Compliance Lessons from Operating SQL Server in Azure SQL DB

Posted on 21-Jan-2016


Audience

• How many have been through a compliance audit before?
• How many are planning on going through one in the near future?

Azure Compliance – Continuous Audits

http://azure.microsoft.com/en-us/support/trust-center/services/

• ISO 27001/27002
• SOC 1/SSAE 16/SAE 3402 and SOC 2
• FedRAMP
• PCI DSS Level 1
• United Kingdom G-Cloud
• HIPAA
• EU Model Clause
• Australian Government IRAP
• Singapore MTCS Standard
• FBI CJIS (Azure Government)

SQL Database: the original slide marked which of these certifications cover SQL Database; the marks did not survive extraction.

Security Plan

• Review it and update it regularly
• Security Development Lifecycle
• Agile and Security Plan?
• Inventory
• Audit of inventory; patching of VMs, OS, SQL, etc.; virus scanning

Access Control

• Isolate the production environment
• Just-in-time access only by humans
• Multi-Factor Authentication: Azure Active Directory can make this easy
• Data kept in environment or filtered according to agreements
• Use RBAC groups and review them regularly
• Repeatable, signed, scanned builds of applications
• Audit ACLs and security settings of the system

Security Auditing

• Continuous auditing: offloaded from the node as soon as possible to a central repository
• Data warehouse, Hadoop cluster, etc. used to look for anomalous patterns of activity
• Alert based: the volume of events makes regular manual reviews impractical for us
• Many 3rd-party products will do threat detection and centralization of audits
• APTs mean we need to look across the enterprise
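The slide's point is that audit events from every node land in one repository and are then reduced to alerts rather than read by hand. The following is an added example, not code from the talk or from any Microsoft product: it runs two alert rules over a constructed, simplified event feed (whitespace-separated fields, not the real SQL Server audit file format). The burst rule keys on principal and client address across all nodes, which is the "look across the enterprise" idea; the privileged-change rule surfaces role changes that an RBAC review would want to see. Field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centralized audit events (not real data).
# Fields: timestamp, node, principal, action, outcome, client_ip
SAMPLE_EVENTS = """\
2016-01-20T10:00:01Z node-03 app_svc LOGIN SUCCESS 10.0.1.20
2016-01-20T10:00:05Z node-03 app_svc SELECT SUCCESS 10.0.1.20
2016-01-20T10:01:00Z node-07 sa LOGIN FAILURE 203.0.113.9
2016-01-20T10:01:02Z node-07 sa LOGIN FAILURE 203.0.113.9
2016-01-20T10:01:04Z node-04 sa LOGIN FAILURE 203.0.113.9
2016-01-20T10:01:06Z node-04 sa LOGIN FAILURE 203.0.113.9
2016-01-20T10:01:08Z node-07 sa LOGIN FAILURE 203.0.113.9
2016-01-20T10:05:00Z node-02 dba_jane ALTER_ROLE SUCCESS 10.0.1.5
2016-01-20T11:30:00Z node-07 sa LOGIN FAILURE 203.0.113.9
"""

# Actions that change who can do what; assumed names for this example.
PRIVILEGED_ACTIONS = {"ALTER_ROLE", "GRANT", "ALTER_LOGIN"}


def parse_events(text):
    """Parse the constructed line format into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, node, principal, action, outcome, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "node": node, "principal": principal, "action": action,
            "outcome": outcome, "ip": ip,
        })
    return events


def detect_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts instead of a raw event list.

    Rule 1: any privileged action is reported (RBAC changes must be reviewed).
    Rule 2: `threshold` login failures for one (principal, client_ip) within
            `window`, counted across all nodes, fires once per burst.
    """
    alerts = []
    # (principal, ip) -> [(ts, node), ...] still inside the sliding window
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] in PRIVILEGED_ACTIONS:
            alerts.append({
                "rule": "privileged_change", "principal": ev["principal"],
                "node": ev["node"], "action": ev["action"], "ts": ev["ts"],
            })
            continue
        if ev["action"] == "LOGIN" and ev["outcome"] == "FAILURE":
            key = (ev["principal"], ev["ip"])
            kept = [(t, n) for t, n in failures[key] if ev["ts"] - t <= window]
            kept.append((ev["ts"], ev["node"]))
            failures[key] = kept
            # == threshold so a sustained burst produces one alert, not one per event
            if len(kept) == threshold:
                alerts.append({
                    "rule": "login_failure_burst", "principal": ev["principal"],
                    "ip": ev["ip"], "count": len(kept),
                    "nodes": sorted({n for _, n in kept}),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_alerts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample feed the five `sa` failures from 203.0.113.9 are split across node-04 and node-07, so a per-node view would see at most three and stay silent; the centralized view reaches the threshold and names both nodes. The lone failure at 11:30 falls outside the window and correctly produces nothing.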

Availability

• AlwaysOn allows rapid deployment with continuous availability due to fault zones / upgrade zones
• Exercise full failovers; we always discover things
• Leverage new clusters as failover tests

Secrets

• Centralize and have common reporting on expiring secrets (certs, passwords, cryptographic keys)
• Rotate ahead of schedule: if rotation is required 90 days before expiration, rotate at 120 days before to allow time to deal with failures
• Prioritize
• Ability to roll back changes: keep keys in escrow
• EKM allows you to centralize keys, or at least key encryption keys, in an HSM or network HSM for central management
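The "common reporting" and "rotate at 120 days, not 90" bullets above amount to a small classifier over a secrets inventory. This added example (not code from the talk) turns them into a prioritized rotation report: a secret inside the 120-day operational lead is marked for rotation now, and one already inside the 90-day policy lead is marked overdue, since a failed rotation there leaves no slack. The inventory, its field names and the secret names are constructed for the example.

```python
from datetime import date, timedelta

# Policy numbers from the slide: rotation must happen >= 90 days before expiry;
# operate at 120 days to leave room for failed rotations.
REQUIRED_LEAD_DAYS = 90
ROTATE_LEAD_DAYS = 120

# Constructed inventory (names and dates are made up for the example).
SAMPLE_INVENTORY = [
    {"name": "sql-tde-cert-prod", "kind": "cert", "expires": date(2016, 5, 15)},
    {"name": "app-svc-password", "kind": "password", "expires": date(2016, 3, 1)},
    {"name": "backup-kek", "kind": "key", "expires": date(2016, 9, 30)},
    {"name": "legacy-api-cert", "kind": "cert", "expires": date(2016, 2, 1)},
]

# Lower number = handle first.
PRIORITY = {"OVERDUE": 0, "ROTATE_NOW": 1, "OK": 2}


def classify(secret, today):
    """Classify one secret against the two lead times."""
    days_left = (secret["expires"] - today).days
    if days_left <= REQUIRED_LEAD_DAYS:
        status = "OVERDUE"       # inside the policy window: no slack left
    elif days_left <= ROTATE_LEAD_DAYS:
        status = "ROTATE_NOW"    # inside the operational window
    else:
        status = "OK"
    return {
        "name": secret["name"],
        "kind": secret["kind"],
        "days_left": days_left,
        "status": status,
        # date by which the team intended to rotate (120-day lead)
        "rotate_by": secret["expires"] - timedelta(days=ROTATE_LEAD_DAYS),
        # last date that still satisfies the 90-day policy
        "deadline": secret["expires"] - timedelta(days=REQUIRED_LEAD_DAYS),
    }


def rotation_report(inventory, today):
    """Prioritized report: overdue first, then rotate-now, each by days left."""
    rows = [classify(s, today) for s in inventory]
    rows.sort(key=lambda r: (PRIORITY[r["status"]], r["days_left"]))
    return rows


if __name__ == "__main__":
    for row in rotation_report(SAMPLE_INVENTORY, date(2016, 1, 21)):
        print(f'{row["status"]:10} {row["name"]:20} {row["days_left"]:4d} days '
              f'(rotate by {row["rotate_by"]}, policy deadline {row["deadline"]})')
```

Run against the post date, two constructed entries are already past the 90-day line, the TDE certificate sits between the two leads and is due now, and the key encryption key is untouched; that ordering is the "Prioritize" bullet made explicit.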

Pen Testing

• Red Team
• Blue Team

Questions?

• Your challenges?
• Certifications lacking?
• Previous talks?
