Achieving Compliance with Microsoft SQL Server 2008
Il-Sung Lee, Senior Program Manager, Microsoft Corporation
SESSION CODE: DAT302


Page 2: MS SQL Server

AGENDA

Introduction to Regulatory Compliance
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry Data Security Standard (PCI DSS)
Compliance with SQL Server 2008

Page 3: MS SQL Server

Introduction to Regulatory Compliance

Page 4: MS SQL Server

WHAT IS COMPLIANCE?

Compliance is one step of a three-part process, GRC: Governance, Risk Management, Compliance.

Compliance is the verifiable control of one's environment based on policy. For most of us, compliance means the implementation of demonstrable policies and security safeguards mandated by government, industry, or the corporation itself.

(Slide diagram: a triangle with Governance, Risk Management and Compliance at its corners.)

Page 5: MS SQL Server

COMPLIANCE REGULATIONS

FDA 21 CFR Part 11
Basel II Accord
California SB 1386
Department of Defense 5015
Department of Homeland Security Act
European Union Data Protection Directive
Fair Information Protection System
Federal Information Security Management Act (FISMA)
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
ISO 27002
USA PATRIOT Act
Payment Card Industry Data Security Standard (PCI DSS)
Personal Information Protection and Electronic Documents Act (PIPEDA)
Sarbanes-Oxley Act (SOX)
Massachusetts Identity Theft Protection Regulation (201 CMR 17.00)
Many more...

Page 6: MS SQL Server

MAPPING REGULATIONS TO CONTROLS

Source: IT Compliance Management Guide, http://www.microsoft.com/downloads/details.aspx?FamilyId=BD930882-0D39-4900-9A79-B91F213ED15D&displaylang=en

The slide shows a matrix of IT controls (rows) against regulations (columns: SOX, PCI, HIPAA, GLBA). The individual cell markings were not captured in this transcript; the controls listed are:

IT Control | SOX | PCI | HIPAA | GLBA
ID Management | | | |
Separation of Duties | | | |
Encryption | | | |
Key Management | | | |
Auditing | | | |
Control Testing | | | |
Policy Management | | | |

Page 7: MS SQL Server

HIPAA

Page 8: MS SQL Server

OVERVIEW OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

Set of standards enacted in 1996 to govern health information privacy, security, and overall administrative practices.
Guidelines include legal standards and requirements for protecting nonpublic personal data (Protected Health Information, PHI).
The HIPAA Security Rule is, in general, very policy- and procedure-oriented.
There is no formal certification process, and enforcement has traditionally been lax.
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthens enforcement, making covered entities directly accountable to the US Department of Health and Human Services (HHS).
Recently, HHS issued an interim final rule to strengthen compliance and encourage prompt corrective action.

Page 9: MS SQL Server

HIPAA TECHNICAL SAFEGUARDS (45 CFR §164.312)

Access Management
• Access Control Standard – §164.312(a)(1)
• Unique User Identification Specification – Required, §164.312(a)(2)(i)
• Emergency Access Procedure Specification – Required, §164.312(a)(2)(ii)
• Automatic Logoff Specification – Addressable, §164.312(a)(2)(iii)
• Encryption and Decryption Specification – Addressable, §164.312(a)(2)(iv)
• Person or Entity Authentication Standard – §164.312(d)

Audit and Compliance
• Audit Controls Standard – §164.312(b)

Data Integrity
• Integrity Standard – §164.312(c)(1)
• Mechanism to Authenticate ePHI Specification – Addressable, §164.312(c)(2)

Secure Communications
• Transmission Security Standard – §164.312(e)(1)
• Integrity Controls Specification – Addressable, §164.312(e)(2)(i)
• Encryption Specification – Addressable, §164.312(e)(2)(ii)

Page 10: MS SQL Server

MORE INFORMATION

SQL Server 2008 HIPAA whitepaper by Jefferson Wells

Page 11: MS SQL Server

PCI DSS

Page 12: MS SQL Server

OVERVIEW OF THE PCI DSS

Visa, MasterCard, American Express, Discover, and JCB released version 1.0 of the PCI Data Security Standard in December 2004 and later formed the PCI Security Standards Council (September 2006) to maintain it.
Created "to help facilitate the broad adoption of consistent data security measures on a global basis" for enhancing payment account data security.
Applies to any business that stores, processes, or transmits the Primary Account Number (PAN).
Requires annual validation of compliance (an on-site assessment or self-assessment, depending on merchant level).
Noncompliance leads to significant fines.
At the time of this session (June 2010) the latest version is 1.2.1, https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml; version 2.0 is due out later in 2010.

Page 13: MS SQL Server

PCI OBJECTIVES AND REQUIREMENTS

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

Page 14: MS SQL Server

MORE INFORMATION

SQL Server 2008 PCI whitepaper by Parente Beard

Page 15: MS SQL Server

COMPLIANCE WITH SQL SERVER 2008

Page 16: MS SQL Server

SQL SERVER 2008 COMPLIANCE TOOLBOX

SQL Server Audit
Transparent Data Encryption (TDE)
Extensible Key Management (EKM)
Signed modules (module signing with certificates)
Policy-Based Management (PBM)
Change Data Capture (CDC)

Page 17: MS SQL Server

COMPLIANCE WITH SQL SERVER 2008SHOWCASE: PCI DSS

Page 18: MS SQL Server

PCI REQ 2: DO NOT USE VENDOR-SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND OTHER SECURITY PARAMETERS

No default passwords in SQL Server.
Features and services are off by default, e.g., network protocols, CLR integration, Database Mail, xp_cmdshell.
BUILTIN\Administrators is no longer a member of sysadmin.
The sa account is not enabled in Windows Authentication mode.
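As an added example, not part of the session or its demo scripts, the following T-SQL checks the points on this slide on a SQL Server 2008 instance and shows the corrective statements. The sp_configure option names and catalog views are real; the assumption is that it is run by a sysadmin and that a named sysadmin login other than the Windows administrators group already exists before anything is removed.

```sql
-- Added example: audit and enforce the "off by default" posture PCI Req 2 expects.
-- Run as sysadmin. sys.configurations can be read without 'show advanced options'.

-- 1. Surface-area features that should stay disabled (value_in_use = 0)
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'clr enabled',
               N'Database Mail XPs',
               N'xp_cmdshell',
               N'Ole Automation Procedures',
               N'Ad Hoc Distributed Queries',
               N'remote access')
ORDER BY name;

-- 2. Authentication mode: 1 = Windows Authentication only (preferred), 0 = mixed mode
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 3. Who holds sysadmin, and whether BUILTIN\Administrators is among them
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

IF EXISTS (SELECT 1
           FROM sys.server_role_members rm
           JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
           WHERE r.name = N'sysadmin' AND m.name = N'BUILTIN\Administrators')
    PRINT 'FAIL: BUILTIN\Administrators is a member of sysadmin';
ELSE
    PRINT 'PASS: BUILTIN\Administrators is not a member of sysadmin';

-- 4. Corrective action when a feature check fails: turn it back off.
--    'show advanced options' is required to change these, then restored.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
EXEC sp_configure N'Ole Automation Procedures', 0;
EXEC sp_configure N'Ad Hoc Distributed Queries', 0;
EXEC sp_configure N'clr enabled', 0;          -- only if no CLR assemblies are in use
EXEC sp_configure N'Database Mail XPs', 0;    -- only if Database Mail is not required
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 5. Remove the Windows administrators group from sysadmin if check 3 failed.
--    Confirm another sysadmin login exists first, or you lock yourself out.
-- EXEC sp_dropsrvrolemember N'BUILTIN\Administrators', N'sysadmin';
```

Run the SELECTs on a schedule (or wrap them in a Policy-Based Management condition) so drift from the off-by-default posture is caught; the sp_configure block is the fix, not the check.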

Page 19: MS SQL Server

PCI REQ 3: PROTECT STORED CARDHOLDER DATA

Enable Transparent Data Encryption on databases containing credit card data.
Rotate keys periodically, at least once a year.
Use EKM for split-key ownership: the HSM administrator is a different person from db_owner and sysadmin.
Key management without EKM is permissible.
No single user should have access to both the database backup and the certificate backup files.

Page 20: MS SQL Server

Enabling TDE

DEMO
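The demo itself is not in this transcript. As an added example, not the session's own script, the following T-SQL enables TDE on a database, backs up the certificate separately from the database backups (the slide's separation-of-duties point), verifies the state, and performs the annual rotation of both the database encryption key and its protecting certificate. The database name CardholderDB, the certificate names, the \\keyvault path and the placeholder passwords are assumptions; the EKM variant at the end assumes a cryptographic provider has already been registered.

```sql
-- Added example: TDE for a cardholder database, with key rotation.
USE master;
GO
-- The database master key in master protects the TDE certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong DMK password>';
GO
CREATE CERTIFICATE TDE_CardholderDB_2010
    WITH SUBJECT = N'TDE protector for CardholderDB';
GO
-- Back up the certificate and private key NOW. Without this backup the database
-- and its backups cannot be restored anywhere else. Store it where no single
-- person also holds the database backups (slide: separate custodians).
BACKUP CERTIFICATE TDE_CardholderDB_2010
    TO FILE = N'\\keyvault\tde\TDE_CardholderDB_2010.cer'
    WITH PRIVATE KEY (FILE = N'\\keyvault\tde\TDE_CardholderDB_2010.pvk',
                      ENCRYPTION BY PASSWORD = N'<strong private key password>');
GO

USE CardholderDB;
GO
-- Database encryption key (DEK): the symmetric key that encrypts data pages,
-- itself protected by the server certificate above.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_CardholderDB_2010;
GO
ALTER DATABASE CardholderDB SET ENCRYPTION ON;
GO

-- Verify: encryption_state 3 = encrypted, 2 = encryption in progress.
-- tempdb is encrypted automatically once any database on the instance uses TDE.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       encryptor_thumbprint,
       percent_complete
FROM sys.dm_database_encryption_keys;

-- Annual rotation, part 1: regenerate the DEK (re-encrypts the data pages).
ALTER DATABASE ENCRYPTION KEY
    REGENERATE WITH ALGORITHM = AES_256;
GO

-- Annual rotation, part 2: re-protect the DEK with a new certificate.
-- Keep the old certificate backup: older database backups still need it.
USE master;
GO
CREATE CERTIFICATE TDE_CardholderDB_2011
    WITH SUBJECT = N'TDE protector for CardholderDB (2011 rotation)';
GO
BACKUP CERTIFICATE TDE_CardholderDB_2011
    TO FILE = N'\\keyvault\tde\TDE_CardholderDB_2011.cer'
    WITH PRIVATE KEY (FILE = N'\\keyvault\tde\TDE_CardholderDB_2011.pvk',
                      ENCRYPTION BY PASSWORD = N'<strong private key password>');
GO
USE CardholderDB;
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TDE_CardholderDB_2011;
GO

-- EKM/HSM variant (split-key ownership). Assumes sp_configure 'EKM provider
-- enabled' is set and a provider was registered with CREATE CRYPTOGRAPHIC
-- PROVIDER; the DEK is then protected by an HSM-resident asymmetric key whose
-- custodian is not a SQL Server administrator:
-- USE master;
-- CREATE ASYMMETRIC KEY TDE_HSM_Key
--     FROM PROVIDER <provider_name>
--     WITH PROVIDER_KEY_NAME = 'cardholderdb-tde', CREATION_DISPOSITION = OPEN_EXISTING;
-- USE CardholderDB;
-- ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER ASYMMETRIC KEY TDE_HSM_Key;
```

Two caveats worth remembering when you audit this: TDE protects data files, log files and backups at rest only, so it does nothing for a user who can run SELECT, and the warning SQL Server prints about a certificate that has not been backed up is the one warning in this procedure you must not ignore.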

Page 21: MS SQL Server

PCI REQ 4: ENCRYPT TRANSMISSION OF CARDHOLDER DATA ACROSS OPEN, PUBLIC NETWORKS

Full support for TLS/SSL.
Can be set server-wide (Force Encryption on the server protocol) or on a per-connection basis (the client requests encryption).
Enable it for all connections transmitting cardholder data. Note that SQL Server always encrypts the login packet (user ID and password) even when session encryption is off; the rest of the session stays in cleartext unless encryption is enabled.

(Slide diagram: a LOGIN packet carrying user ID and password, shown inside an SSL-protected channel.)

Page 22: MS SQL Server

Setting Up Channel Encryption

DEMO
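The demo content is not in this transcript. Server-side, Force Encryption is turned on in SQL Server Configuration Manager with a server certificate installed, and client-side the connection string carries Encrypt=True (with TrustServerCertificate=False so the certificate is actually validated). As an added example, not the session's own code, the T-SQL below shows the two things that can be done from inside the engine: verifying which sessions are really encrypted, and enforcing encryption for remote connections with a logon trigger. The login name logon_trigger_ctx and the trigger name are assumptions; the trigger reads sys.dm_exec_connections for the connecting session, which is why it runs under a dedicated login that holds only VIEW SERVER STATE.

```sql
-- Added example: verify and enforce TLS on SQL Server connections.

-- 1. Which current sessions are encrypted? encrypt_option is N'TRUE' or N'FALSE'.
--    Anything on TCP with FALSE is sending query results in cleartext.
SELECT s.session_id, s.login_name, s.host_name, s.program_name,
       c.net_transport, c.encrypt_option, c.auth_scheme, c.client_net_address
FROM sys.dm_exec_sessions s
JOIN sys.dm_exec_connections c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY c.encrypt_option, s.login_name;

-- 2. Enforce with a logon trigger: reject unencrypted TCP logons.
--    Shared-memory connections (local, never on the wire) are left alone.
--    Test on a non-production instance first: a logon trigger that misfires
--    blocks every login, and the way back in is the dedicated administrator
--    connection (DAC), which logon triggers do not apply to.
USE master;
GO
CREATE LOGIN logon_trigger_ctx
    WITH PASSWORD = N'<random, never used interactively>', CHECK_POLICY = ON;
GRANT VIEW SERVER STATE TO logon_trigger_ctx;   -- the only permission it needs
GO
CREATE TRIGGER trg_RequireEncryptedTcp
ON ALL SERVER
WITH EXECUTE AS 'logon_trigger_ctx'
FOR LOGON
AS
BEGIN
    IF EXISTS (SELECT 1
               FROM sys.dm_exec_connections
               WHERE session_id = @@SPID
                 AND net_transport = N'TCP'
                 AND encrypt_option = N'FALSE')
    BEGIN
        -- ROLLBACK inside a logon trigger cancels the login attempt
        ROLLBACK;
    END
END;
GO

-- Removal (over the DAC if the trigger has locked everyone out):
-- DROP TRIGGER trg_RequireEncryptedTcp ON ALL SERVER;
```

The trigger is a backstop, not the primary control: Force Encryption on the server is what guarantees encryption for every client, including ones whose connection strings you do not control, and a certificate that matches the server's name is what stops a client from silently trusting the self-signed one SQL Server generates on its own.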

Page 23: MS SQL Server

PCI REQ 7: RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED-TO-KNOW

Limit membership of the sysadmin role; use Windows authentication.
BUILTIN\Administrators is not a member of sysadmin.
Apply the principle of least privilege:
  role-based access,
  instance- and database-level permissions,
  signed modules (grant access through a signed procedure instead of on the table).
Disable the sa login.
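As an added example of the "signed modules" bullet, not code from the session, the T-SQL below gives an application principal access to cardholder data only through a stored procedure that returns a masked PAN. The procedure lives in a schema owned by a different user than the table, so ownership chaining does not apply and the table permission really is carried by the module signature. The table dbo.CardholderData, its single constructed row, the schema app, the role app_payment and the users app_svc, app_owner and cert_CardholderReader_user are all constructed for this example.

```sql
-- Added example: need-to-know access to a cardholder table via a signed procedure.
USE CardholderDB;
GO
CREATE TABLE dbo.CardholderData (
    CardholderId int         IDENTITY(1,1) PRIMARY KEY,
    PAN          varchar(19) NOT NULL,   -- at rest this database is protected by TDE
    ExpiryMonth  tinyint     NOT NULL,
    ExpiryYear   smallint    NOT NULL
);
INSERT INTO dbo.CardholderData (PAN, ExpiryMonth, ExpiryYear)
VALUES ('4111111111111111', 12, 2012);  -- constructed sample row (well-known test PAN)
GO
-- Application role and a login-less user standing in for the application account
CREATE ROLE app_payment;
CREATE USER app_svc WITHOUT LOGIN;
EXEC sp_addrolemember N'app_payment', N'app_svc';
GO
-- The procedure's schema is owned by app_owner, not dbo, so there is no
-- ownership chain from procedure to table: only the signature grants access.
CREATE USER app_owner WITHOUT LOGIN;
GO
CREATE SCHEMA app AUTHORIZATION app_owner;
GO
CREATE PROCEDURE app.usp_GetCardLast4 @CardholderId int
AS
BEGIN
    SET NOCOUNT ON;
    -- Returns only the masked PAN; the application never receives the full number.
    SELECT CardholderId,
           REPLICATE('*', LEN(PAN) - 4) + RIGHT(PAN, 4) AS MaskedPAN,
           ExpiryMonth, ExpiryYear
    FROM dbo.CardholderData
    WHERE CardholderId = @CardholderId;
END;
GO
GRANT EXECUTE ON app.usp_GetCardLast4 TO app_payment;
GO
-- Sign the module: certificate -> certificate-mapped user -> table permission.
CREATE CERTIFICATE cert_CardholderReader
    ENCRYPTION BY PASSWORD = N'<signing password>'
    WITH SUBJECT = N'Signs procedures allowed to read dbo.CardholderData';
CREATE USER cert_CardholderReader_user FROM CERTIFICATE cert_CardholderReader;
GRANT SELECT ON dbo.CardholderData TO cert_CardholderReader_user;
ADD SIGNATURE TO app.usp_GetCardLast4
    BY CERTIFICATE cert_CardholderReader WITH PASSWORD = N'<signing password>';
-- Drop the private key so nobody can sign further modules with this certificate.
-- Any ALTER PROCEDURE invalidates the signature, so changes need re-signing
-- from the offline copy of the key: a change-control gate in itself.
ALTER CERTIFICATE cert_CardholderReader REMOVE PRIVATE KEY;
GO
-- Verify as the application user: no table rights (0), procedure rights (1),
-- and the procedure still runs because the signature adds the SELECT right.
EXECUTE AS USER = 'app_svc';
SELECT HAS_PERMS_BY_NAME('dbo.CardholderData', 'OBJECT', 'SELECT')    AS can_select_table,
       HAS_PERMS_BY_NAME('app.usp_GetCardLast4', 'OBJECT', 'EXECUTE') AS can_exec_proc;
EXEC app.usp_GetCardLast4 @CardholderId = 1;   -- MaskedPAN = ************1111
REVERT;
GO
-- Inventory of signed modules and the certificates behind them
SELECT OBJECT_SCHEMA_NAME(cp.major_id) + '.' + OBJECT_NAME(cp.major_id) AS module_name,
       c.name AS certificate_name, cp.crypt_type_desc
FROM sys.crypt_properties cp
JOIN sys.certificates c ON c.thumbprint = cp.thumbprint;
```

The same pattern replaces EXECUTE AS OWNER and cross-database ownership chaining, both of which hand out more than the procedure needs; with a signature, the extra rights exist only while that exact, unmodified procedure is executing.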

Page 24: MS SQL Server

PCI REQ 8: ASSIGN A UNIQUE ID TO EACH PERSON WITH COMPUTER ACCESS

SQL Server uses Windows SIDs for Windows users and groups; SQL logins get a SID generated from a GUID.
Enable Windows password policy support for SQL logins (CHECK_POLICY).
Set new logins to change their password on next logon (MUST_CHANGE).
Enforce 90-day password expiration (CHECK_EXPIRATION, with the expiration interval coming from the Windows password policy).
Do not use a single login for application connections, or any shared account in general; this applies to sa as well: disable it.
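As an added example, not from the session, the following T-SQL creates a per-person login each way, finds SQL logins that bypass the policy, and disables sa. The names CONTOSO\jsmith, jsmith_sql and CardholderDB and the placeholder passwords are assumptions. One thing the slide compresses: SQL Server has no setting for "90 days"; CHECK_EXPIRATION = ON makes it honour the Windows "Maximum password age" policy of the host or domain, so that policy must itself be 90 days or less.

```sql
-- Added example: unique, policy-checked logins and a disabled sa.
USE master;
GO
-- Windows principals bring their SID from the domain; prefer these.
CREATE LOGIN [CONTOSO\jsmith] FROM WINDOWS WITH DEFAULT_DATABASE = CardholderDB;

-- SQL login only where Windows authentication is impossible. Policy and
-- expiration are inherited from the Windows password policy; MUST_CHANGE
-- forces a new password at first use (it requires both CHECK_ options ON).
CREATE LOGIN jsmith_sql
    WITH PASSWORD = N'<one-time initial password>' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = CardholderDB;
GO

-- Compliance query: SQL logins that skip policy or expiration, or whose
-- password is older than 90 days regardless of what the OS policy says.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       is_disabled,
       LOGINPROPERTY(name, 'IsMustChange')        AS must_change,
       LOGINPROPERTY(name, 'DaysUntilExpiration') AS days_until_expiration,
       CAST(LOGINPROPERTY(name, 'PasswordLastSetTime') AS datetime) AS password_last_set
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0
   OR CAST(LOGINPROPERTY(name, 'PasswordLastSetTime') AS datetime) < DATEADD(day, -90, GETDATE())
ORDER BY name;

-- Fix a non-compliant SQL login. Turning CHECK_POLICY on does not re-validate
-- the existing password, so set a new one-time password at the same time.
ALTER LOGIN jsmith_sql
    WITH PASSWORD = N'<new one-time password>' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;

-- sa is a shared, well-known account: disable it (do this only after a named
-- sysadmin login exists). Renaming it as well blunts password guessing.
ALTER LOGIN sa DISABLE;
-- ALTER LOGIN sa WITH NAME = [<new name>];

-- Spot shared logins in use: one login seen from many hosts or programs.
SELECT login_name,
       COUNT(DISTINCT host_name)    AS hosts,
       COUNT(DISTINCT program_name) AS programs
FROM sys.dm_exec_sessions
WHERE is_user_process = 1
GROUP BY login_name
HAVING COUNT(DISTINCT host_name) > 1;
```

The last query is the practical check for the "no shared accounts" bullet: an application login that legitimately runs from one app server shows one host, while a login that shows up from a dozen workstations is a password being passed around.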

Page 25: MS SQL Server

PCI REQ 10: TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA

Use SQL Server Audit to monitor data access, with granular auditing of individual tables.
The audit trail must be retained for one year.
The audit log must be protected from the SQL users and DBAs it records (write it to a location they cannot modify).
Configure the audit to shut down the instance on failure.
Use Change Data Capture to record committed changes to data.
Use Policy-Based Management to monitor server settings and detect changes.

Page 26: MS SQL Server

AUDIT SETTINGS

At a minimum, audit:
• login successes and failures;
• changes to server configuration, encryption keys, logins, server-level permissions, and databases;
• CREATE/DROP/ALTER of schema objects;
• SELECT/INSERT/UPDATE/DELETE on, and ALTER of, tables containing cardholder data;
• changes to the audit configuration itself.

Enable CDC on any table containing cardholder data.

Page 27: MS SQL Server

Setting Up An Audit

DEMO
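The demo is not in this transcript. As an added example, not the session's own script, the T-SQL below builds the audit the two preceding slides describe: a server audit that shuts the instance down on failure, a server audit specification covering the minimum list, a database audit specification on the cardholder table, and CDC on the same table. The path \\auditshare\sql\PCI_Audit\, the table dbo.CardholderData, the role cdc_cardholder_reader and the audit names are assumptions. Note that ALTER on a table is not an auditable action by itself; it is caught by SCHEMA_OBJECT_CHANGE_GROUP.

```sql
-- Added example: SQL Server Audit plus CDC for a cardholder table.
USE master;
GO
-- Target: a share the SQL Server service account can append to but DBAs cannot
-- modify (owned by the security team). ON_FAILURE = SHUTDOWN stops the instance
-- rather than let it run unaudited. One-year retention is managed on the share,
-- so rollover files are never discarded here.
CREATE SERVER AUDIT PCI_Audit
TO FILE (FILEPATH = N'\\auditshare\sql\PCI_Audit\',
         MAXSIZE = 256 MB,
         MAX_ROLLOVER_FILES = 2147483647,
         RESERVE_DISK_SPACE = OFF)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
-- Server level: logins, server settings, principals, permissions, role
-- membership, databases, and tampering with the audit itself.
CREATE SERVER AUDIT SPECIFICATION PCI_ServerSpec
FOR SERVER AUDIT PCI_Audit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),
    ADD (SERVER_OPERATION_GROUP),           -- sp_configure and similar settings changes
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (SERVER_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_CHANGE_GROUP),            -- CREATE/ALTER/DROP DATABASE
    ADD (AUDIT_CHANGE_GROUP)                -- changes to audits and specifications
WITH (STATE = ON);
GO
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO

USE CardholderDB;
GO
-- Database level: schema changes (covers ALTER TABLE), keys and certificates,
-- database principals and permissions, and every DML statement against the
-- cardholder table by anyone (BY public).
CREATE DATABASE AUDIT SPECIFICATION PCI_CardholderDB_Spec
FOR SERVER AUDIT PCI_Audit
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_OBJECT_CHANGE_GROUP),      -- includes certificates and keys
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.CardholderData BY public)
WITH (STATE = ON);
GO

-- CDC records committed changes (before and after images) for the table.
-- Needs Enterprise Edition and a running SQL Server Agent (capture/cleanup jobs).
EXEC sys.sp_cdc_enable_db;
EXEC sys.sp_cdc_enable_table
    @source_schema        = N'dbo',
    @source_name          = N'CardholderData',
    @role_name            = N'cdc_cardholder_reader',  -- gating role for reading change data
    @supports_net_changes = 0;
GO
-- Change table: __$operation 1 = delete, 2 = insert, 3 = update (before), 4 = update (after).
-- It holds copies of the PAN, so it is cardholder data too (TDE covers it here).
SELECT __$start_lsn, __$operation, CardholderId, PAN, ExpiryMonth, ExpiryYear
FROM cdc.dbo_CardholderData_CT;

-- Reading the audit trail back
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, schema_name, object_name, statement
FROM sys.fn_get_audit_file(N'\\auditshare\sql\PCI_Audit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Two points from the slides that the script can only partly enforce: the share ACL, not SQL Server, is what keeps the DBA from editing the trail, and SUCCESSFUL_LOGIN_GROUP on a busy instance generates volume, so size MAXSIZE and the share for a year of it before turning it on.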

Page 28: MS SQL Server

ACHIEVING COMPLIANCE

With careful planning, proper organizational procedures, and process controls, compliance with SQL Server 2008 is attainable.
TDE, Audit, PBM and the other SQL Server 2008 features are all useful tools for achieving compliance.
Leverage the available resources, e.g., whitepapers, guides, etc.
Consult a compliance auditor.

Page 29: MS SQL Server

Related Content

DAT304 Better Together: Secure SQL Server on Secure Windows

DAT09-INT Microsoft SQL Server 2008 Security Tips and Tricks

PRC04 Setting Up and Managing a Secure and Compliant SQL Server

TLC-78 Microsoft SQL Server 2008 R2 Manageability & Security





Page 35: MS SQL Server

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 36: MS SQL Server

JUNE 7-10, 2010 | NEW ORLEANS, LA