This document contains the agenda and slides for a presentation on SQL Server security. The presentation covers security foundations for database administrators (DBAs), well-known risk factors from OSSTMM and OWASP, SQL Server security best practices, security enhancements in SQL Server 2014, 2016, and 2017, SQL Server security in the cloud, DBA security, and risk management for DBAs. The slides define key security concepts, categorize security realms, outline the OSSTMM and OWASP top 10 risks, and describe various SQL Server security features and configurations.
ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!
1. @ITCAMPRO #ITCAMP18 Community Conference for IT Professionals
Secure your data at rest
– on demand, now!
Tobiasz Koprowski
Data Platform MVP, MCT, Consultant
Founder of Shadowland Consulting
@KoprowskiT || @SHAConsultingUK
Slide 2.
AGENDA
1 | Security Foundation for DBA
2 | Well Known Risks Factors (OSSTMM/OWASP)
3 | SQL Server Security Best Practices
4 | SQL Server 2014 Security Enhancements
5 | SQL Server 2016 Security Enhancements
6 | SQL Server 2017 Security Enhancements
7 | SQL Server Security in The Cloud
8 | DBA Security
9 | Summary
Appendix
Slide 6.
Application security | http://bit.ly/18u8J6p
Computing security | http://bit.ly/1ARdRLd
Data security | http://bit.ly/185wfph
Information security | http://bit.ly/1ARe0ya
Network security | http://bit.ly/1C443R8
Categorizing Security - part 1
{IT REALM}
Slide 7.
Airport security | http://bit.ly/1LPZcCZ
Food security | http://bit.ly/1MYnii6
Home security | http://bit.ly/1Gz3VI1
Infrastructure security | http://bit.ly/1Bm8LIF
Physical security | http://bit.ly/1Gz3VI1
Port security | http://bit.ly/1ARewMH
Supply chain security | http://bit.ly/1Ex7ob7
School security | http://bit.ly/17Dl735
Shopping center security | http://bit.ly/1EUb1FV
Categorizing Security - part 2
{PHYSICAL REALM}
Slide 8.
Homeland security | http://bit.ly/1AAwZhE
Human security | http://bit.ly/1DhojtU
International security | http://bit.ly/1MYoyli
National security | http://bit.ly/1FEnldu
Public security | http://bit.ly/1wqpX9P
Categorizing Security - part 3
{POLITICAL REALM}
Slide 9.
Categorizing Security - part 4
{SQL SERVER REALM}
application security
computing security
data security
information security
network security
home security
infrastructure security
physical security
national security
public security
Slide 11.
Security is the degree of resistance to, or protection from, harm. It applies to any
vulnerable and valuable asset, such as a person, dwelling, community, nation, or
organization.
As noted by the Institute for Security and Open Methodologies (ISECOM) in the
OSSTMM 3 (Open Source Security Testing Methodology Manual), security provides
"a form of protection where a separation is created between the assets and the
threat." These separations are generically called "controls," and sometimes include
changes to the asset or the threat.
Security? What is this?
http://www.isecom.org/research/
Slide 12.
The Open Source Security Testing Methodology Manual
• Fifteen Chapters:
• 1 – What You Need to Know
• 2 – What You Need to Do
• 3 – Security Analysis
• 4 – Operational Security Metrics
• 5 – Trust Analysis
• 6 – Work Flow
• 7 – Human Security Testing
• 8 – Physical Security Testing
• 9 – Wireless Security Testing
• 10 – Telecommunications Security Testing
• 11 – Data Networks Security Testing
• 12 – Compliance
• 13 – Reporting with the STAR
• 14 – What You Get
• 15 – Open Methodology License
Slide 13.
The OWASP Foundation came online on December 1st, 2001; it was established as a not-for-profit
charitable organization in the United States on April 21, 2004 to ensure the ongoing availability and
support for our work at OWASP. OWASP is an international organization and the OWASP Foundation
supports OWASP efforts around the world. OWASP is an open community dedicated to enabling
organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in
improving application security. We advocate approaching application security as a people, process,
and technology problem because the most effective approaches to application security include
improvements in all of these areas. We can be found at www.owasp.org.
The Open Web Application Security Project
Slide 14.
A1-Injection
A2-Broken Authentication and Session Management
A3-Cross-Site Scripting (XSS)
A4-Broken Access Control
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Insufficient Attack Protection
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Underprotected APIs
OWASP – Top 10 Application Security Risks - 2017 (this is the April 2017 Release Candidate 1 list; the final 2017 release dropped A7 "Insufficient Attack Protection" and A10 "Underprotected APIs" and added XXE, Insecure Deserialization and Insufficient Logging & Monitoring)
Slide 16.
SQL Server Security Best Practices
• Efficiency and security pull in opposite directions.
• In practice you optimise for high efficiency or for high security, not both at once: every control costs time, money or convenience.
Example: small community banks tend to favor efficiency over security:
• Cost limitations. This is the first and obvious reason. Community banks are fighting a constant
battle to remain competitive. Implementing security in systems adds cost; there is no way
around it.
• Risk. It's not always a conscious decision for a bank to improve efficiency by sacrificing security.
Sometimes there's a lack of understanding of the risks associated with the systems we deploy.
• Personnel limitations. The many-hats syndrome runs rampant in smaller community banks.
• Regulatory emphasis. The current regulatory environment stresses controls as they relate to policy
and procedures, not to the technical hardening of the systems themselves.
Slide 17.
authentication || use Windows Authentication mode unless a legacy application requires Mixed Mode
authentication for backward compatibility
secure the sa login || rename the built-in sa login after installation (SSMS > Object Explorer > Security >
Logins > right-click > Rename, or ALTER LOGIN sa WITH NAME = ...) and, better, disable it; renaming alone
does not change its well-known principal_id and SID
use complex passwords || ensure complex passwords are used for sa and every other SQL-Server-specific
login; use CHECK_POLICY, CHECK_EXPIRATION and MUST_CHANGE for any new SQL login
use specific logins || use a different account for each SQL Server service (engine, Agent, SSIS, SSRS, ...)
sysadmin membership || choose the membership of the sysadmin fixed server role carefully; its members
bypass every permission check
SQL Server Security Best Practices
Slide 18.
general administration || use the built-in fixed server roles and database roles, or create custom roles,
then grant the roles to specific logins instead of granting permissions one by one
revoke guest access || revoke CONNECT from the guest user in every user database; leave it enabled in
master, tempdb and msdb, where SQL Server requires it
limit public permissions || revoke public's EXECUTE on risky extended stored procedures (xp_dirtree,
xp_fileexist, xp_regread, ...) and review what else public can reach; every login is a member of public
hardening sql server ports || move the instance off TCP 1433 where possible (this hides nothing from a
port scan, but cuts automated noise) and restrict the port with the host firewall
disable sql server browser || disable SQL Server Browser (UDP 1434) where possible; it advertises instance
names and ports to anyone who asks
secure service accounts || use low-privileged, per-service accounts (managed service accounts or gMSAs
where available), document them, and keep their passwords in a vault rather than in notes
SQL Server Security Best Practices
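The two best-practice slides above are a checklist; the T-SQL below is an added example (not from the deck) that implements the items that can be done from a query window. Login, role and database names (svc_admin_disabled, app_reporting, ops_monitor) are hypothetical; run it as a sysadmin and adjust to your environment.

```sql
-- Added example: hardening steps for the best-practice list. Names are hypothetical.

-- 1. Authentication mode. 1 = Windows only, 0 = Mixed. Switching the mode is done
--    in SSMS (Server Properties > Security) and needs a service restart.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
         WHEN 1 THEN 'Windows Authentication' ELSE 'Mixed Mode' END AS auth_mode;

-- 2. Secure sa: rename AND disable. Renaming alone leaves the well-known
--    principal_id 1 / SID 0x01 in place; disabling removes the login as a target.
ALTER LOGIN sa WITH NAME = [svc_admin_disabled];      -- hypothetical new name
ALTER LOGIN [svc_admin_disabled] DISABLE;

-- 3. Complex passwords for SQL logins: inherit the Windows password policy,
--    enforce expiration and force a change at first use.
CREATE LOGIN [app_reporting]                            -- hypothetical login
    WITH PASSWORD = N'Replace-With-A-Strong-Random-Value!' MUST_CHANGE,
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 4. Who is in sysadmin right now? Remove anyone who does not need it.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals sp ON sp.principal_id = rm.member_principal_id
JOIN sys.server_principals r  ON r.principal_id  = rm.role_principal_id
WHERE r.name = N'sysadmin';
-- ALTER SERVER ROLE sysadmin DROP MEMBER [DOMAIN\someone];

-- 5. Least privilege through a custom server role instead of sysadmin.
CREATE SERVER ROLE [ops_monitor];                       -- hypothetical role
GRANT VIEW SERVER STATE TO [ops_monitor];
ALTER SERVER ROLE [ops_monitor] ADD MEMBER [app_reporting];

-- 6. Revoke guest CONNECT in every online, writable user database
--    (database_id > 4 skips master, tempdb, model, msdb, where guest must stay).
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'USE ' + QUOTENAME(name) + N'; REVOKE CONNECT FROM guest;' + CHAR(10)
FROM sys.databases
WHERE database_id > 4 AND state_desc = N'ONLINE' AND is_read_only = 0;
EXEC sys.sp_executesql @sql;

-- 7. Limit public: take EXECUTE on filesystem/registry extended procs away from
--    public (every login is a member of public), then list what is still granted.
USE master;
REVOKE EXECUTE ON OBJECT::sys.xp_dirtree   FROM public;
REVOKE EXECUTE ON OBJECT::sys.xp_fileexist FROM public;
REVOKE EXECUTE ON OBJECT::sys.xp_regread   FROM public;
SELECT o.name, p.permission_name, p.state_desc
FROM sys.database_permissions p
JOIN sys.all_objects o ON o.object_id = p.major_id
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND o.name LIKE 'xp[_]%' AND p.state_desc = 'GRANT';

-- 8. Port and SQL Browser are not T-SQL settings: use SQL Server Configuration
--    Manager (Protocols > TCP/IP > IPAll > TCP Port; stop and disable the Browser
--    service). Confirm what this session is actually connected to:
SELECT local_net_address, local_tcp_port, net_transport
FROM sys.dm_exec_connections WHERE session_id = @@SPID;
```

The guest loop deliberately filters on database_id > 4 rather than on names, so it keeps working after databases are added; re-run it as part of the weekly audit the later slides mention.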
Slide 20.
transparent data encryption
➢ first introduced with SQL Server 2008 (!)
➢ protects data at rest by encrypting and decrypting database and log file I/O in real time; once any database on the instance uses TDE, tempdb is encrypted too, and backups of a TDE database are encrypted with the same key
➢ the database encryption key (DEK) is protected by a certificate in master or by an asymmetric key held in an EKM provider; TDE does nothing against a user who can already log in and SELECT, it only defends the files and backups
➢ SQL Server's wider encryption hierarchy offers more protectors for keys and for cell-level data:
➢ passphrase (least secure),
➢ asymmetric key (strong protection, poor performance),
➢ symmetric key (good performance, strong enough protection),
➢ certificate (strong protection, good performance)
New functionality for backup (SQL Server 2014):
➢ takes the unencrypted backup stream
➢ encrypts the data before writing it to disk
➢ with COMPRESSION, compression is performed on the backup
data first
➢ then encryption is applied to the compressed data (encrypting first would leave nothing to compress)
➢ supports backup to Azure (BACKUP TO URL)
SQL14 SECURITY ENHANCEMENTS
Slide 21.
encryption key management
➢ Encryption options include:
➢ encryption algorithm (AES_128, AES_192, AES_256, TRIPLE_DES_3KEY)
➢ encryptor: certificate or asymmetric key
➢ an asymmetric key is supported only if it resides in an EKM (Extensible Key Management) provider
➢ manageable by PowerShell, SMO, SSMS, T-SQL
➢ VERY IMPORTANT:
➢ the asymmetric key or certificate MUST be backed up (BACKUP CERTIFICATE ... WITH PRIVATE KEY) before it is used
➢ the key backup location MUST be different from the database backup location, otherwise whoever steals the backups also gets the key
➢ there is no RESTORE without the asymmetric key or certificate
SQL14 SECURITY ENHANCEMENTS
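The TDE slide and the key-management slide above describe one workflow end to end; the T-SQL below is an added example (not from the deck) that enables TDE on a database, backs the certificate up to a location separate from the backups, takes a compressed and encrypted backup, and shows the restore-side prerequisite. Database name (SalesDb), certificate name (TDE_Cert), paths and passwords are hypothetical.

```sql
-- Added example: TDE + encrypted backup with the certificate stored away from the
-- backup files. Names, paths and passwords are hypothetical.
USE master;
-- Database master key in master (skip if one already exists), protected by the
-- service master key and this password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'Replace-With-A-Strong-Random-Value!';
-- One certificate in master protects the TDE DEK and encrypts backups.
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = N'TDE and backup protection';

-- Back the certificate up WITH its private key BEFORE using it, to a location that
-- is not the backup share. Without this pair no restore is possible anywhere else.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = N'\\keyvault-share\sql\TDE_Cert.cer'
    WITH PRIVATE KEY (FILE = N'\\keyvault-share\sql\TDE_Cert.pvk',
                      ENCRYPTION BY PASSWORD = N'Another-Strong-Random-Value!');

-- Enable TDE on the user database.
USE SalesDb;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
ALTER DATABASE SalesDb SET ENCRYPTION ON;

-- Background encryption scan: encryption_state 2 = in progress, 3 = encrypted.
-- tempdb shows up here too once any database is encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, percent_complete,
       key_algorithm, key_length
FROM sys.dm_database_encryption_keys;

-- Compressed AND encrypted backup: compression runs first, encryption second.
BACKUP DATABASE SalesDb
    TO DISK = N'D:\Backups\SalesDb_full.bak'
    WITH COMPRESSION,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = TDE_Cert),
         STATS = 10;

-- Verify from the backup catalog which backups are encrypted and with what.
SELECT database_name, backup_finish_date, key_algorithm, encryptor_type,
       encryptor_thumbprint
FROM msdb.dbo.backupset WHERE database_name = N'SalesDb';

-- Restore on another server: the same certificate must first be imported into
-- that server's master database, otherwise RESTORE fails with a key error.
-- USE master;
-- CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'...';
-- CREATE CERTIFICATE TDE_Cert
--     FROM FILE = N'\\keyvault-share\sql\TDE_Cert.cer'
--     WITH PRIVATE KEY (FILE = N'\\keyvault-share\sql\TDE_Cert.pvk',
--                       DECRYPTION BY PASSWORD = N'Another-Strong-Random-Value!');
-- RESTORE DATABASE SalesDb FROM DISK = N'D:\Backups\SalesDb_full.bak';
```

Test the commented restore path on a scratch instance before you need it: a certificate backup that was never restored anywhere is an untested backup.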
Slide 22.
new server-level permissions
GRANT CONNECT ANY DATABASE to a login || connect to every current and future database without creating a user in each
GRANT IMPERSONATE ANY LOGIN to a login || EXECUTE AS any login, including sysadmin members, so treat it as sysadmin-equivalent
GRANT SELECT ALL USER SECURABLES to a login || read every user table and view in every database the login can connect to
SQL14 SECURITY ENHANCEMENTS
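As an added example (not from the deck) of how the three permissions combine, the T-SQL below builds a read-only audit login from CONNECT ANY DATABASE and SELECT ALL USER SECURABLES, carves one database out of it with a DENY, and keeps IMPERSONATE ANY LOGIN for a separate, tightly controlled service principal. Login names (DOMAIN\sql_auditor, DOMAIN\svc_middletier) and the HRDb database are hypothetical.

```sql
-- Added example: least-privilege audit login using the SQL Server 2014
-- server-level permissions. Names are hypothetical.
USE master;
CREATE LOGIN [DOMAIN\sql_auditor] FROM WINDOWS;

-- Connect to every database, present and future, with no per-database user ...
GRANT CONNECT ANY DATABASE TO [DOMAIN\sql_auditor];
-- ... and read every user table and view in all of them.
GRANT SELECT ALL USER SECURABLES TO [DOMAIN\sql_auditor];

-- Exception: no access at all to the HR database. A DENY at database level
-- takes precedence over the server-level GRANT.
USE HRDb;
CREATE USER [DOMAIN\sql_auditor] FOR LOGIN [DOMAIN\sql_auditor];
DENY CONNECT TO [DOMAIN\sql_auditor];

-- IMPERSONATE ANY LOGIN lets the holder EXECUTE AS a sysadmin member, so it is
-- sysadmin-equivalent. Grant it only to a principal such as a middle-tier service
-- that must switch identity per caller, never to the auditor.
USE master;
GRANT IMPERSONATE ANY LOGIN TO [DOMAIN\svc_middletier];

-- Verify what the auditor ends up with at server scope.
EXECUTE AS LOGIN = N'DOMAIN\sql_auditor';
SELECT permission_name FROM sys.fn_my_permissions(NULL, 'SERVER');
REVERT;

-- Audit query: who holds any of the three wide permissions?
SELECT sp.name, p.permission_name, p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals sp ON sp.principal_id = p.grantee_principal_id
WHERE p.permission_name IN (N'CONNECT ANY DATABASE', N'IMPERSONATE ANY LOGIN',
                            N'SELECT ALL USER SECURABLES')
ORDER BY sp.name;
```

Run the last query as part of the periodic permission review: these three grants are easy to forget because they do not show up as role membership.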
Slide 23.
• by default:
• instance name: SQLExpress
• network protocols (TCP/IP, named pipes): disabled; only local shared-memory connections work until one is enabled
• SQL Server Browser: disabled
• user (local) instances:
• a separate instance spawned from the parent Express instance for one user
• that user has sysadmin privileges on the user instance, on the local machine only
• runs as a user process, not as a service process
• only Windows logins are supported
• RANU instance ("run as normal user"); deprecated since SQL Server 2012, so avoid it in new designs
SQL Server Express Security
Slide 25.
row-level security
➢ Restricting access to financial data based on an employee's region and role
➢ Ensuring that tenants of a multi-tenant application can only access their own rows of data
➢ Enabling different analysts to report on different subsets of data based on their position
➢ Implemented as a security policy that binds an inline table-valued predicate function to a table: filter predicates silently hide rows from SELECT, UPDATE and DELETE; block predicates reject INSERT or UPDATE of rows that would violate the predicate
SQL16 SECURITY ENHANCEMENTS
Slide 26.
• Credit card {Masking method which exposes the last four digits of the designated fields and adds a constant string as a
prefix in the form of a credit card}. example: XXXX-XXXX-XXXX-1234
• Social security number {Masking method which exposes the last four digits of the designated fields and adds a constant
string as a prefix in the form of an American social security number.} example: XXX-XX-1234
• Email {Masking method which exposes the first letter and replaces the domain with XXX.com using a constant string prefix
in the form of an email address}. example: aXX@XXXX.com
• Random number {Masking method which generates a random number according to the selected boundaries and actual data
types. If the designated boundaries are equal, then the masking function will be a constant number}.
• Custom text {Masking method which exposes the first and last characters and adds a custom padding string in the middle. If
the original string is shorter than the exposed prefix and suffix, only the padding string will be used. example:
prefix[padding]suffix
dynamic data masking
SQL16 SECURITY ENHANCEMENTS
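The masking methods listed above map onto four T-SQL masking functions (default(), email(), random(), partial()). The block below is an added example, not from the deck, that applies them to a hypothetical customer table and then shows the check a practitioner should always run: masking changes what is returned, not what can be queried. Table, column and user names and the inserted row are constructed.

```sql
-- Added example: dynamic data masking and the inference check. Names and the
-- sample row are hypothetical/constructed.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    Email      nvarchar(100) MASKED WITH (FUNCTION = 'email()'),
    CardNumber varchar(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)'),
    Ssn        char(11)      MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)'),
    Salary     int           MASKED WITH (FUNCTION = 'random(1, 100)'),
    Phone      varchar(12)   MASKED WITH (FUNCTION = 'default()')
);
INSERT dbo.Customers (Email, CardNumber, Ssn, Salary, Phone)
VALUES (N'alice@example.com', '4111-1111-1111-1234', '123-45-6789', 85000, '555-0100');

-- An existing column can be masked in place:
-- ALTER TABLE dbo.Customers ALTER COLUMN Phone ADD MASKED WITH (FUNCTION = 'default()');

-- A user with SELECT but without UNMASK gets masked output.
CREATE USER analyst WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO analyst;
EXECUTE AS USER = 'analyst';
SELECT Email, CardNumber, Ssn, Salary, Phone FROM dbo.Customers;
-- Email keeps its first letter, CardNumber -> XXXX-XXXX-XXXX-1234,
-- Ssn -> XXX-XX-6789, Salary -> a random 1..100, Phone -> xxxx

-- DDM is not a security boundary. Masked columns are still usable in
-- predicates, so an ad hoc querier can recover the real values by bisection:
SELECT COUNT(*) FROM dbo.Customers WHERE Salary BETWEEN 80000 AND 90000;  -- 1
SELECT COUNT(*) FROM dbo.Customers WHERE Email LIKE N'alice%';            -- 1
REVERT;

-- Mitigations: no ad hoc query rights on masked tables (stored-procedure-only
-- access), and UNMASK only for principals that genuinely need the full value.
-- GRANT UNMASK TO analyst;

-- Inventory of what is masked on this database:
SELECT OBJECT_NAME(object_id) AS tbl, name AS col, masking_function
FROM sys.masked_columns;
```

Treat DDM as a convenience for reports and support screens; for data that must stay secret from the querying principal use Always Encrypted or row-level security instead.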
Slide 27.
always encrypted
The new version of SQL Server includes an additional layer of security that keeps valuable personal data such as:
• Social Security numbers
• private healthcare data
• credit card information
protected even while the data is being used. The client driver encrypts and decrypts the column values; the column master key never reaches the database engine, so a DBA, a backup thief or anyone with sysadmin sees only ciphertext.
SQL16 SECURITY ENHANCEMENTS
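As an added example, not from the deck, the DDL below shows the three objects Always Encrypted needs: a column master key that lives outside SQL Server, a column encryption key wrapped by it, and encrypted columns. The certificate thumbprint, key names and table are hypothetical, and the ENCRYPTED_VALUE is a placeholder: the wrapped CEK can only be produced client-side (the SSMS "New Column Encryption Key" dialog or New-SqlColumnEncryptionKeyEncryptedValue from the SqlServer PowerShell module), never by T-SQL, which is exactly the property the feature relies on.

```sql
-- Added example: Always Encrypted key hierarchy and column definitions.
-- Thumbprint, names and the ENCRYPTED_VALUE placeholder are hypothetical.

-- 1. Column master key: only metadata is stored here. The key itself is a
--    certificate in the application host's Windows certificate store.
CREATE COLUMN MASTER KEY CMK_Patients
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/0123456789ABCDEF0123456789ABCDEF01234567'
);

-- 2. Column encryption key: the CEK encrypted with the CMK (RSA-OAEP). The
--    value below is a placeholder; generate the real one client-side.
CREATE COLUMN ENCRYPTION KEY CEK_Patients
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Patients,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00  -- placeholder: paste the client-generated blob here
);

-- 3. Encrypted columns. DETERMINISTIC permits equality lookups, joins and
--    GROUP BY on Ssn but reveals which rows share a value; RANDOMIZED is
--    stronger and fits CardNumber, which is read back but never searched.
--    Deterministic string columns require a _BIN2 collation.
CREATE TABLE dbo.Patients (
    PatientId  int IDENTITY PRIMARY KEY,
    Ssn        char(11) COLLATE Latin1_General_BIN2
               ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                               ENCRYPTION_TYPE = DETERMINISTIC,
                               ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    CardNumber varchar(19) COLLATE Latin1_General_BIN2
               ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                               ENCRYPTION_TYPE = RANDOMIZED,
                               ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256')
);

-- Even sysadmin sees ciphertext from an ordinary connection:
SELECT Ssn, CardNumber FROM dbo.Patients;   -- varbinary blobs

-- Clients connect with "Column Encryption Setting=Enabled" and must pass the
-- value as a parameter so the driver can encrypt it; literals cannot be used.
--   SELECT PatientId FROM dbo.Patients WHERE Ssn = @ssn;    -- works (deterministic)
--   SELECT PatientId FROM dbo.Patients WHERE CardNumber = @c; -- fails (randomized)
--   SELECT PatientId FROM dbo.Patients WHERE Ssn LIKE '123%'; -- fails (no LIKE)

-- Metadata check: which columns are encrypted and how.
SELECT OBJECT_NAME(c.object_id) AS tbl, c.name AS col,
       c.encryption_type_desc, c.encryption_algorithm_name
FROM sys.columns c WHERE c.encryption_type IS NOT NULL;
```

The operational consequence is that the certificate on the application hosts is now the real secret: back it up, restrict who can export it, and plan its rotation (ALTER COLUMN ENCRYPTION KEY ... ADD VALUE / DROP VALUE) before going live.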
Slide 30.
CLR strict security
With SQL Server 2017, Microsoft changed the security model for CLR assemblies.
They did this because Code Access Security (CAS) in the .NET Framework is no longer supported as a security
boundary, which means an assembly marked as SAFE may be able to run code that is unsafe, or accesses external
system resources.
To close these possible SQL Server security holes around CLR, SQL Server 2017 introduces a new
configuration option named "clr strict security" and a new system stored procedure named
sys.sp_add_trusted_assembly.
When "clr strict security" is enabled, all SAFE and EXTERNAL_ACCESS assemblies are treated as if they were
UNSAFE: loading one requires the UNSAFE ASSEMBLY permission and either a signature from a certificate or
asymmetric key that has a matching login with that permission, a TRUSTWORTHY database (not recommended),
or an entry in the trusted-assembly list. The option is enabled by default on 2017 and later.
SQL17 SECURITY ENHANCEMENTS
Slide 31.
sp_add_trusted_assembly
This stored procedure adds an assembly, identified by the SHA2_512 hash of its bytes, to the instance-wide
list of trusted assemblies (sys.trusted_assemblies). A whitelisted assembly can be created and run at UNSAFE or
EXTERNAL_ACCESS level with strict security on, without signing it and without setting its database to
TRUSTWORTHY. Because the hash covers the exact bytes, a rebuilt assembly has to be approved again;
sys.sp_drop_trusted_assembly removes an entry.
sp_add_trusted_assembly
[ @hash = ] 'value'
[ , [ @description = ] 'description' ]
SQL17 SECURITY ENHANCEMENTS
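The two CLR slides above describe the option and the procedure; the T-SQL below is an added example (not from the deck) that keeps "clr strict security" on, computes the hash the procedure expects for an assembly that is already loaded, whitelists it, and checks that no database is leaning on TRUSTWORTHY instead. The assembly name GeoUtils and its description are hypothetical.

```sql
-- Added example: whitelisting one CLR assembly under clr strict security.
-- Assembly name and description are hypothetical.
EXEC sys.sp_configure N'show advanced options', 1; RECONFIGURE;
EXEC sys.sp_configure N'clr strict security', 1;  RECONFIGURE;   -- default on 2017+

-- sys.sp_add_trusted_assembly wants the SHA2_512 hash of the assembly bytes.
-- For an assembly loaded before the upgrade, read the bytes back from
-- sys.assembly_files (file_id 1 is the DLL itself). For a new assembly hash the
-- DLL bytes (e.g. OPENROWSET(BULK ..., SINGLE_BLOB)) before CREATE ASSEMBLY.
DECLARE @bits varbinary(max) =
    (SELECT af.content
     FROM sys.assembly_files af
     JOIN sys.assemblies a ON a.assembly_id = af.assembly_id
     WHERE a.name = N'GeoUtils' AND af.file_id = 1);
DECLARE @hash varbinary(64) = HASHBYTES('SHA2_512', @bits);

EXEC sys.sp_add_trusted_assembly
     @hash = @hash,
     @description = N'GeoUtils 1.4.2, built from the internal repo release tag';

-- From here CREATE/ALTER ASSEMBLY of exactly these bytes succeeds with strict
-- security on (the login still needs UNSAFE ASSEMBLY). A rebuilt DLL hashes
-- differently and is refused until re-approved, which is the point.
SELECT hash, description, create_date, created_by FROM sys.trusted_assemblies;

-- Retire the entry when the assembly is removed:
-- EXEC sys.sp_drop_trusted_assembly @hash = @hash;

-- Make sure nobody took the weaker escape hatch instead:
SELECT name FROM sys.databases WHERE is_trustworthy_on = 1 AND database_id > 4;

-- And list assemblies that are not SAFE, so each one has a known owner:
SELECT name, permission_set_desc, create_date FROM sys.assemblies
WHERE is_user_defined = 1 AND permission_set_desc <> N'SAFE_ACCESS';
```

Prefer the trusted-assembly list or certificate signing over TRUSTWORTHY ON: TRUSTWORTHY lets any db_owner escalate to sysadmin through EXECUTE AS, which is a far larger hole than the one the CLR change closes.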
Slide 33.
Microsoft Cloud Security Approach in a Nutshell
• Principles, patterns, and practices
• Security engineering
• Threats and countermeasures
• Secure the network, host, and application
• Application scenarios and solutions
• Security frame
• People, process, and technology
• Application, infrastructure, and business
Cloud Security
http://bit.ly/1zmeYi2
Slide 36.
➢ Same security principles as SQL Server on premises
➢ Full responsibility for the DBA with a Virtual Machine (IaaS)
➢ Partial responsibility for the DBA with Azure SQL Database (PaaS); the platform patches and operates the engine
➢ Automatic updates for Azure SQL Database
➢ New functionality implemented by Microsoft
➢ Some incompatibilities with T-SQL, functions, stored procedures
➢ Increased security by default on the Azure platform
SQL Server Security in the Cloud
Slide 39.
❖ Same principles as always
❖ SQL Server, users, roles, access, permissions
❖ SQL Server engine, but not only
❖ SSAS & SSRS & SSIS
❖ Other DBs (DB2, Oracle, Informix, MySQL, PostgreSQL)
❖ Daily, weekly auditing
❖ Monthly reporting
SQL Server Security on premises
Slide 42.
Risk Management for DBA?
NASA's illustration showing high impact risk areas
for the International Space Station
Slide 44.
Database security concerns the use of a broad range of information security controls to protect
databases (potentially including the data, the database applications or stored functions, the database
systems, the database servers and the associated network links) against compromises of their
confidentiality, integrity and availability.
It involves various types or categories of controls, such as technical, procedural/administrative and
physical. Database security is a specialist topic within the broader realms of computer security,
information security and risk management.
Risk Management for DBA
Slide 45.
Security risks to database systems include, for example:
• unintended activity or misuse by authorized database users, database administrators, or
network/systems managers, or by unauthorized users or hackers (e.g. inappropriate access to
sensitive data, metadata or functions within databases, or inappropriate changes to the database
programs, structures or security configurations);
• malware infections causing incidents such as unauthorized access, leakage or disclosure of
personal or proprietary data, deletion of or damage to the data or programs, interruption or
denial of authorized access to the database, attacks on other systems and the unanticipated
failure of database services;
Risk Management for DBA
Slide 46.
Security risks to database systems include, for example:
• overloads, performance constraints and capacity issues resulting in the inability of authorized
users to use databases as intended;
• physical damage to database servers caused by computer room fires or floods, overheating,
lightning, accidental liquid spills, static discharge, electronic breakdowns/equipment failures and
obsolescence;
• design flaws and programming bugs in databases and the associated programs and systems,
creating various security vulnerabilities (e.g. unauthorized privilege escalation), data
loss/corruption, performance degradation etc.;
• data corruption and/or loss caused by the entry of invalid data or commands, mistakes in
database or system administration processes, sabotage/criminal damage etc.
Risk Management for DBA
Slide 47.
Step 1: Make A List Of What You're Trying To Protect
Step 2: Draw A Diagram And Add Notes
Step 3: Make A List Of Your Adversaries And What They Want
Step 4: Brainstorm Threats From These Adversaries
Step 5: Estimate Probability And Potential Damage (The Overall Risk)
Step 6: Brainstorm Countermeasures And Their Issues
Step 7: Plan, Test, Pilot, Monitor, Troubleshoot and Repeat
Cyber Defense
| Practical Risk Analysis and Threat Modeling
Slide 48.
Even a crude risk analysis and hardening plan is vastly better
than just winging it,
and in many ways a crude plan is better than an overly formal one
if the formal one will never be completed...
or even started
(another case of "the perfect is the enemy of the good").
I hope this seven-step recipe will help you get your own security projects underway!
Conclusion
Slide 50.
Use Power of Tools
➢ Security by Default in Azure
➢ Database Encryption (TDE is on by default for new Azure SQL Databases)
➢ Storage Encryption (Storage Service Encryption is on by default for ARM storage accounts) and Azure Disk Encryption for VM disks
➢ Vulnerability Management
➢ Azure Security Center
➢ Everywhere: Express, Standard, Enterprise
Slide 51.
• Pillar One: risk assessment and management
– A definition of the risks that apply to various asset(s), based on their business criticality.
– An assessment of the current status of each risk before it’s moved to the cloud. Using this information, each
risk can be accepted, mitigated, transferred or avoided.
– An assessment of the risk profile of each asset, assuming it has been moved to the cloud.
• Pillar Two: policy and compliance
– Cloud providers need to understand that simply listing compliance certifications isn’t sufficient. In line with
the mantra of transparency explored in the previous point, providers should take a proactive stance to
sharing their security implementations and controls.
'Dimension Data often assists clients by providing them with a list of questions
that we believe they should be posing to cloud providers as part of the
evaluation process, to ensure they're covering all the bases.'
Three Pillars of a
Secure Hybrid Cloud Environment
Slide 52.
Pillar Three: provider transparency
• Governance: the ability of an organisation to govern and measure enterprise risk introduced by cloud.
• Legal issues: regulations, and requirements to protect the privacy of data, and the security of information and
computer systems.
• Compliance and audit: maintaining and proving compliance when using the cloud.
• Information management and data security: managing cloud data, and responsibility for data confidentiality,
integrity and availability.
• Portability and interoperability: the ability to move data or services from one provider to another, or bring
them back in-house.
• Business continuity and disaster recovery: operational processes and procedures for business continuity and
disaster recovery.
Three Pillars of a
Secure Hybrid Cloud Environment
Slide 53.
Pillar Three: provider transparency
• Data centre: evaluating any elements of a provider's data centre architecture and operations that could be
detrimental to ongoing services.
• Incident response, notification and remediation: adequate incident detection, response, notification, and
remediation.
• Application security: securing application software running on or developed in the cloud.
• Encryption and key management: identifying proper encryption usage and scalable key management.
• Identity and access management: assessing an organisation’s readiness to conduct cloud-based identity,
entitlement, and access management.
• Virtualisation: risks associated with multi-tenancy, virtual machine isolation and co- residence, hypervisor
vulnerabilities, etc.
Three Pillars of a
Secure Hybrid Cloud Environment
Slide 54.
Tobiasz J Koprowski
@KoprowskiT | @SHAConsultingUK
https://about.me/KoprowskiT
http://KoprowskiT.eu/geek
after session