Best Practice for Security and Compliance with Microsoft and Thales e-Security

Posted on 06-Mar-2018

Transcript


Nelson Yuen, Business Development Manager

Thales e-Security Hong Kong

Session Objectives and Takeaways

Messages to deliver:

Overview of today’s common Compliance and Regulations

Using Hardware Security Modules as best security practice with SQL Server

The new features in SQL Server 2012 help you satisfy your security and compliance needs

Questions to answer:

Why is encryption easy but encryption key management hard?

How does the Microsoft and Thales partnership continue to help enterprises meet their evolving security and compliance mandates?


Public and Private Sector Guidelines

Source: Monetary Authority of Singapore, Hong Kong Government

"It is very important to ensure the protection and management of keys."

"Encryption in storage: Mandatory for TOP SECRET / SECRET; Mandatory for CONFIDENTIAL; Recommended for RESTRICTED"

Component: Cryptography
Feature: Hardened architecture
Requirements:
• Support full-duplex, wire-speed encryption and key management
• Certified to FIPS 140-2 Level 3 for key management
• Support common algorithms: AES-256, SHA-1, SHA-256 (SHA-1 appears in these guidelines for compatibility; it is collision-broken and should not be selected for new signatures or integrity checks)

Deployment Choices For Cryptography

[Diagram: two deployment models side by side. Each shows the same stack: a software environment (application, operating system, hypervisor) on a hardware platform (CPU, memory, storage, back-ups).]

Software-based system: keys are held by the software itself, so numerous copies of the keys end up spread across the system and its backups (application memory, OS, hypervisor, CPU, memory, storage, back-ups).

Hardened security system: keys are segregated within the isolated security environment of a Hardware Security Module (HSM), outside the application, operating system, hypervisor, CPU, memory, storage and back-ups.

Which One is Secure?

SQL Server 2008 & 2012 Security Features

[Diagram: a table of customer challenges against security features, grouped under three themes: PROTECT DATA, ENSURE COMPLIANCE, CONTROL ACCESS]

Customer challenge                    | Security feature
Protect data-at-rest                  | Transparent Data Encryption (TDE)
Data/key separation                   | Extensible Key Management (EKM)
Use strong authentication             | Kerberos authentication enhancements
Monitor all activity                  | SQL Server Audit
Detect non-compliant configurations   | Policy-Based Management; Change Data Capture
Industry certification                | Common Criteria Certification (EAL4+)

Added in SQL Server 2012:

User-Defined Server Roles

Default Schema for Groups

Audit Resilience

Audit in all SKUs

User-Defined Audit

Audit Filtering

T-SQL Stack Info

Contained Database Authentication

FIPS 140-2 Level 3

Crypto Enhancements

SQL 2012 - Crypto Changes

4096-bit (4K) certificates supported for import

SMK/DMK default to AES256

Key backups encrypted with AES256

SHA2 (256 and 512) support

Password hashes use SHA512
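A check for these changes on a live instance, added here as an example (T-SQL written for this page, not code from the slides or from Microsoft). It reports the Service Master Key and Database Master Key algorithms, flags logins whose password hash still has the pre-2012 SHA-1 format, and exercises the SHA-2 options of HASHBYTES. The key backup path in the commented remediation is an assumption. An instance upgraded in place from SQL Server 2008 does not get the new defaults automatically: the SMK/DMK stay 3DES until regenerated, and each login keeps its old hash until its password is next changed.

```sql
-- Added example, not from the slides: verify that an instance is actually
-- using the SQL Server 2012 crypto defaults. Needs VIEW ANY DEFINITION or
-- CONTROL SERVER. The backup file path below is an assumption.

-- 1. Service Master Key / Database Master Key algorithm.
--    A fresh 2012 instance creates them as AES_256; an instance upgraded
--    from 2008 keeps the older 3DES keys until they are regenerated.
SELECT name, algorithm_desc, key_length, create_date, modify_date
FROM master.sys.symmetric_keys
WHERE name IN (N'##MS_ServiceMasterKey##', N'##MS_DatabaseMasterKey##');

-- Remediation for an upgraded instance (maintenance window; back up first):
-- BACKUP SERVICE MASTER KEY TO FILE = 'D:\keys\smk.bak'
--     ENCRYPTION BY PASSWORD = '<strong passphrase>';
-- ALTER SERVICE MASTER KEY REGENERATE;

-- 2. Login password hash format. Hashes written by 2012 carry version
--    prefix 0x0200 (SHA-512); hashes carried over from 2008 keep prefix
--    0x0100 (SHA-1) until the password is changed, so the upgrade alone
--    does not move a login to the new hash.
SELECT l.name,
       CASE CONVERT(varbinary(2), LOGINPROPERTY(l.name, 'PasswordHash'))
            WHEN 0x0200 THEN 'SHA-512 (SQL 2012 format)'
            WHEN 0x0100 THEN 'SHA-1 (pre-2012 format, force a password change)'
            ELSE 'unknown / no hash stored'
       END AS hash_format
FROM sys.sql_logins AS l
WHERE l.is_disabled = 0
ORDER BY l.name;

-- 3. SHA-2 is exposed to T-SQL through HASHBYTES. SHA1 and MD5 remain for
--    compatibility only and should not be chosen for new integrity checks.
SELECT HASHBYTES('SHA2_256', N'sample input') AS sha256_digest,
       HASHBYTES('SHA2_512', N'sample input') AS sha512_digest;
```

Run the second query after every in-place upgrade: a login that still shows the SHA-1 format is the one an attacker with a copy of master can attack fastest.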

Microsoft SQL Server Encryption Concept

Benefit to Enable SQL Server TDE

Protects data at rest: data files, log files and backups are protected all the time

Entire database is protected, which reduces the data classification workload

No application changes, and no restrictions on indexes or data types

Performance cost is small: no observable impact to the application, but security is enhanced (page encryption runs on the SQL Server CPU, so measure on your own workload; enabling TDE on any user database also encrypts tempdb for the whole instance)

Storage space size unchanged

Minimize Cost; Maximize Security
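How the TDE-plus-EKM combination from these slides is wired up in T-SQL, as an added example written for this page (not code from the slides, Microsoft or Thales). The provider name HsmProvider, the DLL path, the credential identity and secret, the login names, the provider key name and the database PayrollDB are all placeholders; the HSM vendor's documentation supplies the real library path and what the credential secret must contain. The point the slides make is visible in step 4: the asymmetric key that protects the database encryption key is generated inside the HSM and SQL Server only ever holds a handle to it.

```sql
-- Added example, not from the slides: TDE with the DEK protected by an
-- HSM-held asymmetric key through Extensible Key Management (EKM).
-- Names, paths and secrets are placeholders.

-- 1. EKM providers are disabled by default.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;

-- 2. Register the vendor's EKM library (path is an assumption).
USE master;
CREATE CRYPTOGRAPHIC PROVIDER HsmProvider
    FROM FILE = 'C:\Program Files\HSM Vendor\ekm\sqlekm.dll';

-- 3. Credential used to authenticate to the HSM, mapped to the login that
--    performs the setup. A login can carry only one credential per provider.
CREATE CREDENTIAL HsmAdminCredential
    WITH IDENTITY = 'hsm_operator', SECRET = 'replace-with-hsm-passphrase'
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
ALTER LOGIN [CORP\tde_admin] ADD CREDENTIAL HsmAdminCredential;

-- 4. Generate the TDE master key inside the HSM. The private half never
--    leaves the module; the catalog stores a reference, not key material.
CREATE ASYMMETRIC KEY TdeHsmKey
    FROM PROVIDER HsmProvider
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'sqlserver_tde_master',
         CREATION_DISPOSITION = CREATE_NEW;

-- 5. The engine must open the HSM key at startup with no user session, so
--    map the key to its own login and give that login an HSM credential.
CREATE LOGIN TdeHsmLogin FROM ASYMMETRIC KEY TdeHsmKey;
CREATE CREDENTIAL TdeHsmLoginCredential
    WITH IDENTITY = 'hsm_operator', SECRET = 'replace-with-hsm-passphrase'
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
ALTER LOGIN TdeHsmLogin ADD CREDENTIAL TdeHsmLoginCredential;

-- 6. Create the database encryption key under the HSM key and switch on.
USE PayrollDB;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeHsmKey;
ALTER DATABASE PayrollDB SET ENCRYPTION ON;

-- 7. Check. encryption_state 3 = encrypted (2 = scan in progress);
--    encryptor_type must read ASYMMETRIC KEY. CERTIFICATE would mean the
--    DEK is protected by a software certificate in master instead.
SELECT DB_NAME(k.database_id) AS db, k.encryption_state, k.percent_complete,
       k.key_algorithm, k.key_length, k.encryptor_type, k.encryptor_thumbprint
FROM sys.dm_database_encryption_keys AS k;
```

Recovery changes with this layout: there is no certificate to BACKUP CERTIFICATE into a file, so the ability to restore PayrollDB anywhere depends entirely on the HSM's own key backup and access-control (card set) procedures, which is exactly where the slides put the Security Officer.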

Responsibility and Accountability

[Diagram: IT Manager and DBA / Backup Operator, with the question "Who Owns This?" over the encryption keys]

Industry Best Practice on Security Control

[Diagram: the same IT Manager and DBA / Backup Operator, with a separate Security Officer added as the role responsible for the keys]

Multi-Server Key Management

Authorization models can be applied on a per-application-server basis

Multiple card sets segregate HSM resources

Enables maximum utilization of the HSM investment

[Diagram: SQL Server 1, SQL Server 2 and SQL Server 3, each running TDE with EKM against its own Virtual HSM (1, 2, 3) on a single physical HSM, with non-shared key storage per virtual HSM]

Key Management in AlwaysOn Technology

Supports the SQL Server 2012 AlwaysOn HA/DR model.

Central management of the key: storage, in-use, rotation and disposal.

[Diagram: SQL DB 1 on the Primary and its replicas on Cluster A and Cluster B, each running TDE under one TDE master certificate, with the key held in a clustered HSM shared by all replicas]
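Joining a secondary replica to an availability group whose database is TDE-encrypted under an HSM key, as an added example written for this page (not from the slides). It assumes an EKM provider already registered and enabled as HsmProvider on both replicas, an HSM key created earlier by the primary under the provider key name sqlserver_tde_master, a database PayrollDB and an availability group PayrollAG; those names, the credential secret and the backup paths are placeholders. The difference from the primary is CREATION_DISPOSITION = OPEN_EXISTING: the secondary must open the same key, never create a second one, otherwise the restored DEK cannot be unwrapped and the replica never synchronizes.

```sql
-- Added example, not from the slides: secondary replica for a TDE database
-- whose DEK is protected by an HSM key shared through a clustered HSM.
-- Run on the SECONDARY. Names, paths and secrets are placeholders.
USE master;

-- Credential for the login performing the setup.
CREATE CREDENTIAL HsmAdminCredential
    WITH IDENTITY = 'hsm_operator', SECRET = 'replace-with-hsm-passphrase'
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
ALTER LOGIN [CORP\tde_admin] ADD CREDENTIAL HsmAdminCredential;

-- Open the key the primary created. If this statement fails, the replica
-- is not attached to the same HSM security world / virtual HSM, and no
-- amount of restoring will work.
CREATE ASYMMETRIC KEY TdeHsmKey
    FROM PROVIDER HsmProvider
    WITH PROVIDER_KEY_NAME = 'sqlserver_tde_master',
         CREATION_DISPOSITION = OPEN_EXISTING;

-- Engine-side login so the DEK can be opened at startup / failover.
CREATE LOGIN TdeHsmLogin FROM ASYMMETRIC KEY TdeHsmKey;
CREATE CREDENTIAL TdeHsmLoginCredential
    WITH IDENTITY = 'hsm_operator', SECRET = 'replace-with-hsm-passphrase'
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
ALTER LOGIN TdeHsmLogin ADD CREDENTIAL TdeHsmLoginCredential;

-- Seed the replica. A TDE backup restores only where the DEK's protector
-- can be opened, so a successful restore is itself the proof that both
-- replicas resolve the same HSM key.
RESTORE DATABASE PayrollDB
    FROM DISK = '\\backup\sql\PayrollDB_full.bak' WITH NORECOVERY;
RESTORE LOG PayrollDB
    FROM DISK = '\\backup\sql\PayrollDB_log.trn' WITH NORECOVERY;

-- Join the group created on the primary.
ALTER DATABASE PayrollDB SET HADR AVAILABILITY GROUP = PayrollAG;

-- Compare with the primary: thumbprint and encryptor_type must match on
-- every replica, otherwise a failover lands on a node that cannot open it.
SELECT DB_NAME(database_id) AS db, encryption_state,
       encryptor_type, encryptor_thumbprint
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID('PayrollDB');
```

Test the failure mode before go-live: stop the HSM client service on one replica, fail over to it, and confirm the database stays in RECOVERY PENDING with the EKM error in the log rather than silently coming up on a locally cached key.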

HK Gov. Security Regulation

SR Ch9 Section 358: Stored CONFIDENTIAL information must be encrypted.

SR Ch9 Section 370: A key has the same classification as the classified information in respect of which it is used.

SR Ch9 Section 371: For keys that are used for the processing of information classified CONFIDENTIAL or above, they must be stored separately from the corresponding encrypted information.

PCI DSS Compliance – Req. 3: Protect stored cardholder data

3.5 Protect any keys used to secure cardholder data against disclosure and misuse:

3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary.

3.5.2 Store cryptographic keys securely in the fewest possible locations and forms.

3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data:

3.6.1 Generation of strong cryptographic keys

3.6.2 Secure distribution of cryptographic keys

3.6.3 Secure storage of cryptographic keys

3.6.4 Periodically change keys

3.6.5 Split knowledge of keys

The Key Management Process

[Diagram: a key lifecycle wheel with Policy and Audit at the centre, covering every stage]

Generate

Store

Distribute

Use

Rotate

Terminate

Back-up

Recover

Revoke

Suspend
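The Rotate and Terminate stages of this lifecycle for a TDE database under an HSM key, as an added example written for this page (not from the slides, Microsoft or Thales). It assumes an EKM provider registered as HsmProvider, a database PayrollDB whose DEK is currently protected by an HSM-backed asymmetric key TdeHsmKey mapped to login TdeHsmLogin, and placeholder names and secrets throughout. Two different rotations are shown because they cost very different amounts: re-wrapping the DEK under a new HSM key touches only the small DEK blob, while regenerating the DEK re-encrypts every page in the database.

```sql
-- Added example, not from the slides: rotate and retire TDE keys when the
-- protector lives in an HSM. Names and secrets are placeholders.

-- Rotate the protector (the HSM-held asymmetric key): generate a new one
-- in the module and re-wrap the DEK with it. Data pages are untouched.
USE master;
CREATE ASYMMETRIC KEY TdeHsmKey2
    FROM PROVIDER HsmProvider
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'sqlserver_tde_master_2',
         CREATION_DISPOSITION = CREATE_NEW;
CREATE LOGIN TdeHsmLogin2 FROM ASYMMETRIC KEY TdeHsmKey2;
CREATE CREDENTIAL TdeHsmLogin2Credential
    WITH IDENTITY = 'hsm_operator', SECRET = 'replace-with-hsm-passphrase'
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
ALTER LOGIN TdeHsmLogin2 ADD CREDENTIAL TdeHsmLogin2Credential;

USE PayrollDB;
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeHsmKey2;

-- Rotate the DEK itself (PCI DSS 3.6.4, "periodically change keys").
-- Every page is re-encrypted by a background scan: schedule it for the
-- I/O it generates, and do not issue it while an earlier scan is running.
ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256;

-- Progress. percent_complete is non-zero while the scan runs; wait for it
-- to return to 0 with encryption_state = 3. regenerate_date is the audit
-- evidence that the DEK was changed.
SELECT encryption_state, percent_complete, regenerate_date,
       encryptor_type, encryptor_thumbprint
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID();

-- Terminate the old protector, in two steps. Backups taken before the
-- re-wrap still carry a DEK wrapped by TdeHsmKey, so the old key must stay
-- usable in the HSM until every such backup has left its retention window.
-- Removing the SQL Server objects now only stops new use; destroy the key
-- material in the HSM itself when retention expires (Disposal stage).
USE master;
DROP LOGIN TdeHsmLogin;
-- DROP ASYMMETRIC KEY TdeHsmKey;   -- only after backup retention expires
```

Before dropping anything, restore the oldest backup still in retention on a test instance: that is the only check that proves the retained protector can actually unwrap it.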

Hardware-based Key Protection Summary

Higher performance for hardware-based encryption/decryption (with TDE through EKM the HSM protects the database encryption key; page encryption itself still runs in the SQL Server process)

Ability to store keys from across the enterprise in one place for easy management

Enterprise key managers enable and enhance functionality not available in the SQL Server engine:

Key Generation

Key Storage – keeping data separate from the keys that protect it is a best practice

Key Retrieval

Key Retention

Key Rotation

Key Recovery

Key Distribution

Key Disposal

[Diagram: the software environment (application, operating system, hypervisor) and hardware platform (CPU, memory, storage, back-ups) beside a Hardware Security Module that holds the keys outside that stack]

Best Practice for Secure Key Management

Thales nShield HSMs add FIPS- and EAL 4+-validated key storage

Validated up to FIPS 140-2 Level 3

Validated up to Common Criteria EAL 4+

Meets external regulations, especially in government

Meets internal security policies required by many enterprises

Ensures your systems are both current and compliant

Thales nShield HSMs integrate with Microsoft Identity & Security Products to offer:

Manage keys across hundreds of database servers

Reduce operation cost

Protect keys with hardware device

Facilitate key rotation

Ensure recoverability of data

Customers using Microsoft with Thales nShield HSMs

Key Management Lifecycle with Thales HSM

Jeff Tiung (CISSP, CISA), Senior Security Engineer

Thales e-Security Hong Kong

Thank You