ISSAISSA

Data Security for Audit and Data Security for Audit and ComplianceCompliance

Andrew FryerEvangelist Microsoft Ltd

Session Objectives

• Understand that Security is an important consideration for applications as well as the server

• Know what is available in SQL Server and how it can help you achieve security objectives

Agenda

• Protecting applications− Data protection− Authentication/Authorization− SQL Injection

• SQL 2008 Compliance New Features− Transparent Data Encryption− Extensible Key Management− Audit

A true story.....(kind of)

• The Company

• The Application

• The MD

• The IT Manager

• The DBA

What happened

• Day 1 due diligence− Review and change admin passwords

• 10 minutes later− Helpdesk reports problems− Login failures

• Smoking gun− ODBC DSN

• 10 minutes later− Helpdesk reports problems− Module failures, report failures− Code review !

using ‘sa’ context!

Code review

• Issues− No centralized data access layer− Embedded SQL

− Lookup Order:

− Lookup Customer:

− Connection strings with hardcoded passwords

“SELECT * FROM Orders WHERE OrderId=“ + varOrderId

SELECT * FROM Customer WHERE SurName Like ‘”+ varSearchTerm +”’”

Provider=sqloledb;Data Source=xxx;Initial Catalog=billingDB;User Id=sa;Password=‘’;

Protecting ApplicationsProtecting Applications

Authentication

Data Encryption

• In SQL Server 2000, 3rd party support required

• Since SQL Server 2005 − Built-in support for data encryption− Support for key management

• Encryption additions in SQL Server 2008− Transparent Data Encryption− Extensible Key Management

Channel Encryption

• Support for full SSL Encryption since SQL Server 2000− Clients: MDAC 2.6 or later− Force encryption from client or server

• Login packet encryption− Used regardless of encryption settings− Supported since 2000− Self-generated certificates avail since

2005

Permission Strategy

• Follow principal of least privilege!• Avoid using sysadmin/sa and

db_owner/dbo− Grant required perms to normal login

• Never use the dbo schema− User-schema separation

• Applications should have own schema− Consider multiple schemas

• Leverage Flexible Database Roles− Facilitates role separation

• Consider Auditing user activity

GRANT EXECUTE ONHR.Proc1 TO Bob

EXECUTE HR.Proc1

Proc1

View1

Table1

Check EXECUTE

No check

No check

Database

Alice’s HR Schema

Bob

Alice

Ownership Chaining

• Beware of Ownership Chaining

Module Signing

• Alice has permission to call SP• SP run under Alice’s context but

with elevated privilege• SP protected against tampering

Alice (non privileged login)

SP_ENABLE_LOGIN

ALTER LOGIN Bob ENABLE

Cert_login

ALTER ANY LOGIN

Execution ContextBest Practices

• Controlled escalation of privileges− DB scoped: EXECUTE AS and App Roles− Cross-DB scoped: Certificates− Avoid using dynamic SQL under an

escalated context

• Do not use use CDOC and SETUSER• Avoid allowing guest access on user

DBs

SQL Injection

• SQL Injection is an attack where malicious code is inserted into strings and later passed to SQL Server for parsing and execution.

SELECT * FROM Customer WHERE SurName Like ‘”+ varSearchTerm +”%’”

''';DROP TABLE CUSTOMERS--'

SELECT * FROM Customer WHERE SurName Like ‘%’; DROP TABLE CUSTOMERS—’SELECT * FROM Customer WHERE SurName Like ‘%’; DROP TABLE CUSTOMERS—’

SQL Injection – defence

• Use parameterized SQL queries• Use Type-Safe SqlParameter in .Net• Use parameterized SPs• Least-privilege Principle• Escape special characters• Escape quotes with

quotename/replace• Escape wildcards in LIKE statements• Validate buffer length to avoid

truncation

class DataAccess{ static void GetNewOrders(DateTime date, int qty) { using (NorthWindDB nw = new NorthWindDB ()) {

var orders = from o in nw.Orders where o.OrderDate > date select new { o.orderID, o.OrderDate, Total = o.OrderLines.Sum(l => l.Quantity);

foreach (SalesOrder o in orders) { Console.WriteLine("{0:d}\t{1}\t{2}", o.OrderDate, o.OrderId, o.Total); } } }}

class DataAccess{ static void GetNewOrders(DateTime date, int qty) { using (NorthWindDB nw = new NorthWindDB ()) {

var orders = from o in nw.Orders where o.OrderDate > date select new { o.orderID, o.OrderDate, Total = o.OrderLines.Sum(l => l.Quantity);

foreach (SalesOrder o in orders) { Console.WriteLine("{0:d}\t{1}\t{2}", o.OrderDate, o.OrderId, o.Total); } } }}

Query syntax is

native applicatio

n code

Data objects

are first-class

citizens

Data Access Code with LINQ

No dynamic SQL therefore no No dynamic SQL therefore no injectioninjection

Business Reasons

• Compliance requirements for PCI, HIPAA, GLBA among many other acronyms

• Key Management, Encryption, and Auditing are key components to meeting these compliance requirements

• Refer to Compliance SDK and the SQL Compliance site: http://www.microsoft.com/sql/compliance

IT Control SO

X

PC

I

HIP

AA

GL

BA

ID Management

Separation of Duties

Encryption

Key Management

Auditing

Control Testing

Policy Management

Data Encyption

• SQL Server 2005− Built-in encryption functions− Key management in SQL Server− Encrypted File System (EFS)− Bit-Locker

• SQL Server 2008− Extensible Key Management (EKM)− Transparent Data Encryption (TDE)

Extensible Key Management

• Key storage, management and encryption done by HSM module

• SQL EKM key is a proxy to HSM key

• SQL EKM Provider DLL implements SQLEKM interface, calls into HSM module

SQL EKM Provider DLL

SQL EKM Key(HSM key proxy)

