2. SQL Server Customer Advisory Team
(SQLCAT)
• Works on the largest, most complex SQL Server projects worldwide
• MySpace - 4.4 million concurrent users at peak time, 8 billion friend relationships, 34
billion e-mails, 1 PetaByte store, scale-out using SSB and SOA
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000004532
• Bwin – Most popular European online gaming site – 30000 database transactions /
second, motto: “Failure is not an option”; 100 TB total storage
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000004138
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000001470
• Korea Telecom - Largest telco in Korea serves 26 million customers; 3 TB Data
Warehouse
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000001993
• Drives product requirements back into SQL Server from our customers and ISVs
• Shares deep technical content with SQL Server community
• SQLCAT.com
• http://blogs.msdn.com/mssqlisv
3. SQL Server Design Win Program
• Target the most challenging and innovative SQL Server
applications
• 10+ TB DW, 3k/tran/s OLTP, Large 500GB+ Cubes, Competitive
migrations, Complex deployments, Server Consolidation (1000+)
• Invest in large scale, referenceable SQL Server projects
across the world
• Provide SQLCAT technical & project experience
• Conduct architecture and design reviews covering performance,
operation, scalability and availability
• Offer use of HW lab in Redmond with direct access to SQL Server
development team
• Work with Marketing Team Developing PR
4. SQLCAT and SQL CSS Invite You…
ROOM 611
• To the SQL Server Clinic where the most experienced SQL Server experts in the world
will be waiting to talk with you.
• Bring your toughest Questions / Challenges to the experts who have seen it all
• Architect and Design your future applications with experts who have done it before
with some of the largest, most complex systems in the world
• Or just stop in to say hello!
5. Agenda
• Introduction to Compliance
• Payment Credit Industry Compliance
Showcase
• Health Information Portability and
Accountability Act Compliance Showcase
• Application of SQL Server to fulfill HIPAA
compliance scenarios
• Enacted at CareGroup Healthcare
7. Importance of Compliance
• Widely cited within the academic
community, 87% of the US
population is uniquely identifiable
by the three attributes of zip
code, birth date, and gender
(Sweeney, 2002)
• Sweeney was able to identify the
medical records of Gov William
Weld (MA) by joining masked
medical data and a voter’s list.
Name
Address
Dates
Party
Voted Date
Ethnicity
Visit Date
Diagnosis
Procedure
Medication
Total Charge
Zip
DOB
Gender
*based on Sweeney L, k-Anonymity: A model for protecting
privacy, International Journal on Uncertainty, Fuzziness and
Knowledge-based Systems, 10(5), 2002, 557-570
9. GRC Example
Loss from theft,
vandalism and
injury to personnel
Review entrance
and guard logs,
tapes and news
reports
Locked door, guard,
camera, badges and
policies
12. Disclaimers
• I am not a QSA (Qualified Security Assessor)
• But I will provide guidance and best practice on
PCI DSS Compliance.
• No feature
deep dive
• More detailed
info available
in this
whitepaper
13. Overview of the PCI DSS
• Visa, Mastercard, AmEx, Discover, and JCB created the PCI
Security Standards Council in Dec. 2004 and released the PCI Data
Security Standard v1
• Created “to help facilitate the broad adoption of consistent data
security measures on a global basis” for enhancing payment account
data security
• Applies to any business that stores, processes, or transmits Primary
Account Number (PAN)
• Requires annual compliance audit
• Noncompliance leads to levy of significant fines.
• Latest version is 1.2.1,
https://www.pcisecuritystandards.org/security_standards/pci_dss.sht
ml
14. PCI Objectives and Requirements
Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications
Implement StrongAccess Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8:Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security
15. SQL Server 2008 Compliance Toolbox
Audit
TDE
EKM
Signed
Module
PBM
CDC
16. Req 2: Do not use vendor-supplied defaults
for system pwds and other security params
• No default passwords in SQL Server
• Features/services Off-by-Default
• E.g., protocols, CLR, dbmail, XPcmdshell
• BUILTIN/Administrators are not sysadmin
• sa account is not enabled in Windows
Auth mode
17. Req 3: Protect stored cardholder data
• Enable Transparent Data Encryption on
databases containing credit card data
• Periodic key rotation – at least once a year
• EKM for split-key ownership
• HSM administrator different from db_owner and
sysadmin
• Key management without EKM permissible
• No single user with access to both db
backup and certificate backup files
18. Req 4: Encrypt transmission of cardholder
data across open, public networks
• Full support for TLS/SSL
• Can be set server-wide or on a per connection
basis.
• Enable for all connections transmitting
cardholder data
SSL
LOGIN
Userid
Password
...
