the new normal: dealing with the reality of an unsecure world

Post on 10-Jan-2017


TRANSCRIPT

Grab some coffee and enjoy the pre-show banter before the top of the hour!

HOT Technologies of 2016

HOST: Eric Kavanagh

THIS YEAR is…

THE LINEUP

ANALYST: Dez Blanchfield, Data Scientist, The Bloor Group
ANALYST: Robin Bloor, Chief Analyst, The Bloor Group
GUEST: Ignacio Rodriguez, Senior Product Manager, IDERA

INTRODUCING

Robin Bloor

Securing Database

Robin Bloor, PhD

Database Security Evolution

It is easy to think of data security as a static target, but it isn’t

It’s a MOVING TARGET

A Very Brief Overview of Data Security

•  Data theft is nothing new; data that is valuable is targeted
•  Cyber-theft was born with the Internet and it exploded around 2005
•  There are many players: governments, businesses, hacker groups, individuals…
•  The technologies of attack and defense evolve
•  Businesses have a duty of care over their data, whether they own it or not

About the Hackers

•  They can be located anywhere and thus they may be difficult to bring to justice, even if identified
•  Many are very skilled; they share technology and information
•  They have considerable resources
•  Some are profitable businesses
•  There are government groups
    –  Economic warfare (stealing secrets)
    –  Cyber warfare
•  It’s unlikely that the phenomenon will ever end

Compliance and Regulations

•  Aside from sector initiatives there are many official regulations: HIPAA, SOX, FISMA, FERPA, GLBA (mainly US legislation)
•  Standards (Global): PCI-DSS, ISO/IEC 17799 (data should be owned)
•  National regulations differ country to country (even in Europe)
•  GDPR being negotiated

Things to Think About

•  DBMS vulnerabilities
•  Identify vulnerable data
•  Security policy, particularly in relation to access security (who can read, write, grant permissions, etc.)
•  Encryption
•  The cost of a security breach
•  The attack surface

The DBA and Data Security

Data Security is usually part of the DBA’s role. But it’s collaborative too. It NEEDS to be subject to corporate policy.

INTRODUCING

Dez Blanchfield

@dez_blanchfield

YOUR DATA IS THE CURRENCY


DATA BREACHES ARE RAPIDLY BECOMING NORMAL!!


THE SHEER SCALE OF THESE BREACHES IS STAGGERING


COSTS ESTIMATED TO CLEAN UP DO NOT TAKE INTO ACCOUNT THE HUMAN TOLL

INTRODUCING

Ignacio Rodriguez

© 2016 IDERA, Inc. All rights reserved. Proprietary and confidential.

THE NEW NORMAL: DEALING WITH THE REALITY OF AN UNSECURE WORLD

Ignacio Rodriguez, Product Manager


DATABASE SECURITY CHALLENGES

•  Identify Vulnerabilities: Manage creation of collection rules, view collection history & analyze user access rights
•  Harden Security Policies: Use recommended templates to define policies with 3 distinct levels of protection
•  Assess Security Levels: Identify factors that may allow SQL Server to be attacked by a malicious user to reduce risk
•  Control User Permissions: Analyze and manage user permissions across all SQL Server objects
•  Control Server Security: Review and update SQL Server security properties across your environment
•  Comply with Audits: Use customizable templates for user accesses to satisfy audits


SQL SECURE

•  Set strong security policies mapped to regulatory guidelines - View a complete history of SQL Server security settings and designate a baseline to compare against future changes.
•  Prevent security risks and violations - The security report card identifies top security vulnerabilities on your servers. Each security check is categorized as High, Medium, or Low Risk.
•  Identify vulnerabilities - Understand who has access to what and identify each user’s effective rights across all SQL Server objects.
•  Report on and analyze user, group, or role permissions - Analyze membership to powerful server roles and groups, such as administrators, systems administrators, and security administrators to ensure each user’s level of access is warranted.


SQL SECURE

•  Deliver detailed security risk reports - IDERA SQL Secure provides 23 reports out of the box, each of which contains flexible parameters to easily create the types of reports that display the data that auditors, security officers, managers, or administrators require.
•  Compare security, risk, and configuration changes over time - Reports such as the snapshot and assessment comparisons provide an easy way for comparing security, configuration, and risks between different time periods.
•  SQL Secure snapshot alerting - Notifications when SQL configuration changes are detected that present a new risk.


SQL SECURE ARCHITECTURE

[Architecture diagram. Components shown: SQL Secure Repository; Management and Collection Service; Enterprise Console; SQL Secure Monitored SQL Instances (agentless capture of security model info); MS SQL Server Reporting Services; Active Directory.]


SECURITY REPORT CARD


AUDIT SQL USER PERMISSIONS


COMPARE SECURITY SETTINGS


POLICY TEMPLATES


SQL USER EFFECTIVE RIGHTS


SQL SERVER OBJECT ACCESS RIGHTS


SQL SECURE REPORTING


SNAPSHOT COMPARISONS


ASSESSMENT COMPARISON


SUMMARY

•  Database security is of critical importance
    –  Doing it wrong will expose your company to significant risks
    –  Doing it well and effectively requires both strategy and process
•  Database professionals need a tool to manage and monitor database access permissions
•  IDERA SQL Secure provides extensive capabilities to control database permissions, track access activities, and mitigate breach risks


THANKS! Any questions?

The Archive Trifecta:
•  Inside Analysis: www.insideanalysis.com
•  SlideShare: www.slideshare.net/InsideAnalysis
•  YouTube: www.youtube.com/user/BloorGroup

THANK YOU!
