SQL security and regulatory compliance: Implementation of RBAC and audit logs
Synopsis
Security and compliance strategies vary widely. Security controls may address data at rest or in transit; compliance requirements, in turn, are driven by regulatory regimes such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), or the European Union's General Data Protection Regulation (GDPR) [1-3]. HIPAA's Security Rule, for example, requires access controls and audit controls for electronic protected health information and lists encryption (in transit and at rest) as an addressable specification; in practice this is met by encrypting the persistence layer, enforcing role-based access control, and retaining SQL audit logs. GDPR imposes comparable obligations but places greater weight on accountability: records of processing, demonstrable audit trails, and readily accessible detail on where personal data came from and how it is handled [2,4,5].
Developing a compliance strategy centers on three components: an enterprise framework that maps the technical requirements of the underlying law or regulation to concrete controls; training staff on those requirements and on the procedures written to satisfy them; and monitoring and reporting that demonstrate continued adherence to the governance standard. Role-based access control (RBAC) is the most widely implemented pattern for regulating access to logical objects (schemas, tables, views, stored procedures): privileges are granted to roles rather than to individual users, and the database engine enforces those grants on the physical data layer. Row-level security (RLS) is a finer-grained complement that attaches a predicate to every query so that a role can see or modify only the records it is entitled to, operating at the row rather than the table level [6-8].
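The following is an added example, written for this page in PostgreSQL syntax (version 11 or later); it is not code from the article or its references. It puts the three mechanisms discussed above side by side: table- and column-level RBAC through grants to roles, RLS policies keyed on a per-session setting, and an append-only audit log populated by a trigger. The schema, role names (clinician, billing, auditor, alice, bob), column names and the custom settings app.clinic_id and app.user_id are illustrative assumptions.

```sql
-- Added example: RBAC + RLS + audit log in PostgreSQL.
-- All object, role and setting names below are assumptions for illustration.

-- 1. Roles per job function (no direct login); people are members of a role.
CREATE ROLE clinician NOLOGIN;
CREATE ROLE billing   NOLOGIN;
CREATE ROLE auditor   NOLOGIN;
CREATE ROLE alice LOGIN PASSWORD 'change-me' IN ROLE clinician;
CREATE ROLE bob   LOGIN PASSWORD 'change-me' IN ROLE billing;

-- 2. Protected data; clinic_id is the attribute the RLS policy keys on.
CREATE TABLE patient (
    patient_id  bigserial PRIMARY KEY,
    clinic_id   int  NOT NULL,
    full_name   text NOT NULL,
    diagnosis   text,
    card_last4  char(4)
);

-- Table-level RBAC: each role gets only the verbs (and columns) it needs.
REVOKE ALL ON patient FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE ON patient TO clinician;
GRANT USAGE ON SEQUENCE patient_patient_id_seq TO clinician;  -- needed for INSERT
GRANT SELECT (patient_id, clinic_id, full_name, card_last4) ON patient TO billing;
GRANT SELECT ON patient TO auditor;

-- 3. Row-level security. Clinicians only see rows for the clinic the
--    application stored in the session after authenticating the user.
--    FORCE makes the policy apply to the table owner as well; superusers
--    and roles with BYPASSRLS still bypass it.
ALTER TABLE patient ENABLE ROW LEVEL SECURITY;
ALTER TABLE patient FORCE ROW LEVEL SECURITY;

CREATE POLICY clinic_isolation ON patient
    FOR ALL TO clinician
    USING      (clinic_id = current_setting('app.clinic_id')::int)
    WITH CHECK (clinic_id = current_setting('app.clinic_id')::int);

-- Billing and auditors may read every row (billing is still limited to the
-- columns granted above). Without a policy, RLS denies them everything.
CREATE POLICY all_rows_readonly ON patient
    FOR SELECT TO billing, auditor USING (true);

-- 4. Audit log: application roles may only append to it, auditors may only
--    read it, and nobody but the owner can update or delete entries.
CREATE TABLE patient_audit (
    audit_id   bigserial PRIMARY KEY,
    at         timestamptz NOT NULL DEFAULT now(),
    db_user    text NOT NULL,   -- database role that made the change
    app_user   text,            -- application identity, if the app set it
    operation  text NOT NULL,   -- INSERT / UPDATE / DELETE
    old_row    jsonb,
    new_row    jsonb
);
REVOKE ALL ON patient_audit FROM PUBLIC;
GRANT INSERT ON patient_audit TO clinician, billing;
GRANT USAGE ON SEQUENCE patient_audit_audit_id_seq TO clinician, billing;
GRANT SELECT ON patient_audit TO auditor;

-- The trigger runs as the invoking role (SECURITY INVOKER, the default), so
-- current_user is the role that actually changed the row.
CREATE OR REPLACE FUNCTION patient_audit_fn() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO patient_audit (db_user, app_user, operation, old_row, new_row)
    VALUES (current_user,
            current_setting('app.user_id', true),       -- NULL if never set
            TG_OP,
            CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
            CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END);
    RETURN COALESCE(NEW, OLD);
END $$;

CREATE TRIGGER patient_audit_trg
    AFTER INSERT OR UPDATE OR DELETE ON patient
    FOR EACH ROW EXECUTE FUNCTION patient_audit_fn();

-- 5. Exercising the controls as a clinician session.
SET ROLE alice;
SET app.clinic_id = '7';
SET app.user_id   = 'alice@clinic7.example';
INSERT INTO patient (clinic_id, full_name, diagnosis) VALUES (7, 'Test Patient', 'n/a');
INSERT INTO patient (clinic_id, full_name) VALUES (8, 'Other Clinic');  -- rejected by WITH CHECK
SELECT patient_id, full_name FROM patient;   -- only clinic 7 rows are visible
RESET ROLE;
SELECT at, db_user, app_user, operation FROM patient_audit;  -- one INSERT by alice
```

Two caveats matter in practice. First, `current_setting('app.clinic_id')` is called without the missing-ok flag, so a session that never set the clinic raises an error rather than silently matching nothing or everything; that fail-closed behaviour is deliberate. Second, the audit table is append-only from the application's point of view, but a role with INSERT can still write a fabricated entry, so the trigger should be the only code path that inserts there and the table should be replicated or exported to a store the application roles cannot reach if the log must be tamper-evident.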