protecting your key asset – data protection best practices v2.0 final
DESCRIPTION
The session that I did for Security Workshop on Data at a conference
TRANSCRIPT
Protecting your Key Asset – Data Protection Best Practices
Vinod Kumar M, Technology Evangelist
Microsoft Corporation
www.ExtremeExperts.com
Agenda
“Best Practices” is a broad area
This talk focuses on operational tasks
Look at various Data aspects
“Security… But isn’t that the Admin’s Job?”
Understanding Basic Security
Restricting user access
Disabling services and restricting service configuration
Reducing the surface area of attack for new features
Defense in Depth
Always design your countermeasures to have at least two levels of defense
This means that you put your defenses in serially rather than in parallel; attackers need to overcome A and B – not A or B
Use all the available countermeasures – technology, process, people
Countermeasures and vulnerabilities are really two sides of the same coin
[Layered defense diagram, outermost to innermost: Perimeter Defenses, Network Defenses, Host Defenses, Application Defenses, Data & Resources – each layer assumes the prior layers fail]
Incidents Reported Industry Wide
CERT/CC incident statistics 1988 through 2006
Incident: single security issue grouping together all impacts of that issue
Issue: disruption, DOS, loss of data, misuse, damage, loss of confidentiality
Source: http://www.cert.org/stats/cert_stats.html
[Chart: incidents reported per year, 1988 onward, y-axis 0 to 180,000]
Know Your Enemy
Port Scanners
Black Hat Community Sharing
Brute Force pwd crackers
Dictionary Based pwd crackers
Network Sniffers
De-compilers
Debuggers
Cracker Tools
Mobile Device – Security Aspect
Mobile – Entry Points
Access to Device
Access to Stored Data
Access to wireless networks
Mobile – Security Practices
Risk Analysis
Make Security policies
Password
Anti-Virus Software
Encryption
Need-to-know Data store
Mobile – Security Practices
Authentication
Perimeter Security
Encryption
Data Encryption – Pocket PC (SQL CE – 128 bit encryption)
App Encryption – .NET CF & High Encryption Pack
Information Service Encryption
Network Encryption
Lock-Down Functionality
Desktop Data Security
Where is Customer’s Data Stored?
Q: Where is the biggest data exposure risk?
SQL
Clients
Documents – Where do customers’ users keep their documents?
User Profile – Outlook, Sharepoint, Desktop, Temp, IE…
Per-machine data – Search index, offline file cache, pagefile…
Non-standard locations… ISV & in-house apps
What is EFS?
Encrypting File System
Privacy of data that goes beyond access control
Protect confidential data on laptops
Configurable approach to data recovery
Integrated with core operating system components
Windows NT File System – NTFS
Crypto API key management
LSA security policy
Transparent and very high performance
What EFS is not…
A way to protect local user credentials
A way to protect data in transit (think IPSec)
A way to protect business transaction documents (think Windows Rights Management)
EFS File Encryption
RNG produces a randomly-generated file encryption key (FEK)
File encryption (e.g. AES): “A quick brown fox jumped...” → “*#$fjda^ju539!3t t389E *&”
Data decryption field generation (RSA): FEK encrypted under the user’s public key → DDF
Data recovery field generation (RSA): FEK encrypted under the recovery agent’s public key in recovery policy → DRF
EFS File Decryption
DDF contains the file encryption key encrypted under the user’s public key
DDF is decrypted using the user’s private key to get the file encryption key
DDF extraction (RSA) → file encryption key
File decryption (e.g. AES): “*#$fjda^ju539!3t t389E *&” → “A quick brown fox jumped...”
EFS File Recovery
DRF contains the file encryption key encrypted under the DRA’s public key
DRF is decrypted using the DRA’s private key to get the file encryption key
DRF extraction (RSA) → file encryption key
File decryption (e.g. AES): “*#$fjda^ju539!3t t389E *&” → “A quick brown fox jumped...”
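The three EFS diagrams above, worked through in code as an added example (not from the deck and not Windows EFS itself): a random FEK protects the content, the FEK is wrapped under the user’s RSA public key as the DDF and under the recovery agent’s RSA public key as the DRF, and the same ciphertext is opened either from the DDF with the user’s private key or from the DRF with the DRA’s. AES-256-GCM, RSA-OAEP, the 2048-bit key size and every name below are assumptions of this model, not details of the real on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is a constructed model of an EFS-protected file, not the NTFS
// $EFS stream layout: AES-GCM ciphertext plus the file encryption key (FEK)
// stored twice, wrapped under the user's RSA public key (DDF) and under the
// data recovery agent's RSA public key (DRF).
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	DDF               []byte // FEK encrypted under the user's public key
	DRF               []byte // FEK encrypted under the recovery agent's public key
}

// wrapFEK and unwrapFEK are the "(RSA)" boxes of the diagrams; RSA-OAEP is an
// assumption of this model.
func wrapFEK(pub *rsa.PublicKey, fek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
}

func unwrapFEK(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// newGCM is the "file encryption (e.g. AES)" box, AES-256-GCM here.
func newGCM(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt follows the "EFS File Encryption" slide: RNG -> FEK, encrypt the
// content, then generate the DDF and the DRF.
func Encrypt(plaintext []byte, userPub, draPub *rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 32)
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ddf, err := wrapFEK(userPub, fek)
	if err != nil {
		return nil, err
	}
	drf, err := wrapFEK(draPub, fek)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{nonce, gcm.Seal(nil, nonce, plaintext, nil), ddf, drf}, nil
}

// decryptWith extracts the FEK from one field and opens the content with it.
// A private key that does not match the field cannot recover the FEK.
func decryptWith(f *EncryptedFile, field []byte, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := unwrapFEK(priv, field)
	if err != nil {
		return nil, errors.New("private key does not match this field; FEK not recovered")
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

// DecryptAsUser is the "EFS File Decryption" slide (DDF extraction).
func DecryptAsUser(f *EncryptedFile, userPriv *rsa.PrivateKey) ([]byte, error) {
	return decryptWith(f, f.DDF, userPriv)
}

// RecoverAsDRA is the "EFS File Recovery" slide (DRF extraction).
func RecoverAsDRA(f *EncryptedFile, draPriv *rsa.PrivateKey) ([]byte, error) {
	return decryptWith(f, f.DRF, draPriv)
}

func main() {
	user, _ := rsa.GenerateKey(rand.Reader, 2048)
	dra, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // neither the user nor a recovery agent
	f, _ := Encrypt([]byte("A quick brown fox jumped..."), &user.PublicKey, &dra.PublicKey)
	pt, _ := DecryptAsUser(f, user)
	fmt.Printf("user decrypts: %q\n", pt)
	pt, _ = RecoverAsDRA(f, dra)
	fmt.Printf("DRA recovers:  %q\n", pt)
	_, err := DecryptAsUser(f, other)
	fmt.Println("other key:    ", err)
}
```

The point to take from the model is that the DRF makes the recovery agent’s private key a second full key to every file it covers: whoever holds it can run RecoverAsDRA on any file. That is exactly why the recovery slides below insist on keeping that key off the laptop and treating its use as an audited operation.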
EFS best practices: recovery
No local Recovery Agents
Prevents data compromise in “stolen laptop” scenario
Prevents out-of-process data recovery… if encrypted data needs to be recovered, it should be an audited operation
Have at least 2 Recovery Agents per domain
Encrypt directories, not files
Ensures that temp files created in process are also encrypted
Prevents data recovery from free space on the file system
Encrypt CSC cache (Offline Files)
Protects temporary files that may be written during application execution
Document Protection
Windows Rights Management Services (RMS)
Information protection technology that augments security strategies
Users can easily safeguard sensitive information from unauthorized use
Organizations can centrally manage internal information usage policies
Uses RMS Server, RMS Client and RMS-enabled apps
RMS protects information both online and offline, inside and outside of the firewall.
RMS Publishing Flow (“online”)
[Diagram participants: File Author, RMS Server, File Recipient; Database Server and File Server shown behind the RMS Server]
1. Author creates a file and defines a set of rights and rules.
2. Application encrypts file and sends unsigned “publishing license” to RMS; Server signs and returns publishing license.
3. Author distributes file.
4. Recipient clicks file to open; the application calls RMS, which validates the user and the request and issues the “use license”.
5. Application renders file and enforces rights.
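The online publishing flow above as an added example, constructed for this page rather than taken from RMS client or server code: the author seals the content key to the server and gets the publishing license signed (step 2); when a recipient opens the file the server checks the license signature and the policy before issuing a use license that carries the content key wrapped for that recipient only (step 4); the recipient’s application verifies the use license and refuses any action outside the granted rights before it unwraps the key (step 5). Ed25519 signatures, RSA-OAEP key wrapping, JSON as the signed canonical form, and all names and rights strings are assumptions of this model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Policy maps a user to the rights the author granted; "VIEW" and "PRINT"
// are constructed right names. It is the "set of rights and rules" of step 1.
type Policy map[string][]string

// The publishing license travels with the file. Its content key is sealed to
// the RMS server, so the author can distribute the file freely (step 3).
type PLBody struct{ ContentID string; Policy Policy; SealedKey []byte }
type PublishingLicense struct{ PLBody; Sig []byte } // server signature over canon(PLBody)

// The use license is issued to one recipient and names that recipient's rights;
// WrappedKey is the content key under the recipient's RSA public key.
type ULBody struct{ ContentID, User string; Rights []string; WrappedKey []byte }
type UseLicense struct{ ULBody; Sig []byte }

// Server stands in for the RMS server: a signing key, an RSA key that content
// keys are escrowed to, and the public keys of enrolled users (all constructed).
type Server struct {
	signKey ed25519.PrivateKey
	escrow  *rsa.PrivateKey
	users   map[string]*rsa.PublicKey
}

func NewServer() *Server {
	_, sk, _ := ed25519.GenerateKey(rand.Reader) // a failing CSPRNG is fatal anyway; errors dropped in this demo
	esc, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Server{sk, esc, map[string]*rsa.PublicKey{}}
}
func (s *Server) SigningPublicKey() ed25519.PublicKey    { return s.signKey.Public().(ed25519.PublicKey) }
func (s *Server) EscrowPublicKey() *rsa.PublicKey         { return &s.escrow.PublicKey }
func (s *Server) Enroll(user string, pub *rsa.PublicKey) { s.users[user] = pub }

func seal(pub *rsa.PublicKey, b []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, b, nil)
}
func unseal(priv *rsa.PrivateKey, b []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b, nil)
}
func canon(v any) []byte { b, _ := json.Marshal(v); return b } // encoding/json sorts map keys, so this is stable

// Publish (author side of step 2): seal the content key to the server and
// build the still-unsigned publishing license.
func Publish(id string, policy Policy, contentKey []byte, escrowPub *rsa.PublicKey) (PLBody, error) {
	sealed, err := seal(escrowPub, contentKey)
	return PLBody{ContentID: id, Policy: policy, SealedKey: sealed}, err
}

// SignPublishingLicense (server side of step 2).
func (s *Server) SignPublishingLicense(body PLBody) PublishingLicense {
	return PublishingLicense{body, ed25519.Sign(s.signKey, canon(body))}
}

// IssueUseLicense (step 4): validate the license and the user, then release the
// content key to that user only, together with the rights they hold.
func (s *Server) IssueUseLicense(pl PublishingLicense, user string) (*UseLicense, error) {
	if !ed25519.Verify(s.SigningPublicKey(), canon(pl.PLBody), pl.Sig) {
		return nil, errors.New("publishing license signature invalid")
	}
	rights, pub := pl.Policy[user], s.users[user]
	if rights == nil || pub == nil {
		return nil, fmt.Errorf("%s holds no rights on %s or is not enrolled", user, pl.ContentID)
	}
	key, err := unseal(s.escrow, pl.SealedKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(pub, key)
	if err != nil {
		return nil, err
	}
	body := ULBody{pl.ContentID, user, rights, wrapped}
	return &UseLicense{body, ed25519.Sign(s.signKey, canon(body))}, nil
}

// Exercise (recipient's application, step 5): verify the use license, refuse
// any action outside the granted rights, and only then unwrap the key.
func Exercise(ul *UseLicense, action string, priv *rsa.PrivateKey, serverPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(serverPub, canon(ul.ULBody), ul.Sig) {
		return nil, errors.New("use license signature invalid")
	}
	for _, r := range ul.Rights {
		if r == action {
			return unseal(priv, ul.WrappedKey)
		}
	}
	return nil, fmt.Errorf("%s may not %s %s", ul.User, action, ul.ContentID)
}

func main() {
	srv := NewServer()
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv.Enroll("alice", &alice.PublicKey)
	body, _ := Publish("doc-1", Policy{"alice": {"VIEW"}}, []byte("constructed 32-byte content key!"), srv.EscrowPublicKey())
	ul, _ := srv.IssueUseLicense(srv.SignPublishingLicense(body), "alice")
	_, err := Exercise(ul, "VIEW", alice, srv.SigningPublicKey())
	fmt.Println("alice VIEW: ", err)
	_, err = Exercise(ul, "PRINT", alice, srv.SigningPublicKey())
	fmt.Println("alice PRINT:", err)
}
```

Two properties of the flow show up directly in the code: the author never hands out the content key (it is sealed to the server and re-wrapped per recipient), and the policy cannot be edited after the fact because the server’s signature covers it, so a modified publishing license is refused at step 4. Rights enforcement, though, lives in the recipient’s application, which is why the deck ties RMS to “RMS-enabled apps”.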
If I could choose one, which one would I choose when?
EFS – to encrypt all local data files automatically, under my domain account, to minimize risk of offline attack
RMS – to share encrypted files easily among a group of people, or send them encrypted over the wire to any storage medium
Database Security
What are Principals? What are Securables? What are Permissions?
Principals
Windows: Windows Group, Domain User Account, Local User Account
SQL Server: Server Role, SQL Server Login
Database: User, Database Role, Application Role, Group
Securables
Server
Database
Schema
Files, Registry Keys
Permissions
CREATE, ALTER, DROP, CONTROL, CONNECT, SELECT, EXECUTE, UPDATE, DELETE, INSERT, TAKE OWNERSHIP, VIEW DEFINITION, BACKUP
Assigned with GRANT/REVOKE/DENY – the ACL that ties principals to securables
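The principals/securables/permissions picture above as an added example (constructed for this page, not SQL Server’s own code): a small model of how a GRANT/REVOKE/DENY ACL is evaluated when principals nest in roles and securables nest as server > database > schema > object. The rule it implements is the one SQL Server documents, that a DENY at any scope, reached through any role, overrides a GRANT; the database, schema, table and role names are constructed, and fixed-role shortcuts (sysadmin, db_owner) and permission implication such as CONTROL are deliberately left out.

```go
package main

import (
	"fmt"
	"strings"
)

// entry is one row of the permission ACL: principal x permission x securable,
// stated either as a GRANT or as a DENY.
type entry struct {
	Principal, Permission, Securable string
	Deny                             bool
}

// Model is a constructed simplification of SQL Server permission evaluation:
// principals nest (users in roles, roles in roles), securables nest
// (server > database > schema > object), and DENY beats GRANT wherever both apply.
type Model struct {
	memberOf map[string][]string // principal -> roles it belongs to
	parentOf map[string]string   // securable -> the securable that contains it
	acl      []entry
}

func NewModel() *Model {
	return &Model{memberOf: map[string][]string{}, parentOf: map[string]string{}}
}

func (m *Model) AddMember(principal, role string)  { m.memberOf[principal] = append(m.memberOf[principal], role) }
func (m *Model) AddSecurable(name, parent string) { m.parentOf[name] = parent }
func (m *Model) Grant(p, perm, s string)          { m.acl = append(m.acl, entry{p, perm, s, false}) }
func (m *Model) Deny(p, perm, s string)           { m.acl = append(m.acl, entry{p, perm, s, true}) }

// Revoke removes a GRANT or DENY stated for exactly this principal, permission
// and securable. It never adds a denial: anything inherited through a role or
// from a containing scope stays in force.
func (m *Model) Revoke(p, perm, s string) {
	kept := m.acl[:0]
	for _, e := range m.acl {
		if e.Principal != p || e.Permission != perm || e.Securable != s {
			kept = append(kept, e)
		}
	}
	m.acl = kept
}

// identities returns p plus every role it belongs to, transitively.
func (m *Model) identities(p string) map[string]bool {
	seen := map[string]bool{p: true}
	for queue := []string{p}; len(queue) > 0; queue = queue[1:] {
		for _, r := range m.memberOf[queue[0]] {
			if !seen[r] {
				seen[r] = true
				queue = append(queue, r)
			}
		}
	}
	return seen
}

// scope returns s plus every securable that contains it, up to the server.
func (m *Model) scope(s string) map[string]bool {
	out := map[string]bool{}
	for ; s != ""; s = m.parentOf[s] {
		out[s] = true
	}
	return out
}

// HasPermission: a DENY on any identity at any enclosing scope wins; otherwise
// a GRANT on any identity at any enclosing scope is enough.
func (m *Model) HasPermission(principal, perm, securable string) bool {
	ids, scope := m.identities(principal), m.scope(securable)
	granted := false
	for _, e := range m.acl {
		if !strings.EqualFold(e.Permission, perm) || !ids[e.Principal] || !scope[e.Securable] {
			continue
		}
		if e.Deny {
			return false
		}
		granted = true
	}
	return granted
}

// DemoModel is a constructed scenario: a Sales database whose dbo schema holds
// Orders and Salaries, a Readers role, and a NoPayroll role.
func DemoModel() *Model {
	m := NewModel()
	m.AddSecurable("Sales", "SQLSRV")
	m.AddSecurable("Sales.dbo", "Sales")
	m.AddSecurable("Sales.dbo.Orders", "Sales.dbo")
	m.AddSecurable("Sales.dbo.Salaries", "Sales.dbo")
	m.AddMember("alice", "Readers")
	m.AddMember("bob", "Readers")
	m.AddMember("carol", "NoPayroll")
	m.Grant("Readers", "SELECT", "Sales.dbo")        // schema-level grant reaches both tables
	m.Deny("alice", "SELECT", "Sales.dbo.Salaries")  // direct deny on one table
	m.Grant("carol", "SELECT", "Sales.dbo.Salaries") // direct grant on the table...
	m.Deny("NoPayroll", "SELECT", "Sales.dbo")       // ...overridden by a deny reached through a role
	return m
}

func main() {
	m := DemoModel()
	for _, c := range [][3]string{{"alice", "SELECT", "Sales.dbo.Orders"}, {"alice", "SELECT", "Sales.dbo.Salaries"}, {"carol", "SELECT", "Sales.dbo.Salaries"}} {
		fmt.Printf("%-6s %s on %-19s -> %v\n", c[0], c[1], c[2], m.HasPermission(c[0], c[1], c[2]))
	}
}
```

The check is worth running in your head for the “Administrative Privileges” and “Catalog Security” items that follow: a user who looks harmless in their own grants may still inherit wide access through role membership, and conversely a single DENY placed on a role is the reliable way to carve sensitive objects out of a broad read grant, because REVOKE only removes what was explicitly stated.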
Database Security
Surface Area Reduction
Authentication Mode
Password Policies enforcement
Administrative Privileges
Catalog Security
Encryption
Auditing
Demo …
Summary
Security is an integral part of all software
Maximize SQL Security to protect sensitive data
Encryption is cool: use it carefully though
Understand the password policies of the organization
Block standard/un-used default ports
Lastly, understand all the entry points to your application
Questions?
Resources
Encrypting File System in Windows XP and Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
Best practices for the Encrypting File System
http://support.microsoft.com/default.aspx?scid=kb;en-us;223316&sd=tech
What's New in Security for Windows XP Professional and Windows XP Home Edition
http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/xpsec.mspx
Resources
SQL Server : Security Blog
http://blogs.msdn.com/lcris/
SQL Server Security and Protection
http://www.microsoft.com/technet/prodtechnol/sql/2005/library/security.mspx