t like many of the other regulations where protecting personally identifiable information (PII) is the main goal. Instead, financial data is the primary focus when trying to maintain compliance.

Much of this information will need to be made public sooner or later, so confidentiality breaches are not the biggest problem. What you need to ensure is that financial data doesn't get inserted, updated or deleted without the change being recorded or, worse still, without your knowledge. It's about ensuring shareholders have a transparent view into the company.

These prerequisites might sound simple but in practice they can be quite difficult to meet. Keeping track of who changed what, when, where, and how across all activities can seem daunting. There is also the concern that it will have an impact on performance and disk space.
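The "who changed what, when, where and how" requirement above is usually met with an append-only audit trail. The following T-SQL is an added example written for this article, not code from the original post or from any Redgate product; the table name dbo.LedgerEntry, its columns and the audit table layout are assumed for illustration. It records every insert, update and delete on a financial table, including the before and after values, and then denies direct writes to the trail itself.

```sql
-- Added example (not from the original post): a DML audit trail on SQL Server.
-- dbo.LedgerEntry stands in for any table holding financially significant data.
CREATE TABLE dbo.LedgerEntry (
    LedgerEntryId INT IDENTITY(1,1) PRIMARY KEY,
    AccountNumber VARCHAR(20)   NOT NULL,
    Amount        DECIMAL(18,2) NOT NULL,
    PostedOn      DATETIME2     NOT NULL DEFAULT SYSUTCDATETIME()
);

-- Append-only trail: one row per affected row, per statement.
CREATE TABLE dbo.LedgerEntryAudit (
    AuditId       BIGINT IDENTITY(1,1) PRIMARY KEY,
    LedgerEntryId INT           NOT NULL,
    Operation     CHAR(1)       NOT NULL,   -- 'I', 'U' or 'D'  (what)
    OldAmount     DECIMAL(18,2) NULL,       -- value before the change
    NewAmount     DECIMAL(18,2) NULL,       -- value after the change
    ChangedBy     SYSNAME       NOT NULL,   -- who
    ChangedAt     DATETIME2     NOT NULL,   -- when
    HostName      SYSNAME       NULL,       -- where (client machine, self-reported)
    ProgramName   SYSNAME       NULL        -- how   (client application, self-reported)
);
GO

CREATE TRIGGER dbo.trg_LedgerEntry_Audit
ON dbo.LedgerEntry
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;

    -- A full outer join of the inserted/deleted pseudo-tables classifies each
    -- row: present only in inserted = I, only in deleted = D, in both = U.
    INSERT INTO dbo.LedgerEntryAudit
        (LedgerEntryId, Operation, OldAmount, NewAmount,
         ChangedBy, ChangedAt, HostName, ProgramName)
    SELECT
        COALESCE(i.LedgerEntryId, d.LedgerEntryId),
        CASE WHEN d.LedgerEntryId IS NULL THEN 'I'
             WHEN i.LedgerEntryId IS NULL THEN 'D'
             ELSE 'U' END,
        d.Amount,
        i.Amount,
        ORIGINAL_LOGIN(),   -- the real login, even under EXECUTE AS / impersonation
        SYSUTCDATETIME(),
        HOST_NAME(),        -- supplied by the client; context, not proof
        APP_NAME()          -- supplied by the client; context, not proof
    FROM inserted AS i
    FULL OUTER JOIN deleted AS d ON i.LedgerEntryId = d.LedgerEntryId;
END;
GO

-- Nobody writes to the trail directly. The trigger still can, because the
-- trigger and the audit table share an owner (ownership chaining skips the
-- permission check). DENY does not bind sysadmin or db_owner members, so that
-- membership is itself something to keep small and reviewed.
DENY INSERT, UPDATE, DELETE ON dbo.LedgerEntryAudit TO public;
GO

-- Exercise the trail with constructed sample activity, then read it back.
INSERT INTO dbo.LedgerEntry (AccountNumber, Amount) VALUES ('ACC-0001', 100.00);
UPDATE dbo.LedgerEntry SET Amount = 250.00 WHERE AccountNumber = 'ACC-0001';
DELETE FROM dbo.LedgerEntry WHERE AccountNumber = 'ACC-0001';

SELECT Operation, OldAmount, NewAmount, ChangedBy, ChangedAt, HostName, ProgramName
FROM dbo.LedgerEntryAudit
ORDER BY AuditId;
```

Two caveats matter for the "without your knowledge" part of the requirement. TRUNCATE TABLE does not fire DML triggers, so the ALTER permission that allows it has to be withheld from the same people who are denied DELETE. And anyone able to disable or drop the trigger can silence the trail, so changes to the trigger itself belong in a server-level audit (SQL Server Audit, or DDL triggers) that the same accounts cannot switch off.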

One approach may appear to be reducing who has access to the data. If we reduce the number of people who have access, after all, we reduce the work needed to track those interactions.

A development team might protest, however, that it is absolutely critical they have access to real data in order to accurately test their changes and work effectively. And they're correct. Purely generated data tends not to test well and can slow down your release processes. Striking a balance between data protection and development performance is the challenge.

Compliance with performance

The worry that processes in place to ensure compliance can bottleneck the development process is a very real one. So how can you have the best of both worlds?

The solution is to provision copies of production databases and mask them so that they still contain realistic, workable data. This idea of masking and provisioning going hand in hand is called out in the recent Data Masking report from Gartner:

“Test data (or copy data) virtualization is a technology that is increasingly popular, when used in combination with SDM (Static Data Masking), to speed up the provisioning of and updates to target environments, in addition to significantly reducing the amount of storage required by these environments.”

So while compliance does have an impact on database development, it doesn’t mean it has to slow it down.
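To make the static masking step concrete, here is an added T-SQL example, written for this article rather than taken from the original post or from any Redgate tool, of masking a provisioned copy. The tables dbo.Customer and dbo.Payment, their columns and the sample rows are constructed. It keeps the copy usable for developers (names and addresses stay well-formed, account numbers still join across tables) while removing the real values, and ends with checks that the masking actually took.

```sql
-- Added example (not from the original post): static data masking applied to a
-- NON-PRODUCTION COPY on SQL Server. Never run this against production.
CREATE TABLE dbo.Customer (
    CustomerId  INT           PRIMARY KEY,
    FullName    NVARCHAR(100) NOT NULL,
    Email       NVARCHAR(200) NOT NULL,
    BankAccount CHAR(8)       NOT NULL,
    CreditLimit DECIMAL(18,2) NOT NULL
);
CREATE TABLE dbo.Payment (
    PaymentId   INT IDENTITY(1,1) PRIMARY KEY,
    BankAccount CHAR(8)       NOT NULL,   -- links to Customer by account number
    Amount      DECIMAL(18,2) NOT NULL
);

-- Constructed rows standing in for the freshly provisioned copy.
INSERT INTO dbo.Customer VALUES
    (1, N'Ada Example',   N'ada@example.com',   '12345678',  5000.00),
    (2, N'Grace Example', N'grace@example.com', '87654321', 12000.00);
INSERT INTO dbo.Payment (BankAccount, Amount) VALUES
    ('12345678', 100.00), ('12345678', -40.00), ('87654321', 999.99);

-- 1. Build one consistent mapping for the value that links tables, so every
--    occurrence of a real account number becomes the same fake number and joins
--    in the masked copy still line up. Random ordering means the fake number
--    reveals nothing about the real one.
CREATE TABLE #AccountMap (
    RealAccount CHAR(8) PRIMARY KEY,
    FakeAccount CHAR(8) NOT NULL
);
INSERT INTO #AccountMap (RealAccount, FakeAccount)
SELECT BankAccount,
       CAST(90000000 + ROW_NUMBER() OVER (ORDER BY NEWID()) AS CHAR(8))
FROM (SELECT BankAccount FROM dbo.Customer
      UNION
      SELECT BankAccount FROM dbo.Payment) AS AllAccounts;

-- 2. Apply the mapping to every table that carries the value.
UPDATE c SET BankAccount = m.FakeAccount
FROM dbo.Customer AS c JOIN #AccountMap AS m ON m.RealAccount = c.BankAccount;
UPDATE p SET BankAccount = m.FakeAccount
FROM dbo.Payment AS p JOIN #AccountMap AS m ON m.RealAccount = p.BankAccount;

-- 3. Replace directly identifying fields with synthetic values that keep the
--    shape developers test against, and perturb the financial figure by a
--    random factor between 0.80 and 1.20 so it is realistic but not real.
UPDATE dbo.Customer
SET FullName    = CONCAT(N'Customer ', CustomerId),
    Email       = CONCAT(N'customer', CustomerId, N'@example.invalid'),
    CreditLimit = ROUND(CreditLimit * (0.8 + ABS(CHECKSUM(NEWID()) % 41) / 100.0), -2);

-- 4. The mapping is the only road back to the real values: drop it before the
--    copy leaves the restricted environment.
DROP TABLE #AccountMap;

-- 5. Verify before handing the copy over. Any row returned by these queries
--    means the masking is incomplete or has broken a relationship.
SELECT 'unmasked email' AS Problem, c.*
FROM dbo.Customer AS c
WHERE c.Email NOT LIKE N'%@example.invalid';

SELECT 'account not from the mapping' AS Problem, p.*
FROM dbo.Payment AS p
WHERE p.BankAccount NOT LIKE '9[0-9][0-9][0-9][0-9][0-9][0-9][0-9]';   -- coarse shape check

SELECT 'payment with no matching customer' AS Problem, p.*
FROM dbo.Payment AS p
LEFT JOIN dbo.Customer AS c ON c.BankAccount = p.BankAccount
WHERE c.CustomerId IS NULL;
```

The design choice worth noting is the mapping table in step 1: masking each column independently with random values is simpler, but it silently breaks every join that relied on the original value, which is exactly what makes developers reject masked copies. The checks in step 5 are what stops an incomplete masking run from quietly reaching an environment with weaker access controls.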
