SQLCAT - Data and Admin Security
1. SQLCAT – Data and Admin Security
Il-Sung Lee, Senior Program Manager
Denny Lee, Senior Program Manager
Ayad Shammout, Caregroup Healthcare
PASS Community Summit 2008
November 18 – 21, 2008, Seattle WA
2. SQL Server Customer Advisory Team (SQLCAT)
• Works on the largest, most complex SQL Server projects worldwide
  – US: NASDAQ, Progressive, Premier Bankcard, Hilton Hotels
  – Europe: Barclays Capital, Danske Bank, McLaren, Bwin
  – Asia/Pacific: Korea Telecom, GMarket, Japan Railways East, China Mobile
  – LATAM: Banco Itau, Oi
  – Strategic ISVs: SAP, Siebel, JDE, PeopleSoft, GE Healthcare, SunGard, Siemens, Dynamics and more
• Drives product requirements back into SQL Server from our customers and ISVs
• Shares deep technical content with the SQL Server community
  – SQLCAT.com
  – http://blogs.msdn.com/sqlcat
  – http://blogs.msdn.com/mssqlisv
  – http://technet.microsoft.com/en-us/sqlserver/bb331794.aspx
PASS Community Summit 2008 DBA-402-A SQLCAT - Security -- Data Security, Admin Security
3. SQL Server Design Win Program
• Target the Most Challenging and Innovative Applications on SQL Server
• Investing in Large Scale, Referenceable SQL Server Projects Across the World
  – Provide SQLCAT technical & project experience
  – Conduct architecture and design reviews covering performance, operation, scalability and availability aspects
  – Offer use of the HW lab in Redmond with direct access to the SQL Server development team
• Work with the Marketing Team on Developing Case Studies
4. AGENDA
• SQL Server 2008 Security Features
  – Extensible Key Management
  – Transparent Data Encryption
  – SQL Server Audit
• Customer Scenarios and Feedback
  – Transparent Data Encryption and Extensible Key Management
  – SQL Server Audit
5. SQL SERVER 2008 SECURITY FEATURES
6. EXTENSIBLE KEY MANAGEMENT
• Key storage, management and encryption done by the HSM module
• SQL EKM key is a proxy to the HSM key
• SQL EKM Provider DLL implements the SQLEKM interface and calls into the HSM module
(Diagram: SQL Server data is protected by a SQL EKM Key, which is a proxy for the HSM key; the SQL EKM Provider DLL sits between SQL Server and the HSM.)
7. DATA ENCRYPTION
• SQL Server 2005
  – Built-in encryption functions
  – Key management in SQL Server
  – Encrypted File System (EFS)
  – Bit-Locker
• SQL Server 2008
  – Extensible Key Management (EKM)
  – Transparent Data Encryption (TDE)
8. ADVANTAGES OF USING EKM
• Security
  – Data and keys are physically separated (keys are stored in HSM modules)
  – Centralized key management and storage for the enterprise
  – Additional authentication layer
  – Separation of duties between db_owner and data owner
• Performance
  – Pluggable hardware encryption boards
9. EKM KEY HIERARCHY IN SQL 2008
(Diagram: key hierarchy across the HSM and SQL Server. The HSM holds a Symmetric key and an Asymmetric key; inside SQL Server they appear as an EKM Symmetric key and an EKM Asymmetric key, which protect a Native Symmetric key, the TDE DEK key, and Data.)
10. TRANSPARENT DATA ENCRYPTION
• Encryption/decryption at database level
• DEK is encrypted with:
  – Certificate
  – Key residing in a Hardware Security Module (HSM)
• Certificate required to attach database files or restore a backup
(Diagram: a Client Application exchanges plaintext with SQL Server 2008, which uses the DEK to produce the Encrypted data page on disk.)
11. TDE – KEY HIERARCHY
(Diagram: the chain of protection from the operating system down to the user database)
Operating System Level – Data Protection API (DPAPI): DPAPI encrypts the Service Master Key
SQL Server 2008 Instance Level – Service Master Key: the Service Master Key (or a Password) encrypts the Database Master Key
SQL Server 2008 Master Database – Database Master Key: the Database Master Key encrypts the Certificate in the master database
SQL Server 2008 Master Database – Certificate: the Certificate encrypts the Database Encryption Key
SQL Server 2008 User Database – Database Encryption Key
12. TDE – KEY HIERARCHY WITH EKM
(Diagram: the certificate in master is replaced by a key held on the EKM device)
Hardware Security Module (HSM) – Asymmetric Key: the Asymmetric Key resides on the EKM device
SQL Server 2008 User Database – Database Encryption Key: the Asymmetric Key encrypts the Database Encryption Key
13. REASONS TO USE TDE
• Protects data-at-rest
• Entire database is protected
• Applications do not need to explicitly encrypt/decrypt data!
  – No restrictions on indexes or data types (except FILESTREAM)
• Performance cost is small
• Backups are unusable without the key
14. TDE CONSIDERATIONS
• Compatible with Database Compression
• Not recommended with Backup Compression
• Database Mirroring
  – Copy the certificate from the primary to the mirror
• Log files are not retroactively encrypted
  – Encryption begins at the next VLF boundary
• tempdb is encrypted as soon as one database in the instance uses TDE
• Enterprise only
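The certificate-based hierarchy of slide 11, followed by the certificate copy that slides 14 and 26 require on the mirror, as an added T-SQL example (not from the slides or the Compliance SDK); SalesDB, TDE_Cert, the file paths and the passwords are placeholders.

```sql
-- Added example, not from the slides: build the certificate-based TDE key
-- hierarchy on the principal, then restore the same certificate on the mirror /
-- log-shipping secondary. SalesDB, TDE_Cert, paths and passwords are placeholders.
USE master;
GO
-- The service master key already exists (DPAPI-protected); the database master
-- key in master is protected by it and additionally by this password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
GO
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- Back up the certificate AND its private key before enabling encryption: without
-- them the data files and every later backup cannot be attached or restored.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'D:\keys\TDE_Cert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TDE_Cert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong private key password>');
GO
USE SalesDB;
GO
-- The DEK lives in the user database and is encrypted by the certificate in master.
-- With EKM (slide 12) this clause becomes ENCRYPTION BY SERVER ASYMMETRIC KEY <key>.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
-- Returns at once; a background task encrypts the existing pages (slide 25).
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO

-- On the mirror: the same certificate (same thumbprint) must exist in its master
-- database before the encrypted database can be mirrored, attached or restored.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password on mirror>';
GO
CREATE CERTIFICATE TDE_Cert
    FROM FILE = 'D:\keys\TDE_Cert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\TDE_Cert.pvk',
                      DECRYPTION BY PASSWORD = '<strong private key password>');
GO
```

Store the .cer/.pvk pair and its password away from the database server; whoever holds them can open every backup of SalesDB.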
16. AUDITING DATABASE ACTIVITY
• SQL Server 2005
  – SQL Trace
  – DDL/DML Triggers
  – Third-party tools to read transaction logs
  – No management tools support
• SQL Server 2008
  – SQL Server Audit
17. SQL SERVER AUDIT
• Audit is now a first-class server object
  – Native DDL for Audit configuration and management
  – Security support
• Create an Audit object to automatically log actions to:
  – File
  – Windows Application Log
  – Windows Security Log
• Ability to define granular Audit Actions of Users or Roles on DB objects
18. AUDIT SPECIFICATIONS
• Server and database audit specifications for
  – Pre-defined action groups
  – Individual action filters
• Server action groups
  – Server config changes, login/logoff, role membership change, etc.
• Database action groups
  – Schema object access, database role membership change, database object access, database config change
19. AUDIT SPECIFICATIONS
(Diagram: an Audit object writes to the Security Event Log, the Application Event Log or the file system. Each Audit object has 0..1 Server Audit Specification, made up of Server Audit Actions, and 0..1 Database Audit Specification per database, made up of Database Audit Actions over the Database Audit Components.)

CREATE SERVER AUDIT SPECIFICATION SvrAC
    FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP);

CREATE DATABASE AUDIT SPECIFICATION AuditAC
    FOR SERVER AUDIT PCI_Audit
    ADD (SELECT ON Customers BY public);
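The Audit object that the two specifications on this slide attach to, written to 100 MB files as slide 34 recommends and extended with the key-access action groups slide 32 names, as an added T-SQL example (not from the slides or the Compliance SDK); the audit file path, SalesDB and dbo.Customers are placeholders.

```sql
-- Added example, not from the slides: create the PCI_Audit target, then the
-- server- and database-level specifications. Path, SalesDB and dbo.Customers
-- are placeholders.
USE master;
GO
CREATE SERVER AUDIT PCI_Audit
    TO FILE (FILEPATH = 'D:\audit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = UNLIMITED)
    -- ON_FAILURE = SHUTDOWN stops the instance when the target cannot be written;
    -- CONTINUE keeps serving requests but silently loses audit coverage.
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
-- Server-level actions (slide 18): failed logins, role membership and server
-- operations, plus AUDIT_CHANGE_GROUP so changes to the audit itself are recorded.
CREATE SERVER AUDIT SPECIFICATION SvrAC
    FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_OPERATION_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE SalesDB;
GO
-- Database-level actions: SELECT on the sensitive table by anyone, plus access to
-- and changes of database objects, which is where keys and certificates show up.
CREATE DATABASE AUDIT SPECIFICATION AuditAC
    FOR SERVER AUDIT PCI_Audit
    ADD (SELECT ON OBJECT::dbo.Customers BY public),
    ADD (DATABASE_OBJECT_ACCESS_GROUP),
    ADD (DATABASE_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Nothing is written until the Audit object itself is switched on.
USE master;
GO
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
```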
20. REASONS TO USE SQL AUDIT
• Leverages the high performance eventing infrastructure to generate audits
• Runs within the engine rather than as a side/separate app
• Parity with SQL 2005 Audit Generation
• Faster than SQL Trace
• Records changes to Audit configuration
• Configuration and management in SSMS
• (Note: Enterprise Edition only)
23. Business Reasons
• Compliance requirements for PCI, HIPAA, GLBA among many other acronyms
• Key Management, Encryption, and Auditing are key components to meeting these compliance requirements
• Refer to the Compliance SDK that will be released on sqlcat.com and Technet this month
(Table: IT Controls – ID Management, Separation of Duties, Encryption, Key Management, Auditing, Control Testing, Policy Management – mapped against SOX, PCI, HIPAA and GLBA.)
25. Transparent Data Encryption
What happens after encryption is enabled
When enabling encryption
• Immediate success, provided it is not blocked by a backup
  – Can be executed with applications online
• Every page from this point forward is encrypted
• Background task will encrypt existing pages
• TempDB is encrypted with AES 256 (strongest key available)
  – This is done independent of the algorithm chosen for the user database
  – If you decrypt all user databases, this does not automatically decrypt TempDB
  – Consequences for other databases using TempDB intensively
Resources
• Using Transparent Data Encryption with large SAP databases will be published by Juergen Thomas on sqlcat.com
26. Transparent Data Encryption
Operational Impact
• Storage replication at hardware level
  – Background task to encrypt all pages
  – At HW level, all pages get changed, i.e. all pages need to be replicated
  – Need to test whether your hardware replication can handle this throughput
• When using Database Mirroring or Log Shipping,
  – Ensure that the mirror server has the master key and certificate as well
  – Bottleneck isn't throughput of pages
    • Transaction log will have one entry per 4 extents (32 pages) noting that the extents are encrypted
    • But the secondary server's restore of the transaction log uses fewer threads than the principal/primary server, i.e. a backlog builds up in restore activity
  – Possible failover issues
    • Synchronous mirroring backlog may result in not being able to fail over, since restoring the received transaction log records could take a few hours
    • For log shipping, restoration of the backups will fall behind; manual failover cannot take place before the restore has finally caught up
  – May want to consider disabling HA and then resynchronizing your HA configuration
27. Transparent Data Encryption
Monitoring Progress of Encryption / Decryption
-- tempdb is listed here as well once any user database on the instance is encrypted (slide 14)
select DB_NAME(database_id),
       case encryption_state
            when 1 then 'Unencrypted'
            when 2 then 'Encryption in Progress'
            when 3 then 'Encrypted'
            when 4 then 'DEK change in progress'
            when 5 then 'Decryption in progress'
       end as encryption_state_desc,
       key_algorithm,
       key_length,
       percent_complete
  from sys.dm_database_encryption_keys
28. Transparent Data Encryption
Customer Scenario
• Observations
  – 4 x 2 cores, one LUN for 6 data files on 30 spindles, 10 spindles for log
  – Write rate 10-15% higher than read rate
  – Writes bundled into 150-180k chunks – less I/O
  – ½ core CPU
    • Only one data LUN, therefore one background and one coordinating thread
    • Recall, CPU is dependent on the number of LUNs
  – 30MB/s volume for read, encrypt, write for a 100GB volume
    • 1h with AES algorithm
    • 2.5h with TRIPLE_DES algorithm
    • Same for encrypted to decrypted state
• Performance Impact
  – Hard to predict … "it depends"
  – Will impact write-intensive workloads more than read-only workloads
  – Another customer: 2008 (with TDE and page compression) performance on par with 2005
29. Transparent Data Encryption
Quick Guide
When implementing TDE
• Be sure to back up the certificate private key
• Rotate certificates and keys periodically as required by regulations
• Use EKM for stronger key protection and separation of duties
• Monitor key and encryption access
  – Policy Based Management
  – Auditing (Audit action types: DATABASE_OBJECT_ACCESS_GROUP and DATABASE_OBJECT_CHANGE_GROUP)
(Diagram: a Certificate, issued from a Certificate Template and held by a Key Server or via Extensible Key Management, with Backup and Rotation around it, protects the Database Encryption Key. Possible algorithms include AES (128, 192, 256 bit) and 3DES.)
31. Auditing
Business Reasons
• Compliance requirements for SOX, PCI, HIPAA, GLBA among many other acronyms
• Customers like the fact that SQL is attempting to address auditing issues with this feature
• Additional guidance on how to use it for auditing scenarios can be found in the Compliance SDK.
(Table: IT Controls – ID Management, Separation of Duties, Encryption, Key Management, Auditing, Control Testing, Policy Management – mapped against SOX, PCI, HIPAA and GLBA.)
32. Auditing
What to audit
• Audit specific users
  – Typically you want to audit sysadmin
  – But many scenarios require auditing of more users, because those users have insert and update access
  – Based on your policies
• Audit specific tables
  – Audit all tables that can be modified or are deemed sensitive
• Audit Objects
  – Key and encryption access auditing (Audit action types: DATABASE_OBJECT_ACCESS_GROUP and DATABASE_OBJECT_CHANGE_GROUP)
• Audit everything approach
  – Can grow quite quickly (i.e. lots of data), so you may want to limit data
  – Or have your audit reporting system filter out data you do not need
33. Auditing
Centralizing audit logs and reporting
(Diagram: the DB Servers running SQL Audit transfer their logs to a File Server; SSIS processes the audit information into a SQL 2008 database; SSRS 2008 generates the Compliance Reports.)
Process Audit Information: use SSIS to process SQL 2008 audit log data and store it in its own SQL database.
34. Auditing
Centralizing audit logs and reporting
• Centralizing Logs
  – Allows you to have one server process all audit logs from your servers
  – Easier manageability
  – Set files to 100MB in size (fewer files, but not too large to process)
  – Can also centralize processing
  – … and centralize reporting
• Compliance SDK contains the full project
  – Organized by Server, Database, DDL, and DML actions
35. Auditing
Interesting finds from auditing
• Backup of a user database:
  – Needs CREATE permissions on the master database to look at the backup media
  – The CREATE permission is a misnomer, since you are not creating anything
  – Nevertheless it is required to do a backup, hence the RESTORE LABELONLY statements that appear in your audit
• Server Principal Name is the user name
• A lot of VIEW SERVER STATE calls, but they are part of an important server audit specification (may want to filter this out)
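Loading the collected audit files into one central table, dropping the routine VIEW SERVER STATE events and pulling out the RESTORE LABELONLY statements mentioned above, as an added T-SQL example (not from the slides or the Compliance SDK); the share path and the AuditCentral database are placeholders.

```sql
-- Added example, not from the slides: ingest .sqlaudit files copied from every
-- instance onto one share (slide 33) into a central table. Share path and the
-- AuditCentral database are placeholders; fn_get_audit_file needs CONTROL SERVER.
USE AuditCentral;
GO
IF OBJECT_ID('dbo.AuditEvents') IS NULL
CREATE TABLE dbo.AuditEvents (
    event_time            datetime2      NOT NULL,
    action_id             varchar(4)     NOT NULL,
    succeeded             bit            NOT NULL,
    server_instance_name  nvarchar(128)  NULL,
    server_principal_name nvarchar(128)  NULL,
    database_name         nvarchar(128)  NULL,
    object_name           nvarchar(128)  NULL,
    statement             nvarchar(4000) NULL,
    file_name             nvarchar(260)  NOT NULL,
    audit_file_offset     bigint         NOT NULL,
    PRIMARY KEY (file_name, audit_file_offset)   -- one row per audit record
);
GO
-- The two DEFAULTs read every matching file from its start. The NOT EXISTS makes
-- re-running the load idempotent; the NOT IN drops the VIEW SERVER STATE noise
-- (slide 35) without editing the audit specification on the source servers.
INSERT INTO dbo.AuditEvents
SELECT f.event_time, f.action_id, f.succeeded, f.server_instance_name,
       f.server_principal_name, f.database_name, f.object_name, f.statement,
       f.file_name, f.audit_file_offset
FROM sys.fn_get_audit_file('\\fileserver\audit\*.sqlaudit', DEFAULT, DEFAULT) AS f
WHERE f.action_id NOT IN (SELECT action_id FROM sys.dm_audit_actions
                          WHERE name = 'VIEW SERVER STATE')
  AND NOT EXISTS (SELECT 1 FROM dbo.AuditEvents AS e
                  WHERE e.file_name = f.file_name
                    AND e.audit_file_offset = f.audit_file_offset);
GO
-- Who inspected backup media, and how often? A user-database backup surfaces in
-- the audit as RESTORE LABELONLY against master (slide 35).
SELECT e.server_instance_name, e.server_principal_name, e.succeeded,
       COUNT(*) AS label_reads, MIN(e.event_time) AS first_seen, MAX(e.event_time) AS last_seen
FROM dbo.AuditEvents AS e
WHERE e.statement LIKE 'RESTORE LABELONLY%'
GROUP BY e.server_instance_name, e.server_principal_name, e.succeeded
ORDER BY label_reads DESC;
```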
36. Auditing
Caregroup Hospitals Scenario
• Auditing is a critical component of HIPAA compliance and of ensuring patient privacy
  – 1 billion rows of audit data
  – 146 mission-critical clinical applications
  – Comprehensive audits yield 300-500k transactions/day
  – HIPAA requires an audit system with 20 years of data
• Auditing Project
  – Available to the community as part of the Compliance SDK
  – Collaboration of Caregroup, MCS, SQLCAT
• Quote:
  – Creating an enterprise tool for consolidated storage, reporting and alerting of all application audit data - that's cool!
  – John Halamka's Cool Technology of the Week (Wellsphere Top Health Blogger, Health Impact Award)
38. Thank you for attending this session and the PASS Community Summit 2008
PASS Community Summit 2008
November 18 – 21, 2008, Seattle WA
Editor's notes
Why consider encryption?
Additional layer of security
Required by some regulatory compliance laws
Database security is a growing concern for many enterprises
Recent regulations have mandated strict requirements for data security, data privacy and data integrity
2005 Cons
Built-in encryption functions require application change
EFS has performance issues with SQL
Bit-Locker – encryption doesn't stick to data and is only available on Vista/Windows Server 2008
Consolidation across enterprise
Simplify key management and storage
Includes, key generation, retrieval, aging, etc.
Offer functionality not available in SQL Server
In SQL Server 2005, you can encrypt data in the database by writing custom Transact-SQL that uses the cryptographic capabilities of the database engine. SQL Server 2008 improves upon this situation by introducing transparent data encryption.
Transparent data encryption performs all cryptographic operations at the database level, removing any need for application developers to create custom code to encrypt and decrypt data/logs. Data is encrypted as it is written to disk, and decrypted as it is read from disk. By using SQL Server to manage encryption and decryption transparently, you can secure business data in the database without requiring any changes to existing applications.