Data Governance for the IT Manager
Andrew Fryer, Technical Evangelist, http://blogs.technet.com/andrew

Transcript

Page 1: Data Governance for the IT Manager

Andrew Fryer
Technical Evangelist
http://blogs.technet.com/andrew

R2

Data Governance for the IT Manager
Page 2

Determining Compliance

Compliance: Monitoring, Remediation, Validation
Governance: Written Policies, Best Practices, Enforcement, Training
Risk Management: Assessment, Prioritization, Plan of Action

Compliance results from policies that indicate a need for risk management.

Page 3

Addressing Compliance: Prioritization

Ignore: mitigation costs may exceed the value of trivial data.
  Example: non-sensitive data may not be worth securing.

Avoid: it's better to avoid risks that business needs don't require.
  Example: don't store sensitive data without a specific need.

Mitigate: you must mitigate risks that can't be ignored or avoided.
  Example: sensitive data must be thoroughly secured.

Page 4

Mitigation Controls

Platform Security
• Minimize the attack surface area
• Use the latest OS, service packs and applications
• Configure ports and firewall

Identity Management
• Use Windows Authentication
• Grant only required permissions
• Use PBM to validate policy

Separation of Duties
• Create dedicated role accounts
• Ensure users have only one role
• Restrict use of the 'sa' account

Auditing
• Account and role changes
• All administrative actions
• Server and database access

Encryption
• Data at rest
• During access
• During transport

Policy Management
• Remediation
• Validation
• Vulnerability reporting

Page 5

Analyzing Compliance Requirements: Aligning Vulnerabilities to Mitigation Controls

Categorize requirements according to their areas of concern, then map those areas of concern to SQL Server and platform capabilities.

Page 6

Identifying Requirements: Examples

Secure Platform
• OS version must be under current Microsoft support
• A password change variance, complexity and change time limit policy must be in place

Identity and SOD
• Revoke CONNECT privileges from Public and Guest
• Ensure individual accounts for each user, application, etc.

Encryption
• All data files must be encrypted
• Provide offline, offsite storage of the Service Master Key
• Encryption algorithms must be FIPS 140-2 compliant

Audit
• Server and database access must be recorded
• Security assignment changes must be recorded
• Audit data must be retained for a minimum time period
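The T-SQL below is an added example, not part of the deck, showing how the Secure Platform and Identity and SOD requirements above can be checked and remediated by hand (the same checks a PBM policy would evaluate on a schedule). The database name Payroll and the login name app_payroll are assumptions.

```sql
-- Added example (not from the deck). Assumes a user database named Payroll
-- and a SQL login named app_payroll; adjust the names for your environment.

-- Requirement: a password complexity and expiration policy must be in place.
-- SQL logins only honour the Windows password policy when CHECK_POLICY is on,
-- so list every SQL login that is currently exempt from it.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;
GO

-- Remediation for one such login (CHECK_EXPIRATION requires CHECK_POLICY = ON).
ALTER LOGIN app_payroll WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO

-- Requirement (Page 4): restrict use of the 'sa' account. Disabling it leaves
-- only named, individually accountable logins for administration.
ALTER LOGIN sa DISABLE;
GO

-- Requirement: revoke CONNECT from guest so logins without an explicit user
-- mapping cannot enter the database (not permitted in master, tempdb or msdb).
USE Payroll;
GO
REVOKE CONNECT FROM guest;
GO

-- Validation: after remediation, guest should no longer appear with CONNECT.
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'CONNECT';
GO

-- Requirement: individual accounts for each user or application. Every user
-- in the database is listed with the login it maps to; review the result for
-- generic, shared names such as 'app' or 'service'.
SELECT dp.name AS database_user, sp.name AS login_name, sp.type_desc
FROM sys.database_principals AS dp
JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U')
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys');
GO
```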

Page 7

New SQL Server 2008 Features

Policy Based Management
SQL Audit
Transparent Data Encryption
Extensible Key Management
Change Data Capture
Data Collection
Central Management Servers

Page 8

Policy-Based Management (PBM): Customer Challenges

Managing IT compliance is too difficult.
There are not enough out-of-box tools to automate the compliance management process.
There is no clear approach for managing baseline configuration changes between version releases.

Page 9

Policy Based Management (PBM): Overview

Eliminates scripted or manual procedures for compliance configuration and management.
Policies are entities for automation that declare desired state and execution behavior.
Custom policy definitions are easily created using SQL Server Management Studio.

Page 10

Policy Based Management (PBM)

Executes through a built-in Policy Engine:
• On Demand: manually executed by an administrator
• On Schedule: executed as a SQL Agent job
• On Change - Log Only: logs configuration changes that would violate policy
• On Change - Prevent: proactively prevents any changes that would violate policy

Page 11

SQL Server 2008 Audit

Replaces a collection of Microsoft and third-party tools to:
• Provide a comprehensive approach to auditing
• Expose a broader array of events
• Provide a better management experience
• Render much higher performance

Diagram: Trace, Profiler, Logs and Triggers are replaced by SQL Server 2008 Auditing.

Page 12

SQL Server 2008 Audit Feature: Architecture

Diagram:
Server Audit Specification
  Server Audit Action
  Server Audit Action
  Server Audit Action
Database Audit Specification
  Database Audit Action
  Database Audit Action
  Database Audit Action
Both specifications feed the SQL Server Audit Object, which writes to one of:
  File System (File)
  Security Event Log
  Application Event Log
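The following T-SQL is an added example, not from the deck, that builds the three-layer structure in the diagram: one audit object writing to the file system, a server audit specification, and a database audit specification. It covers the Page 6 requirements that server and database access and security assignment changes be recorded. The database Payroll, the table dbo.Salaries and the folder D:\SQLAudit\ are assumptions.

```sql
-- Added example (not from the deck). Assumes a user database named Payroll
-- with a table dbo.Salaries, and a folder D:\SQLAudit\ that exists and is
-- writable only by the SQL Server service account and the auditors.
USE master;
GO
-- The audit object is the destination (file, Security log or Application log).
-- ON_FAILURE = SHUTDOWN stops the instance if the target becomes unwritable,
-- which guarantees no unaudited activity; CONTINUE is the availability-first
-- alternative. MAX_ROLLOVER_FILES sets how many files are kept for retention.
CREATE SERVER AUDIT Compliance_Audit
    TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
-- Server audit specification: instance-level actions. Logins cover "server
-- access must be recorded"; the role and permission groups cover "security
-- assignment changes"; AUDIT_CHANGE_GROUP records tampering with the audit.
CREATE SERVER AUDIT SPECIFICATION Compliance_ServerSpec
    FOR SERVER AUDIT Compliance_Audit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT Compliance_Audit WITH (STATE = ON);
GO
-- Database audit specification: database-level actions, including every
-- access to the sensitive table by any principal ('public' includes all users).
USE Payroll;
GO
CREATE DATABASE AUDIT SPECIFICATION Compliance_DbSpec
    FOR SERVER AUDIT Compliance_Audit
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Salaries BY public)
    WITH (STATE = ON);
GO
-- Reading the audit trail back. action_id is a short code such as LGIS
-- (login succeeded) or SL (SELECT). Requires CONTROL SERVER permission.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
```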

Page 13

SQL Server 2008 Audit Feature: Role-Based Security

Sys-Admins
• Creates and manages audits
• Reads and appends to any audit file

Operators
• Reads audit metadata
• Determines whether or not an audit is running

Auditor
• Reads and manages audits
• Reads audit logs

Auditor (Read-only)
• Reads audit metadata
• Reads audit logs

Page 14

Transparent Data Encryption (TDE)

Encrypts data at rest: detached data files, transaction log files, backup files.
Implemented at the database level.
Transparent to the application: requires no application modifications to take advantage of encryption; encryption/decryption occurs at I/O.

Diagram: Client Application <-> SQL Server 2008 (DEK) <-> Encrypted Data Page
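As an added example that is not part of the deck, the T-SQL below enables TDE on one database and then validates the encryption state; it also performs the certificate backup that the Page 6 requirement for offline, offsite key storage calls for. The database name Payroll, the certificate name and the file paths are assumptions, and the passwords are placeholders.

```sql
-- Added example (not from the deck). Assumes a user database named Payroll;
-- passwords and backup paths are placeholders to replace.
USE master;
GO
-- The database master key in master protects the certificate's private key;
-- the certificate in turn protects the database encryption key (DEK).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master-key-password-placeholder>';
GO
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for Payroll';
GO
-- Back up the certificate and its private key immediately and move the files
-- offline and offsite: without this certificate an encrypted database and its
-- backups cannot be restored or attached on another instance.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'D:\KeyBackup\TDE_Cert.cer'
    WITH PRIVATE KEY (FILE = 'D:\KeyBackup\TDE_Cert.pvk',
                      ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO
USE Payroll;
GO
-- AES_256 is the algorithm choice that lines up with the FIPS 140-2
-- requirement on Page 6 (FIPS-compliant operation also depends on the OS).
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
-- Pages are encrypted in the background at I/O; the application is untouched.
ALTER DATABASE Payroll SET ENCRYPTION ON;
GO
-- Validation: encryption_state 3 = encrypted, 2 = encryption in progress.
-- tempdb is encrypted automatically once any user database on the instance is.
SELECT DB_NAME(database_id) AS database_name, encryption_state,
       key_algorithm, key_length, percent_complete
FROM sys.dm_database_encryption_keys;
GO
```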

Page 15

Extensible Key Management (EKM)

Enables centralized storage and management of keys from all SQL Servers in an enterprise.
Can be used to store both symmetric and asymmetric keys outside the server.
Depends on third-party Hardware Security Modules (HSM) to provide solutions based on custom implementations of industry standard algorithms.

Page 16

SQL Server 2008 Compliance Guide

Whitepaper: Reaching Compliance
Demonstrates how to achieve compliance:
• Assessing vulnerability
• Defining risk mitigation models
• Managing security configurations
Also includes hands-on labs.

Page 17

Session Takeaways: 4 Things to Remember

1. Categorize your requirements to align with SQL Server 2008's approach to managing security and compliance configurations.
2. Policy-Based Management (PBM) replaces scripts, BPA and other CM tools for defining, maintaining and reporting desired state.
3. SQL Audit replaces SQL Profiler, triggers and third-party log readers for auditing.
4. Leverage the SQL 2008 Compliance Guide and its sample scripts and policies.

Page 18

Resources

Microsoft data governance portal
http://www.microsoft.com/privacy/guidance.aspx

SQLCAT Compliance Guide for SQL Server 2008
http://sqlcat.com/whitepapers/archive/2008/11/15/reaching-compliance-sql-server-2008-compliance-guide.aspx

Compliance Solution Accelerators (including PCI)
http://technet.microsoft.com/en-us/solutionaccelerators/dd229342.aspx

Page 19

© 2009 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.