Data

SQL Server

HSM

Advantages of using EKM

• Security− Data and keys are physically separated

(keys are stored in HSM modules)− Centralized key management and

storage for enterprise− Additional authentication layer− Separation of duties between db_owner

and data owner

• Performance− Pluggable hardware encryption boards

EKM Key Hierarchy in SQL 2008

HSM

DatDataa

DatDataa

Native Symmetric key

TDE DEK key

EKM Symmetric key EKM Asymmetric key

SQL Server

Symmetric key Asymmetric key

Transparent Data Encryption (TDE)

• Encryption/decryption at database level

• DEK is encrypted with:− Certificate− Key residing in a

Hardware Security Module (HSM)

• Certificate required to attach database files or restore a backup

SQL Server 2008

DEK

Client Application

Encrypted data page

SQL Server 2008Instance Level

Service Master Key

TDE – Key Hierarchy

Database Master Key encrypts Certificate In Master Database

SQL Server 2008 User Database

Database Encryption Key

DPAPI encrypts Service Master Key

Service Master Key encrypts Database Master KeyPassword

Operating System LevelData Protection API (DPAPI)

SQL Server 2008 Master Database

Database Master Key

SQL Server 2008 Master Database

Certificate

Certificate encrypts Database Encryption Key

SQL Server 2008 User Database

Database Encryption Key

TDE – Key Hierarchy with EKM

Asymmetric Key resides on the EKM device

Asymmetric Key encrypts Database Encryption Key

Hardware Security Module (HSM)Asymmetric Key

TDE considerations

• Compatible with Database Compression

• Not recommended with Backup Compression

• Database Mirroring− Copy certificate from primary to mirror

• Log files are not retroactively encrypted− Encryption begins at next VLF boundary

• Tempdb is encrypted when 1 db in instance uses TDE

• Enterprise only

Transparent Data EncryptionOperational Impact• Storage replication at hardware level

− Background task to encrypt all pages− At HW level, all pages get changed, i.e. all pages need to be replicated− Need to test if your hardware replication can handle this throughput

• When using Database Mirroring or Log Shipping, − Ensure that the mirror server has the master key and certificate as well− Bottleneck isn’t throughput of pages

− Transaction log will have 1 entry for 4 extents (32 pages) noting extents are encrypted

− But, secondary server restore of transaction log uses less threads than principle/primary servers, i.e. back log in restore activity

− Possible Failover Issues− Synchronous mirroring backlog may result in not being able to failover since

restoring received transaction log records could take a few hours− For log shipping restoration of the backups will fall behind, manual failover

cannot take place before restore finally caught up.− May want to consider disabling HA and perform resynchronization of

your HA configuration

Auditing Database Activity

• SQL Server 2005− SQL Trace− DDL/DML Triggers− Third-party tools to read transaction logs− No management tools support

• SQL Server 2008− SQL Server Audit

Audit Specifications

2929

AuditAuditSecurity Event LogSecurity Event Log

Application Event LogApplication Event Log File syste

m0..1Server audit specification per Audit object

0..1DB audit specificationper database per Audit object

CREATE SERVER AUDIT SPECIFICATION SvrACTO SERVER AUDIT PCI_Audit    ADD (FAILED_LOGIN_GROUP);

CREATE SERVER AUDIT SPECIFICATION SvrACTO SERVER AUDIT PCI_Audit    ADD (FAILED_LOGIN_GROUP);

CREATE DATABASE AUDIT SPECIFICATION AuditACTO SERVER AUDIT PCI_Audit    ADD (SELECT ON Customers BY public)

CREATE DATABASE AUDIT SPECIFICATION AuditACTO SERVER AUDIT PCI_Audit    ADD (SELECT ON Customers BY public)

Server Audit

Specification

Server Audit Action

Server Audit ActionServer Audit

ActionServer Audit

ActionServer Audit Action

Server Audit ActionServer Audit

ActionServer Audit

ActionServer Audit Action

Server Audit Action

Database Audit ComponentsDatabase Audit

ComponentsDatabase Audit Components

Database Audit

Specification

Database Audit Action

Database Audit ActionDatabase Audit

ActionDatabase Audit

ActionDatabase Audit Action

Database Audit ActionDatabase Audit

ActionDatabase Audit

ActionDatabase Audit Action

Database Audit Action

FileFile

Reasons to use SQL Audit

• Leverages high performance eventing infrastructure to generate audits

• Runs within engine rather than as a side/separate app

• Parity with SQL 2005 Audit Generation• Faster than SQL Trace• Records changes to Audit

configuration• Configuration and management in

SSMS• (Note: Enterprise Edition only)

AuditingCentralizing audit logs and reporting

Compliance Reports

Process Audit InformationUse SSIS to process SQL2008 audit log data and store in its own SQL database.

File Server SQL 2008

SQL Audit

SSIS

Generate Reports

DB Servers

DB Server

DB Server

DB Server

Transfer Logs

SSRS 2008

FacetsCondition

s Policies

Policy-Based Management

Categories

Targets

Take aways

• Protect applications not just databases

• Get the basics right!• Leverage all of the features of SQL

Server to meet your compliance needs

Resources

• UK SQL Server 2008 Server Site http://www.microsoft.com/uk/sql

• SQL Server Compliance Micro-Sitehttp://www.microsoft.com/sqlserver/2008/en/us/compliance.aspx

• Whitepaper for PCI compliancehttp://www.parentebeard.com/lib/pdf/Deploying_SQL_Server_2008_Based_on_PCI_DSS.pdf

• Me http://blogs.technet.com/andrew

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after

the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.