Click here to view the buyer's guide table.
In a time when security failures regularly get news coverage, you don't want to responsible for a security snafu. You can help protect your servers using proper configuration and sticking to best practices, but the right security software can add a much more substantial safety net.
See the table on the following page for some examples of these products. You'll notice that there's a wide variety of products available to protect SQL Server. They come in at many different price and feature levels, so don't jump into a purchase without doing your research.
The Basics
Be aware of security problems that are specific to certain versions of SQL Server, and check that any security products you consider fully support your SQL Server version. All the vendors who responded to our survey said their products are compatible with SQL Server 2000, SQL Server 2005, and SQL Server 2008, but not all products were compatible with SQL Server 2008 R2 yet—so check on that if you plan to adopt R2 right away.
Carefully check the license terms of any SQL Server security product you're considering. There are almost as many different license types as there are products in our buyer's guide table. Some products are licensed by SQL Server instance, some by the hardware used to run SQL Server, and some by the hardware where you install the monitoring tools. Depending on how your environment is set up, you could pay different amounts for very similar coverage.
On top of watching out for your SQL Servers, don't forget that a secure SQL Server has to run on a secure Windows server. Keep your servers properly patched, and don't neglect network security. Be cautious about security measures with the potential to hurt SQL Server's performance, however, because some products may not consider SQL Server's unique requirements.
Dig Deep
According to the companies that make them, all of the products in the table have minimal system resource requirements, but it's up to you to make sure that your environment can take strain imposed by security products. You need to choose between security products that run on the SQL Server and those that run on a separate machine. Products running on your server use resources there, but just about any security solution will put an additional load on your servers, whether directly or indirectly.
Of course, all the system resources in the world won't help you if you don't meet your regulatory or compliance standards. If your SQL Servers are bound by standards like Sarbanes-Oxley or the Health Insurance Portability and Accountability Act, make sure a security product will make it easy to meet these requirements. If you slack on your research in this area, you could find yourself in a very uncomfortable situation—no one wants to be audited.
Unlike with other types of security, such as firewalls, there isn't really a standard set of features that you can expect from a SQL Server security product. Many features are available on each of the solutions listed in our table, but most of the products are missing at least one of the features. Any given product may not manage user access, for example. Or it might lack real-time monitoring and alerting functions. This lack of standardization means the onus on administrators is heavier than usual to understand their environments and needs thoroughly.
