Achieving Compliance with Microsoft SQL Server 2008
Il-Sung Lee, Senior Program Manager, Microsoft Corporation
SESSION CODE: DAT302
AGENDA
• Introduction to Regulatory Compliance
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry Data Security Standard (PCI DSS)
• Compliance with SQL Server 2008
Introduction to Regulatory Compliance
WHAT IS COMPLIANCE?
• Compliance is one step of a three-step process: Governance, Risk Management, Compliance (GRC)
• Compliance is the verifiable control of one's environment based on policy
• For most of us, compliance means implementing demonstrable policies and security safeguards mandated by government, industry, or the corporation itself
COMPLIANCE REGULATIONS
• FDA 21 CFR Part 11
• Basel II Accord
• California SB 1386
• Department of Defense 5015
• Department of Homeland Security Act
• European Union Data Protection Directive
• Fair Information Protection System
• Federal Information Security Management Act
• Gramm-Leach-Bliley Act
• Health Insurance Portability and Accountability Act
• ISO/IEC 27002
• USA PATRIOT Act
• Payment Card Industry Data Security Standard
• Personal Information Protection and Electronic Documents Act
• Sarbanes-Oxley Act
• Massachusetts Identity Theft Protection Regulation (201 CMR 17.00)
• Many more…
MAPPING REGULATIONS TO CONTROLS
Source: IT Compliance Management Guide, http://www.microsoft.com/downloads/details.aspx?FamilyId=BD930882-0D39-4900-9A79-B91F213ED15D&displaylang=en
IT controls mapped against SOX, PCI, HIPAA and GLBA:
• ID Management
• Separation of Duties
• Encryption
• Key Management
• Auditing
• Control Testing
• Policy Management
HIPAA
OVERVIEW OF THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
• Set of standards enacted in 1996 to govern health information privacy, security, and overall administrative practices
• Guidelines include legal standards and requirements for protecting nonpublic personal data (Protected Health Information, PHI)
• The HIPAA Security Rule is, in general, policy- and procedure-oriented
• There is no formal certification process, and enforcement has traditionally been lax
• The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthens enforcement by the US Dept. of Health and Human Services (HHS), raises penalties, and extends the Security Rule's obligations to business associates
• Recently, HHS issued an interim final rule to strengthen compliance and encourage prompt corrective action
HIPAA TECHNICAL SAFEGUARDS (HIPAA 45 CFR §164.312)
Access Management
• Access Control Standard – §164.312(a)(1)
• Unique User Identification Specification – Required, §164.312(a)(2)(i)
• Emergency Access Procedure Specification – Required, §164.312(a)(2)(ii)
• Automatic Logoff Specification – Addressable, §164.312(a)(2)(iii)
• Encryption and Decryption Specification – Addressable, §164.312(a)(2)(iv)
• Person or Entity Authentication Standard – §164.312(d)
Audit and Compliance
• Audit Controls Standard – §164.312(b)
Data Integrity
• Integrity Standard – §164.312(c)(1)
• Mechanism to Authenticate ePHI Specification – Addressable, §164.312(c)(2)
Secure Communications
• Transmission Security Standard – §164.312(e)(1)
• Integrity Controls Specification – Addressable, §164.312(e)(2)(i)
• Encryption Specification – Addressable, §164.312(e)(2)(ii)
MORE INFORMATION
SQL Server 2008 HIPAA whitepaper by Jefferson Wells: http://www.jeffersonwells.com/mssql2008hipaa
PCI DSS
OVERVIEW OF THE PCI DSS
• Visa, MasterCard, American Express, Discover, and JCB released PCI Data Security Standard v1.0 in Dec. 2004 and founded the PCI Security Standards Council in 2006 to maintain it
• Created "to help facilitate the broad adoption of consistent data security measures on a global basis" for enhancing payment account data security
• Applies to any business that stores, processes, or transmits the Primary Account Number (PAN)
• Requires annual validation of compliance (an on-site assessment or a self-assessment questionnaire, depending on merchant level)
• Noncompliance leads to significant fines
• Latest version is 1.2.1: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
• Version 2.0 is due out later this year (2010)
PCI OBJECTIVES AND REQUIREMENTS
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
MORE INFORMATION
SQL Server 2008 PCI whitepaper by Parente Beard: http://www.parentebeard.com/Uploads/Files/Deploying_SQL_Server_2008_Based_on_PCI_DSS.PDF
COMPLIANCE WITH SQL SERVER 2008
SQL SERVER 2008 COMPLIANCE TOOLBOX
• Audit (SQL Server Audit)
• TDE (Transparent Data Encryption)
• EKM (Extensible Key Management)
• Signed Modules
• PBM (Policy-Based Management)
• CDC (Change Data Capture)
COMPLIANCE WITH SQL SERVER 2008 SHOWCASE: PCI DSS
PCI REQ 2: DO NOT USE VENDOR-SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND OTHER SECURITY PARAMETERS
• No default passwords in SQL Server
• Features and services are off by default, e.g., network protocols, CLR integration, Database Mail, xp_cmdshell
• BUILTIN\Administrators is no longer a member of sysadmin
• The sa account is disabled when the instance is installed in Windows Authentication mode
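A verification script for the points above, added here as an example (it is not part of the deck and not Microsoft's code). It reads only catalog views and system functions that exist in SQL Server 2008; the one assumption is that you run it as a sysadmin on the instance you are assessing.

```sql
-- Added example: verify PCI Req 2 on a SQL Server 2008 instance (read-only; changes nothing).
-- Run as a member of sysadmin.

-- 1. Off-by-default features must still be off. sys.configurations lists advanced options
--    even when 'show advanced options' is 0, so no sp_configure call is needed.
SELECT name,
       CAST(value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(value_in_use AS int) = 0 THEN 'OK' ELSE 'REVIEW' END AS status
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'Database Mail XPs',
               'Ole Automation Procedures', 'remote access', 'Ad Hoc Distributed Queries')
ORDER BY name;

-- 2. sa must be disabled. sa always has SID 0x01, so this finds it even if it was renamed.
SELECT name, is_disabled, type_desc
FROM sys.server_principals
WHERE sid = 0x01;

-- 3. Every member of sysadmin, by name. BUILTIN\Administrators should not appear
--    (SQL Server 2008 no longer adds it at setup); each remaining member needs a justification.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 4. Authentication mode: 1 = Windows Authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;
```

Any non-zero value in query 1, an enabled sa in query 2, or an unexpected member in query 3 is a finding an assessor would record against Req 2; the query returns evidence you can attach to the assessment rather than a screenshot of a GUI.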
PCI REQ 3: PROTECT STORED CARDHOLDER DATA
• Enable Transparent Data Encryption on databases containing credit card data
• Periodic key rotation, at least once a year
• EKM for split-key ownership: the HSM administrator is a different person from db_owner and sysadmin
• Key management without EKM is permissible
• No single user should have access to both the database backup and the certificate backup files
• TDE protects data files, logs and backups at rest only; anyone with SELECT permission still reads plaintext, so it complements rather than replaces the access controls of Req 7
Enabling TDE
DEMO
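The demo is not reproduced on the page, so here is an added example of enabling TDE and rotating its keys (example code, not the deck's demo script or Microsoft's own). It assumes a database named CardholderDB, a backup folder E:\KeyBackup, and placeholder passwords; all of these are assumptions.

```sql
-- Added example: enable TDE on CardholderDB and rotate keys.
-- Assumed names: CardholderDB, E:\KeyBackup, and the placeholder passwords.
USE master;
GO
-- The service master key protects the DMK; the DMK protects the server certificate.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for CardholderDB';
GO
-- Back up the certificate and private key immediately: without them no backup of the
-- database can be restored. Per the separation rule above, whoever holds these files
-- must not also hold the database backups.
BACKUP CERTIFICATE TDE_Cert TO FILE = 'E:\KeyBackup\TDE_Cert.cer'
  WITH PRIVATE KEY (FILE = 'E:\KeyBackup\TDE_Cert.pvk',
                    ENCRYPTION BY PASSWORD = '<strong private key password>');
GO
USE CardholderDB;
GO
-- The database encryption key (DEK) encrypts the pages; the certificate encrypts the DEK.
CREATE DATABASE ENCRYPTION KEY
  WITH ALGORITHM = AES_256
  ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
ALTER DATABASE CardholderDB SET ENCRYPTION ON;
GO
-- Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
-- tempdb is encrypted as a side effect of enabling TDE on any user database.
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete,
       key_algorithm, key_length, encryptor_thumbprint, regenerate_date
FROM sys.dm_database_encryption_keys;
GO
-- Annual rotation, option A: regenerate the DEK (re-encrypts the data).
ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256;
GO
-- Annual rotation, option B: re-encrypt the DEK with a new certificate (rotates the
-- key-encrypting key without touching the data pages). Back up the new certificate too.
USE master;
GO
CREATE CERTIFICATE TDE_Cert_Next WITH SUBJECT = 'TDE certificate for CardholderDB, next period';
GO
USE CardholderDB;
GO
ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_Next;
GO
-- On a restore server the certificate is recreated from the backup before RESTORE DATABASE:
-- CREATE CERTIFICATE TDE_Cert FROM FILE = 'E:\KeyBackup\TDE_Cert.cer'
--   WITH PRIVATE KEY (FILE = 'E:\KeyBackup\TDE_Cert.pvk',
--                     DECRYPTION BY PASSWORD = '<strong private key password>');
```

Option B is the cheaper rotation on a large database, because only the DEK is re-encrypted; option A rewrites every page and should be scheduled like an index rebuild. Whichever is chosen, the old certificate must be kept (and backed up) until every backup taken under it has aged out of the retention window, or those backups become unrestorable.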
PCI REQ 4: ENCRYPT TRANSMISSION OF CARDHOLDER DATA ACROSS OPEN, PUBLIC NETWORKS
• Full support for TLS/SSL
• Can be set server-wide (Force Encryption on the server protocol) or on a per-connection basis (the client requests encryption)
• Enable for all connections transmitting cardholder data
• The client should validate the server certificate; a client that trusts any certificate is still exposed to a man-in-the-middle on an open network
[Diagram: the client negotiates SSL first, then sends LOGIN with user id and password over the encrypted channel]
Setting Up Channel Encryption
DEMO
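Force Encryption is switched on in SQL Server Configuration Manager rather than in T-SQL, so the demo itself cannot be scripted here. What can be scripted is the check that it took effect. The query below is an added example (not from the deck) that lists every live session whose channel is not encrypted; it uses only the sys.dm_exec_connections and sys.dm_exec_sessions views and assumes nothing about the instance.

```sql
-- Added example: find sessions that are NOT using channel encryption.
-- encrypt_option is 'TRUE' when SSL/TLS was negotiated for the connection.
-- Shared-memory connections never leave the host, so they are excluded.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.net_transport,
       c.encrypt_option,
       c.auth_scheme,        -- SQL, NTLM or KERBEROS
       c.client_net_address
FROM sys.dm_exec_connections c
JOIN sys.dm_exec_sessions s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
  AND c.net_transport <> 'Shared memory'
ORDER BY s.login_name, s.host_name;
```

On a server with Force Encryption set, this query should return no rows; each row it does return names the application and host that still need the client side fixed (for .NET and ODBC clients that means Encrypt=True with TrustServerCertificate left false, so the certificate is actually validated).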
PCI REQ 7: RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED-TO-KNOW
• Limit membership of sysadmin
• Use Windows authentication; BUILTIN\Administrators is not sysadmin
• Apply the principle of least privilege: role-based access, instance and database permissions, signed modules
• Disable the sa login
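Signed modules are the least familiar item in that list, so here is an added example of the pattern (example code, not the deck's or Microsoft's): the application principal gets EXECUTE on one procedure and nothing else, and the procedure carries a certificate signature that supplies the SELECT it needs. The names CardholderDB, dbo.Cards with a pan_last4 column, and the login AppLogin are assumptions.

```sql
-- Added example: need-to-know access to a cardholder table through a signed procedure.
-- Assumed: database CardholderDB, table dbo.Cards(card_id, pan_last4, ...), login AppLogin.
USE CardholderDB;
GO
-- A certificate used only for signing. The password is a placeholder.
CREATE CERTIFICATE CardReaderCert
  ENCRYPTION BY PASSWORD = '<strong signing password>'
  WITH SUBJECT = 'Signs procedures that read dbo.Cards';
GO
-- A user mapped to the certificate, not to a login: nobody can log in as it,
-- so its permissions are reachable only through code signed with the certificate.
CREATE USER CardReaderCertUser FROM CERTIFICATE CardReaderCert;
GRANT SELECT ON dbo.Cards TO CardReaderCertUser;
GO
-- The procedure exposes what the business needs (last four digits), never the full PAN.
CREATE PROCEDURE dbo.GetCardSummary @card_id int
AS
BEGIN
  SET NOCOUNT ON;
  SELECT card_id, pan_last4
  FROM dbo.Cards
  WHERE card_id = @card_id;
END;
GO
-- Signing adds CardReaderCertUser's permissions to the procedure's execution context.
ADD SIGNATURE TO dbo.GetCardSummary
  BY CERTIFICATE CardReaderCert WITH PASSWORD = '<strong signing password>';
GO
-- Remove the private key so no one can sign additional code with this certificate;
-- existing signatures stay valid.
ALTER CERTIFICATE CardReaderCert REMOVE PRIVATE KEY;
GO
-- The application principal gets EXECUTE only. A direct SELECT on dbo.Cards by AppUser
-- fails with error 229 (permission denied).
CREATE USER AppUser FOR LOGIN AppLogin;
GRANT EXECUTE ON dbo.GetCardSummary TO AppUser;
GO
-- Control check: ALTER PROCEDURE drops the signature, so a change made outside change
-- control shows up as a module that is no longer in this list.
SELECT OBJECT_NAME(cp.major_id) AS signed_module,
       c.name AS certificate_name,
       cp.crypt_type_desc
FROM sys.crypt_properties cp
JOIN sys.certificates c ON c.thumbprint = cp.thumbprint
WHERE cp.class_desc = 'OBJECT_OR_COLUMN';
```

Compared with EXECUTE AS OWNER, the signature is tied to the exact text of the procedure: editing the procedure silently removes it, so a modified procedure loses its elevated rights instead of keeping them, and the final query doubles as a change-detection control for Req 10.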
PCI REQ 8: ASSIGN A UNIQUE ID TO EACH PERSON WITH COMPUTER ACCESS
• SQL Server uses Windows SIDs for Windows users and groups; SQL logins get a GUID-derived SID
• Enable Windows password policy support (CHECK_POLICY) and set new logins to change their password at next logon
• Enforce 90-day password expiration (CHECK_EXPIRATION; the interval itself comes from the Windows password policy of the server or domain)
• Do not use a single login for application connections, or any shared accounts in general; this applies to sa, so disable it
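The login settings above, as an added example (not the deck's script): one Windows login per person, a SQL login only where unavoidable and then with the policy switches on, sa disabled, and a query that reports logins that escaped the policy. The domain CONTOSO, the user names and the default database are assumptions.

```sql
-- Added example: unique, policy-checked logins; shared accounts disabled.
-- Assumed names: CONTOSO\jdoe, ops_jdoe, CardholderDB.
USE master;
GO
-- Preferred: a Windows principal per person. The SID comes from the domain, so the
-- identity is unique across every server the person touches.
CREATE LOGIN [CONTOSO\jdoe] FROM WINDOWS WITH DEFAULT_DATABASE = CardholderDB;
GO
-- When a SQL login is unavoidable: Windows password policy (complexity, lockout),
-- expiration from the Windows maximum-password-age setting, and a forced change at first logon.
CREATE LOGIN ops_jdoe
  WITH PASSWORD = '<initial strong password>' MUST_CHANGE,
       CHECK_POLICY = ON,
       CHECK_EXPIRATION = ON,
       DEFAULT_DATABASE = CardholderDB;
GO
-- sa is a shared account by definition; disable it (it keeps SID 0x01 even if renamed).
ALTER LOGIN sa DISABLE;
GO
-- Control check: SQL logins without policy or expiration checks, or already expired/locked.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       LOGINPROPERTY(name, 'DaysUntilExpiration') AS days_until_expiration,
       LOGINPROPERTY(name, 'IsExpired')           AS is_expired,
       LOGINPROPERTY(name, 'IsLocked')            AS is_locked,
       LOGINPROPERTY(name, 'IsMustChange')        AS must_change
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0
   OR CAST(LOGINPROPERTY(name, 'IsExpired') AS int) = 1
ORDER BY name;
```

MUST_CHANGE is only accepted together with CHECK_EXPIRATION = ON and CHECK_POLICY = ON, which is the point: the three settings travel as a set. The 90-day figure is not configured in SQL Server at all; CHECK_EXPIRATION defers to the Windows policy, so the assessor needs evidence from the domain or local security policy as well as from this query.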
PCI REQ 10: TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA
• SQL Server Audit to monitor data access, with granular auditing of tables
• The audit trail must be retained for 1 year
• The log should be protected from SQL users and DBAs (write it to a file share or the Windows Security log that the DBA cannot modify)
• Configure the audit to shut down the server on failure
• Change Data Capture to record committed changes to data
• Policy-Based Management to monitor server settings and detect changes
AUDIT SETTINGS
At a minimum, audit:
• Login successes and failures
• Changes to server configuration, encryption keys, logins, server-level permissions, and databases
• CREATE/DELETE/ALTER of schema objects
• SELECT/INSERT/UPDATE/DELETE and ALTER of tables containing cardholder data
• Changes to the audit configuration
Enable CDC on any table containing cardholder data
Setting Up An Audit
DEMO
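An added example covering the "at a minimum" audit list and the CDC requirement together (example code, not the deck's demo): a server audit that shuts the instance down if it cannot write, a server-level specification for logins, principals, permissions and the audit itself, a database-level specification for the cardholder table, and CDC on that table. The share \\auditsrv\sqlaudit$, the database CardholderDB and the table dbo.Cards are assumptions; the share is assumed writable only by the SQL Server service account, and SQL Server Agent is assumed to be running, since the CDC capture job depends on it.

```sql
-- Added example: SQL Server Audit + CDC for PCI Req 10.
-- Assumed: share \\auditsrv\sqlaudit$ (service account write-only), CardholderDB, dbo.Cards.
USE master;
GO
-- ON_FAILURE = SHUTDOWN: if the trail cannot be written the server stops rather than
-- running unaudited. Creating this requires the SHUTDOWN permission.
CREATE SERVER AUDIT PCI_Audit
  TO FILE (FILEPATH = '\\auditsrv\sqlaudit$\',
           MAXSIZE = 256 MB,
           MAX_ROLLOVER_FILES = UNLIMITED,
           RESERVE_DISK_SPACE = OFF)
  WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
CREATE SERVER AUDIT SPECIFICATION PCI_ServerSpec
  FOR SERVER AUDIT PCI_Audit
  ADD (FAILED_LOGIN_GROUP),                 -- login failures
  ADD (SUCCESSFUL_LOGIN_GROUP),             -- login successes
  ADD (SERVER_PRINCIPAL_CHANGE_GROUP),      -- logins created, altered, dropped
  ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),    -- e.g. someone added to sysadmin
  ADD (SERVER_PERMISSION_CHANGE_GROUP),     -- server-level GRANT/DENY/REVOKE
  ADD (SERVER_OPERATION_GROUP),             -- ALTER SETTINGS operations such as sp_configure
  ADD (SERVER_OBJECT_CHANGE_GROUP),         -- endpoints and other server objects
  ADD (DATABASE_CHANGE_GROUP),              -- CREATE/ALTER/DROP DATABASE
  ADD (DATABASE_OBJECT_CHANGE_GROUP),       -- database-scoped objects incl. certificates and keys, all databases
  ADD (AUDIT_CHANGE_GROUP)                  -- any change to audits or specifications
  WITH (STATE = ON);
GO
USE CardholderDB;
GO
CREATE DATABASE AUDIT SPECIFICATION PCI_DbSpec
  FOR SERVER AUDIT PCI_Audit
  ADD (SCHEMA_OBJECT_CHANGE_GROUP),                          -- CREATE/ALTER/DROP of tables, views, procs
  ADD (SELECT, INSERT, UPDATE, DELETE ON dbo.Cards BY public) -- every principal, every access
  WITH (STATE = ON);
GO
-- The audit is created in the OFF state; switch it on last, once both specifications exist.
USE master;
GO
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
-- Change Data Capture: committed before/after images of every row change to dbo.Cards.
-- @supports_net_changes = 1 requires a primary key or unique index on the table.
USE CardholderDB;
GO
EXEC sys.sp_cdc_enable_db;
EXEC sys.sp_cdc_enable_table
  @source_schema = N'dbo',
  @source_name   = N'Cards',
  @role_name     = N'cdc_reader',      -- only members of this role may read the change table
  @supports_net_changes = 1;
GO
-- Review: who touched the cardholder table. Files must be kept for at least one year
-- (three months immediately available) to satisfy PCI DSS 10.7.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, schema_name, object_name, statement
FROM sys.fn_get_audit_file('\\auditsrv\sqlaudit$\PCI_Audit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE object_name = 'Cards'
ORDER BY event_time DESC;
```

ALTER on the cardholder table is not an object-level action in a database audit specification; it is captured by SCHEMA_OBJECT_CHANGE_GROUP, which is why that group sits next to the SELECT/INSERT/UPDATE/DELETE entry. Pointing FILEPATH at a share the DBA cannot write to is what turns "the DBA can read the log" into "the DBA cannot alter the log", which is the separation the slide asks for.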
ACHIEVING COMPLIANCE
• With careful planning, proper organizational procedures, and process controls, compliance with SQL Server 2008 is attainable
• TDE, Audit, PBM and other 2008 features are all useful tools in achieving compliance
• Leverage the available resources, e.g., whitepapers, guides, etc.
• Consult a compliance auditor
Related Content
DAT304 Better Together: Secure SQL Server on Secure Windows
DAT09-INT Microsoft SQL Server 2008 Security Tips and Tricks
PRC04 Setting Up and Managing a Secure and Compliant SQL Server
TLC-78 Microsoft SQL Server 2008 R2 Manageability & Security
Track Resources
SQL Server Compliance website: http://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx
SQL Server 2008 Compliance Guide: http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1021DD-65B9-41C2-8385-438028F5ACC2&displaylang=en
SQL Server 2008 PCI Compliance whitepaper: http://www.parentebeard.com/Uploads/Files/Deploying_SQL_Server_2008_Based_on_PCI_DSS.PDF
SQL Server 2008 HIPAA Compliance whitepaper: http://www.jeffersonwells.com/mssql2008hipaa
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
JUNE 7-10, 2010 | NEW ORLEANS, LA