SQLCAT - Data and Admin Security
Il-Sung Lee, Senior Program Manager; Denny Lee, Senior Program Manager; Ayad Shammout, Caregroup Healthcare
PASS Community Summit 2008, November 18 – 21, 2008, Seattle WA
SQL Server Customer Advisory Team (SQLCAT)
- Works on the largest, most complex SQL Server projects worldwide
  - US: NASDAQ, Progressive, Premier Bankcard, Hilton Hotels
  - Europe: Barclays Capital, Danske Bank, McLaren, Bwin
  - Asia/Pacific: Korea Telecom, GMarket, Japan Railways East, China Mobile
  - LATAM: Banco Itau, Oi
  - Strategic ISVs: SAP, Siebel, JDE, PeopleSoft, GE Healthcare, SunGard, Siemens, Dynamics and more
- Drives product requirements back into SQL Server from our customers and ISVs
- Shares deep technical content with the SQL Server community
  - SQLCAT.com
  - http://blogs.msdn.com/sqlcat
  - http://blogs.msdn.com/mssqlisv
  - http://technet.microsoft.com/en-us/sqlserver/bb331794.aspx
PASS Community Summit 2008 DBA-402-A SQLCAT - Security -- Data Security, Admin Security
SQL Server Design Win Program
- Target the most challenging and innovative applications on SQL Server
- Investing in large scale, referenceable SQL Server projects across the world
  - Provide SQLCAT technical and project experience
  - Conduct architecture and design reviews covering performance, operation, scalability and availability aspects
  - Offer use of the HW lab in Redmond with direct access to the SQL Server development team
- Work with the Marketing Team developing case studies
AGENDA
- SQL Server 2008 Security Features
  - Extensible Key Management
  - Transparent Data Encryption
  - SQL Server Audit
- Customer Scenarios and Feedback
  - Transparent Data Encryption and Extensible Key Management
  - SQL Server Audit
SQL SERVER 2008 SECURITY FEATURES
EXTENSIBLE KEY MANAGEMENT
- Key storage, management and encryption are done by the HSM module
- The SQL EKM key is a proxy to the HSM key
- The SQL EKM Provider DLL implements the SQLEKM interface and calls into the HSM module
[Diagram: SQL Server holds the SQL EKM Key (HSM key proxy) and the data; the SQL EKM Provider DLL connects SQL Server to the HSM, where the real key lives]
DATA ENCRYPTION
- SQL Server 2005
  - Built-in encryption functions
  - Key management in SQL Server
  - Encrypting File System (EFS)
  - BitLocker
- SQL Server 2008
  - Extensible Key Management (EKM)
  - Transparent Data Encryption (TDE)
ADVANTAGES OF USING EKM
- Security
  - Data and keys are physically separated (keys are stored in HSM modules)
  - Centralized key management and storage for the enterprise
  - Additional authentication layer
  - Separation of duties between db_owner and data owner
- Performance
  - Pluggable hardware encryption boards
EKM KEY HIERARCHY IN SQL 2008
[Diagram: the HSM holds the EKM Symmetric key and EKM Asymmetric key; inside SQL Server these protect the native Symmetric key, Asymmetric key and the TDE DEK key, which in turn protect the data]
TRANSPARENT DATA ENCRYPTION
- Encryption/decryption at the database level
- The DEK is encrypted with:
  - a Certificate, or
  - a Key residing in a Hardware Security Module (HSM)
- The Certificate is required to attach database files or restore a backup
[Diagram: the Client Application talks to SQL Server 2008, which uses the DEK to read and write the encrypted data page]
TDE – KEY HIERARCHY
- Operating System Level: the Data Protection API (DPAPI) encrypts the Service Master Key
- SQL Server 2008 Instance Level: the Service Master Key encrypts the Database Master Key (which can also be protected by a Password)
- SQL Server 2008 Master Database: the Database Master Key encrypts the Certificate in the master database
- SQL Server 2008 User Database: the Certificate encrypts the Database Encryption Key
TDE – KEY HIERARCHY WITH EKM
- Hardware Security Module (HSM): the Asymmetric Key resides on the EKM device
- SQL Server 2008 User Database: the Asymmetric Key encrypts the Database Encryption Key
REASONS TO USE TDE
- Protects data-at-rest
- Entire database is protected
- Applications do not need to explicitly encrypt/decrypt data!
  - No restrictions with indexes or data types (except Filestream)
- Performance cost is small
- Backups are unusable without the key
TDE CONSIDERATIONS
- Compatible with Database Compression
- Not recommended with Backup Compression
- Database Mirroring
  - Copy the certificate from the primary to the mirror
- Log files are not retroactively encrypted
  - Encryption begins at the next VLF boundary
- Tempdb is encrypted when 1 db in the instance uses TDE
- Enterprise only
Demo: Enabling TDE
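The key hierarchy above (DMK in master, certificate, DEK in the user database) and the demo step, written out as an added T-SQL example that is not the deck's own demo script. The database name SalesDB, the certificate name TDE_Cert, the file paths and the password placeholders are assumptions.

```sql
-- Added example (not from the deck): enabling TDE on SalesDB with a certificate-protected DEK.
USE master;
GO
-- 1. Database Master Key in master; it is itself protected by the Service Master Key
--    (DPAPI-protected) and by the password given here.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password placeholder>';
GO
-- 2. Certificate in master that will protect the DEK.
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- 3. Back up the certificate and its private key before encrypting anything:
--    without it, backups cannot be restored and the data files cannot be attached elsewhere.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'C:\keys\TDE_Cert.cer'               -- assumed path
    WITH PRIVATE KEY (FILE = 'C:\keys\TDE_Cert.pvk',
                      ENCRYPTION BY PASSWORD = '<private key password placeholder>');
GO
-- 4. DEK inside the user database, AES 256, protected by the server certificate.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
-- 5. Switch encryption on. The statement returns at once; a background task encrypts
--    the existing pages while applications stay online.
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- On a mirror or log-shipping secondary the same certificate must exist in master,
-- restored from the backup files above (run there, not on the principal):
-- USE master;
-- CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password placeholder>';
-- CREATE CERTIFICATE TDE_Cert FROM FILE = 'C:\keys\TDE_Cert.cer'
--     WITH PRIVATE KEY (FILE = 'C:\keys\TDE_Cert.pvk',
--                       DECRYPTION BY PASSWORD = '<private key password placeholder>');
```

Store the .cer/.pvk pair and its password apart from the database backups; whoever holds both can restore the encrypted database anywhere.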
AUDITING DATABASE ACTIVITY
- SQL Server 2005
  - SQL Trace
  - DDL/DML Triggers
  - Third-party tools to read transaction logs
  - No management tools support
- SQL Server 2008
  - SQL Server Audit
SQL SERVER AUDIT
- Audit is now a 1st class server object
  - Native DDL for Audit configuration and management
  - Security support
- Create an Audit object to automatically log actions to:
  - File
  - Windows Application Log
  - Windows Security Log
- Ability to define granular Audit Actions of users or roles on DB objects
AUDIT SPECIFICATIONS
- Server and database audit specifications for
  - Pre-defined action groups
  - Individual action filters
- Server action groups
  - Server config changes, login/logoff, role membership change, etc.
- Database action groups
  - Schema object access, database role membership change, database object access, database config change
AUDIT SPECIFICATIONS
[Diagram: an Audit object writes to one target (Security Event Log, Application Event Log or File system); each Audit object has 0..1 Server Audit Specification (a set of Server Audit Actions) and 0..1 Database Audit Specification per database (a set of Database Audit Actions / Components)]

-- Server audit specification: at most one per Audit object (PCI_Audit must already exist)
CREATE SERVER AUDIT SPECIFICATION SvrAC
    FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP);

-- Database audit specification: at most one per database per Audit object
CREATE DATABASE AUDIT SPECIFICATION AuditAC
    FOR SERVER AUDIT PCI_Audit
    ADD (SELECT ON Customers BY public);
REASONS TO USE SQL AUDIT
- Leverages the high performance eventing infrastructure to generate audits
- Runs within the engine rather than as a side/separate app
- Parity with SQL 2005 audit generation
- Faster than SQL Trace
- Records changes to the Audit configuration
- Configuration and management in SSMS (Note: Enterprise Edition only)
Demo: SQL Server Audit
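A complete audit definition in the shape the slides describe (one Audit object, one server specification, one database specification), as an added example rather than the deck's demo script. The names PCI_Audit, PCI_ServerSpec, PCI_DbSpec, SalesDB, dbo.Customers and the file path are assumptions; the 100 MB file size follows the centralizing guidance later in the deck.

```sql
-- Added example (not from the deck): file-targeted audit with server and database specs.
USE master;
GO
-- The Audit object is the target. Files roll over at 100 MB so the collector has
-- manageable pieces to process; the audit keeps running if the target cannot be written.
CREATE SERVER AUDIT PCI_Audit
    TO FILE (FILEPATH = 'D:\SQLAudit\',              -- assumed path
             MAXSIZE = 100 MB,
             MAX_ROLLOVER_FILES = UNLIMITED)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- Server-level actions: failed logins, server role membership changes and,
-- so that tampering with the audit itself is recorded, audit configuration changes.
CREATE SERVER AUDIT SPECIFICATION PCI_ServerSpec
    FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
USE SalesDB;
GO
-- Database-level actions: DML on the sensitive table by any principal, plus the two
-- groups the deck names for key and certificate access auditing.
CREATE DATABASE AUDIT SPECIFICATION PCI_DbSpec
    FOR SERVER AUDIT PCI_Audit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public),
    ADD (DATABASE_OBJECT_ACCESS_GROUP),
    ADD (DATABASE_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Nothing is written until the Audit object itself is switched on.
USE master;
GO
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
```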
CUSTOMER SCENARIOS
Business Reasons
- Compliance requirements for PCI, HIPAA, GLBA among many other acronyms
- Key Management, Encryption, and Auditing are key components to meeting these compliance requirements
- Refer to the Compliance SDK that will be released on sqlcat.com and Technet this month
[Table: IT Controls (ID Management, Separation of Duties, Encryption, Key Management, Auditing, Control Testing, Policy Management) mapped against SOX, PCI, HIPAA and GLBA; the cell marks are not recoverable from the extracted text]
Transparent Data Encryption: Customer Scenarios
Transparent Data Encryption: What happens after encryption is enabled
- When enabling encryption
  - Immediate success, provided it is not blocked by a backup
  - Can be executed with applications online
  - Every page from this point forward is encrypted; a background task encrypts the existing pages
- TempDB is encrypted with AES 256 (strongest key available)
  - This is done independent of the algorithm chosen for the user database
  - If you unencrypt all user databases, this does not automatically unencrypt TempDB
  - Consequences for other databases using TempDB intensively
- Resources: "Using Transparent Data Encryption with large SAP databases" will be published by Juergen Thomas on sqlcat.com
Transparent Data Encryption: Operational Impact
- Storage replication at the hardware level
  - Background task encrypts all pages
  - At the HW level, all pages get changed, i.e. all pages need to be replicated
  - Need to test whether your hardware replication can handle this throughput
- When using Database Mirroring or Log Shipping
  - Ensure that the mirror server has the master key and certificate as well
  - The bottleneck isn't throughput of pages: the transaction log has 1 entry per 4 extents (32 pages) noting that the extents are encrypted, but the secondary server's restore of the transaction log uses fewer threads than the principal/primary server, i.e. a backlog builds in restore activity
  - Possible failover issues
    - A synchronous mirroring backlog may mean you cannot fail over, since restoring the received transaction log records could take a few hours
    - For log shipping, restoration of the backups will fall behind; manual failover cannot take place before the restore has finally caught up
  - May want to consider disabling HA and performing a resynchronization of your HA configuration
Transparent Data Encryption: Monitoring Progress of Encryption / Decryption

-- encryption_state and percent_complete come from the DMV for every database with a DEK
SELECT DB_NAME(database_id) AS database_name,
       CASE encryption_state
            WHEN 1 THEN 'Unencrypted'
            WHEN 2 THEN 'Encryption in Progress'
            WHEN 3 THEN 'Encrypted'
            WHEN 4 THEN 'DEK change in progress'
            WHEN 5 THEN 'Decryption in progress'
       END AS encryption_state_desc,
       key_algorithm, key_length, percent_complete
FROM sys.dm_database_encryption_keys;
Transparent Data Encryption: Customer Scenario
- Observations
  - 4 x 2 cores, one LUN for 6 data files on 30 spindles, 10 spindles for log
  - Write rate 10-15% higher than read rate
  - Writes bundled into 150-180k chunks (less I/O)
  - ½ core CPU: only one data LUN, therefore one background and one coordinating thread (recall, CPU is dependent on the number of LUNs)
  - 30MB/s volume for read, encrypt, write: for a 100GB volume, 1h with the AES algorithm, 2.5h with the TRIPLE_DES algorithm; the same for the encrypted to decrypted state
- Performance Impact
  - Hard to predict ... "it depends"
  - Will impact write intensive workloads more than read-only workloads
  - Another customer: 2008 (with TDE and page compression) performance on par with 2005
Transparent Data Encryption: Quick Guide
- When implementing TDE
  - Be sure to back up the certificate private key
  - Rotate certificates and keys periodically as required by regulations
  - Use EKM for stronger key protection and separation of duties
  - Monitor key and encryption access
    - Policy Based Management
    - Auditing (Audit action types: DATABASE_OBJECT_ACCESS_GROUP and DATABASE_OBJECT_CHANGE_GROUP)
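Certificate rotation as the quick guide recommends, shown as an added example (not from the deck). It assumes SalesDB is already TDE-enabled with a certificate in master; the new certificate name TDE_Cert_2009, the file paths and the password placeholder are assumptions.

```sql
-- Added example (not from the deck): rotate the certificate protecting SalesDB's DEK.
USE master;
GO
CREATE CERTIFICATE TDE_Cert_2009 WITH SUBJECT = 'TDE certificate for SalesDB, 2009 rotation';
GO
-- Back up the new certificate first; restoring a backup taken after the rotation needs it.
BACKUP CERTIFICATE TDE_Cert_2009
    TO FILE = 'C:\keys\TDE_Cert_2009.cer'           -- assumed path
    WITH PRIVATE KEY (FILE = 'C:\keys\TDE_Cert_2009.pvk',
                      ENCRYPTION BY PASSWORD = '<private key password placeholder>');
GO
USE SalesDB;
GO
-- Only the DEK is re-encrypted under the new certificate; data pages are not rewritten,
-- so this is cheap compared with enabling encryption.
ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_2009;
GO
-- Verify: the DEK's encryptor thumbprint must now match the new certificate.
SELECT DB_NAME(k.database_id) AS database_name,
       c.name                 AS protecting_certificate,
       k.encryption_state
FROM sys.dm_database_encryption_keys AS k
JOIN master.sys.certificates        AS c ON c.thumbprint = k.encryptor_thumbprint
WHERE k.database_id = DB_ID();
GO
-- Keep the old certificate (and its backup) until no backup taken under it is still needed;
-- those backups can only be restored with the certificate that protected the DEK at the time.
```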
[Diagram: Certificate Template, Rotation Key Server, Extensible Key Management and Backup Certificate all relate to the certificate that protects the Database Encryption Key; possible DEK algorithms include AES (128, 192, 256 bit) and 3DES]
Auditing: Customer Scenarios
Auditing: Business Reasons
- Compliance requirements for SOX, PCI, HIPAA, GLBA among many other acronyms
- Customers like the fact that SQL is attempting to address auditing issues with this feature
- Additional guidance on how to use it for auditing scenarios can be found in the Compliance SDK
Auditing: What to audit
- Audit specific users
  - Typically want to do sysadmin
  - But many scenarios require auditing of more users because those users have insert, update access
  - Based on your policies
- Audit specific tables
  - Audit all tables that can only be modified or are deemed sensitive
- Audit objects
  - Key and encryption access auditing (Audit action types: DATABASE_OBJECT_ACCESS_GROUP and DATABASE_OBJECT_CHANGE_GROUP)
- Audit everything approach
  - Can grow quite quickly (i.e. lots of data), so you may want to limit the data
  - Or have your audit reporting system filter out the data you do not need
Auditing: Centralizing audit logs and reporting
[Diagram: the DB Servers running SQL Audit transfer their logs to a File Server; SSIS on SQL 2008 processes the audit information, and SSRS 2008 generates the Compliance Reports]
Process Audit Information: use SSIS to process SQL 2008 audit log data and store it in its own SQL database.
Auditing: Centralizing audit logs and reporting
- Centralizing logs
  - Allows you to have one server process all audit logs from your servers
  - Easier manageability
  - Set files to 100MB in size (fewer files, but not too large to process)
  - Can also centralize processing ... and centralize reporting
- The Compliance SDK contains the full project
  - Organized by Server, Database, DDL, and DML actions
Auditing: Interesting finds from auditing
- Backup a user database
  - Need CREATE permissions on the master database to look at the backup media
  - The CREATE permission is a misnomer since you are not creating anything
  - Nevertheless it is required to do a backup, hence the RESTORE LABELONLY statements in your audit
- Server Principal Name is the user name
- A lot of VIEW SERVER STATE calls, but these are part of an important server audit specification (may want to filter this out)
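The centralizing step and the filtering suggested in the two slides above, as an added T-SQL example that is not the Compliance SDK project itself: it loads collected audit files into one table and drops the VIEW SERVER STATE and RESTORE LABELONLY noise. The central database AuditWarehouse, the table dbo.AuditEvents and the UNC path are assumptions.

```sql
-- Added example (not from the deck or the Compliance SDK): load collected audit files
-- into a central table, skipping noise and rows already loaded, then report per login.
USE AuditWarehouse;                                  -- assumed central database
GO
IF OBJECT_ID('dbo.AuditEvents') IS NULL
    CREATE TABLE dbo.AuditEvents (
        event_time            datetime2     NOT NULL,
        action_name           nvarchar(128) NOT NULL,
        succeeded             bit           NOT NULL,
        server_instance_name  nvarchar(128) NULL,
        server_principal_name nvarchar(128) NULL,   -- the login name, as the deck notes
        database_name         nvarchar(128) NULL,
        schema_name           nvarchar(128) NULL,
        object_name           nvarchar(128) NULL,
        statement             nvarchar(max) NULL,
        file_name             nvarchar(260) NULL,   -- file + offset identify a record
        audit_file_offset     bigint        NULL
    );
GO
-- action_id is a short code; sys.dm_audit_actions maps it to a readable name.
WITH act AS (SELECT DISTINCT action_id, name FROM sys.dm_audit_actions)
INSERT INTO dbo.AuditEvents
SELECT a.event_time, act.name, a.succeeded, a.server_instance_name,
       a.server_principal_name, a.database_name, a.schema_name, a.object_name,
       a.statement, a.file_name, a.audit_file_offset
FROM sys.fn_get_audit_file('\\auditsrv\logs\*.sqlaudit', DEFAULT, DEFAULT) AS a  -- assumed path
JOIN act ON act.action_id = a.action_id
WHERE act.name <> 'VIEW SERVER STATE'              -- very frequent, little signal
  AND a.statement NOT LIKE 'RESTORE LABELONLY%'    -- side effect of BACKUP, not a restore
  AND NOT EXISTS (SELECT 1 FROM dbo.AuditEvents AS e
                  WHERE e.file_name = a.file_name
                    AND e.audit_file_offset = a.audit_file_offset);
GO
-- Simple compliance report: actions per login per day, failed attempts first.
SELECT CAST(event_time AS date) AS event_day,
       server_principal_name,
       action_name,
       SUM(CASE WHEN succeeded = 0 THEN 1 ELSE 0 END) AS failed,
       COUNT(*)                                       AS total
FROM dbo.AuditEvents
GROUP BY CAST(event_time AS date), server_principal_name, action_name
ORDER BY failed DESC, total DESC;
```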
Auditing: Caregroup Hospitals Scenario
- Auditing is a critical component of HIPAA compliance and ensuring patient privacy
  - 1 billion rows of audit data
  - 146 mission critical clinical applications
  - Comprehensive audits yield 300-500k transactions/day
  - HIPAA requires an audit system with 20 years of data
- Auditing Project
  - Available to the community as part of the Compliance SDK
  - Collaboration of Caregroup, MCS, SQLCAT
- Quote: "Creating an enterprise tool for consolidated storage, reporting and alerting of all application audit data - that's cool!" – John Halamka's Cool Technology of the Week (Wellsphere Top Health Blogger, Health Impact Award)
Demo: Centralized Auditing Reporting in Action from Caregroup Healthcare
Thank you for attending this session and the PASS Community Summit 2008