Microsoft SQL Server 2008 R2 Security Overview Name Title Microsoft Corp.

Upload: cordell-wimberly

Post on 14-Dec-2015

TRANSCRIPT

Page 1: Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Microsoft SQL Server 2008 R2 Security Overview

Name

Title

Microsoft Corp.

Page 2:

Agenda

Introduction

SQL Server 2005 Security Recap

Security in SQL Server 2008 R2

Demo

Compliance and Certifications

Page 3:

Business Challenges

Data reliability is a growing concern for many enterprises

• Insider threat – 70% of attacks come from inside the firewall*

• Identity theft

• Industrial espionage

• Government espionage

Data misuse and detection/privacy violation

Regulations like PCI and HIPAA mandate strict requirements for data security, data privacy and data integrity

*Source: Forrester, March 2009

Page 4:

Business Needs

Ensure reliability, confidentiality, availability and integrity of data

Demonstrate that good security practices are being followed in the database environment

Provide a history of detailed auditing data for use by internal/external auditors

Page 5:

Insights into Database Vulnerabilities

SQL Server continues to have the fewest security patches among the major DBMS vendors

Fewer vulnerabilities translate to less time spent patching servers and inherently more secure databases

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008, Oracle (8i, 9i, 9iR2, 10g, 10gR2, 11g) and IBM DB2 (8.0, 8.1, 8.2, 9.0, 9.5). Query for Oracle was run with vendor name: ‘Oracle’, and product name: ‘any’ (all database product name variations were queried). Query for IBM DB2 was run with vendor name: ‘IBM’, and product name: ‘db2.’ Query for MySQL was run with vendor name: ‘MySQL’, and product name: ‘Any.’ Query for Microsoft was run with vendor name: ‘Microsoft’; product name: ‘Microsoft SQL Server’; version name: ‘Any’. This chart counts NIST CVE – Software Flaws (each CVE might include more than one Oracle vulnerability).

[Chart: NIST CVE software flaws per year, 2002 to 2009, for SQL Server, Oracle, DB2 and MySQL; vertical axis from 0 to 160]

Page 6:

SQL Server 2005 Security Recap

Page 7:

SQL Server 2005 Security Recap

PROTECT DATA

Key management

Catalog security

Built-in encryption

CONTROL ACCESS

User-schema separation

Granular permission control

Encrypted log-in credentials

ENSURE COMPLIANCE

Capture and audit DDL activities

Password policy enforcement

Page 8:

SQL Server 2005 Security Recap

Customer challenges | Security feature

Weak passwords | Password policy enforcement

Lack of audit information | Capture and audit DDL activities

Data confidentiality | Built-in encryption, Key management

Metadata protection | Catalog security

Schema level permission | User-schema separation

Granular permission to execute statements in a module | Execution context, Module signing

Protect access to the DB | Encrypted log-in credentials, Connection end-points

PROTECT DATA

Key management

Catalog security

Built-in encryption

CONTROL ACCESS

User-schema separation

Granular permission control

Encrypted log-in credentials

ENSURE COMPLIANCE

Capture and audit DDL activities

Password policy enforcement

Page 9:

SQL Server 2008 Security Enhancements

Page 10:

SQL Server 2008 Investments

PROTECT DATA

Built-in encryption

Key management

Catalog security

Transparent Data Encryption

Extensible Key Management

CONTROL ACCESS

User-schema separation

Granular permission control

Encrypted log-in credentials

Authentication enhancements

ENSURE COMPLIANCE

Capture and audit DDL activities

Password policy enforcement

Policy-based Management

SQL Server Audit

Page 11:

Protect Data

Transparent Data Encryption

Extensible Key Management

PROTECT DATA

Built-in encryption

Key management

Catalog security

Transparent Data Encryption

Extensible Key Management

CONTROL ACCESS

User-schema separation

Granular permission control

Encrypted log-in credentials

Authentication enhancements

ENSURE COMPLIANCE

Capture and audit DDL activities

Password policy enforcement

Policy-based Management

SQL Server Audit

Page 12:

Data Protection Investments

PROTECT DATA

Recent regulations have mandated strict requirements for data security, data privacy and data integrity

Database security is a growing concern for many enterprises

SQL Server 2005 limitations

• Encryption required application changes

• Encryption keys not separate from data

SQL Server 2008

• Extensible Key Management (EKM)

• Transparent Data Encryption (TDE)

Page 13:

Extensible Key Management (EKM)

Key storage, management and encryption done by HSM module

SQL EKM key is a proxy to HSM key

SQL EKM Provider DLL implements SQLEKM interface, calls into HSM module

PROTECT DATA

[Diagram: SQL Server, SQL EKM Provider DLL, SQL EKM Key (HSM key proxy), Data, HSM]

Page 14:

Benefits of using EKM

“Defense in depth” makes unauthorized access to data harder by storing encryption keys away from the data

May facilitate separation of duties between DBA and data owner

Uses HSM for encryption and decryption which may result in performance gains

Enables centralized key management across organization

PROTECT DATA

…SQL Server 2008 helps CareGroup comply with HIPAA data encryption requirements… SQL Server 2008 delivers an excellent solution… by supporting third-party key management and hardware security module products. —CareGroup Case Study

Evidence

Page 15:

EKM Key Hierarchy in SQL Server

PROTECT DATA

[Diagram labels: HSM (Symmetric key, Asymmetric key); SQL Server (EKM Symmetric key, EKM Asymmetric key, Data, Data, Native Symmetric key, TDE DEK key)]

Page 16:

Transparent Data Encryption (TDE)

PROTECT DATA

Encryption/decryption at database level

DEK is encrypted with:

• Certificate

• Key residing in a Hardware Security Module (HSM)

Certificate required to attach database files or restore a backup

[Diagram: SQL Server 2008, Client Application, Encrypted data page, DEK]

Page 17:

Advantages of using TDE

PROTECT DATA

Encrypt the entire database on the disk to protect against lost or stolen disks or backup media

Does not increase database size and has minimal performance impact

Does not require application changes

Applications do not need to explicitly encrypt/decrypt data

Backups are automatically encrypted and unusable without key

Protects against direct access to database files, data at rest

“With SQL Server 2008 we have transparent encryption, so we can easily enforce the encryption of the information in the database itself without making any changes on the application side.”

— Avad Shammout, Lead Technical Database Administrator, CareGroup HealthCare System

Evidence

Page 18:

TDE – Key Hierarchy

PROTECT DATA

Operating System Level: Data Protection API (DPAPI)

DPAPI encrypts Service Master Key

SQL Server 2008 Instance Level: Service Master Key

Service Master Key encrypts Database Master Key

SQL Server 2008 Master Database: Database Master Key (Password)

Database Master Key encrypts Certificate In Master Database

SQL Server 2008 Master Database: Certificate

Certificate encrypts Database Encryption Key

SQL Server 2008 User Database: Database Encryption Key

Page 19:

Demo: Enabling TDE

Page 20:

Control Access

Authentication enhancements

PROTECT DATA

Built-in encryption

Key management

Catalog security

Transparent Data Encryption

Extensible Key Management

CONTROL ACCESS

User-schema separation

Granular permission control

Encrypted log-in credentials

Authentication enhancements

ENSURE COMPLIANCE

Capture and audit DDL activities

Password policy enforcement

Policy-based Management

SQL Server Audit

Page 21:

Authentication Enhancements

SQL Server 2005 limitations

• Kerberos possible with TCP/IP connections only

• SPN must be registered with AD

SQL Server 2008 enhancements

• Kerberos available with ALL protocols

• SPN may be specified in connection string (OLEDB/ODBC)

• Kerberos possible without SPN registered in AD

CONTROL ACCESS

Page 22:

Authentication Enhancements

Why specify an SPN in the connection?

SPN composed using 2 insecure sources:

• SQL Browser

• DNS

SPN = MSSQLSvc/<FQDN>:<Port>

An attacker could force NTLM to be used, cause authentication failures, or redirect connections to rogue servers

CONTROL ACCESS
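
Whether a connection actually used Kerberos or fell back to NTLM is visible on the server. The queries below are an added example (not from the original deck) that summarise the authentication scheme per transport and list remote sessions that authenticated with NTLM; they need VIEW SERVER STATE permission.

```sql
-- Added example, not from the original deck.

-- 1. Connections per authentication scheme and transport.
--    auth_scheme is SQL, NTLM or KERBEROS.
SELECT c.auth_scheme,
       c.net_transport,
       COUNT(*) AS connections
FROM sys.dm_exec_connections AS c
WHERE c.parent_connection_id IS NULL      -- physical connections only, skip MARS child rows
GROUP BY c.auth_scheme, c.net_transport
ORDER BY c.auth_scheme, c.net_transport;

-- 2. Windows logins that came in over the network with NTLM instead of Kerberos.
--    Shared memory connections are excluded because connections made on the
--    server machine itself normally authenticate with NTLM.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.client_net_address,
       c.net_transport,
       c.encrypt_option,
       c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
  ON s.session_id = c.session_id
WHERE c.parent_connection_id IS NULL
  AND c.auth_scheme = 'NTLM'
  AND c.net_transport <> 'Shared memory'
ORDER BY s.login_name, c.connect_time;
```

A client that is expected to use Kerberos but shows up in the second result set is a candidate for checking SPN registration or the SPN given in its connection string.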

Page 23:

Ensure Compliance

Policy-based Management

SQL Server Audit

ENSURE COMPLIANCE

Capture and audit DDL activities

Password policy enforcement

Policy-based Management

SQL Server Audit

PROTECT DATA

Built-in encryption

Key management

Catalog security

Transparent Data Encryption

Extensible Key Management

CONTROL ACCESS

User-schema separation

Granular permission control

Encrypted log-in credentials

Authentication enhancements

Page 24:

Policy-Based Management

Automate surface area configuration

Ensure compliance with configuration policies for servers, databases, and database objects across the enterprise

Reduce your exposure to security threats by using the new Surface Area facet to control active services and features

ENSURE COMPLIANCE
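
Several of the features that surface area configuration controls are instance options visible in sys.configurations. As an added example (not from the original deck), this query compares them with a desired state; the option list and the desired value of 0 (off) are assumptions to adjust per environment, and this is a plain query rather than a Policy-Based Management policy.

```sql
-- Added example, not from the original deck.
-- Desired state (assumption for illustration): every listed feature is off.
SELECT d.option_name,
       CAST(c.value_in_use AS int) AS value_in_use,
       d.desired_value,
       CASE
           WHEN c.name IS NULL THEN 'NOT PRESENT ON THIS VERSION'
           WHEN CAST(c.value_in_use AS int) = d.desired_value THEN 'COMPLIANT'
           ELSE 'VIOLATION'
       END AS result,
       -- A configured value that differs from the running value means a change
       -- is waiting for RECONFIGURE or a restart.
       CASE
           WHEN c.value <> c.value_in_use THEN 'configured value not yet in use'
           ELSE ''
       END AS note
FROM (VALUES
        (N'xp_cmdshell',                 0),
        (N'Ole Automation Procedures',   0),
        (N'Ad Hoc Distributed Queries',  0),
        (N'clr enabled',                 0),
        (N'Database Mail XPs',           0),
        (N'SQL Mail XPs',                0),
        (N'remote admin connections',    0)
     ) AS d (option_name, desired_value)
LEFT JOIN sys.configurations AS c
       ON c.name = d.option_name
ORDER BY result DESC, d.option_name;
```

Rows marked VIOLATION sort first; an option your applications legitimately need (for example CLR integration) should have its desired value changed in the list rather than being ignored in the output.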

Page 25:

Policy-Based Management: Defining Policies

ENSURE COMPLIANCE

[Diagram: Facets, Conditions, Policies, Categories, Targets]

Page 26:

Policy-Based Management: Policy checking and governance

ENSURE COMPLIANCE

Conditions

• Capture the declarative intent (desired state)

• Simplify compliance enforcement

Facets

• Define aspects of system configuration

• Physical properties that relate to settings

• Logical properties that encapsulate business rules

Page 27:

Auditing Database Activity

SQL Server 2005

• SQL Trace

• DDL/DML Triggers

• Third-party tools to read transaction logs

• No management tools support

SQL Server 2008 enhancements

• SQL Server Audit

ENSURE COMPLIANCE

Page 28:

SQL Server Audit

Audit now a 1st Class Server Object

• Native DDL for Audit configuration and management

• Security support

Create an Audit object to automatically log actions to:

• File

• Windows Application Log

• Windows Security Log

Ability to define granular Audit Actions of Users or Roles on DB objects

ENSURE COMPLIANCE

Page 29:

Benefits of SQL Server Audit

Track reads, writes, and other events to Windows Application Log and Windows Security Log

Detect misuse of permissions early on to limit possible damage

More granular audits for flexibility

Built into the database engine

Simple configuration using SQL Server Management Studio

Faster performance than SQLTrace

ENSURE COMPLIANCE

“The enhanced auditing tools in SQL Server 2008 enable us to track all changes to tables and other data elements in our system.”

—Avad Shammout, Lead Technical Database Administrator, CareGroup HealthCare System

Evidence

Page 30:

Audit Specifications

Server and database audit specifications for

• Pre-defined action groups

• Individual action filters

ENSURE COMPLIANCE

Server action groups

• Server config changes, login/logoff, role membership change, etc.

Database action groups

• Schema object access, database role membership change, database object access, database config change

Page 31:

Audit Specifications

[Diagram: an Audit object writes to the Security Event Log, the Application Event Log or the file system. A Server Audit Specification groups Server Audit Actions; a Database Audit Specification groups Database Audit Actions.]

0..1 Server audit specification per Audit object

0..1 DB audit specification per database per Audit object

-- Server-level specification: record failed logins in the PCI_Audit audit
CREATE SERVER AUDIT SPECIFICATION SvrAC
FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP);

-- Database-level specification: record SELECTs on Customers by any member of public
CREATE DATABASE AUDIT SPECIFICATION AuditAC
FOR SERVER AUDIT PCI_Audit
    ADD (SELECT ON Customers BY public);
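
The two statements on the slide assume that the PCI_Audit object already exists, and they leave the specifications disabled. The following added example (not from the original deck) shows the full sequence from creating the audit to reading it back; the file path D:\SqlAudit\, the database name SalesDb and the second server action group are assumptions made for illustration.

```sql
-- Added example, not from the original deck.
-- D:\SqlAudit\ and SalesDb are placeholders.
USE master;
GO

-- 1. The Audit object: where events go and what happens if they cannot be written.
CREATE SERVER AUDIT PCI_Audit
    TO FILE (FILEPATH = 'D:\SqlAudit\',
             MAXSIZE = 100 MB,
             MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000,          -- milliseconds events may be buffered
          ON_FAILURE = CONTINUE);      -- SHUTDOWN stops the instance instead of losing events
GO

-- 2. Server audit specification (at most one per Audit object).
CREATE SERVER AUDIT SPECIFICATION SvrAC
    FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- 3. Database audit specification (at most one per database per Audit object).
USE SalesDb;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditAC
    FOR SERVER AUDIT PCI_Audit
    ADD (SELECT ON OBJECT::dbo.Customers BY public)
    WITH (STATE = ON);
GO

-- 4. Nothing is recorded until the Audit object itself is enabled.
USE master;
GO
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO

-- 5. Read the events back from the audit files.
SELECT event_time,
       action_id,
       succeeded,
       server_principal_name,
       database_name,
       object_name,
       statement
FROM sys.fn_get_audit_file('D:\SqlAudit\PCI_Audit_*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;

-- 6. Confirm what is configured and enabled.
SELECT name, is_state_enabled, type_desc, on_failure_desc
FROM sys.server_audits;
```

Restrict write access to the audit directory to the SQL Server service account, since anyone who can modify the files can alter the audit trail.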

Page 32:

Demo: SQL Server Audit and Policy-Based Management

Page 33:

Compliance and Certifications

HIPAA and PCI Compliance Evaluated

Common Criteria Certified

Page 34:

World-Class Security Evaluations

“The Common Criteria was designed by a group of nations to improve the availability of security-enhanced IT products, help users evaluate IT products for purchase, and contribute to consumer confidence in IT product security.”

— SQL Server Books Online

Key Criteria

Security functions: Access control, audit, management, identification & authentication, session handling and memory management

Assurance components: Functional specs and high level design plus independent vulnerability testing

Environment: CC certified OS (Windows Server) and admin roles

Common Criteria Certification

Requirement for many governments, industries, and enterprise customers

SQL Server 2008 Enterprise achieved Common Criteria (CC) compliance at EAL1+ (Evaluation Assurance Level); EAL4+ is in progress and recognized by the US government

Represents the third time for CC compliance and the first time for a 64-bit version of SQL Server

R2 is built on the SQL Server 2008 foundation and brings forward the security benefits with minimal changes to the core engine

Evidence

Page 35:

HIPAA Details

Health Information Portability and Accountability Act (HIPAA) governs health information privacy, security, organizational identifiers, and overall administrative practices

HIPAA has 5 major components; SQL Server can help support the Security Rule, ensuring protected health information (PHI)

SQL Server supports HIPAA areas: Access controls, Data integrity & encryption, Communications security, and Audit & compliance

SQL Server Support

Take advantage of SQL Server 2008 capabilities to help meet database-related compliance requirements

Technical features can support HIPAA requirements like role-based access, strong user authentication, encryption, and event logging

SQL Server for HIPAA Compliance

SQL Server features can promote the consistency of deployed technical controls and enable effective monitoring over time

Whitepaper: “Supporting HIPAA Compliance with Microsoft SQL Server 2008,” Authored by Information Security Center of Expertise at Jefferson Wells International, Inc, a leading Risk Advisory and Security Compliance services organization.

Evidence

Page 36:

PCI Details

Payment Card Industry (PCI) Data Security Standard (DSS) is a worldwide security standard created by the Payment Card Industry Security Council

SQL Server can be deployed to meet the database server requirements and should always be considered by personnel in cardholder environments

SQL Server supports PCI areas: Vendor-supplied defaults, protect stored data, encrypt data transmission, restrict access to data, assign unique IDs to persons with access, and monitor all access to data

SQL Server Support

Take advantage of SQL Server 2008 capabilities to help meet database-related compliance requirements

Technical features can support PCI requirements like TDE, EKM, SQL Server Audit, and Policy-Based Management

SQL Server for PCI Compliance

Automated implementation of key SQL Server 2008 features helps enable customers to achieve PCI compliance and standardized security controls

Whitepaper: “Deploying SQL Server 2008 Based on Payment Card Industry Data Security Standards (PCI DSS),” Authored by certified audit firm, Parente Randolph (now ParenteBeard).

Evidence

Page 37:

Q & A

Page 38:

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 39:

Appendix

Page 40:

Reduced Surface Area Configuration

New in SQL Server 2008, Surface Area Configurations are handled by an automated policy-based framework to help ensure compliance across the enterprise

Efforts made in reducing surface area include:

• Some features are off by default (except when you perform an upgrade)

• Granular permissions on SQL engine and SQL Server Agent

• Users need VIEW DEFINITION permissions to see metadata that they do not own

Page 41:

Authentication Features

Ability to disable a login

• Useful if login is compromised or user is fired

Password Policy Enforcement

• Password complexity, Password expiration, Account lockout

• Common policy across the network for Windows and SQL

• Granular control to turn on/off policy/expiration per login

Endpoint Based Authentication

• Ability to choose which users connect over which protocols

NTLM and Kerberos for Windows logins

• Single Sign On

• Constrained delegation with Win2K3 (Granular control)

Default Secure channel for standard SQL logins

• No admin step required to get secure (secure by default)

Page 42:

SQL Server 2008 Authorization

Ease of security management

• Granular permissions

• Choice of appropriate scope (database, schema, object, sub-object)

• Role Based Access control

• Application module based access control

• Minimizing application impact for user management

• Both data (above) and metadata

Rich access control model

Principle of least privileges