Meeting Security Benchmarks and Compliance with Microsoft SQL Server
K. Brian Kelley
About Me
• Security Related:
– Infrastructure & Security Architect
– Certified Information Systems Auditor (CISA)
– Accredited CISA Trainer
– Incident Handler / Penetration Tester
• SQL Server Related:
– Data Architect
– SQL Server security columnist / blogger
– SQL Server and Security speaker & trainer
Agenda
• What Audit and Compliance Focuses On
• The Three A’s
• Data Security
• Encryption and Obfuscation
• Detecting Structural Change
Audit and Compliance
Understanding the Jargon
What do I care about as an auditor?
• Information Systems (IS) processes
• Related business processes
• Controls over those processes
What’s a Control?
• Two parts:
– Objective
– Measure
• Objective: what you’re trying to achieve
• Measure: something done to fulfill said objective
The Control Mantra
• Documentation alone isn’t a control.
Therefore:
• No evidence? No control.
• No review? No control.
The Three A’s
What are the three A’s?
• Authentication: proving who you are
• Authorization: determining what rights/permissions you have
• Accounting / Auditing: tracking what you do
Demo
Data Security
What to Look for in Data Security
• Permissions are important, so start there
• Should be tied to data classification
• Encompasses data encryption and obfuscation
• Data handling as well
Demo
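The three A’s and the “start with permissions, tie them to classification” point, as an added T-SQL example that is not part of the deck. It assumes a constructed SalesDb database with a Sales schema, an existing D:\SQLAudit\ folder writable by the service account, and made-up login, role and table names; the sensitivity-classification part needs SQL Server 2019 or later, which goes beyond what the slides cover.

```sql
-- Constructed sample: database SalesDb, schema Sales, one table holding customer data.
USE SalesDb;
GO
CREATE TABLE Sales.Customer (
    CustomerId int           NOT NULL PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    Email      nvarchar(256) NOT NULL,
    CardLast4  char(4)       NULL
);
GO
-- Authentication (who you are): a SQL login that inherits the Windows password policy.
-- A domain principal would be: CREATE LOGIN [CORP\SalesReporting] FROM WINDOWS;
CREATE LOGIN SalesReporting
    WITH PASSWORD = '<strong password here>', CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO
-- Authorization (what you may do): login -> user -> role; grant to the role, never to the
-- user, and grant only the columns the job needs (CardLast4 is deliberately left out).
CREATE USER SalesReporting FOR LOGIN SalesReporting;
CREATE ROLE SalesReader;
GRANT SELECT ON Sales.Customer (CustomerId, FullName, Email) TO SalesReader;
ALTER ROLE SalesReader ADD MEMBER SalesReporting;
GO
-- Evidence of the authorization control: effective permissions as seen by that user.
EXECUTE AS USER = 'SalesReporting';
SELECT entity_name, subentity_name, permission_name
FROM fn_my_permissions('Sales.Customer', 'OBJECT');
REVERT;
GO
-- Accounting (what you did): a server audit that records every successful and failed login.
-- FAIL_OPERATION makes an audit write failure block the audited action instead of losing it.
CREATE SERVER AUDIT LoginAudit
    TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION);
ALTER SERVER AUDIT LoginAudit WITH (STATE = ON);
CREATE SERVER AUDIT SPECIFICATION LoginAuditSpec
    FOR SERVER AUDIT LoginAudit
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
GO
-- Review (no review, no control): failed logins in the last day, by principal and source.
SELECT event_time, server_principal_name, client_ip, application_name, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\LoginAudit*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'     -- LGIF = login failed, LGIS = login succeeded
  AND event_time >= DATEADD(day, -1, SYSUTCDATETIME())   -- audit times are UTC
ORDER BY event_time DESC;
GO
-- Data security: tie permissions to classification (SQL Server 2019+ / Azure SQL).
-- Label the sensitive columns, then report who holds what on each labelled column.
ADD SENSITIVITY CLASSIFICATION TO Sales.Customer.Email
    WITH (LABEL = 'Confidential', INFORMATION_TYPE = 'Contact Info', RANK = MEDIUM);
ADD SENSITIVITY CLASSIFICATION TO Sales.Customer.CardLast4
    WITH (LABEL = 'Highly Confidential', INFORMATION_TYPE = 'Financial', RANK = HIGH);
GO
SELECT sc.label,
       OBJECT_SCHEMA_NAME(sc.major_id) + '.' + OBJECT_NAME(sc.major_id) AS table_name,
       c.name  AS column_name,
       pr.name AS grantee, pr.type_desc AS grantee_type,
       dp.permission_name, dp.state_desc
FROM sys.sensitivity_classifications AS sc
JOIN sys.columns AS c
  ON c.object_id = sc.major_id AND c.column_id = sc.minor_id
JOIN sys.database_permissions AS dp
  ON dp.class = 1                                    -- 1 = OBJECT_OR_COLUMN
 AND dp.major_id = sc.major_id
 AND (dp.minor_id = 0 OR dp.minor_id = sc.minor_id)  -- whole-table grant, or this column
JOIN sys.database_principals AS pr
  ON pr.principal_id = dp.grantee_principal_id
ORDER BY sc.rank DESC, table_name, column_name, grantee;
-- A role is only as safe as its membership, so list that next to the grants.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY role_name, member_name;
```

Saved output of the two review queries, dated and signed off, is the evidence an auditor will ask for; the permission on CardLast4 should come back empty for the reporting role.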
Encryption / Obfuscation
Data Encryption
• Sensitivity of the data (data classification)
• Impact to the organization should information be stolen / lost
• Regulations, compliance requirements, laws, industry standards
• Algorithms for encryption and how they’re implemented
SQL Server Encryption Options
• Built-in Encryption Objects and Functions
• AlwaysEncrypted
• Transparent Data Encryption
Data Encryption – Operations
• Key escrow must be specified, tested, and have approved controls
• Performance impact
• Situations where the data exists in plaintext (in memory, etc.)
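The built-in encryption objects together with the key-escrow and plaintext-exposure points above, as an added T-SQL example that is not from the deck. It assumes the constructed SalesDb database, a Sales schema, an escrow folder D:\Escrow\ reachable by the service account, and placeholder passwords.

```sql
USE SalesDb;  -- constructed database; key, certificate and table names are assumptions
GO
-- Key hierarchy: database master key -> certificate -> symmetric key that encrypts the column.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects CardKey';
CREATE SYMMETRIC KEY CardKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO
-- Key escrow: back up the master key and the certificate WITH its private key to the escrow
-- location. The control is only proven when these files restore on a test instance.
BACKUP MASTER KEY TO FILE = 'D:\Escrow\SalesDb_dmk.key'
    ENCRYPTION BY PASSWORD = '<escrow password>';
BACKUP CERTIFICATE CardCert TO FILE = 'D:\Escrow\CardCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\Escrow\CardCert.pvk',
                      ENCRYPTION BY PASSWORD = '<escrow password>');
GO
CREATE TABLE Sales.Card (
    CardId        int IDENTITY(1,1) PRIMARY KEY,
    CustomerId    int NOT NULL,
    CardNumberEnc varbinary(256) NOT NULL   -- ciphertext only; there is no plaintext column
);
GO
-- Write path: open the key, encrypt, close. The authenticator (here the customer id) binds
-- the ciphertext to its row, so a value copied into another row no longer decrypts.
DECLARE @CustomerId int = 42;   -- constructed value
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT Sales.Card (CustomerId, CardNumberEnc)
VALUES (@CustomerId,
        EncryptByKey(Key_GUID('CardKey'), N'4111111111111111', 1, CONVERT(sysname, @CustomerId)));
CLOSE SYMMETRIC KEY CardKey;
GO
-- Read path: this is one of the places the data exists in plaintext (the result set, and
-- server memory on the way there), so the connection must use TLS and the caller must need it.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
SELECT CardId,
       CONVERT(nvarchar(32),
               DecryptByKey(CardNumberEnc, 1, CONVERT(sysname, CustomerId))) AS CardNumber
FROM Sales.Card;
CLOSE SYMMETRIC KEY CardKey;
GO
-- Evidence for the reviewer: which keys exist and with what algorithm, and whether
-- Transparent Data Encryption is on for each database.
SELECT name, algorithm_desc, key_length, create_date FROM sys.symmetric_keys;
SELECT DB_NAME(database_id) AS database_name, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;   -- encryption_state 3 = encrypted
```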
Data Obfuscation
• Typically, data in its resting state is unprotected.
• It may also be stored at rest without encryption.
• For less-than-privileged access, the data is masked in some way.
• Some definitions include encryption as part of data obfuscation.
Data Obfuscation in SQL Server
• Dynamic Data Masking - Introduced in SQL Server 2017
• Built into the table definition; uses the masking rule you define per column
• Privileged users can still see unmasked data
• Transparent to the application / reporting layer
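Dynamic Data Masking as the slide describes it, as an added T-SQL example that is not from the deck. It assumes the constructed SalesDb database and a Sales schema; the user, table and masking rules are made up for illustration.

```sql
USE SalesDb;  -- constructed database
GO
-- Masking is part of the table definition: one masking function per sensitive column.
CREATE TABLE Sales.Contact (
    ContactId   int IDENTITY(1,1) PRIMARY KEY,
    FullName    nvarchar(100) MASKED WITH (FUNCTION = 'partial(1, "XXXXXXXX", 0)') NOT NULL,
    Email       nvarchar(256) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    Phone       varchar(20)   MASKED WITH (FUNCTION = 'default()') NULL,
    CreditLimit money         MASKED WITH (FUNCTION = 'random(1, 9999)') NULL
);
INSERT Sales.Contact (FullName, Email, Phone, CreditLimit)
VALUES (N'Ada Lovelace', N'ada@example.com', '555-0100', 12000);   -- constructed row
GO
-- A less-than-privileged reader: SELECT on the table, no UNMASK.
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON Sales.Contact TO ReportReader;
GO
-- Same query, two principals. The application needs no change: the masking happens
-- in the result set, which is why it is transparent to the reporting layer.
EXECUTE AS USER = 'ReportReader';
SELECT FullName, Email, Phone, CreditLimit FROM Sales.Contact;   -- masked values
REVERT;
SELECT FullName, Email, Phone, CreditLimit FROM Sales.Contact;   -- db_owner: real values
GO
-- UNMASK is the permission that turns masking off for a principal. Granting it is a
-- control decision that needs an approval record, so it is revoked again here.
GRANT UNMASK TO ReportReader;
REVOKE UNMASK FROM ReportReader;
GO
-- Evidence for the reviewer: which columns are masked, with what, and who can unmask.
SELECT OBJECT_SCHEMA_NAME(object_id) + '.' + OBJECT_NAME(object_id) AS table_name,
       name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
SELECT pr.name AS grantee, dp.permission_name, dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.permission_name = 'UNMASK';
```

Masking is applied to query results only: the stored data is plaintext, and a reader who can filter on a masked column can still learn about its contents, so DDM complements encryption rather than replacing it.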
Detecting Structural Change
DDL is important, too
What do I care about?
• Changes to Security Principals
• Changes to Security Permissions on Objects
• Changes to Objects Themselves
• Creation of New Databases
• Creation of New Objects
Out-of-the-box Options
• Extended Events are your friend.
• Other Options:
– Audit object (built on Extended Events)
– Triggers
– Default Trace
– Transaction Log (maybe)
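The “what do I care about?” list above, mapped onto the two out-of-the-box options the slide recommends (an Extended Events session and the Audit object), as an added T-SQL example that is not from the deck. It assumes the constructed SalesDb database and an existing D:\SQLAudit\ folder writable by the service account; session, audit and specification names are made up.

```sql
-- Option 1: Extended Events. One session for object creation, alteration and deletion,
-- capturing who did it, from where, and the statement. Fires once per committed DDL.
CREATE EVENT SESSION DdlWatch ON SERVER
ADD EVENT sqlserver.object_created (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname,
            sqlserver.client_app_name, sqlserver.database_name, sqlserver.sql_text)
    WHERE ddl_phase = 1),   -- 1 = Commit (0 = Begin would log attempts that roll back)
ADD EVENT sqlserver.object_altered (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname,
            sqlserver.client_app_name, sqlserver.database_name, sqlserver.sql_text)
    WHERE ddl_phase = 1),
ADD EVENT sqlserver.object_deleted (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname,
            sqlserver.client_app_name, sqlserver.database_name, sqlserver.sql_text)
    WHERE ddl_phase = 1)
ADD TARGET package0.event_file (SET filename = N'D:\SQLAudit\DdlWatch.xel', max_file_size = 64)
WITH (STARTUP_STATE = ON);   -- comes back after a restart
ALTER EVENT SESSION DdlWatch ON SERVER STATE = START;
GO
-- Reading the session file: shred the event XML into a reviewable table.
SELECT x.value('(event/@name)[1]', 'sysname')                                 AS event_name,
       x.value('(event/@timestamp)[1]', 'datetime2')                           AS event_time_utc,
       x.value('(event/action[@name="database_name"]/value)[1]', 'sysname')    AS database_name,
       x.value('(event/data[@name="object_name"]/value)[1]', 'sysname')        AS object_name,
       x.value('(event/action[@name="server_principal_name"]/value)[1]', 'sysname') AS who,
       x.value('(event/action[@name="client_hostname"]/value)[1]', 'sysname')  AS from_host,
       x.value('(event/action[@name="sql_text"]/value)[1]', 'nvarchar(max)')   AS statement
FROM sys.fn_xe_file_target_read_file('D:\SQLAudit\DdlWatch*.xel', NULL, NULL, NULL) AS f
CROSS APPLY (SELECT CONVERT(xml, f.event_data)) AS e(x)
ORDER BY event_time_utc DESC;
GO
-- Option 2: the Audit object. Each slide bullet maps to an audit action group.
CREATE SERVER AUDIT StructuralChangeAudit
    TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION);
ALTER SERVER AUDIT StructuralChangeAudit WITH (STATE = ON);
CREATE SERVER AUDIT SPECIFICATION StructuralChangeServerSpec
    FOR SERVER AUDIT StructuralChangeAudit
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),      -- logins created / altered / dropped
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),    -- e.g. someone added to sysadmin
    ADD (DATABASE_CHANGE_GROUP),              -- creation of new databases
    ADD (AUDIT_CHANGE_GROUP)                  -- tampering with the audit itself
    WITH (STATE = ON);
GO
USE SalesDb;
GO
CREATE DATABASE AUDIT SPECIFICATION StructuralChangeDbSpec
    FOR SERVER AUDIT StructuralChangeAudit
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),         -- changes to security principals
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),   -- permissions on objects
    ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)               -- objects themselves, incl. new ones
    WITH (STATE = ON);
GO
-- Review query: everything structural in the last day, newest first.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, schema_name, object_name, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\StructuralChangeAudit*.sqlaudit', DEFAULT, DEFAULT)
WHERE event_time >= DATEADD(day, -1, SYSUTCDATETIME())
ORDER BY event_time DESC;
```

Whichever option is used, the review query output needs a reader and a record of the review, otherwise the slide’s mantra applies: no review, no control.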
Demo
What We Covered
• What Audit and Compliance Focuses On
• The Three A’s
• Data Security
• Encryption and Obfuscation
• Detecting Structural Change

(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

Geek Sync | Meeting Security Benchmarks and Compliance with Microsoft SQL Server - K. Brian Kelley | IDERA

1. Meeting Security Benchmarks and Compliance with Microsoft SQL Server
K. Brian Kelley

2. About Me
• Security Related:
– Infrastructure & Security Architect
– Certified Information Systems Auditor (CISA)
– Accredited CISA Trainer
– Incident Handler / Penetration Tester
• SQL Server Related:
– Data Architect
– SQL Server security columnist / blogger
– SQL Server and Security speaker & trainer

3. Agenda
• What Audit and Compliance Focuses On
• The Three As
• Data Security
• Encryption and Obfuscation
• Detecting Structural Change

5. What do I care about as an auditor?
• Information Systems (IS) processes
• Related business processes
• Controls over those processes

6. What’s a Control?
• Two parts:
– Objective
– Measure
• Objective: what you’re trying to achieve
• Measure: something done to fulfill said objective

7. The Control Mantra
• Documentation alone isn’t a control.
Therefore:
• No evidence? No control.
• No review? No control.

9. What are the three A’s?
• Authentication: proving who you are
• Authorization: determining what rights/permissions you have
• Accounting / Auditing: tracking what you do

10. Demo

12. What to Look for in Data Security
• Permissions are important, so start there
• Should be tied to data classification
• Encompasses data encryption and obfuscation
• Data handling as well

13. Demo

15. Data Encryption
• Sensitivity of the data (data classification)
• Impact to the organization should information be stolen / lost
• Regulations, compliance requirements, laws, industry standards
• Algorithms for encryption and how they’re implemented

16. SQL Server Encryption Options
• Built-in Encryption Objects and Functions
• AlwaysEncrypted
• Transparent Data Encryption

17. Data Encryption – Operations
• Key Escrow must be specified, tested, and have approved controls
• Performance impact
• Situations where the data exists in plaintext (in memory, etc.)
18. Data Obfuscation
• Typically data, in its resting state, is unprotected.
• Could also exist at rest in a non-encrypted way.
• For less than privileged access, data is masked in some way.
• Some include encryption as part of data obfuscation
19. Data Obfuscation in SQL Server
• Dynamic Data Masking - Introduced in SQL Server 2017
• Built into table definition - Uses algorithm you define
• Privileged users can still see unmasked data
• Seamless to application / reporting layer

20. Detecting Structural Change
DDL is important, too

21. What do I care about?
• Changes to Security Principals
• Changes to Security Permissions on Objects
• Changes to Objects Themselves
• Creation of New Databases
• Creation of New Objects

22. Out-of-the-box Options
• Extended Events are your friend.
• Other Options:
– Audit object (built on Extended Events)
– Triggers
– Default Trace
– Transaction Log (maybe)

23. Demo

24. What We Covered
• What Audit and Compliance Focuses On
• The Three As
• Data Security
• Encryption and Obfuscation
• Detecting Structural Change
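Slides 18 and 19 describe masking in the abstract. The following is an added example (not from the deck or the presenter) showing Dynamic Data Masking on a hypothetical dbo.Customer table, followed by the two catalog checks an auditor would collect as evidence; the table, the AppReader user and the sample row are constructed.

```sql
-- Added example, not from the deck: Dynamic Data Masking on a hypothetical
-- dbo.Customer table, with the two checks an auditor would run afterwards.
CREATE TABLE dbo.Customer
(
    CustomerId  int IDENTITY(1,1) PRIMARY KEY,
    FullName    nvarchar(100) NOT NULL,
    Email       nvarchar(200) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    SSN         char(11)      MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NOT NULL,
    CreditLimit money         MASKED WITH (FUNCTION = 'default()') NOT NULL
);

-- Constructed sample row.
INSERT INTO dbo.Customer (FullName, Email, SSN, CreditLimit)
VALUES (N'Jane Doe', N'jane.doe@example.com', '123-45-6789', 5000.00);

-- A reader without UNMASK: email() keeps the first character and the domain
-- suffix, partial() keeps only the last four characters, default() zeroes money.
CREATE USER AppReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customer TO AppReader;
EXECUTE AS USER = 'AppReader';
SELECT FullName, Email, SSN, CreditLimit FROM dbo.Customer;
REVERT;

-- Masking is a presentation control, not access control: anyone holding UNMASK
-- (or db_owner / sysadmin) reads the real values, so the grant list is the control.
-- GRANT UNMASK TO AppReader;

-- Check 1: which columns are masked, and how?
SELECT SCHEMA_NAME(t.schema_id) AS schema_name, t.name AS table_name,
       mc.name AS column_name, mc.masking_function
FROM sys.masked_columns AS mc
JOIN sys.tables AS t ON t.object_id = mc.object_id;

-- Check 2: which principals can unmask? (Keep the reviewed output as evidence.)
SELECT pr.name AS principal_name, dp.permission_name, dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.permission_name = N'UNMASK';
```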
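For the change list on slide 21 and the Audit object on slide 22, here is an added example (not from the deck or the presenter) of a server audit that records each of those change types to a file, plus the review query that produces the evidence the control mantra asks for; the audit name, specification name and file path are hypothetical.

```sql
-- Added example, not from the deck: a SQL Server Audit covering the slide 21 list.
-- Audit name, specification name and file path are hypothetical.
USE master;
GO
CREATE SERVER AUDIT StructuralChangeAudit
TO FILE (FILEPATH = N'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000,
      ON_FAILURE = CONTINUE);  -- use FAIL_OPERATION or SHUTDOWN where the control requires it
GO
CREATE SERVER AUDIT SPECIFICATION StructuralChange_Server
FOR SERVER AUDIT StructuralChangeAudit
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),            -- logins created / altered / dropped
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),          -- sysadmin and other server role membership
    ADD (SERVER_PERMISSION_CHANGE_GROUP),           -- GRANT / DENY / REVOKE at server scope
    ADD (DATABASE_CHANGE_GROUP),                    -- CREATE / ALTER / DROP DATABASE
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),          -- users and roles in any database
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),        -- db_owner and other role membership
    ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP),  -- permissions on objects
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),               -- CREATE / ALTER / DROP of tables, procs, views
    ADD (AUDIT_CHANGE_GROUP)                        -- changes to the audit itself
WITH (STATE = ON);
GO
ALTER SERVER AUDIT StructuralChangeAudit WITH (STATE = ON);
GO

-- Review query: the evidence half of the control. Run it on a schedule, compare
-- against approved change records, and retain the reviewed output.
SELECT event_time, action_id, server_principal_name, database_name,
       schema_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\StructuralChangeAudit_*.sqlaudit', DEFAULT, DEFAULT)
WHERE event_time >= DATEADD(day, -7, SYSUTCDATETIME())
ORDER BY event_time;
```

The same groups can be placed in a database audit specification instead when only one database is in scope; the server-level form above covers every database on the instance, including ones created after the audit was enabled.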