Database Security & Audit Proposal

Upload: kory-phillips

Post on 29-Dec-2015

[Limited Access]

Content:

Purpose

Mechanism

Difficulty

Proposal

1. Purpose

> Ensure data security: data must not be modified arbitrarily.

> All operations on sensitive data by those who have permissions should be audited (including read/write/...).

2. Mechanism

> Database Account & Privileges Control

> Database Operation Audit

> Data files and Backup files security

> Data encryption

> Sensitive Data separation

Database Account & Privileges Control

> Prod/UAT Server (table columns: Account, Account Owner, Future Account Owner, Privileges, Note)

Account: DBA (Domain Account)
Account Owner: Xiaodan Tang/Hongtan
Future Account Owner: Hongtan/JianXu
Privileges: dbcreator, SQLAgentOperatorRole, db_owner of all DB except "Aud"/"Security"
Note: DBA has no privileges to read or create users in "Aud"/"Security", nor to create users with more privileges than themselves.

Account: SecurityAccount
Account Owner: Jiang Jingmin
Privileges: SecurityAdmin, Alter any login, db_datawriter in Security
Note: Manage users, manage tables in Security.

Account: Sqladmin backup account
Account Owner: Jianxu
Future Account Owner: ISO Department
Privileges: sysadmin
Note: A backup account, for the situation where "sqladmin" forgets his password.

Account: sqladmin
Account Owner: Jingmin Jiang
Future Account Owner: a non-IT person
Privileges: sysadmin
Note: sqladmin has all privileges; used to grant privileges to the DBA in some situations.

Account: Aud_user
Account Owner: Xiaodan Tang
Future Account Owner: Audit work group
Privileges: db_owner of Security/Aud

Account: User Account
Account Owner: App Team
Privileges: According to the application form and approval email.
Note: For Prod Server, the highest privileges for the app team are db_datareader and db_datawriter on some databases, unless the SVP approves more.

> Dev Server (table columns: Account, Account Owner, Future Account Owner, Privileges, Note)

Account: DBA (Domain Account)
Account Owner: Xiaodan Tang/Hongtan
Future Account Owner: Hongtan/JianXu
Privileges: dbcreator, alter any login, SQLAgentOperatorRole, db_owner of all DB except "Aud"/"Security"
Note: DBA has no privileges to read or create users in "Aud"/"Security", nor to create users with more privileges than themselves.

Account: SecurityAccount
Account Owner: Hongtan/JianXu
Privileges: SecurityAdmin, Alter any login, db_datawriter in Security
Note: Manage users, manage tables in Security.

Account: Sqladmin backup account
Account Owner: Jianxu
Future Account Owner: Jianxu
Privileges: sysadmin
Note: A backup account, for the situation where "sqladmin" forgets his password.

Account: sqladmin
Account Owner: Jingmin Jiang
Future Account Owner: Jingmin Jiang
Privileges: sysadmin
Note: sqladmin has all privileges; used to grant privileges to the DBA in some situations.

Account: Aud_user
Account Owner: Xiaodan Tang
Future Account Owner: Project Manager
Privileges: db_owner of Security/Aud

Account: User Account
Account Owner: App Team
Privileges: According to the application form and email.
Note: For DEV Server, the highest privilege for the app team is db_owner on some databases.
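Provisioning the DBA domain account with exactly the privilege set in the Prod/UAT and Dev tables above, followed by the two checks a reviewer would run (no user mapped in Aud/Security, and who holds sysadmin). This is an added T-SQL example, not code from the proposal; the login name CORP\dba_account is a placeholder and the statements assume SQL Server 2012 or later.

```sql
-- Added example (not from the proposal). CORP\dba_account is a placeholder login name.
USE master;
GO
CREATE LOGIN [CORP\dba_account] FROM WINDOWS;
ALTER SERVER ROLE dbcreator ADD MEMBER [CORP\dba_account];   -- server-level: dbcreator only
GO
-- SQLAgentOperatorRole is a database role inside msdb
USE msdb;
CREATE USER [CORP\dba_account] FOR LOGIN [CORP\dba_account];
ALTER ROLE SQLAgentOperatorRole ADD MEMBER [CORP\dba_account];
GO
-- db_owner in every user database except Aud and Security
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'USE ' + QUOTENAME(name) + N';
  IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N''CORP\dba_account'')
    CREATE USER [CORP\dba_account] FOR LOGIN [CORP\dba_account];
  ALTER ROLE db_owner ADD MEMBER [CORP\dba_account];
'
FROM sys.databases
WHERE database_id > 4 AND name NOT IN (N'Aud', N'Security');
EXEC sys.sp_executesql @sql;
GO
-- Check 1: the DBA account must not exist as a user in Aud or Security (expected: no rows)
SELECT N'Aud' AS db, name FROM Aud.sys.database_principals WHERE name = N'CORP\dba_account'
UNION ALL
SELECT N'Security', name FROM Security.sys.database_principals WHERE name = N'CORP\dba_account';
-- Check 2: every login holding sysadmin (only sqladmin and its backup account should appear)
SELECT p.name, p.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
```

Run both checks again whenever a database is created, since a dbcreator login becomes owner of any database it creates itself.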


Database Audit Method


Database Audit Content

Global Trace (for all logins):

> Server start/stop

> Login Failed

> Object created/Deleted

> Database scope GDR event

> Schema scope GDR event

> ADD/GDR/change login event

> ADD/GDR/change db user/role event

> Statement permission event

> Backup/Restore event

> Change Audit event

> Object derived Permissions

> Server scope GDR event

Privileges Trace (for users who have sysadmin privileges, users specified in user_data, or specified databases):

> Schema Access

> Filter: users who have sysadmin privileges; users in security.dbo.user_data whose audit flag is true; users in security.dbo.firecalls. We can also restrict the audit to the specific databases listed in Security.dbo.audit_db.

Note: The global trace is used for all logins, and the privileges trace is for all users who have sysadmin privileges plus the users specified in user_data or the specified databases.


How to Query Audit Result

Stored Procedures:

sp_audit_result: Query the audit result in the Aud database. [The day before that day]

sp_audit_result_trc: Query the result from the trace file. [That day]

User:

aud_user

Usage:

exec sp_audit_result 'username', 'time'    -- or with no parameter

exec sp_audit_result_trc 'username'        -- or with no parameter
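The body of a query like sp_audit_result_trc, reading the current trace file and applying the Privileges Trace filter from the Database Audit Content slide. This is an added example, not the proposal's own procedure; the trace file path and the column names of Security.dbo.user_data (login_name, audit), Security.dbo.firecalls (login_name) and Security.dbo.audit_db (db_name) are assumptions, since the deck names only the tables.

```sql
-- Added example (not the deck's sp_audit_result_trc). Assumed: trace path and the
-- column names of the three Security.dbo filter tables.
DECLARE @trace_file nvarchar(260) = N'D:\audit\privileges_trace.trc';  -- placeholder path
DECLARE @username sysname = NULL;   -- NULL behaves like calling with no parameter

SELECT t.StartTime,
       e.name AS event_name,        -- e.g. Audit Schema Object Access Event
       t.LoginName,
       t.DatabaseName,
       t.ObjectName,
       t.TextData
FROM sys.fn_trace_gettable(@trace_file, DEFAULT) AS t
JOIN sys.trace_events AS e ON e.trace_event_id = t.EventClass
WHERE (@username IS NULL OR t.LoginName = @username)
  AND (
        -- 1. every login that currently holds sysadmin
        t.LoginName IN (SELECT p.name
                        FROM sys.server_role_members AS rm
                        JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
                        JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
                        WHERE r.name = N'sysadmin')
        -- 2. logins flagged for audit in Security.dbo.user_data
     OR t.LoginName IN (SELECT login_name FROM Security.dbo.user_data WHERE audit = 1)
        -- 3. emergency (firecall) logins
     OR t.LoginName IN (SELECT login_name FROM Security.dbo.firecalls)
        -- 4. any activity against a database listed in Security.dbo.audit_db
     OR t.DatabaseName IN (SELECT db_name FROM Security.dbo.audit_db)
      )
ORDER BY t.StartTime;
```

Only aud_user (db_owner of Security/Aud) needs rights on the filter tables and the trace file, which keeps the DBA out of the audit path as the account table requires.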


> Data files and Backup files security

Infrastructure:

Keep the data files directory inaccessible to unrelated people.

Move the backup files to a secure place at a specific time after the database backup is taken.

Audit access and other operations by users who have permissions on the backup/data files.

DMS:

Encrypt the backup file when backing up a database that contains sensitive data.

> Data encryption

App Team (Optional):

Encrypt the sensitive data columns / use keys when designing the database.
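The DMS step (encrypted backup) and the optional app-team step (column encryption with a key) above, written out in T-SQL. This is an added example, not from the proposal; it assumes SQL Server 2014 or later for backup encryption and uses placeholder names: database SensitiveDB, table dbo.Customer with a plaintext column IdNumber nvarchar(50), and the secured path D:\secure\.

```sql
-- Added example (not from the proposal). Placeholders: SensitiveDB, dbo.Customer, D:\secure\.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<master key password placeholder>';
CREATE CERTIFICATE BackupCert WITH SUBJECT = N'Backup encryption certificate';
-- Export the certificate once and keep it in the secured location with the backups;
-- without it an encrypted backup cannot be restored on another server.
BACKUP CERTIFICATE BackupCert TO FILE = N'D:\secure\BackupCert.cer'
  WITH PRIVATE KEY (FILE = N'D:\secure\BackupCert.pvk',
                    ENCRYPTION BY PASSWORD = N'<private key password placeholder>');
GO
-- DMS step: encrypted backup of a database that holds sensitive data
BACKUP DATABASE SensitiveDB TO DISK = N'D:\secure\SensitiveDB.bak'
  WITH COMPRESSION, ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert);
GO
-- App-team step: encrypt a sensitive column with a symmetric key protected by a certificate
USE SensitiveDB;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<database master key password placeholder>';
CREATE CERTIFICATE ColCert WITH SUBJECT = N'Column key protection';
CREATE SYMMETRIC KEY ColKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE ColCert;
GO
ALTER TABLE dbo.Customer ADD IdNumberEnc varbinary(512);
GO
OPEN SYMMETRIC KEY ColKey DECRYPTION BY CERTIFICATE ColCert;
UPDATE dbo.Customer SET IdNumberEnc = ENCRYPTBYKEY(KEY_GUID(N'ColKey'), IdNumber);
CLOSE SYMMETRIC KEY ColKey;
GO
-- Drop the plaintext column only after the encrypted copy has been verified
ALTER TABLE dbo.Customer DROP COLUMN IdNumber;
GO
-- Reading requires rights on ColKey and ColCert; other principals see only ciphertext
OPEN SYMMETRIC KEY ColKey DECRYPTION BY CERTIFICATE ColCert;
SELECT CONVERT(nvarchar(50), DECRYPTBYKEY(IdNumberEnc)) AS IdNumber FROM dbo.Customer;
CLOSE SYMMETRIC KEY ColKey;
```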


> Sensitive Data separation

> Tan Hong


3. Difficulty

> The sysadmin has all permissions; who should hold sysadmin?

> What if the sysadmin deletes the audit database?

> Does Infrastructure monitor the copy operation? If someone copies the backup file out and …


4. Proposal