data management conference data security for audit and compliance terry room architect, microsoft...
TRANSCRIPT
Data Management Conference
Data Security for Audit and ComplianceTerry RoomArchitect, Microsoft Ltd
LondonSeptember 29th
Session Objectives
• Understand that Security is an important consideration for applications as well as the server
• Know what is available in SQL Server and how it can help you achieve security objectives
Agenda
• Protecting applications− Data protection− Authentication/Authorization− SQL Injection
• SQL 2008 Compliance New Features− Transparent Data Encryption− Extensible Key Management− Audit
A true story.....(kind of)
• The Company
• The Application
• The MD
• The IT Manager
• The DBA
Contoso.com
What happened
• Day 1 due diligence− Review and change admin passwords
• 10 minutes later− Helpdesk reports problems− Login failures
• Smoking gun− ODBC DSN
• 10 minutes later− Helpdesk reports problems− Module failures, report failures− Code review !
using ‘sa’ context!
Code review
• Issues− No centralized data access layer− Embedded SQL
− Lookup Order:
− Lookup Customer:
− Connection strings with hardcoded passwords
“SELECT * FROM Orders WHERE OrderId=“ + varOrderId
SELECT * FROM Customer WHERE SurName Like ‘”+ varSearchTerm +”’”
Provider=sqloledb;Data Source=xxx;Initial Catalog=billingDB;User Id=sa;Password=‘’;
Authentication
SQL AUTHENTICATION WINDOWS AUTHENTICATION
Userid/Password Encrypted Token (Kerberos)Challenge-Response (NTLM)
Password obfuscated on wire Password not transmitted on wire
Subject to replay attack if channel not encrypted
Not subject to replay attack (Kerberos)
No mutual authentication Mutual authentication with Kerberos
Logins managed in SQL Server Logins managed by Windows
DBAs create login accounts Windows/domain admins create login accounts
Password policy enforced by Windows (Windows 2003+)
Password policy enforced by Windows
Security context may or may not be common between servers
Security context is common between servers
Data Encryption
• In SQL Server 2000, 3rd party support required
• Since SQL Server 2005 − Built-in support for data encryption− Support for key management
• Encryption additions in SQL Server 2008− Transparent Data Encryption− Extensible Key Management
Channel Encryption
• Support for full SSL Encryption since SQL Server 2000− Clients: MDAC 2.6 or later− Force encryption from client or server
• Login packet encryption− Used regardless of encryption settings− Supported since 2000− Self-generated certificates avail since
2005
Permission Strategy
• Follow principal of least privilege!• Avoid using sysadmin/sa and
db_owner/dbo− Grant required perms to normal login
• Never use the dbo schema− User-schema separation
• Applications should have own schema− Consider multiple schemas
• Leverage Flexible Database Roles− Facilitates role separation
• Consider Auditing user activity
GRANT EXECUTE ONHR.Proc1 TO Bob
EXECUTE HR.Proc1
Proc1
View1
Table1
Check EXECUTE
No check
No check
Database
Alice’s HR Schema
Bob
Alice
Ownership Chaining
• Beware of Ownership Chaining
Execution ContextBest Practices
• Controlled escalation of privileges− DB scoped: EXECUTE AS and App Roles− Cross-DB scoped: Certificates− Avoid using dynamic SQL under an
escalated context
• Do not use use CDOC and SETUSER• Avoid allowing guest access on user
DBs
SQL Injection
• SQL Injection is an attack where malicious code is inserted into strings and later passed to SQL Server for parsing and execution.
