Date posted: 23-Dec-2015 | Category: Documents | Upload: avice-norton
Slide 1: Data Governance for the IT Manager
Andrew Fryer, Technical Evangelist, http://blogs.technet.com/andrew
Slide 2: Determining Compliance
(Diagram of three linked areas)
• Compliance: Monitoring, Remediation, Validation
• Governance: Written Policies, Best Practices, Enforcement, Training
• Risk Management: Assessment, Prioritization, Plan of Action
Compliance results from policies that indicate a need for risk management.
Slide 3: Addressing Compliance: Prioritization
• Ignore: mitigation costs may exceed the value of trivial data. Example: non-sensitive data may not be worth securing.
• Avoid: it is better to avoid risks that business needs don't require. Example: don't store sensitive data without a specific need.
• Mitigate: you must mitigate risks that can't be ignored or avoided. Example: sensitive data must be thoroughly secured.
Slide 4: Mitigation Controls
Platform Security
• Minimize the attack surface area
• Use the latest OS, service packs and applications
• Configure ports and firewall
Identity Management
• Use Windows Authentication
• Grant only the required permissions
• Use PBM to validate policy
Separation of Duties
• Create dedicated role accounts
• Ensure users have only one role
• Restrict use of the 'sa' account
Auditing
• Account and role changes
• All administrative actions
• Server and database access
Encryption
• Data at rest
• During access
• During transport
Policy Management
• Remediation
• Validation
• Vulnerability reporting
Slide 5: Analyzing Compliance Requirements: Aligning Vulnerabilities to Mitigation Controls
Categorize requirements according to their areas of concern, then map those areas of concern to SQL Server and platform capabilities.
Slide 6: Identifying Requirements: Examples
Secure Platform
• OS version must be under current Microsoft support
• A password change variance, complexity and change time limit policy must be in place
Identity and SOD
• Revoke CONNECT privileges from Public and Guest
• Ensure individual accounts for each user, application, etc.
Encryption
• All data files must be encrypted
• Provide offline, offsite storage of the Service Master Key
• Encryption algorithms must be FIPS 140-2 compliant
Audit
• Server and database access must be recorded
• Security assignment changes must be recorded
• Audit data must be retained for a minimum time period
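As an added example (not from the deck), the T-SQL a DBA would run to check and enforce three of the requirements above on SQL Server 2008: password policy on SQL logins, restricting the sa account, and removing guest CONNECT. The database SampleDB and the login AppSvc are placeholder names.

```sql
-- Secure platform: report enabled SQL logins that bypass the Windows password
-- policy (complexity, expiry), then enforce it on an offending login.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (is_policy_checked = 0 OR is_expiration_checked = 0);

ALTER LOGIN [AppSvc] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- Identity and SOD: disable the shared built-in sa account (slide 4 "restrict
-- use of sa"); administrators use their own Windows logins in sysadmin instead.
ALTER LOGIN sa DISABLE;

-- Identity and SOD: guest must not be able to connect to user databases.
-- (CONNECT cannot be revoked from guest in master, tempdb or msdb.)
USE SampleDB;
GO
REVOKE CONNECT FROM guest;
GO
-- Verify: an empty result means guest holds no CONNECT grant in this database.
SELECT dp.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp
  ON pe.grantee_principal_id = dp.principal_id
WHERE dp.name = N'guest' AND pe.permission_name = N'CONNECT';
```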
Slide 7: New SQL Server 2008 Features
• Policy Based Management
• SQL Audit
• Transparent Data Encryption
• Extensible Key Management
• Change Data Capture
• Data Collection
• Central Management Servers
Slide 8: Policy-Based Management (PBM): Customer Challenges
• Managing IT compliance is too difficult
• Not enough out-of-box tools to automate the compliance management process
• There is no clear approach for managing baseline configuration changes between version releases
Slide 9: Policy Based Management (PBM): Overview
• Eliminates scripted or manual procedures for compliance configuration and management
• Policies are entities for automation that declare desired state and execution behavior
• Custom policy definitions are easily created using SQL Server Management Studio
Slide 10: Policy Based Management (PBM) executes through a built-in Policy Engine:
• On Demand: manually executed by an administrator
• On Schedule: executed as a SQL Agent job
• On Change - Log Only: logs configuration changes that would violate policy
• On Change - Prevent: proactively prevents any changes that would violate policy
Slide 11: SQL Server 2008 Audit replaces a collection of Microsoft and third-party tools to:
• Provide a comprehensive approach to auditing
• Expose a broader array of events
• Provide a better management experience
• Render much higher performance
(Diagram: Trace, Profiler, Logs and Triggers are consolidated into SQL Server 2008 Auditing)
Slide 12: SQL Server 2008 Audit Feature: Architecture
(Diagram) A Server Audit Specification groups server audit actions and a Database Audit Specification groups database audit actions; both feed a SQL Server Audit Object, which writes to one of three targets: a file on the file system, the Security event log, or the Application event log.
Slide 13: SQL Server 2008 Audit Feature: Role-Based Security
• Sys-Admins: create and manage audits; read and append to any audit file
• Operators: read audit metadata; determine whether or not an audit is running
• Auditor: reads and manages audits; reads audit logs
• Auditor (Read-only): reads audit metadata; reads audit logs
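As an added example (not from the deck), the audit object, server audit specification and database audit specification from the architecture slide, created in T-SQL so that the slide 6 audit requirements (access and security-assignment changes recorded) are covered. The audit names, the file path D:\SQLAudit\ and the database SampleDB are placeholders.

```sql
USE master;
GO
-- The audit object: the target is a rolling set of files here (the Security
-- or Application event log are the other options). ON_FAILURE = SHUTDOWN
-- means the instance stops rather than keep running unaudited if the
-- target cannot be written.
CREATE SERVER AUDIT ComplianceAudit
    TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
-- Server-level actions: logins (server access), server role and login
-- changes (security assignments), and changes to auditing itself, so that
-- tampering with the audit configuration is itself recorded.
CREATE SERVER AUDIT SPECIFICATION ComplianceServerSpec
    FOR SERVER AUDIT ComplianceAudit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE SampleDB;
GO
-- Database-level actions: role membership and permission changes.
-- (SCHEMA_OBJECT_ACCESS_GROUP would record every object access; it is
-- high-volume, so add it only where the requirement demands it.)
CREATE DATABASE AUDIT SPECIFICATION ComplianceDbSpec
    FOR SERVER AUDIT ComplianceAudit
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE master;
GO
ALTER SERVER AUDIT ComplianceAudit WITH (STATE = ON);
GO
-- Reading the log (the Auditor roles on the previous slide): events across
-- all rolled-over files, newest first. action_id codes are described in
-- sys.dm_audit_actions.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

The retention requirement on slide 6 is met outside SQL Server: the rolled-over files must be copied to protected storage before MAX_ROLLOVER_FILES causes the oldest to be overwritten.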
Slide 14: Transparent Data Encryption (TDE)
• Encrypts data at rest: detached data files, transaction log files, backup files
• Implemented at the database level
• Transparent to the application: requires no application modifications to take advantage of encryption; encryption/decryption occurs at I/O
(Diagram: SQL Server 2008 holds the DEK; the client application works with data while pages are stored encrypted on disk)
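As an added example (not from the deck), enabling TDE on a database in T-SQL and backing up the key hierarchy, which is what the slide 6 requirements "all data files must be encrypted", "offline, offsite storage of the Service Master Key" and "FIPS 140-2 compliant algorithms" translate to. The database SampleDB, the certificate name, the paths and the password placeholders are assumptions.

```sql
USE master;
GO
-- Key hierarchy: service master key -> database master key in master ->
-- certificate -> database encryption key (DEK) in the user database.
-- Skip CREATE MASTER KEY if master already has one.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong-password-placeholder>';
GO
CREATE CERTIFICATE TdeCert WITH SUBJECT = N'TDE certificate for SampleDB';
GO
-- Back up the certificate with its private key, and the service master key,
-- BEFORE turning encryption on: without the certificate an encrypted backup
-- cannot be restored on another server. Move these files off the server and
-- off site, and keep their passwords separately from the files.
BACKUP CERTIFICATE TdeCert TO FILE = N'D:\KeyBackup\TdeCert.cer'
    WITH PRIVATE KEY (FILE = N'D:\KeyBackup\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = N'<private-key-password-placeholder>');
BACKUP SERVICE MASTER KEY TO FILE = N'D:\KeyBackup\ServiceMasterKey.key'
    ENCRYPTION BY PASSWORD = N'<smk-backup-password-placeholder>';
GO
USE SampleDB;
GO
-- The DEK is what encrypts and decrypts pages at I/O; AES_256 keeps to a
-- FIPS 140-2 approved algorithm.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE SampleDB SET ENCRYPTION ON;
GO
-- Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
-- tempdb appears here too, because it is encrypted as soon as any user
-- database on the instance is.
SELECT DB_NAME(database_id) AS database_name, encryption_state,
       key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

TDE covers only data at rest; the "during access" and "during transport" items on slide 4 still need their own controls, such as column-level encryption and an encrypted client connection.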
Slide 15: Extensible Key Management (EKM)
• Enables centralized storage and management of keys from all SQL Servers in an enterprise
• Can be used to store both symmetric and asymmetric keys outside the server
• Depends on third-party Hardware Security Modules (HSM) to provide solutions based on custom implementations of industry-standard algorithms
Slide 16: SQL Server 2008 Compliance Guide
Whitepaper: Reaching Compliance
Demonstrates how to achieve compliance:
• Assessing vulnerability
• Defining risk mitigation models
• Managing security configurations
Also includes hands-on labs.
Slide 17: Session Takeaways: 4 Things to Remember
• Categorize your requirements to align with SQL Server 2008's approach to managing security and compliance configurations
• Policy-Based Management (PBM) replaces scripts, BPA and other CM tools for defining, maintaining and reporting desired state
• SQL Audit replaces SQL Profiler, triggers and third-party log readers for auditing
• Leverage the SQL 2008 Compliance Guide and its sample scripts and policies
Slide 18: Resources
• Microsoft data governance portal: http://www.microsoft.com/privacy/guidance.aspx
• SQLCAT Compliance Guide for SQL Server 2008: http://sqlcat.com/whitepapers/archive/2008/11/15/reaching-compliance-sql-server-2008-compliance-guide.aspx
• Compliance Solution Accelerators (including PCI): http://technet.microsoft.com/en-us/solutionaccelerators/dd229342.aspx
Slide 19: © 2009 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.