This is Il Sung Lee, Ayad Shammout, and my 2009 SQL PASS Summit presentation on addressing security and compliance issues with SQL Server

1. SQLCAT: Addressing Security
and Compliance Issues
Il-Sung Lee, Denny Lee, Ayad Shammout

2. SQL Server Customer Advisory Team
(SQLCAT)
• Works on the largest, most complex SQL Server projects worldwide
• MySpace - 4.4 million concurrent users at peak time, 8 billion friend relationships, 34
billion e-mails, 1 PetaByte store, scale-out using SSB and SOA
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000004532
• Bwin – Most popular European online gaming site – 30000 database transactions /
second, motto: “Failure is not an option”; 100 TB total storage
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000004138
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000001470
• Korea Telecom - Largest telco in Korea serves 26 million customers; 3 TB Data
Warehouse
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000001993
• Drives product requirements back into SQL Server from our customers and ISVs
• Shares deep technical content with SQL Server community
• SQLCAT.com
• http://blogs.msdn.com/mssqlisv

3. SQL Server Design Win Program
• Target the most challenging and innovative SQL Server
applications
• 10+ TB DW, 3k/tran/s OLTP, Large 500GB+ Cubes, Competitive
migrations, Complex deployments, Server Consolidation (1000+)
• Invest in large scale, referenceable SQL Server projects
across the world
• Provide SQLCAT technical & project experience
• Conduct architecture and design reviews covering performance,
operation, scalability and availability
• Offer use of HW lab in Redmond with direct access to SQL Server
development team
• Work with Marketing Team Developing PR

4. SQLCAT and SQL CSS Invite You…
ROOM 611
• To the SQL Server Clinic where the most experienced SQL Server experts in the world
will be waiting to talk with you.
• Bring your toughest Questions / Challenges to the experts who have seen it all
• Architect and Design your future applications with experts who have done it before
with some of the largest, most complex systems in the world
• Or just stop in to say hello!

5. Agenda
• Introduction to Compliance
• Payment Credit Industry Compliance
Showcase
• Health Information Portability and
Accountability Act Compliance Showcase
• Application of SQL Server to fulfill HIPAA
compliance scenarios
• Enacted at CareGroup Healthcare

6. Introduction to Compliance
Addressing Security and Compliance Issues

7. Importance of Compliance
• Widely cited within the academic
community, 87% of the US
population is uniquely identifiable
by the three attributes of zip
code, birth date, and gender
(Sweeney, 2002)
• Sweeney was able to identify the
medical records of Gov William
Weld (MA) by joining masked
medical data and a voter’s list.
Name
Address
Dates
Party
Voted Date
Ethnicity
Visit Date
Diagnosis
Procedure
Medication
Total Charge
Zip
DOB
Gender
*based on Sweeney L, k-Anonymity: A model for protecting
privacy, International Journal on Uncertainty, Fuzziness and
Knowledge-based Systems, 10(5), 2002, 557-570

8. What is Compliance? (GRC)

9. GRC Example
Loss from theft,
vandalism and
injury to personnel
Review entrance
and guard logs,
tapes and news
reports
Locked door, guard,
camera, badges and
policies

10. Compliance Requirements
IT Control
SOX
PCI
HIPAA
GLBA
ID Management
Separation of Duties
Encryption
Key Management
Auditing
Control Testing
Policy Management
http://www.microsoft.com/sql/compliance

11. Payment Credit Industry (PCI)
Guidance
Addressing Security and Compliance Issues

12. Disclaimers
• I am not a QSA (Qualified Security Assessor)
• But I will provide guidance and best practice on
PCI DSS Compliance.
• No feature
deep dive
• More detailed
info available
in this
whitepaper

13. Overview of the PCI DSS
• Visa, Mastercard, AmEx, Discover, and JCB created the PCI
Security Standards Council in Dec. 2004 and released the PCI Data
Security Standard v1
• Created “to help facilitate the broad adoption of consistent data
security measures on a global basis” for enhancing payment account
data security
• Applies to any business that stores, processes, or transmits Primary
Account Number (PAN)
• Requires annual compliance audit
• Noncompliance leads to levy of significant fines.
• Latest version is 1.2.1,
https://www.pcisecuritystandards.org/security_standards/pci_dss.sht
ml

14. PCI Objectives and Requirements
Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications
Implement StrongAccess Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8:Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security

15. SQL Server 2008 Compliance Toolbox
Audit
TDE
EKM
Signed
Module
PBM
CDC

16. Req 2: Do not use vendor-supplied defaults
for system pwds and other security params
• No default passwords in SQL Server
• Features/services Off-by-Default
• E.g., protocols, CLR, dbmail, XPcmdshell
• BUILTIN/Administrators are not sysadmin
• sa account is not enabled in Windows
Auth mode

17. Req 3: Protect stored cardholder data
• Enable Transparent Data Encryption on
databases containing credit card data
• Periodic key rotation – at least once a year
• EKM for split-key ownership
• HSM administrator different from db_owner and
sysadmin
• Key management without EKM permissible
• No single user with access to both db
backup and certificate backup files

18. Req 4: Encrypt transmission of cardholder
data across open, public networks
• Full support for TLS/SSL
• Can be set server-wide or on a per connection
basis.
• Enable for all connections transmitting
cardholder data
SSL
LOGIN
Userid
Password
...

