Compliance Lessons from Operating SQL Server in Azure SQL DB

Post on 21-Jan-2016


Page 1: Compliance Lessons from Operating SQL Server in Azure SQL DB

Compliance Lessons from Operating SQL Server in Azure SQL DB

Page 2: Compliance Lessons from Operating SQL Server in Azure SQL DB

Audience

• How many have been through a Compliance Audit before?
• How many are planning on going through one in the near future?

Page 3: Compliance Lessons from Operating SQL Server in Azure SQL DB

Azure Compliance – Continuous Audits

http://azure.microsoft.com/en-us/support/trust-center/services/

ISO 27001/27002

SOC 1/SSAE 16/SAE 3402 and SOC 2

FedRAMP

PCI DSS Level 1

United Kingdom G-Cloud

HIPAA

EU Model Clause

Australian Government IRAP

Singapore MTCS Standard

FBI CJIS (Azure Government)

SQL Database: • • • • • • • • • (compliance matrix row; one mark per covered standard)

Page 4: Compliance Lessons from Operating SQL Server in Azure SQL DB

Security Plan

• Review it and update it regularly
• Security Development Lifecycle
• Agile and Security Plan?
• Inventory
• Audit of inventory, patching of VMs, OS, SQL, etc., virus scanning

Page 5: Compliance Lessons from Operating SQL Server in Azure SQL DB

Access Control

• Isolate Production Environment
• Just In Time Access only by humans
• Multi-Factor Authentication – Azure Active Directory can make this easy
• Data kept in environment or filtered according to agreements
• Use RBAC Groups – review regularly
• Repeatable, signed, scanned builds of applications
• Audit ACLs, security settings of system

Page 6: Compliance Lessons from Operating SQL Server in Azure SQL DB

Security Auditing

• Continuous Auditing – offloaded from node ASAP to central repository
• Data Warehouse, Hadoop Cluster, etc. used to look for anomalous patterns of activity
• Alert based – volume of events makes regular reviews impractical for us
• Many 3rd party products that will do threat detection and centralization of Audits
• APTs mean we need to look across the enterprise

Page 7: Compliance Lessons from Operating SQL Server in Azure SQL DB

Availability

• AlwaysOn
  • Allows rapid deployment with continuous availability due to fault zones / upgrade zones
• Exercise full failovers – we always discover things
• Leverage new clusters as failover test

Page 8: Compliance Lessons from Operating SQL Server in Azure SQL DB

Secrets

• Centralize and have common reporting on expiring secrets (Certs, Passwords, Cryptographic Keys)
• Rotate ahead of schedule – if required 90 days before expiration, rotate at 120 days before to allow time to deal with failures
• Prioritize
• Ability to roll back changes – keep keys in escrow
• EKM allows you to centralize Keys, or at least Key Encryption Keys, in an HSM or Network HSM for central management
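The expiring-secrets report and "rotate at 120 days for a 90-day requirement" rule above, as an added example (not code from the talk or from Azure SQL DB): a single inventory of certs, passwords and keys is classified into EXPIRED, VIOLATION (past the required lead) and ROTATE_NOW (inside the safety buffer) and sorted by urgency and priority. The 30-day buffer, the `Secret` record and the sample inventory are constructed assumptions.

```python
"""Expiring-secrets report over a centralised inventory of certs, passwords and
keys. Rule from the talk: if policy requires rotation 90 days before expiry, start
at 120 days out so failures can be handled before the real deadline. The 30-day
buffer and the sample inventory are constructed for this example."""
from dataclasses import dataclass
from datetime import date, timedelta

ROTATION_BUFFER_DAYS = 30  # lead time added on top of the policy requirement
SEVERITY = {"EXPIRED": 0, "VIOLATION": 1, "ROTATE_NOW": 2}  # lower sorts first

@dataclass(frozen=True)
class Secret:
    name: str
    kind: str                # "cert", "password" or "key"
    expires: date
    required_lead_days: int  # policy: rotate at least this many days before expiry
    priority: int            # 1 = production-critical; larger = less urgent

def policy_deadline(s: Secret) -> date:  # last day that still satisfies policy
    return s.expires - timedelta(days=s.required_lead_days)

def planned_start(s: Secret) -> date:  # when to begin: deadline minus buffer
    return policy_deadline(s) - timedelta(days=ROTATION_BUFFER_DAYS)

def status(s: Secret, today: date) -> str:
    if today >= s.expires:
        return "EXPIRED"      # already failing; expect outages
    if today > policy_deadline(s):
        return "VIOLATION"    # past the required lead; an audit finding
    if today >= planned_start(s):
        return "ROTATE_NOW"   # inside the buffer window; rotate and fix fallout
    return "OK"

def rotation_report(inventory: list, today: date) -> list:
    """(status, name, days_until_planned_start) for each secret needing action,
    most urgent first; a negative day count means the planned start has passed."""
    rows = []
    for s in inventory:
        st = status(s, today)
        if st in SEVERITY:
            rows.append((SEVERITY[st], s.priority, (planned_start(s) - today).days, st, s.name))
    return [(st, n, d) for _, _, d, st, n in sorted(rows)]

# Constructed sample inventory; a real report reads from the central store.
INVENTORY = [
    Secret("tde-cert-prod", "cert", date(2016, 5, 1), 90, 1),
    Secret("etl-svc-password", "password", date(2016, 3, 1), 30, 2),
    Secret("backup-kek", "key", date(2016, 1, 15), 90, 1),
    Secret("dev-tls-cert", "cert", date(2017, 1, 1), 90, 3),
]
```

Run against today's date, everything still "OK" is dropped from the report, so the output is only the worklist, most urgent item first.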

Page 9: Compliance Lessons from Operating SQL Server in Azure SQL DB

Pen Testing

• Red Team
• Blue Team

Page 10: Compliance Lessons from Operating SQL Server in Azure SQL DB

Questions?

• Your challenges?
• Certifications lacking?
• Previous talks?