Best Practice for Security and Compliance with
Microsoft and Thales e-Security
Nelson Yuen, Business Development Manager
Thales e-Security Hong Kong
Session Objectives and Takeaways
Messages to deliver:
Overview of today’s common Compliance and Regulations
Using Hardware Security Modules as best security practice with SQL Server
The new features in SQL Server 2012 help you satisfy your security and compliance needs
Questions to answer:
Why is encryption easy but encryption key management hard?
How does the strong Microsoft & Thales partnership continue to help enterprises meet their evolving security and compliance mandates?
Public and Private Sector Guidelines
Source: Monetary Authority of Singapore, Hong Kong Government
Components: Cryptography
Features: Hardened architecture
Requirements:
• Support Full-Duplex, wire-speed encryption and key management
• Certified to FIPS 140-2 Level 3 on key management
• Support common encryption algorithm AES-256, SHA-1, SHA-256
“It is very important to ensure the protection and management of keys.”
“Encryption in storage Mandatory for TOP SECRET / SECRET; Mandatory for CONFIDENTIAL; Recommended for RESTRICTED”
Deployment Choices For Cryptography
Software-based system: Numerous copies of keys across system and backups
[Diagram layers: Software environment, Application, Hardware platform, Hypervisor, Operating System, CPU, Memory, Storage, Back-ups]
Hardened security system: Keys are segregated within isolated security environment
[Diagram: Hardware Security Module beside the layers Software environment, Application, Hardware platform, Hypervisor, Operating System, CPU, Memory, Storage, Back-ups]
Which One is Secure?
SQL Server 2008 & 2012 Security Features
| Customer challenge | Security feature |
|---|---|
| Protect data-at-rest | Transparent Data Encryption |
| Data/Key separation | Extensible Key Management |
| Use strong authentication | Kerberos authentication enhancements |
| Monitor all activity | SQL Server Audit |
| Detect non-compliant configurations | Policy-Based Management |
| | Change Data Capture |
| Industry Certification | Common Criteria Certification (EAL4+) |

Category labels: Protect Data, Ensure Compliance, Control Access
User-Defined Server Roles
Default Schema for Groups
Audit Resilience
Audit in all SKUs
User-Defined Audit
Audit Filtering
T-SQL Stack Info
Contained Database Authentication
Crypto Enhancements
FIPS 140-2 Level 3
SQL 2012 - Crypto Changes
4K certificates supported for import
SMK/DMK default to AES256
Key backups encrypted with AES256
SHA2 (256 and 512) support
Password hashes use SHA512
Microsoft SQL Server Encryption Concept
Benefit to Enable SQL Server TDE
Protects data at rest
Protects data files, log files and backups at all times
Entire database is protected
Reduce data classification workload
No application changes!
No restrictions with indexes or data types
Performance cost is small
No observable impact to application, but security enhanced
Storage space size unchanged
Minimize Cost; Maximize Security
Responsibility and Accountability
IT Manager
DBA / Backup Op
Who Owns This?
Industry Best Practice on Security Control
IT Manager
DBA / Backup Op
Security Officer
Multi-Server Key Management
Authorization models can be applied on per application server basis
Multiple card sets segregate HSM resources
Enables maximum utilization of HSM investment
[Diagram: one HSM divided into Virtual HSM 1, Virtual HSM 2 and Virtual HSM 3, serving SQL Server 1, SQL Server 2 and SQL Server 3, each running TDE with EKM]
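The slides name "TDE with EKM" without showing the configuration. The T-SQL below is an added example, not taken from the presentation or from Microsoft or Thales material: it wraps a database encryption key with an asymmetric key that lives in the HSM, so the key protecting the data is stored apart from the data. The provider name, DLL path, HSM identities and secrets, login names and database name are all placeholders.

```sql
-- Added example. Every object name, path, identity and secret is a placeholder.

-- 1. Allow Extensible Key Management providers on the instance.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO

-- 2. Register the HSM vendor's EKM library (placeholder path).
CREATE CRYPTOGRAPHIC PROVIDER HsmEkmProvider
FROM FILE = 'C:\Path\To\VendorEkmProvider.dll';
GO

-- 3. Credential the administrator uses to authenticate to the HSM
--    while creating the key. A credential maps to a single login.
CREATE CREDENTIAL HsmAdminCredential
WITH IDENTITY = 'hsm_admin_identity', SECRET = '<placeholder-secret>'
FOR CRYPTOGRAPHIC PROVIDER HsmEkmProvider;
ALTER LOGIN [EXAMPLE\SecurityOfficer] ADD CREDENTIAL HsmAdminCredential;
GO

-- 4. Generate the wrapping key inside the HSM. Only a reference to it is
--    stored in master; the private key never leaves the module.
USE master;
CREATE ASYMMETRIC KEY TdeWrappingKey
FROM PROVIDER HsmEkmProvider
WITH ALGORITHM = RSA_2048,
     PROVIDER_KEY_NAME = 'SQL_TDE_WrappingKey',
     CREATION_DISPOSITION = CREATE_NEW;
GO

-- 5. Give the database engine its own HSM credential through a login
--    derived from the asymmetric key.
CREATE CREDENTIAL HsmEngineCredential
WITH IDENTITY = 'hsm_engine_identity', SECRET = '<placeholder-secret>'
FOR CRYPTOGRAPHIC PROVIDER HsmEkmProvider;
CREATE LOGIN TdeEkmLogin FROM ASYMMETRIC KEY TdeWrappingKey;
ALTER LOGIN TdeEkmLogin ADD CREDENTIAL HsmEngineCredential;
GO

-- 6. Create the database encryption key, wrapped by the HSM key,
--    and turn TDE on.
USE ExampleDb;
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER ASYMMETRIC KEY TdeWrappingKey;
ALTER DATABASE ExampleDb SET ENCRYPTION ON;
GO

-- 7. Compliance check: list every encrypted database and what protects
--    its key. encryption_state 3 means encrypted; encryptor_type
--    (SQL Server 2012 and later) reads ASYMMETRIC KEY for an EKM-protected
--    key and CERTIFICATE for a key protected by a certificate in master.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       encryptor_type
FROM sys.dm_database_encryption_keys;
```

A database whose row shows CERTIFICATE has its key protector stored on the same server as the data, which is the condition the data/key separation requirement is meant to rule out.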
Key Management in AlwaysOn Technology
Supports the SQL Server 2012 AlwaysOn HA/DR model.
Central key management: storage, use, rotation and disposal.
[Diagram labels: SQL DB 1 (Primary), SQL DB 1 (Cluster A), SQL DB 1 (Cluster B), each with TDE; Non-Shared Storage; Master Certificate; HSM; HSM (Cluster)]
HK Gov. Security Regulation
SR Ch9 Section 358 :
Stored CONFIDENTIAL information must be encrypted.
SR Ch9 Section 370 :
A key has the same classification as the classified information in respect of which it is used.
SR Ch9 Section 371 :
For keys that are used for the processing of information classified CONFIDENTIAL or above, they must be stored separately from the corresponding encrypted information.
PCI DSS Compliance – Req. 3: Protect stored cardholder data
3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
3.6.1 Generation of strong cryptographic keys
3.6.2 Secure distribution of cryptographic key
3.6.3 Secure storage of cryptographic key
3.6.4 Periodically change keys
3.6.5 Split knowledge of keys
3.5 Protect any keys used to secure cardholder data against disclosure and misuse:
3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary.
3.5.2 Store cryptographic keys securely in the fewest possible locations and forms.
The Key Management Process
Policy and Audit
Lifecycle stages: Generate, Store, Distribute, Use, Rotate, Terminate, Back-up, Recover, Revoke, Suspend
Hardware-based Key Protection Summary
Higher performance for hardware based encryption/decryption
Ability to store keys from all across the enterprise in one place for easy management
Enterprise Key Managers enable and enhance functionality not available in the SQL Server Engine:
Key Generation
Key Storage – Keeping data separate from the keys that protect it is a best practice
Key Retrieval
Key Retention
Key Rotation
Key Recovery
Key Distribution
Key Disposal
[Diagram layers: Software environment, Application, HW platform, Hypervisor, Operating System, CPU, Memory, Storage, Back-ups]
[Diagram: Hardware Security Module beside the layers Software environment, Application, HW platform, Hypervisor, Operating System, CPU, Memory, Storage, Back-ups]
Best Practice for Secure Key Management
Thales nShield HSMs add FIPS & EAL 4+ compliant key storage
Validated up to FIPS 140-2 Level 3
Validated up to Common Criteria EAL 4+
External regulations, especially in government
Internal security policies required by many enterprises.
Ensures your systems are both current and compliant
Thales nShield HSMs integrate with Microsoft Identity & Security Products to offer:
Manage keys across hundreds of database servers
Reduce operation cost
Protect keys with hardware device
Facilitate key rotation
Ensure recoverability of data
Key Management Lifecycle with Thales HSM
Jeff Tiung (CISSP, CISA), Senior Security Engineer
Thales e-Security Hong Kong
Thank You