19. Req 7: Restrict access to cardholder data by
business need-to-know
• Limit inclusion in sysadmin
• Windows authentication
• BUILTIN/Administrators are not sysadmin
• Using principals of least privilege
• Role-based access
• Instance and database permissions
• Signed modules
• Disable sa login

20. Req 8: Assign a unique ID to each person
with computer access
• SQL Server uses Windows SIDs for Windows
users and groups
• SQL Logins use GUID for generating SID
• Enable Windows password policy support
• Set to change password on next logon
• Enforce 90 day password expiration
• Do not use a single login for application
connections (or any shared accounts in
general); applies to sa – disable!

21. Req 10: Track and monitor all access to
network resources and cardholder data
• SQL Server Audit to monitor data access
• Granular auditing of tables
• Audit trail must be retained for 1 year
• Log should be protected from SQL users/DBA
• Configure Audit to shutdown on failure
• Change Data Capture to record committed
changes to data
• Policy-based Management to monitor server
settings and detect changes

22. Audit Settings
• At a minimum, Audit:
• Login success and failures
• Changes to server configurations, encryption keys,
logins, server level permissions, databases
• CREATE/DELETE/ALTER of schema objects
• SELECT/INSERT/UPDATE/DELETE and ALTER of
tables containing cardholder data
• Changes to Audit configuration
• Enable the CDC against any table containing
cardholder data

23. Achieving PCI Compliance
• With careful planning, proper organizational
procedures, and process controls, PCI
compliance with SQL Server 2008 attainable
• TDE, Audit, PBM and other 2008 features are
all useful tools in achieving compliance
• Take time to read the whitepaper
• http://www.parentebeard.com/lib/pdf/Deploying_
SQL_Server_2008_Based_on_PCI_DSS.pdf
• Consult a PCI Qualified Security Assessor

24. Health Information Portability and
Accountability Act (HIPPA) Case
Study
Addressing Security and Compliance Issues

25. Business Drivers
• Avoiding disruptions in patient care
• Improving patient and staff access to medical records
and other vital information
• Complying with HIPAA regulations
• Maintaining privacy of medical information
• Its Expensive To Be Careless!
o Direct Costs – Customers lost, Revenue, Legal,
Audit Fees
o Indirect Losses – Reputation

26. The Challenges
 Protecting the privacy and integrity of
patient medical records
 Monitoring database access and capturing
access information for compliance and
audit purposes
 Who accessed which databases, when and
how?

27. What we can and can’t do
 We can ….
 Enforce account/password policy
 Define strong policies and procedures
 We can’t …..
 Enforce audit log in every vendor application
 Determine who is doing what and when

28. How we are providing for data integrity
and security
 Database classifications (AAA vs. AA)
 Have policies and procedures for data access authorization
 Online HIPAA and Security employee training
 Automatically terminate data access when employees leave
 Create scripts to collect data and user access details
 Implement our Centralized Audit Solution on SQL Server
2008

29. Implementing IT Control with SQL
Server 2008
• Securing the Platform
• Controlling Identity and Separation of Duties
• Encrypting Database Data
• Auditing Sensitive Information
• Using Policy-Based Management to Define,
Deploy and Validate Policy

30. Securing the Platform
• Limit number of users have access to SQL Server
• Minimize surface area of attack by limiting running services,
installing only the software needed, disable unnecessary
ports and configuring the firewall
• Install latest OS/SQL service packs and security patches

31. Controlling Identity and Separation of
Duties
• Limit who can access the database and grant the least
privileges.
• Use Windows Authentication
• Use Policy-Based Management to validate security policies

32. Encrypting Database Data
• Transparent Data Encryption (TDE)
• Protecting sensitive data

33. Auditing Sensitive Information

34. SSIS
SSIS
SSIS
CentralSQL
AuditRepository
SQL2008E.E.
Applications
AuditLogs.

35. Auditing…in action
HIPAA Case Study

36. Using Policy-Based Management to
Define, Deploy and Validate Policy
SQLAudit
Central Server
Server 1
Server 2
Server n
Policy Extract
Extract Policy
Data
Obtain Server
List
Load Policy Data
View
Reports
Extract Logs to
fileshare

37. Enterprise Policy Management Framework

38. Results
• Spend less time on regulatory compliance
• Automate compliance and IT security controls
• Proactively measure and remediate
deficiencies to sustain the control environment
• Embrace best practices and build policies and
processes
• Reduce the impact of a breach by providing
Analysis and Alerts of malicious or suspicious
activity.
• Complete audit log

39. Complete the Evaluation Form & Win!
• You could win a Dell Mini Netbook – every day – just for
handing in your completed form! Each session form is
another chance to win!
Pick up your Evaluation Form:
• Within each presentation room
• At the PASS Booth near registration area
Drop off your completed Form:
• Near the exit of each presentation room
• At the PASS Booth near registration area
Sponsored by Dell

40. Thank you
for attending this session and the
2009 PASS Summit in Seattle

41. Visit the
Microsoft Technical Learning Center
Located in the Expo Hall
Microsoft Ask the Experts Lounge
Microsoft Chalk Talk Theater Presentations
Microsoft Partner Village