Businesses that handle Controlled Unclassified Information (CUI) or other sensitive data need to comply with applicable information security and privacy regulations to minimize the risk of a data breach, data loss, and other threats to data confidentiality, integrity, and availability. This generally includes regularly or continuously monitoring and auditing all the activities taking place in your Microsoft SQL Server environment. 

To help automate this critical monitoring process, Microsoft provides SQL Server Audit, a tool built into SQL Server that can read database transaction logs to provide information about data and object changes affecting the database. By keeping tabs on how a database is being used, DBAs or security teams can spot suspicious actions that could indicate a potential incident, such as a data breach or cyber attack. 

How SQL Server Audit Works

SQL Server Audit lets you track and analyze events taking place on Microsoft SQL servers to reveal potential vulnerabilities and threats to CUI. It enables you to log all changes to the server settings, as well as record all server activities, in a special database table.

For example, you can check SQL Server Audit data for suspicious log events that point to unauthorized network access. Other activities you can log with SQL Server Audit include:

  • Insert, update, and delete attempts to the server table
  • Connection and login attempts, including both, failed and successful logins
  • Database object access attempts
  • Database management activities
  • Admins and other users who connected to the database engine
  • Creating new logins and databases

You can choose from among several levels of auditing with the SQL Server Audit tool, depending on your specific compliance requirements (e.g., compliance with CMMC Level 2 versus CMMC Level 3). You can create server audits to log server-level events, and/or database audits for database-level events. 

SQL Server Audit Benefits

The overall goal of SQL Server audits is to track how database records are used, who accessed them, and when. This data can help you comply with data protection and privacy regulations, including those governing CUI on non-government systems. It can also improve your information security and incident response—the ability to prevent, detect and contain an attack or data breach impacting your database.

Database auditing also improves your confidence in the accuracy, consistency, and completeness of your data for analytics purposes. Finally, it helps you chart a path of continuous improvement by uncovering problems with your database security, administration, and/or monitoring.

Most common SQL Server Audit levels to protect CUI

Guidance on safeguarding CUI generally recommends implementing either of two SQL Server Audit levels as part of your SQL database audit program: C2 Audit or Common Criteria Compliance. These are the most widely used international standards for SQL auditing.

C2 Audit records data beyond the SQL Server, such as who triggered what events in which database, the event type, the server name, and the event outcome. To get started, you assign an audit ID to each group of related processes starting at login. System calls that these processes perform are thereafter logged with that audit ID. Examples include calls to open or close files, calls to change directories, and failed or successful login attempts.

Common Criteria Compliance replaces C2 Audit processes in many compliance frameworks. This approach uses Extended Events (superseding SQL Trace) to gather audit event details. To residually protect CUI, you can filter specific events out of the trace and subsequently use them in applications that manage SQL Server. Note that Common Criteria Compliance can impact SQL Server performance and should ordinarily be enabled only if your guidance on safeguarding CUI mandates it.

Key SQL Server Audit actions to protect CUI

These are some of the most critical SQL Server events to log for most organizations:

  1. Failed login attempts. This data is vital to identify attempted or successful attacks on your database.
  2. Role member changes. This tells you when a login is added or removed from a server or database role, so you can track your privileged users. and know if an unauthorized user was added.
  3. Database user changes. Like with role member changes, this event tells you when users are created, changed, or deleted from a database so you know who has access within a SQL Server instance.
  4. Database object adds/deletions/changes. While this can create bulky audit logs, guidance on safeguarding CUI frequently mandates it.
  5. AUDIT_CHANGE_GROUP. Logging this event lets you identify when a user is altering or disabling your audit logs to “cover their tracks,” and is often required in audit guidance on safeguarding CUI. Or, this event may just alert you if a DBA disables auditing to temporarily improve SQL Server performance and forgets to re-enable it. 

It’s important to carefully choose the SQL Server events you want to audit based on compliance requirements, so you don’t need to filter unnecessary data. However, it’s important to log unsuccessful as well as successful events, as failures are a top way to spot attacks in progress and identify abuse of privileges.

Guidance on Safeguarding CUI Data: Next steps

Most orgs that handle CUI or other sensitive data are subject to one or more regulations like NIST 800-171, the Cybersecurity Maturity Model Certification (CMMC), HIPAA, Sarbanes-Oxley (SOX), PCI-DSS, etc. The inability to pass a compliance audit puts you at significant risk of fines, legal sanctions, or potentially even criminal prosecution under the US Department of Justice’s False Claims Act.

A database vulnerability assessment performed by Buda Consulting experts will identify any compliance issues with your database environment. This will provide the guidance on safeguarding CUI and other sensitive data that you need to achieve—and demonstrate—compliance to regulators and other stakeholders. 

Contact us to schedule a free 15-minute call to discuss how a database vulnerability assessment can help your business meet its compliance goals.