SQL Server getting security boosts

Microsoft at its Tech Ed conference in San Diego on Tuesday will tout plans to add data encryption to its SQL Server database and seek federal government security certification for the platform as well.

The company also will release to manufacturing a tool that advises on best practices for administering SQL Server databases.

Native data encryption will be featured in SQL Server 2005, which is codenamed “Yukon” and due next year, according to the company. “It’s just another layer of protection for customers to secure their data,” said Tom Rizzo, director of product management for SQL Server at Microsoft. With the encryption support, a hacker breaking into the system to query data still would need a password or keys to de-encrypt data, Rizzo said. PKI infrastructures are supported by the data encryption function.

Data encryption is of growing importance, with state governments increasingly prone to making a company liable for unauthorized access to unencrypted data, Rizzo said.

Additionally, Microsoft will subject SQL Server 2005 to the federal government’s Common Criteria certification from the National Security Agency. Common Criteria certification carries a more rigorous standard for auditing and security processes than its predecessor, C2.

“It’s a good step for us to show our very focused efforts around security,” Rizzo said. The move should boost SQL Server’s usefulness in governmental agencies, including foreign governments, and in corporations also, Rizzo said.

Microsoft is anticipating a high upgrade rate for SQL Server 2005. “Based on the customer excitement I’ve seen, I think a lot of people will upgrade,” Rizzo said. However, Microsoft will not be swayed by the current industry momentum of Linux and open source, with no plans afoot to port the database to either Linux or Unix or make any SQL Server code available through an open source format, he said.

“Oracle and IBM go across many platforms and you get a homogenized release that doesn’t work very well on any one platform,” Rizzo said. “We believe that integrating deeply with Windows is a benefit to our customers.”

Microsoft also is not swayed by the popular open source database, MySQL, and questions the supposed cost benefits, Rizzo said. Two customers at TechEd will be highlighted for choosing SQL Server over MySQL, he said. “What they found out was it wasn’t free. There was cost,” Rizzo said.

One of those users was TSYS, which provides credit card processing services.

“Primarily, we chose [SQL Server] for scalability,” said Tim Kelly, a technical director of technology at TSYS. Manageability also was a benefit, he said. 

As far as costs, SQL Server is more expensive than MySQL on a per-license basis, costing thousands of dollars per processor for the enterprise version of SQL Server as opposed to minimal, almost-free cost of MySQL, Kelly said. But costs rose when support expenses were factored in, Kelly said. Support costs for MySQL represented “a five-figure difference” over SQL Server, making SQL Server the cost-saver overall, Kelly said.

He applauded the security enhancements planned for SQL Server 2005 as well as database mirroring, which can create the appearance of uptime even though a data center may be lost.