5 Notes: Update as of 12/31/2010 inclusive. Chart counts NIST CVE – Reported Software Flaws by “published” date, utilizing the NIST NVD.
- SQL Server query = Vendor Name: Microsoft Corporation; Product Names: sql_server, sql_server, sql_server_desktop_engine, sql_server_express_edition, sql_server_reporting services, sql_srvsql_srv_desktop_engine
- Oracle query = Vendor Name: Oracle; Product Name: ‘Any’, all CVEs where “Vulnerable software and versions” lists a database product
- DB2 query = Vendor Name: IBM; Product Names: db2, db2_content_manager, db2_content_manager_toolkit, db2_server, db2_universal_database
- MySQL query = Vendor Name: mysql, mysql-ocaml, mysql_auction, mysql_eventum, mysql_quick_admin, mysqldumper, mysqlnewsengine; Product Name: ‘Any’
Source: NIST NVD

13
- Key storage, management and encryption done by HSM module
- SQL EKM key is a proxy to HSM key
- SQL EKM Provider DLL implements SQLEKM interface, calls into HSM module

18 (diagram labels, top of the chain to bottom; each key protects the one below it)
- Operating System Level: Data Protection API (DPAPI)
- SQL Server 2008 Instance Level: Service Master Key
- SQL Server 2008 Master Database: Database Master Key
- SQL Server 2008 Master Database: Certificate
- SQL Server 2008 User Database: Database Encryption Key
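The chain on slide 18, written out as the T-SQL that builds it, followed by the EKM variant from slide 13 where the certificate is replaced by an HSM-backed key. This is an added example, not a slide from the deck; ExampleDB, the file paths, passwords, HsmProvider, HsmTdeKey and the provider key label are placeholders.

```sql
-- Added example, not from the deck. Builds the slide-18 chain
-- (DPAPI -> SMK -> DMK -> certificate -> DEK), then swaps the certificate
-- for an HSM-backed asymmetric key as in slide 13. ExampleDB, paths,
-- passwords, HsmProvider and HsmTdeKey are placeholders.
USE master;
GO
-- The Service Master Key is created with the instance and protected by
-- Windows DPAPI; the only step here is to back it up off the box.
BACKUP SERVICE MASTER KEY TO FILE = 'C:\keys\smk.bak'
    ENCRYPTION BY PASSWORD = '<placeholder-password>';
-- Database Master Key in master, protected by the SMK.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-password>';
-- Certificate in master, protected by the DMK; it encrypts the DEK.
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate (example)';
BACKUP CERTIFICATE TDECert TO FILE = 'C:\keys\TDECert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\TDECert.pvk',
                      ENCRYPTION BY PASSWORD = '<placeholder-password>');
GO
-- Database Encryption Key lives in the user database, protected by the
-- master-database certificate; TDE is then switched on.
USE ExampleDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
ALTER DATABASE ExampleDB SET ENCRYPTION ON;
GO
-- Check: encryption_state 3 = encrypted (2 = background scan still running).
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO
-- EKM variant: the DEK's encryptor becomes an asymmetric key whose private
-- half stays in the HSM; SQL Server holds only the proxy object.
USE master;
GO
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;   RECONFIGURE;
CREATE CRYPTOGRAPHIC PROVIDER HsmProvider
    FROM FILE = 'C:\Program Files\HsmVendor\sqlekm.dll';  -- vendor SQLEKM DLL
CREATE ASYMMETRIC KEY HsmTdeKey
    FROM PROVIDER HsmProvider
    WITH PROVIDER_KEY_NAME = 'tde-key-01',   -- key label inside the HSM
         CREATION_DISPOSITION = OPEN_EXISTING;
GO
USE ExampleDB;
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER ASYMMETRIC KEY HsmTdeKey;
GO
```

Most HSM providers also need a credential mapped to a login (CREATE CREDENTIAL ... FOR CRYPTOGRAPHIC PROVIDER) so the engine can open the key at startup; that step is vendor-specific and is left out here.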

34 Common Criteria Certification
- Security functions: Access control, audit, management, identification & authentication, session handling and memory management
- Assurance components: Functional specs and high level design plus independent vulnerability testing
- Environment: CC certified OS (Windows Server) and admin roles
- Requirement for many governments, industries, and enterprise customers
- SQL Server 2008 Enterprise achieved Common Criteria (CC) compliance at EAL1+ (Evaluation Assurance Level); EAL4+ is in progress and recognized by the US government
- Represents the third time for CC compliance and the first time for a 64-bit version of SQL Server
- R2 is built on the SQL Server 2008 foundation and brings forward the security benefits with minimal changes to the core engine

35
- Health Information Portability and Accountability Act (HIPAA) governs health information privacy, security, organizational identifiers, and overall administrative practices
- HIPAA has 5 major components; SQL Server can help support the Security Rule, ensuring protected health information (PHI)
- SQL Server supports HIPAA areas: Access controls, Data integrity & encryption, Communications security, and Audit & compliance
SQL Server Support
- Take advantage of SQL Server 2008 capabilities to help meet database-related compliance requirements
- Technical features can support HIPAA requirements like role-based access, strong user authentication, encryption, and event logging
- SQL Server features can promote the consistency of deployed technical controls and enable effective monitoring over time
- Whitepaper: “Supporting HIPAA Compliance with Microsoft SQL Server 2008,” authored by the Information Security Center of Expertise at Jefferson Wells International, Inc., a leading Risk Advisory and Security Compliance services organization.

36
- Payment Card Industry (PCI) Data Security Standard (DSS) is a worldwide security standard created by the Payment Card Industry Security Council
- SQL Server can be deployed to meet the database server requirements and should always be considered by personnel in cardholder environments
- SQL Server supports PCI areas: Vendor-supplied defaults, protect stored data, encrypt data transmission, restrict access to data, assign unique IDs to persons with access, and monitor all access to data
SQL Server Support
- Take advantage of SQL Server 2008 capabilities to help meet database-related compliance requirements
- Technical features can support PCI requirements like TDE, EKM, SQL Server Audit, and Policy-Based Management
- Automated implementation of key SQL Server 2008 features helps enable customers to achieve PCI compliance and standardized security controls
- Whitepaper: “Deploying SQL Server 2008 Based on Payment Card Industry Data Security Standards (PCI DSS),” authored by certified audit firm Parente Randolph (now ParenteBeard).

38 © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
