Before joining Microsoft I worked for a large distribution company, where we created a high-level data model for the organisation, identifying our key information, where it was held and in what technology. The interesting thing in this exercise was that the key data, the data that kept the business running, was stored in an Access 2.0 database on an unsecured machine in a branch office. There were challenges not only around how the data was secured but also around how it was distributed, backed up, recovered etc.
Whilst this isn’t a witch-hunt against Access (it’s a great tool), this example hopefully demonstrates that it’s important that we know where our data lives, identify who is responsible for it and, equally importantly, make sure it’s on a platform we can secure and manage. Just as an aside, and to end the story, we used the SQL Server migration tool to upgrade the Access databases to SQL Server. You can choose to leave the user front end in Access should you wish.
If your data is already in SQL Server then you can start to take advantage of data encryption. In SQL Server 2005 we enabled the encryption and decryption of data at rest by providing built-in functions for applications to call. With SQL Server 2008 we extend this capability to encryption of an entire database, both data and log, without the need for application changes. One key benefit of the SQL Server implementation is that it provides a much richer ability to search encrypted data, including both range and fuzzy searches. This is in addition to the BitLocker support that Windows Server 2008 introduces.
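The two approaches described above, as an added T-SQL example that is not part of the original post: the first half uses the SQL Server 2005 built-in functions, where the application must call EncryptByKey/DecryptByKey itself and the column holds opaque ciphertext; the second half enables Transparent Data Encryption on SQL Server 2008 and checks its state. The database name PatientData, the key and certificate names, the file paths and the sample NHS number are all assumed placeholders.

```sql
-- Part 1: cell-level encryption (SQL Server 2005 onwards). The application must
-- open the key and call the functions explicitly, so schema and code change.
USE PatientData;                                  -- hypothetical database
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
CREATE CERTIFICATE NhsNumberCert WITH SUBJECT = 'NHS number column protection';
CREATE SYMMETRIC KEY NhsNumberKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE NhsNumberCert;

CREATE TABLE dbo.Patient (
    PatientId    INT IDENTITY PRIMARY KEY,
    NhsNumberEnc VARBINARY(256) NOT NULL          -- ciphertext, never the plain value
);

OPEN SYMMETRIC KEY NhsNumberKey DECRYPTION BY CERTIFICATE NhsNumberCert;
INSERT INTO dbo.Patient (NhsNumberEnc)
VALUES (EncryptByKey(Key_GUID('NhsNumberKey'), N'0000000000'));  -- constructed sample value
-- Only a session that has opened the key gets plaintext back. A range or LIKE
-- search on NhsNumberEnc itself is not possible: every row is opaque ciphertext.
SELECT PatientId,
       CONVERT(NVARCHAR(10), DecryptByKey(NhsNumberEnc)) AS NhsNumber
FROM dbo.Patient;
CLOSE SYMMETRIC KEY NhsNumberKey;

-- Part 2: Transparent Data Encryption (SQL Server 2008 onwards). Data and log
-- files are encrypted on disk; existing queries, including range and LIKE
-- searches, run unchanged because pages are decrypted as they are read.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE certificate';
-- Back the certificate and private key up straight away and store them off the
-- server: without them an encrypted database cannot be restored anywhere.
BACKUP CERTIFICATE TdeServerCert TO FILE = 'D:\keys\TdeServerCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TdeServerCert.pvk',
                      ENCRYPTION BY PASSWORD = '<private key password>');

USE PatientData;
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
ALTER DATABASE PatientData SET ENCRYPTION ON;

-- Check the result: encryption_state 3 means the database is encrypted,
-- 2 means the background encryption scan is still in progress.
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete,
       key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

Note that once any database on the instance has TDE enabled, tempdb is encrypted as well, which is worth checking before enabling it on a shared instance.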
Transparent Data Encryption & External Key Management
In SQL Server 2005, encryption and key management were contained entirely within SQL Server. For some small applications and users this is acceptable. However, with the growing demand for regulatory compliance and the overall concern for data privacy, more NHS organisations are leveraging encryption as a way to provide a defence-in-depth solution. SQL Server 2008 will provide a mechanism for SQL Server encryption to work with third-party key management products.