European PASS Conference 2008 - SQL Server Development - Security Best Practices - Charley Hanania
  • Hello and Welcome to this European PASS Conference session on SQL Server 2005 Security Best Practices for SQL Server Development, I’m Charley Hanania... I’m a Senior Database Specialist working for UBS Investment Bank as the Production Product Owner for MS SQL Server. I’ve been working in the industry for around 18 years now, focussed on databases for close to 15... In today’s session you'll find out the ways Microsoft SQL Server approaches security to help developers design systems to be secure by default. We’ll be focussing on key security concepts in SQL Server 2000, 2005 and 2008 and looking at a few examples along the way to bring these concepts to light. Let us start this session by going into more detail on exactly what we will be covering.
  • SQL Server 2000 permitted encrypted connections over all network libraries by using certificates and SSL encryption.
  • In SQL Server 2005, you can encrypt data in the database by writing custom Transact-SQL that uses the cryptographic capabilities of the database engine. SQL Server 2008 improves upon this situation by introducing transparent data encryption. Transparent data encryption performs all cryptographic operations at the database level, removing any need for application developers to create custom code to encrypt and decrypt data. Data is encrypted as it is written to disk, and decrypted as it is read from disk. By using SQL Server to manage encryption and decryption transparently, you can help secure business data in the database without requiring any changes to existing applications.
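
The contrast drawn in the note above, as an added example that is not part of the original presentation: explicit column encryption in custom Transact-SQL (SQL Server 2005), then transparent data encryption (SQL Server 2008). The database SalesDemo, the table dbo.Customer, the key and certificate names, the file paths and the passwords are placeholders, and protecting the database encryption key with a server certificate is an assumption of this example.

```sql
-- Added example: all object names, paths and passwords below are placeholders.
-- Part 1 (SQL Server 2005): the developer encrypts one column explicitly.
USE SalesDemo;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-password-1>';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects CardKey';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256          -- per the algorithm table: not offered on XP SP2
    ENCRYPTION BY CERTIFICATE CardCert;
GO
CREATE TABLE dbo.Customer (
    CustomerId    int IDENTITY PRIMARY KEY,
    CardNumberEnc varbinary(128) NOT NULL   -- only ciphertext is stored
);
GO
-- Every code path that touches the column must open the key and call
-- EncryptByKey / DecryptByKey itself; this is the custom code TDE removes.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT INTO dbo.Customer (CardNumberEnc)
VALUES (EncryptByKey(Key_GUID('CardKey'), N'0000-0000-0000-0000'));  -- constructed value
SELECT CustomerId,
       CONVERT(nvarchar(25), DecryptByKey(CardNumberEnc)) AS CardNumber
FROM dbo.Customer;
CLOSE SYMMETRIC KEY CardKey;
GO

-- Part 2 (SQL Server 2008): transparent data encryption of the whole database.
-- No application query changes; pages are encrypted on write, decrypted on read.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-password-2>';  -- skip if master already has one
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for SalesDemo';
-- Back up the certificate and private key before enabling TDE: without them
-- the database files and backups cannot be attached or restored elsewhere.
BACKUP CERTIFICATE TdeCert TO FILE = 'C:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<placeholder-password-3>');
GO
USE SalesDemo;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
ALTER DATABASE SalesDemo SET ENCRYPTION ON;
GO
-- Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS database_name, encryption_state
FROM sys.dm_database_encryption_keys;
```

TDE protects data at rest (data files, log files and backups); rows returned to an authorised session are plaintext in both parts, so column-level permissions still matter.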

Presentation Transcript

  • For SQL Server Development
    Charley Hanania, B.Sc (Computing Science), MCP, MCDBA, MCITP, MCTS, MCT
    Senior Database Specialist
    Production Product Owner – MS SQL Server
    UBS Investment Bank
  • Outline
    • Why is Security important?
    • Reducing Attack Surface
    • Trustworthy Computing
    • The Principle of Least Privilege
    D2-S5-AD – SQL Server Development: Security Best Practices
  • Security Principles
    • Authenticate and authorise
    • Reduce surface area
    • Audit events
    • Encrypt
  • Is Security something that MS are focused on?
    [Chart: # of CVE per year, 2002 to 2007, SQL Server vs. Oracle Database]
    Notes: Updated as of 10/18/2007. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, Oracle (8i, 9i, 9iR2, 10g, 10gR2). Query for Oracle was run with vendor name: ‘Oracle’, and product name: ‘any’ (all database product name variations were queried). Query for Microsoft was run with vendor name: ‘Microsoft’; product name: ‘Microsoft SQL Server’; version name: ‘Any’.
    Source: NIST National Vulnerability Database
  • Defence in Depth: Using a layered Approach
    • Layers: Network, Operating System, Database Mgt System
    • Diagram labels: Protocols, Ports, Shares, Services, Accounts, Auditing & Logging, Files & Directories, Registry, Firewalls, Packet Filters, Installed Features, Enabled Components, Authentication Modes, Endpoints
  • Context Switching
  • Authorization
    • Principle of Least Privileges
    • Rich Access Control Model
      – Granular permissions
      – Choice of appropriate scope (database, schema, object, sub-object)
      – Role Based Access control
      – Application module based access control
      – Minimizing application impact for user management
      – Both Data (above) and Metadata
    • Ease of security management
  • Data Encryption within Tables
    Encrypting Sensitive Data
  • Data Encryption
    • Why consider encryption?
      – Additional layer of security
      – Required by some regulatory compliance laws
    • In SQL Server 2000
      – Vendor support required
    • In SQL Server 2005
      – Built-in support for explicit data encryption
    • In SQL Server 2008
      – Transparent data encryption
      – Extensible key management
    [Diagram labels: Threat Detected, Emergency Procedure, Server Highly Protected]
  • SQL Server Cryptographic Capabilities
    • Transparent Data Encryption and Decryption built-in
    • DDL for creation of
      – Symmetric Keys
      – Asymmetric Keys and Certificates
    • Symmetric Keys and Private Keys are stored encrypted
    • Securing the Keys themselves
      – Based on user passwords
      – Automatic, using SQL Server key management
  • Encryption Algorithm Support
    • Algorithms and key lengths vary; depends on CSP (Cryptographic Services Provider)
    • Performance depends on size of data being ciphered

    Algorithm   XP SP2    WS2003
    DES         56 (64)   56 (64)
    3DES        128       128
    DESX        184       184
    AES128      -         128
    AES192      -         192
    AES256      -         256
    RC2         128       128
    RC4         40        40
    RC4_128     128       128
    RSA         2048      2048
  • User Schema Separation
    Moving objects into other schemas
  • So What’s New in SQL Server 2008?
    Sharepoint Integration; Transparent Data Encryption; External Key Management; Hot Pluggable CPU support; Data Auditing; Data Compression; Backup Compression; Enhanced Database Mirroring; Performance Data Collection; Improved Plan Guide Support; Resource Governor; Improved Datatypes; HierarchyID; LinQ; Change Data Capture; Table Valued Parameters; Large UDTs; MERGE Statements; XML Enhancements; Service Broker Enhancements; Spatial Data; Policy based Management; Microsoft System Center Integration; Extended Events; Data Compression; FILESTREAM; Integrated Full Text Indexing; Sparse Columns; New Index Types; Partition Table Parallelism; Star Join Support; Persistent Lookups; Improved Thread Scheduling; MERGE Statement; Change Data Capture; Scale-out Analysis Services; Subspace Computations; Data Mining Add-ins for Excel; IIS Agnostic RS; Rich Text Support; Report Designer; Word/Excel Designing; Entity Data Model
  • Transparent Data Encryption
    • Encryption/decryption occurs at the database
      – Uses Database Encryption Key (DEK)
    • Applications do not need to handle encryption/decryption of data
      – Treat encrypted and unencrypted data in an identical way
    • DEK is encrypted with:
      – Password
      – Service Master Key
      – Hardware Security Module
    • DEK must be decrypted to attach database files or restore a backup
    [Diagram labels: SQL Server 2008, DEK, Client Application, Encrypted data page]
  • Links
    • Hello Secure World
      http://www.microsoft.com/click/hellosecureworld/default.mspx
    • Microsoft Security Assessment Tool
      http://www.microsoft.com/downloads/details.aspx?FamilyID=6D79DF9C-C6D1-4E8F-8000-0BE72B430212&displaylang=en
    • Microsoft Application Verifier
      http://www.microsoft.com/downloads/details.aspx?FamilyID=bd02c19c-1250-433c-8c1b-2619bd93b3a2&DisplayLang=en
    • Microsoft Threat Analysis & Modelling Tool
      http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&DisplayLang=en
    • How To: Protect From SQL Injection in ASP.NET
      http://msdn2.microsoft.com/en-us/library/ms998271.aspx
    • Securing Your Database Server
      http://msdn.microsoft.com/en-us/library/aa302434.aspx
    • Threats and Countermeasures
      http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch00.mspx
  • Questions?
  • Thank you!