19. Req 7: Restrict access to cardholder data by
business need-to-know
• Limit inclusion in sysadmin
• Windows authentication
• BUILTIN/Administrators are not sysadmin
• Using principals of least privilege
• Role-based access
• Instance and database permissions
• Signed modules
• Disable sa login
20. Req 8: Assign a unique ID to each person
with computer access
• SQL Server uses Windows SIDs for Windows
users and groups
• SQL Logins use GUID for generating SID
• Enable Windows password policy support
• Set to change password on next logon
• Enforce 90 day password expiration
• Do not use a single login for application
connections (or any shared accounts in
general); applies to sa – disable!
21. Req 10: Track and monitor all access to
network resources and cardholder data
• SQL Server Audit to monitor data access
• Granular auditing of tables
• Audit trail must be retained for 1 year
• Log should be protected from SQL users/DBA
• Configure Audit to shutdown on failure
• Change Data Capture to record committed
changes to data
• Policy-based Management to monitor server
settings and detect changes
22. Audit Settings
• At a minimum, Audit:
• Login success and failures
• Changes to server configurations, encryption keys,
logins, server level permissions, databases
• CREATE/DELETE/ALTER of schema objects
• SELECT/INSERT/UPDATE/DELETE and ALTER of
tables containing cardholder data
• Changes to Audit configuration
• Enable the CDC against any table containing
cardholder data
23. Achieving PCI Compliance
• With careful planning, proper organizational
procedures, and process controls, PCI
compliance with SQL Server 2008 attainable
• TDE, Audit, PBM and other 2008 features are
all useful tools in achieving compliance
• Take time to read the whitepaper
• http://www.parentebeard.com/lib/pdf/Deploying_
SQL_Server_2008_Based_on_PCI_DSS.pdf
• Consult a PCI Qualified Security Assessor
25. Business Drivers
• Avoiding disruptions in patient care
• Improving patient and staff access to medical records
and other vital information
• Complying with HIPAA regulations
• Maintaining privacy of medical information
• Its Expensive To Be Careless!
o Direct Costs – Customers lost, Revenue, Legal,
Audit Fees
o Indirect Losses – Reputation
26. The Challenges
Protecting the privacy and integrity of
patient medical records
Monitoring database access and capturing
access information for compliance and
audit purposes
Who accessed which databases, when and
how?
27. What we can and can’t do
We can ….
Enforce account/password policy
Define strong policies and procedures
We can’t …..
Enforce audit log in every vendor application
Determine who is doing what and when
28. How we are providing for data integrity
and security
Database classifications (AAA vs. AA)
Have policies and procedures for data access authorization
Online HIPAA and Security employee training
Automatically terminate data access when employees leave
Create scripts to collect data and user access details
Implement our Centralized Audit Solution on SQL Server
2008
29. Implementing IT Control with SQL
Server 2008
• Securing the Platform
• Controlling Identity and Separation of Duties
• Encrypting Database Data
• Auditing Sensitive Information
• Using Policy-Based Management to Define,
Deploy and Validate Policy
30. Securing the Platform
• Limit number of users have access to SQL Server
• Minimize surface area of attack by limiting running services,
installing only the software needed, disable unnecessary
ports and configuring the firewall
• Install latest OS/SQL service packs and security patches
31. Controlling Identity and Separation of
Duties
• Limit who can access the database and grant the least
privileges.
• Use Windows Authentication
• Use Policy-Based Management to validate security policies
36. Using Policy-Based Management to
Define, Deploy and Validate Policy
SQLAudit
Central Server
Server 1
Server 2
Server n
Policy Extract
Extract Policy
Data
Obtain Server
List
Load Policy Data
View
Reports
Extract Logs to
fileshare
38. Results
• Spend less time on regulatory compliance
• Automate compliance and IT security controls
• Proactively measure and remediate
deficiencies to sustain the control environment
• Embrace best practices and build policies and
processes
• Reduce the impact of a breach by providing
Analysis and Alerts of malicious or suspicious
activity.
• Complete audit log
39. Complete the Evaluation Form & Win!
• You could win a Dell Mini Netbook – every day – just for
handing in your completed form! Each session form is
another chance to win!
Pick up your Evaluation Form:
• Within each presentation room
• At the PASS Booth near registration area
Drop off your completed Form:
• Near the exit of each presentation room
• At the PASS Booth near registration area
Sponsored by Dell
41. Visit the
Microsoft Technical Learning Center
Located in the Expo Hall
Microsoft Ask the Experts Lounge
Microsoft Chalk Talk Theater Presentations
Microsoft Partner Village
Hinweis der Redaktion
Requirement 6 is mostly operational in nature and requires establishment of standard system development lifecycle procedures. However it does touch upon SoD of people with access to development and test environments
By split key ownership, we mean the requirement of more than 1 person in order to administer and manage the cryptographic key, e.g., restore key.