1 Andrew Fryer, Technical Evangelist: R2 Data Governance for the IT Manager

Presentation transcript:


2 Determining Compliance
Compliance: Monitoring, Remediation, Validation
Governance: Written Policies, Best Practices, Enforcement, Training
Risk Management: Assessment, Prioritization, Plan of Action
Compliance results from policies that indicate a need for risk management.

3 Addressing Compliance: Prioritization
Ignore: Mitigation costs may exceed the value of trivial data. Example: Non-sensitive data may not be worth securing.
Avoid: It's better to avoid risks that business needs don't require. Example: Don't store sensitive data without a specific need.
Mitigate: You must mitigate risks that can't be ignored or avoided. Example: Sensitive data must be thoroughly secured.

4 Mitigation Controls
Platform Security: Minimize the attack surface area; Use the latest OS, service packs and applications; Configure ports and firewall
Identity Management: Use Windows Authentication; Grant only required permissions; Use PBM to validate policy
Separation of Duties: Create dedicated role accounts; Ensure users have only one role; Restrict use of the 'sa' account
Auditing: Account and role changes; All administrative actions; Server and database access
Encryption: Data at rest; During access; During transport
Policy Management: Remediation; Validation; Vulnerability reporting

5 Analyzing Compliance Requirements: Aligning Vulnerabilities to Mitigation Controls
Categorize requirements according to their areas of concern.
Map those areas of concern to SQL Server and platform capabilities.

6 Identifying Requirements: Examples
Secure Platform: OS version must be under current Microsoft support; A password change variance, complexity and change time limit policy must be in place
Identity and SOD: Revoke CONNECT privileges from Public and Guest; Ensure individual accounts for each user, application, etc.
Encryption: All data files must be encrypted; Provide offline, offsite storage of the Service Master Key; Encryption algorithms must be FIPS compliant
Audit: Server and database access must be recorded; Security assignment changes must be recorded; Audit data must be retained for a minimum time period
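As an added example (not part of the original deck), the following T-SQL turns three of the Secure Platform and Identity/SOD requirements above into checks that return one row per finding; it is written for SQL Server 2008 and assumes nothing about the instance beyond the standard catalog views.

```sql
-- Added example, not from the original presentation: ad-hoc compliance checks
-- for slide 6's password-policy, 'sa' restriction and guest CONNECT requirements.

-- 1. Password policy: every SQL login must enforce Windows password policy
--    (complexity/history) and password expiration. Each row is a finding.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM   sys.sql_logins
WHERE  is_policy_checked = 0
   OR  is_expiration_checked = 0;

-- 2. Restrict the 'sa' account: the built-in administrator login always has
--    SID 0x01, even after it is renamed, so check by SID rather than by name.
--    A row means the account is still enabled.
SELECT name, is_disabled
FROM   sys.server_principals
WHERE  sid = 0x01
  AND  is_disabled = 0;

-- 3. Guest must not hold CONNECT in user databases (run this in each user
--    database; master, msdb and tempdb legitimately keep guest enabled).
SELECT DB_NAME() AS database_name, u.name AS grantee, p.permission_name, p.state_desc
FROM   sys.database_permissions AS p
JOIN   sys.database_principals  AS u ON u.principal_id = p.grantee_principal_id
WHERE  u.name = 'guest'
  AND  p.permission_name = 'CONNECT'
  AND  p.state = 'G';            -- 'G' = granted

-- Remediation for finding 3, executed in the affected user database:
-- REVOKE CONNECT FROM guest;
```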

7 New SQL Server 2008 Features
Policy Based Management; SQL Audit; Transparent Data Encryption; Extensible Key Management; Change Data Capture; Data Collection; Central Management Servers

8 Policy-Based Management (PBM): Customer Challenges
Managing IT compliance is too difficult.
There are not enough out-of-box tools to automate the compliance management process.
There is no clear approach for managing baseline configuration changes between version releases.

9 Policy Based Management (PBM): Overview
Eliminates scripted or manual procedures for compliance configuration and management.
Policies are entities for automation that declare desired state and execution behavior.
Custom policy definitions are easily created using SQL Server Management Studio.

10 Policy Based Management (PBM) executes through a built-in Policy Engine in one of four modes:
On Demand: manually executed by an administrator
On Schedule: executed as a SQL Agent job
On Change - Log Only: logs configuration changes that would violate policy
On Change - Prevent: proactively prevents any changes that would violate policy
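Policies running On Schedule or On Change - Log Only record violations rather than blocking them, so someone has to read the history. As an added example (not from the original deck), this query reports every failed evaluation from the last seven days using the PBM tables in msdb; the mode numbers in the CASE are the values SQL Server stores in syspolicy_policies.execution_mode.

```sql
-- Added example, not from the original presentation: surface PBM violations
-- recorded in msdb so they become compliance findings (slide 4: Validation,
-- Vulnerability Reporting).
USE msdb;
GO
SELECT  p.name                       AS policy_name,
        CASE p.execution_mode            -- numeric mode stored by PBM
            WHEN 0 THEN 'On Demand'
            WHEN 1 THEN 'On Change - Prevent'
            WHEN 2 THEN 'On Change - Log Only'
            WHEN 4 THEN 'On Schedule'
        END                          AS execution_mode,
        d.target_query_expression    AS failed_target,   -- e.g. the offending database
        d.execution_date,
        d.result_detail              AS evaluation_xml   -- expected vs. actual value
FROM    dbo.syspolicy_policies                         AS p
JOIN    dbo.syspolicy_policy_execution_history         AS h
            ON h.policy_id  = p.policy_id
JOIN    dbo.syspolicy_policy_execution_history_details AS d
            ON d.history_id = h.history_id
WHERE   d.result = 0                                   -- 0 = target failed the policy
  AND   d.execution_date >= DATEADD(day, -7, GETDATE())
ORDER BY d.execution_date DESC;
```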

11 SQL Server 2008 Audit replaces a collection of Microsoft and third-party tools (Trace, Profiler, logs, triggers) to:
Provide a comprehensive approach to auditing
Expose a broader array of events
Provide a better management experience
Render much higher performance

12 SQL Server 2008 Audit Feature: Architecture
Server Audit Specification: server audit actions
Database Audit Specification: database audit actions
Both feed the SQL Server Audit Object, whose targets are the File System (file), the Security Event Log, or the Application Event Log.

13 SQL Server 2008 Audit Feature: Role-Based Security
Sys-Admins: Create and manage audits; Read and append to any audit file
Operators: Read audit metadata; Determine whether or not an audit is running
Auditor: Reads and manages audits; Reads audit logs
Auditor (Read-only): Reads audit metadata; Reads audit logs
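As an added example covering the architecture on slide 12 and the Audit requirements on slide 6 (not code from the original deck), this T-SQL builds one server audit with a file target, a server audit specification for access and security-assignment changes, and a database audit specification for data access, then reads the log back. The path, the SalesDB database and the Finance schema are placeholders.

```sql
-- Added example, not from the original presentation: SQL Server 2008 Audit
-- objects for "server and database access" and "security assignment changes",
-- with retention handled by rollover file count (90 files x 100 MB).
USE master;
GO
CREATE SERVER AUDIT ComplianceAudit
    TO FILE ( FILEPATH = N'E:\AuditLogs\',          -- placeholder path
              MAXSIZE = 100 MB,
              MAX_ROLLOVER_FILES = 90 )
    -- SHUTDOWN: the instance stops rather than run unaudited (needs SHUTDOWN permission)
    WITH ( QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN );
GO
CREATE SERVER AUDIT SPECIFICATION ComplianceServerSpec
    FOR SERVER AUDIT ComplianceAudit
    ADD ( SUCCESSFUL_LOGIN_GROUP ),             -- server access
    ADD ( FAILED_LOGIN_GROUP ),
    ADD ( SERVER_ROLE_MEMBER_CHANGE_GROUP ),    -- security assignment changes
    ADD ( SERVER_PERMISSION_CHANGE_GROUP ),
    ADD ( AUDIT_CHANGE_GROUP )                  -- changes to the audit itself
    WITH ( STATE = ON );
GO
USE SalesDB;   -- placeholder user database
GO
CREATE DATABASE AUDIT SPECIFICATION ComplianceDbSpec
    FOR SERVER AUDIT ComplianceAudit
    ADD ( DATABASE_ROLE_MEMBER_CHANGE_GROUP ),
    ADD ( DATABASE_PERMISSION_CHANGE_GROUP ),
    -- database access: every read/write against the sensitive schema, by anyone
    ADD ( SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Finance BY public )
    WITH ( STATE = ON );
GO
ALTER SERVER AUDIT ComplianceAudit WITH ( STATE = ON );   -- start collecting
GO
-- Reading the log (the Auditor roles on slide 13). fn_get_audit_file requires
-- CONTROL SERVER; here it lists failed logins and any denied actions.
SELECT event_time, action_id, succeeded, server_principal_name, database_name, statement
FROM   sys.fn_get_audit_file(N'E:\AuditLogs\ComplianceAudit*.sqlaudit', DEFAULT, DEFAULT)
WHERE  succeeded = 0
   OR  action_id = 'LGIF'        -- LGIF = login failed
ORDER BY event_time DESC;
```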

14 Transparent Data Encryption (TDE)
Encrypts data at rest: detached data files, transaction log files, backup files
Implemented at the database level
Transparent to the application: requires no application modifications to take advantage of encryption; encryption/decryption occurs at I/O
(Diagram: Client Application; SQL Server 2008 with DEK; Encrypted Data Page)
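As an added example (not from the original deck), this T-SQL enables TDE on a placeholder database with the key hierarchy the slide's diagram implies (service master key, database master key, certificate, DEK), escrows the keys offline as slide 6 requires, and validates that encryption completed. SalesDB, the paths and the password placeholders are assumptions.

```sql
-- Added example, not from the original presentation: TDE with AES_256 and
-- offline key escrow. Skip CREATE MASTER KEY if master already has one.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong-DMK-password>';
GO
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = N'TDE certificate for SalesDB';
GO
-- Escrow (slide 6: offline, offsite storage of the Service Master Key).
-- Without TDE_Cert and its private key, encrypted backups cannot be restored.
BACKUP SERVICE MASTER KEY TO FILE = N'E:\KeyEscrow\smk.key'      -- placeholder path
    ENCRYPTION BY PASSWORD = N'<strong-SMK-backup-password>';
BACKUP CERTIFICATE TDE_Cert TO FILE = N'E:\KeyEscrow\TDE_Cert.cer'
    WITH PRIVATE KEY ( FILE = N'E:\KeyEscrow\TDE_Cert.pvk',
                       ENCRYPTION BY PASSWORD = N'<strong-pvk-password>' );
GO
USE SalesDB;   -- placeholder user database
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256             -- AES meets the FIPS-approved algorithm requirement
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;  -- background scan encrypts existing pages
GO
-- Validation (slide 6: "all data files must be encrypted").
-- encryption_state 3 = encrypted, 2 = encryption in progress.
-- tempdb appears here too: it is encrypted as soon as any database uses TDE.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state, k.key_algorithm, k.key_length, k.percent_complete
FROM   sys.dm_database_encryption_keys AS k;
```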

15 Extensible Key Management (EKM)
Enables centralized storage and management of keys from all SQL Servers in an enterprise.
Can be used to store both symmetric and asymmetric keys outside the server.
Depends on third-party Hardware Security Modules (HSMs) to provide solutions based on custom implementations of industry-standard algorithms.

16 SQL Server 2008 Compliance Guide
Whitepaper: Reaching Compliance demonstrates how to achieve compliance: assessing vulnerability, defining risk mitigation models, managing security configurations.
Also includes hands-on labs.

17 Session Takeaways: 4 Things to Remember
Categorize your requirements to align with SQL Server 2008's approach to managing security and compliance configurations.
Policy-Based Management (PBM) replaces scripts, BPA and other CM tools for defining, maintaining and reporting desired state.
SQL Audit replaces SQL Profiler, triggers and third-party log readers for auditing.
Leverage the SQL 2008 Compliance Guide and its sample scripts and policies.

18 Resources
Microsoft data governance portal
SQLCAT Compliance Guide for SQL Server: hing-compliance-sql-server-2008-compliance-guide.aspx
Compliance Solution Accelerators (including PCI): us/solutionaccelerators/dd aspx

19 © 2009 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.