This article is written by our contributing author Ken Lassesen. His bio can be found here.
I am a standards-based person and prefer to adopt existing best practices. When I work in the role of Product Manager or Architect on an ISV product, I ask the question: "If there is a security breach and data is lost, would it have a more severe impact on the firm than the loss of corporate credit cards?" If the answer is yes, I hand out the Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 2.0 (PCI DSS) and we proceed to identify what does not apply. What remains becomes part of the best-practices recommendations for the product.
Many ISV products require SQL Server standard (SQL Server authentication) or mixed-mode security. These products are the primary focus of this set of posts. SQL Server logins offer few built-in controls beyond the optional password-policy and password-expiration checks, so much of what PCI DSS asks for has to be added around them. The PCI DSS requirements are organized into four groups, which I will address in subsequent posts:
In the following posts, I will show how Data Definition Language (DDL) triggers can enhance SQL Server to implement the above.
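As an added illustration of the approach (this is not code from the original post), the server-scoped DDL trigger below shows the pattern the series builds on: SQL Server fires the trigger after a login is created or altered, inside the same transaction, so the trigger can inspect the catalog row and roll the change back when it violates policy, and it can write an audit row for the change. The audit database and table (`SecurityAudit.dbo.LoginDdlAudit`) and the trigger name are assumptions made for the example; the catalog view `sys.sql_logins`, `EVENTDATA()` and `ORIGINAL_LOGIN()` are standard T-SQL.

```sql
-- Added example (not from the original post). Assumes a database named
-- SecurityAudit exists; table and trigger names are hypothetical.
USE SecurityAudit;
GO

-- Audit trail of login DDL: who changed which login, and when.
CREATE TABLE dbo.LoginDdlAudit (
    AuditId    int IDENTITY(1,1) PRIMARY KEY,
    EventTime  datetime2(0) NOT NULL DEFAULT SYSUTCDATETIME(),
    EventType  nvarchar(128) NOT NULL,   -- CREATE_LOGIN / ALTER_LOGIN / DROP_LOGIN
    IssuedBy   nvarchar(128) NOT NULL,   -- login that ran the DDL statement
    LoginName  nvarchar(128) NULL,       -- login that was created, altered or dropped
    Allowed    bit NOT NULL              -- 0 when the trigger rolled the change back
);
GO

-- Server-scoped DDL trigger: runs after the DDL statement, inside its transaction.
CREATE TRIGGER trg_AuditLoginDdl
ON ALL SERVER
FOR CREATE_LOGIN, ALTER_LOGIN, DROP_LOGIN
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @e   xml = EVENTDATA();
    DECLARE @evt nvarchar(128) = @e.value('(/EVENT_INSTANCE/EventType)[1]', 'nvarchar(128)');
    DECLARE @obj nvarchar(128) = @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(128)');

    -- Policy check: a SQL Server login must keep Windows password policy and
    -- expiration enforcement turned on. Because the trigger fires after the
    -- statement, the new or altered login is already visible in sys.sql_logins.
    -- Windows logins are not in sys.sql_logins, so they pass through untouched.
    IF @evt IN ('CREATE_LOGIN', 'ALTER_LOGIN')
       AND EXISTS (SELECT 1
                   FROM sys.sql_logins
                   WHERE name = @obj
                     AND (is_policy_checked = 0 OR is_expiration_checked = 0))
    BEGIN
        -- Record the rejected attempt, then undo the DDL.
        INSERT SecurityAudit.dbo.LoginDdlAudit (EventType, IssuedBy, LoginName, Allowed)
        VALUES (@evt, ORIGINAL_LOGIN(), @obj, 0);

        RAISERROR('SQL logins must have CHECK_POLICY = ON and CHECK_EXPIRATION = ON.', 16, 1);
        ROLLBACK;
        RETURN;
    END;

    -- Compliant change: keep the audit record.
    INSERT SecurityAudit.dbo.LoginDdlAudit (EventType, IssuedBy, LoginName, Allowed)
    VALUES (@evt, ORIGINAL_LOGIN(), @obj, 1);
END;
GO
```

Two practical notes. The trigger runs under the caller's security context, so every principal allowed to create or alter logins also needs INSERT permission on the audit table, or the trigger must be created `WITH EXECUTE AS` a login that has it; otherwise the permission error itself aborts the DDL. And the rollback path writes its audit row before the `ROLLBACK`, which also undoes that insert; if the rejected attempts must be retained, write them from a separate mechanism (for example, a server audit or extended events session) rather than from inside the rolled-back transaction.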