SQLCAT ‐ Data and Admin Security Il-Sung Lee, Senior Program Manager Denny Lee, Senior Program Manager Ayad Shammout, Caregroup Healthcare PASS Community Summit 2008 November 18 – 21, 2008 Seattle WA



Page 2: SQLCAT - Data and Admin Security

SQL Server Customer Advisory Team (SQLCAT)

Works on the largest, most complex SQL Server projects worldwide
– US: NASDAQ, Progressive, Premier Bankcard, Hilton Hotels
– Europe: Barclays Capital, Danske Bank, McLaren, Bwin
– Asia/Pacific: Korea Telecom, GMarket, Japan Railways East, China Mobile
– LATAM: Banco Itau, Oi
– Strategic ISVs: SAP, Siebel, JDE, PeopleSoft, GE Healthcare, SunGard, Siemens, Dynamics and more

Drives product requirements back into SQL Server from our customers and ISVs

Shares deep technical content with SQL Server community
– SQLCAT.com
– http://blogs.msdn.com/sqlcat
– http://blogs.msdn.com/mssqlisv
– http://technet.microsoft.com/en-us/sqlserver/bb331794.aspx

2PASS Community Summit 2008 DBA-402-A SQLCAT - Security -- Data Security, Admin Security 

Page 3: SQLCAT - Data and Admin Security

SQL Server Design Win Program

Target the Most Challenging and Innovative Applications on SQL Server

Investing in Large Scale, Referenceable SQL Server Projects Across the World
– Provide SQLCAT technical & project experience
– Conduct architecture and design reviews covering performance, operation, scalability and availability aspects
– Offer use of HW lab in Redmond with direct access to SQL Server development team

Work with Marketing Team Developing Case Studies


Page 4: SQLCAT - Data and Admin Security

AGENDA

SQL Server 2008 Security Features
– Extensible Key Management
– Transparent Data Encryption
– SQL Server Audit

Customer Scenarios and Feedback
– Transparent Data Encryption and Extensible Key Management
– SQL Server Audit


Page 5: SQLCAT - Data and Admin Security

SQL SERVER 2008 SECURITY FEATURES


Page 6: SQLCAT - Data and Admin Security

EXTENSIBLE KEY MANAGEMENT

Key storage, management and encryption done by HSM module

SQL EKM key is a proxy to HSM key

SQL EKM Provider DLL implements SQLEKM interface, calls into HSM module


[Diagram: SQL Server → SQL EKM Provider DLL → HSM; the SQL EKM Key (HSM key proxy) protects Data]

Page 7: SQLCAT - Data and Admin Security

DATA ENCRYPTION

SQL Server 2005
– Built-in encryption functions
– Key management in SQL Server
– Encrypted File System (EFS)
– BitLocker

SQL Server 2008
– Extensible Key Management (EKM)
– Transparent Data Encryption (TDE)


Page 8: SQLCAT - Data and Admin Security

ADVANTAGES OF USING EKM

Security
– Data and keys are physically separated (keys are stored in HSM modules)
– Centralized key management and storage for enterprise
– Additional authentication layer
– Separation of duties between db_owner and data owner

Performance
– Pluggable hardware encryption boards


Page 9: SQLCAT - Data and Admin Security

EKM KEY HIERARCHY IN SQL 2008

[Diagram: EKM key hierarchy in SQL 2008. HSM ↔ SQL Server: an EKM Symmetric key or EKM Asymmetric key (proxies to HSM keys) protects a native Symmetric key, an Asymmetric key, the TDE DEK key, and Data]


Page 10: SQLCAT - Data and Admin Security

TRANSPARENT DATA ENCRYPTION

Encryption/decryption at database level

DEK is encrypted with:
– Certificate
– Key residing in a Hardware Security Module (HSM)

Certificate required to attach database files or restore a backup

[Diagram: Client Application ↔ SQL Server 2008 (DEK) ↔ Encrypted data page]


Page 11: SQLCAT - Data and Admin Security

TDE – KEY HIERARCHY

Operating System Level: Data Protection API (DPAPI)
– DPAPI encrypts Service Master Key

SQL Server 2008 Instance Level: Service Master Key
– Service Master Key encrypts Database Master Key (a Password can protect it as well)

SQL Server 2008 Master Database: Database Master Key
– Database Master Key encrypts Certificate in Master Database

SQL Server 2008 Master Database: Certificate
– Certificate encrypts Database Encryption Key

SQL Server 2008 User Database: Database Encryption Key


Page 12: SQLCAT - Data and Admin Security

TDE – KEY HIERARCHY WITH EKM

Hardware Security Module (HSM): Asymmetric Key
– Asymmetric Key resides on the EKM device
– Asymmetric Key encrypts Database Encryption Key

SQL Server 2008 User Database: Database Encryption Key
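An added example (not from the deck) of the T-SQL that builds this hierarchy: the EKM provider is registered, a key that lives on the HSM is proxied into SQL Server as an asymmetric key, and the DEK is protected by that key rather than by a certificate. The provider DLL path, the credential identity and secret, the HSM key name, the admin login and the database name SalesDB are placeholders; the provider's own DLL and HSM configuration are vendor-specific and outside the example.

```sql
USE master;
GO
-- 1. EKM is disabled by default
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO
-- 2. Register the vendor's SQL EKM provider DLL (placeholder path)
CREATE CRYPTOGRAPHIC PROVIDER HSM_Provider
    FROM FILE = 'C:\Program Files\HSMVendor\sqlekm.dll';
GO
-- 3. Credentials the engine presents to the HSM (the "additional
--    authentication layer"). A credential maps to one login only, so the
--    administrator creating the key and the TDE login each need their own.
CREATE CREDENTIAL HSM_Admin_Cred
    WITH IDENTITY = '<hsm user placeholder>', SECRET = '<hsm secret placeholder>'
    FOR CRYPTOGRAPHIC PROVIDER HSM_Provider;
CREATE CREDENTIAL HSM_TDE_Cred
    WITH IDENTITY = '<hsm user placeholder>', SECRET = '<hsm secret placeholder>'
    FOR CRYPTOGRAPHIC PROVIDER HSM_Provider;
GO
ALTER LOGIN [DOMAIN\dba_placeholder] ADD CREDENTIAL HSM_Admin_Cred;
GO
-- 4. SQL-side proxy for a key that already exists on the HSM; the key
--    material never leaves the device.
CREATE ASYMMETRIC KEY HSM_TDE_Key
    FROM PROVIDER HSM_Provider
    WITH PROVIDER_KEY_NAME = 'TDE_Key_01',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO
-- 5. A login mapped to the key and carrying the TDE credential lets the
--    engine open the HSM key without a user session, e.g. at startup.
CREATE LOGIN HSM_TDE_Login FROM ASYMMETRIC KEY HSM_TDE_Key;
ALTER LOGIN HSM_TDE_Login ADD CREDENTIAL HSM_TDE_Cred;
GO
-- 6. DEK in the user database, protected by the HSM-resident key
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY HSM_TDE_Key;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- The encryptor thumbprint now identifies the HSM key, not a certificate
SELECT DB_NAME(database_id) AS database_name, encryption_state, encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
```

Because the DEK is encrypted by a key the HSM never releases, a stolen backup or data file is unusable without access to both the HSM and the credential; that is the separation of duties the EKM slides refer to.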


Page 13: SQLCAT - Data and Admin Security

REASONS TO USE TDE

Protects data-at-rest
Entire database is protected
Applications do not need to explicitly encrypt/decrypt data!
– No restrictions with indexes or data types (except Filestream)
Performance cost is small
Backups are unusable without key


Page 14: SQLCAT - Data and Admin Security

TDE CONSIDERATIONS

Compatible with Database Compression
Not recommended with Backup Compression
Database Mirroring
– Copy certificate from primary to mirror
Log files are not retroactively encrypted
– Encryption begins at next VLF boundary
Tempdb is encrypted when 1 db in instance uses TDE
Enterprise only


Page 15: SQLCAT - Data and Admin Security

Enabling TDE

demo

Page 16: SQLCAT - Data and Admin Security

AUDITING DATABASE ACTIVITY

SQL Server 2005
– SQL Trace
– DDL/DML Triggers
– Third-party tools to read transaction logs
– No management tools support

SQL Server 2008
– SQL Server Audit


Page 17: SQLCAT - Data and Admin Security

SQL SERVER AUDIT

Audit now a 1st class server object
– Native DDL for Audit configuration and management
– Security support

Create an Audit object to automatically log actions to:
– File
– Windows Application Log
– Windows Security Log

Ability to define granular Audit Actions of Users or Roles on DB objects


Page 18: SQLCAT - Data and Admin Security

AUDIT SPECIFICATIONS

Server and database audit specifications for
– Pre-defined action groups
– Individual action filters

Server action groups
– Server config changes, login/logoff, role membership change, etc.

Database action groups
– Schema object access, database role membership change, database object access, database config change


Page 19: SQLCAT - Data and Admin Security

AUDIT SPECIFICATIONS

[Diagram: an Audit object writes to one of Security Event Log, Application Event Log or File system. 0..1 Server audit specification per Audit object, made up of Server Audit Actions; 0..1 DB audit specification per database per Audit object, made up of Database Audit Components / Database Audit Actions]

CREATE SERVER AUDIT SPECIFICATION SvrAC
FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP);

CREATE DATABASE AUDIT SPECIFICATION AuditAC
FOR SERVER AUDIT PCI_Audit
    ADD (SELECT ON Customers BY public);

Page 20: SQLCAT - Data and Admin Security

REASONS TO USE SQL AUDIT

Leverages high performance eventing infrastructure to generate audits
Runs within engine rather than as a side/separate app
Parity with SQL 2005 audit generation
Faster than SQL Trace
Records changes to Audit configuration
Configuration and management in SSMS
(Note: Enterprise Edition only)


Page 21: SQLCAT - Data and Admin Security

SQL Server Audit

demo

Page 22: SQLCAT - Data and Admin Security

CUSTOMER SCENARIOS


Page 23: SQLCAT - Data and Admin Security

Business Reasons

Compliance requirements for PCI, HIPAA, GLBA among many other acronyms

Key Management, Encryption, and Auditing are key components to meeting these compliance requirements

Refer to Compliance SDK that will be released on sqlcat.com and Technet this month


[Table: IT Control by regulation (columns SOX, PCI, HIPAA, GLBA); rows ID Management, Separation of Duties, Encryption, Key Management, Auditing, Control Testing, Policy Management. The per-cell markings did not survive extraction]

Page 24: SQLCAT - Data and Admin Security

Transparent Data Encryption – Customer Scenarios


Page 25: SQLCAT - Data and Admin Security

Transparent Data Encryption – What happens after encryption is enabled

When enabling encryption
– Immediate success, provided it is not blocked by a backup
– Can be executed with applications online
– Every page from this point forward is encrypted
– Background task will encrypt existing pages

TempDB is encrypted with AES 256 (strongest key available)
– This is done independently of the algorithm chosen for the user database
– If you unencrypt all user databases, this does not automatically unencrypt TempDB
– Consequences for other databases using TempDB intensively

Resources
– "Using Transparent Data Encryption with large SAP databases" will be published by Juergen Thomas on sqlcat.com


Page 26: SQLCAT - Data and Admin Security

Transparent Data Encryption – Operational Impact

Storage replication at hardware level
– Background task to encrypt all pages
– At HW level, all pages get changed, i.e. all pages need to be replicated
– Need to test whether your hardware replication can handle this throughput

When using Database Mirroring or Log Shipping
– Ensure that the mirror server has the master key and certificate as well
– Bottleneck isn't throughput of pages: the transaction log will have 1 entry per 4 extents (32 pages) noting that the extents are encrypted
– But the secondary server's restore of the transaction log uses fewer threads than the principal/primary server, i.e. a backlog in restore activity
– Possible failover issues: a synchronous mirroring backlog may result in not being able to fail over, since restoring the received transaction log records could take a few hours; for log shipping, restoration of the backups will fall behind, and manual failover cannot take place before the restore finally catches up
– May want to consider disabling HA and performing a resynchronization of your HA configuration
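An added example (not from the deck) of the one-time preparation the mirroring bullet calls for: importing the principal's TDE certificate on the mirror or log-shipping secondary so that the encrypted log records can be applied there. It is run on the secondary; paths and passwords are placeholders, and the .cer/.pvk files are the ones produced by BACKUP CERTIFICATE on the principal.

```sql
USE master;
GO
-- The secondary needs its own database master key; it is not copied over.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password placeholder>';
GO
-- Import the principal's certificate together with its private key. The
-- certificate name may differ from the principal's; only the key pair matters.
CREATE CERTIFICATE TDE_Cert
    FROM FILE = 'D:\KeyBackup\TDE_Cert.cer'
    WITH PRIVATE KEY (FILE = 'D:\KeyBackup\TDE_Cert.pvk',
                      DECRYPTION BY PASSWORD = '<private key password placeholder>');
GO
-- Check that the thumbprint matches encryptor_thumbprint in
-- sys.dm_database_encryption_keys on the principal; a mismatch means the
-- mirror/secondary will fail to open the DEK and cannot apply the log.
SELECT name, thumbprint, expiry_date
FROM sys.certificates
WHERE name = 'TDE_Cert';
```

Doing this before ALTER DATABASE ... SET ENCRYPTION ON on the principal avoids the case where mirroring is suspended because the partner cannot decrypt the first encrypted log records.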


Page 27: SQLCAT - Data and Admin Security


Transparent Data Encryption – Monitoring Progress of Encryption / Decryption


-- Encryption state and scan progress for every database that has a DEK
select DB_NAME(database_id) as database_name,
       case encryption_state
            when 1 then 'Unencrypted'
            when 2 then 'Encryption in Progress'
            when 3 then 'Encrypted'
            when 4 then 'DEK change in progress'
            when 5 then 'Decryption in progress'
       end as encryption_state_desc,
       key_algorithm, key_length, percent_complete
from sys.dm_database_encryption_keys

Page 28: SQLCAT - Data and Admin Security

Transparent Data Encryption – Customer Scenario

Observations
– 4 x 2 cores, one LUN for 6 data files on 30 spindles, 10 spindles for log
– Write rate 10-15% higher than read rate
– Writes bundled into 150-180k chunks – less I/O
– ½ core CPU: only one data LUN, therefore one background and one coordinating thread (recall, CPU is dependent on number of LUNs)
– 30MB/s volume for read, encrypt, write: for a 100GB volume, 1h with AES algorithm, 2.5h with TRIPLE_DES algorithm; same for encrypted to decrypted state

Performance Impact
– Hard to predict … "it depends"
– Will impact write-intensive workloads more than read-only workloads
– Another customer: 2008 (with TDE and PAGE compression) performance on par with 2005


Page 29: SQLCAT - Data and Admin Security

Transparent Data Encryption – Quick Guide

When implementing TDE
– Be sure to back up the certificate private key
– Rotate certificates and keys periodically as required by regulations
– Use EKM for stronger key protection and separation of duties
– Monitor key and encryption access
  – Policy Based Management
  – Auditing (Audit action types: DATABASE_OBJECT_ACCESS_GROUP and DATABASE_OBJECT_CHANGE_GROUP)


[Diagram: Extensible Key Management, Rotation Key Server, Backup Certificate and Certificate Template feed the Database Encryption Key, which protects the database. Possible algorithms include AES (128, 192, 256 bit) and 3DES]
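An added example (not from the deck) of the "rotate certificates and keys" bullet above: the DEK is re-protected with a new certificate, and the DEK itself is optionally regenerated. Names, paths and passwords are placeholders; it assumes a database SalesDB already encrypted under an older certificate.

```sql
USE master;
GO
-- 1. New certificate, backed up before it protects anything
CREATE CERTIFICATE TDE_Cert_2009 WITH SUBJECT = 'TDE certificate, rotated';
GO
BACKUP CERTIFICATE TDE_Cert_2009
    TO FILE = 'D:\KeyBackup\TDE_Cert_2009.cer'
    WITH PRIVATE KEY (FILE = 'D:\KeyBackup\TDE_Cert_2009.pvk',
                      ENCRYPTION BY PASSWORD = '<private key password placeholder>');
GO
USE SalesDB;
GO
-- 2. Certificate rotation: only the DEK is re-encrypted, data pages are
--    untouched, so this completes immediately.
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_2009;
GO
-- 3. DEK rotation: every page is re-encrypted in the background, the same
--    cost as the initial scan; encryption_state shows 4 while it runs.
ALTER DATABASE ENCRYPTION KEY
    REGENERATE WITH ALGORITHM = AES_256;
GO
-- 4. Progress and the new protector's thumbprint
SELECT encryption_state, encryptor_thumbprint, key_algorithm, key_length,
       regenerate_date, percent_complete
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID();
```

Keep the retired certificate and its backup for as long as any backup taken under it is still within its retention period; restoring such a backup needs the certificate that protected the DEK at backup time, not the current one. Both ALTER DATABASE ENCRYPTION KEY statements are what the DATABASE_OBJECT_CHANGE_GROUP audit action group on the slide is meant to catch.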

Page 30: SQLCAT - Data and Admin Security

Auditing – Customer Scenarios


Page 31: SQLCAT - Data and Admin Security

Auditing – Business Reasons

Compliance requirements for SOX, PCI, HIPAA, GLBA among many other acronyms

Customers like the fact that SQL is attempting to address auditing issues with this feature

Additional guidance on how to use it for auditing scenarios can be found in the Compliance SDK.


Page 32: SQLCAT - Data and Admin Security

Auditing – What to audit

Audit specific users
– Typically want to do sysadmin
– But many scenarios require auditing of more users because those users have insert/update access
– Based on your policies

Audit specific tables
– Audit all tables that can be modified or are deemed sensitive

Audit objects
– Key and encryption access auditing (Audit action types: DATABASE_OBJECT_ACCESS_GROUP and DATABASE_OBJECT_CHANGE_GROUP)

Audit everything approach
– Can grow quite quickly (i.e. lots of data), so may want to limit data
– Or have your audit reporting system filter out data you do not need
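An added example (not from the deck) that puts the audit specification DDL from the earlier slide together with the "what to audit" choices on this one: a file-target Audit object, a server specification for logins, audit-configuration and server-role changes, and a database specification that covers one sensitive table plus the two key-access action groups. The file path, the database SalesDB and the table dbo.Customers are placeholders; PCI_Audit, SvrAC and AuditAC are the names used on the deck's diagram.

```sql
USE master;
GO
-- 1. The Audit object decides where records go. A capped file size keeps each
--    file small enough to process downstream (100 MB is a constructed choice).
CREATE SERVER AUDIT PCI_Audit
TO FILE (FILEPATH = 'D:\AuditLogs\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 2147483647)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- 2. Server-level actions. Action groups in 2008 cannot be scoped to one
--    login, so sysadmin activity is caught by auditing the groups it affects:
--    failed logins, changes to the audit itself, and server role membership.
CREATE SERVER AUDIT SPECIFICATION SvrAC
FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (AUDIT_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
WITH (STATE = ON);
GO
-- 3. Database-level actions in the database holding the sensitive data.
--    The BY clause is where per-principal scoping happens; "public" means
--    every user, a specific user or role narrows it.
USE SalesDB;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditAC
FOR SERVER AUDIT PCI_Audit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public),
    ADD (DATABASE_OBJECT_ACCESS_GROUP),   -- key / certificate access
    ADD (DATABASE_OBJECT_CHANGE_GROUP)    -- key / certificate changes
WITH (STATE = ON);
GO
-- 4. Nothing is written until the Audit object itself is enabled.
USE master;
GO
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
-- 5. Confirm the audit and its server specification are both enabled.
SELECT a.name AS audit_name, a.is_state_enabled AS audit_on,
       s.name AS server_spec, s.is_state_enabled AS spec_on
FROM sys.server_audits AS a
LEFT JOIN sys.server_audit_specifications AS s ON s.audit_guid = a.audit_guid;
```

Adding DATABASE_OBJECT_ACCESS_GROUP to a busy database is the "audit everything" trap the slide warns about; start with the table-level actions and the change group, and widen only where policy demands it.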


Page 33: SQLCAT - Data and Admin Security

Auditing – Centralizing audit logs and reporting


[Diagram: DB Servers (SQL Audit on each DB Server) → Transfer Logs → File Server → SSIS → SQL 2008 → SSRS 2008 (Generate Reports) → Compliance Reports. Process Audit Information: use SSIS to process SQL 2008 audit log data and store it in its own SQL database]

Page 34: SQLCAT - Data and Admin Security

Auditing – Centralizing audit logs and reporting

Centralizing Logs
– Allows you to have one server process all audit logs from your servers
– Easier manageability
– Set files to 100MB in size (fewer files, but not too large to process)
– Can also centralize processing
– … and centralize reporting

Compliance SDK contains the full project
– Organized by Server, Database, DDL, and DML actions


Page 35: SQLCAT - Data and Admin Security

Auditing – Interesting finds from auditing

Backup a user database:
– Need CREATE permissions on the master database to look at the backup media
– The CREATE permission is a misnomer since you are not creating
– Nevertheless required to do a backup, hence the RESTORE LABELONLY statements in your audit

Server Principal Name is the user name

A lot of VIEW SERVER STATE calls, but this is part of an important server audit specification (may want to filter this out)
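An added example (not the Compliance SDK's code) of the centralizing and filtering described on the last three slides: the .sqlaudit files transferred to a file server are loaded into one reporting table, the VIEW SERVER STATE noise is dropped, and two of the "interesting finds" are queried. The reporting database AuditCentral, the UNC path and the server name DBServer01 are placeholders; the files are the ones a file-target Audit object writes.

```sql
USE AuditCentral;
GO
IF OBJECT_ID('dbo.AuditRecords') IS NULL
    CREATE TABLE dbo.AuditRecords (
        event_time            DATETIME2      NOT NULL,
        server_instance_name  NVARCHAR(128)  NOT NULL,
        server_principal_name NVARCHAR(128)  NULL,   -- the user name, per the slide
        database_name         NVARCHAR(128)  NULL,
        action_id             VARCHAR(4)     NOT NULL,
        action_name           NVARCHAR(128)  NULL,
        object_name           NVARCHAR(128)  NULL,
        succeeded             BIT            NOT NULL,
        statement             NVARCHAR(4000) NULL,
        source_file           NVARCHAR(260)  NOT NULL,
        file_offset           BIGINT         NOT NULL,
        -- file + offset identify a record, so re-running a load is idempotent
        CONSTRAINT PK_AuditRecords PRIMARY KEY (source_file, file_offset)
    );
GO
-- sys.dm_audit_actions lists an action_id once per securable class, so
-- collapse it to one name per action_id before joining.
WITH act AS (
    SELECT action_id, MIN(name) AS name
    FROM sys.dm_audit_actions
    GROUP BY action_id
)
INSERT INTO dbo.AuditRecords
SELECT f.event_time, f.server_instance_name, f.server_principal_name, f.database_name,
       f.action_id, act.name, f.object_name, f.succeeded, f.statement,
       f.file_name, f.audit_file_offset
FROM sys.fn_get_audit_file('\\fileserver\auditlogs\DBServer01\PCI_Audit_*.sqlaudit',
                           DEFAULT, DEFAULT) AS f
LEFT JOIN act ON act.action_id = f.action_id
WHERE ISNULL(act.name, '') <> 'VIEW SERVER STATE'       -- the noise the slide mentions
  AND NOT EXISTS (SELECT 1 FROM dbo.AuditRecords AS r   -- skip records already loaded
                  WHERE r.source_file = f.file_name
                    AND r.file_offset = f.audit_file_offset);
GO
-- Report 1: who did what, how often, and when
SELECT server_principal_name, action_name, COUNT(*) AS events,
       MIN(event_time) AS first_seen, MAX(event_time) AS last_seen
FROM dbo.AuditRecords
GROUP BY server_principal_name, action_name
ORDER BY events DESC;
GO
-- Report 2: backups surface as RESTORE LABELONLY against master
SELECT event_time, server_instance_name, server_principal_name, statement
FROM dbo.AuditRecords
WHERE statement LIKE 'RESTORE LABELONLY%'
ORDER BY event_time;
GO
```

One INSERT per source server (or a loop over the transferred directories) gives the single processing server the slides describe; the same two queries then serve as the data source for SSRS reports.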


Page 36: SQLCAT - Data and Admin Security

Auditing – Caregroup Hospitals Scenario

Auditing is a critical component of HIPAA compliance and ensuring patient privacy
– 1 billion rows of audit data
– 146 mission critical clinical applications
– Comprehensive audits yield 300-500k transactions/day
– HIPAA requires audit system with 20 years of data

Auditing Project
– Available to community as part of Compliance SDK
– Collaboration of Caregroup, MCS, SQLCAT

Quote:
– "Creating an enterprise tool for consolidated storage, reporting and alerting of all application audit data - that's cool!"
– John Halamka's Cool Technology of the Week (Wellsphere Top Health Blogger, Health Impact Award)


Page 37: SQLCAT - Data and Admin Security

Centralized Auditing Reporting in Action from Caregroup Healthcare

demo

Page 38: SQLCAT - Data and Admin Security

Thank you for attending this session and the PASS Community Summit 2008

PASS Community Summit 2008, November 18 – 21, 2008, Seattle WA