SELECT * FROM Customer WHERE SurName Like ‘”+ varSearchTerm +”%’”
''';DROP TABLE CUSTOMERS--'
SELECT * FROM Customer WHERE SurName Like ‘%’; DROP TABLE CUSTOMERS—’
SQL Injection – defence
• Use parameterized SQL queries• Use Type-Safe SqlParameter in .Net• Use parameterized SPs• Least-privilege Principle• Escape special characters• Escape quotes with
quotename/replace• Escape wildcards in LIKE statements• Validate buffer length to avoid
truncation
Business Reasons
• Compliance requirements for PCI, HIPAA, GLBA among many other acronyms
• Key Management, Encryption, and Auditing are key components to meeting these compliance requirements
• Refer to Compliance SDK and the SQL Compliance site: http://www.microsoft.com/sql/compliance
IT Control SO
X
PC
I
HIP
AA
GL
BA
ID Management
Separation of Duties
Encryption
Key Management
Auditing
Control Testing
Policy Management
Data Encyption
• SQL Server 2005− Built-in encryption functions− Key management in SQL Server− Encrypted File System (EFS)− Bit-Locker
• SQL Server 2008− Extensible Key Management (EKM)− Transparent Data Encryption (TDE)
Extensible Key Management
• Key storage, management and encryption done by HSM module
• SQL EKM key is a proxy to HSM key
• SQL EKM Provider DLL implements SQLEKM interface, calls into HSM module
SQL EKM Provider DLL
SQL EKM Key(HSM key proxy)
Data
SQL Server
HSM
Advantages of using EKM
• Security− Data and keys are physically separated
(keys are stored in HSM modules)− Centralized key management and
storage for enterprise− Additional authentication layer− Separation of duties between db_owner
and data owner
• Performance− Pluggable hardware encryption boards
EKM Key Hierarchy in SQL 2008
HSM
Data
Data
Native Symmetric key
TDE DEK key
EKM Symmetric key EKM Asymmetric key
SQL Server
Symmetric key Asymmetric key
Transparent Data Encryption (TDE)
• Encryption/decryption at database level
• DEK is encrypted with:− Certificate− Key residing in a
Hardware Security Module (HSM)
• Certificate required to attach database files or restore a backup
SQL Server 2008
DEK
Client Application
Encrypted data page
SQL Server 2008Instance Level
Service Master Key
TDE – Key Hierarchy
Database Master Key encrypts Certificate In Master Database
SQL Server 2008 User Database
Database Encryption Key
DPAPI encrypts Service Master Key
Service Master Key encrypts Database Master KeyPassword
Operating System LevelData Protection API (DPAPI)
SQL Server 2008 Master Database
Database Master Key
SQL Server 2008 Master Database
Certificate
Certificate encrypts Database Encryption Key
SQL Server 2008 User Database
Database Encryption Key
TDE – Key Hierarchy with EKM
Asymmetric Key resides on the EKM device
Asymmetric Key encrypts Database Encryption Key
Hardware Security Module (HSM)Asymmetric Key
TDE considerations
• Compatible with Database Compression
• Not recommended with Backup Compression
• Database Mirroring− Copy certificate from primary to mirror
• Log files are not retroactively encrypted− Encryption begins at next VLF boundary
• Tempdb is encrypted when 1 db in instance uses TDE
• Enterprise only
Transparent Data EncryptionOperational Impact
• Storage replication at hardware level− Background task to encrypt all pages− At HW level, all pages get changed, i.e. all pages need to be replicated− Need to test if your hardware replication can handle this throughput
• When using Database Mirroring or Log Shipping, − Ensure that the mirror server has the master key and certificate as well− Bottleneck isn’t throughput of pages
− Transaction log will have 1 entry for 4 extents (32 pages) noting extents are encrypted
− But, secondary server restore of transaction log uses less threads than principle/primary servers, i.e. back log in restore activity
− Possible Failover Issues− Synchronous mirroring backlog may result in not being able to failover since
restoring received transaction log records could take a few hours− For log shipping restoration of the backups will fall behind, manual failover
cannot take place before restore finally caught up.− May want to consider disabling HA and perform resynchronization of
your HA configuration
Auditing Database Activity
• SQL Server 2005− SQL Trace− DDL/DML Triggers− Third-party tools to read transaction logs− No management tools support
• SQL Server 2008− SQL Server Audit
Audit Specifications
29
AuditSecurity Event Log
Application Event Log File syste
m0..1Server audit specification per Audit object
0..1DB audit specificationper database per Audit object
CREATE SERVER AUDIT SPECIFICATION SvrACTO SERVER AUDIT PCI_Audit ADD (FAILED_LOGIN_GROUP);
CREATE DATABASE AUDIT SPECIFICATION AuditACTO SERVER AUDIT PCI_Audit ADD (SELECT ON Customers BY public)
Server Audit
Specification
Server Audit ActionServer Audit
ActionServer Audit ActionServer Audit
ActionServer Audit Action
Database Audit ComponentsDatabase Audit
ComponentsDatabase Audit Components
Database Audit
Specification
Database Audit ActionDatabase Audit
ActionDatabase Audit ActionDatabase Audit
ActionDatabase Audit Action
File
Reasons to use SQL Audit
• Leverages high performance eventing infrastructure to generate audits
• Runs within engine rather than as a side/separate app
• Parity with SQL 2005 Audit Generation• Faster than SQL Trace• Records changes to Audit
configuration• Configuration and management in
SSMS• (Note: Enterprise Edition only)
AuditingCentralizing audit logs and reporting
Compliance Reports
Process Audit InformationUse SSIS to process SQL2008 audit log data and store in its own SQL database.
File Server SQL 2008
SQL Audit
SSIS
Generate Reports
DB Servers
DB Server
DB Server
DB Server
Transfer Logs
SSRS 2008
Take aways
• Protect applications not just databases• Get the basics right!• Leverage all of the features of SQL
Server to meet your compliance needs
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.