Protecting Your Key Asset – Data Protection Best Practices V2.0 Final

772 views
718 views

Published on

The session that I did for Security Workshop on Data at a conference

Published in: Technology
1 Comment
0 Likes
Statistics
Notes
  • APOSENTE-SE HOJE E GANHE R$ 4.650,00 PREVIDENCIA PRIVADA PLANO FUTURO E O PROJETO VENDA BRASIL ESTA OREFECENDO UMA APOSENTADORIA PARA O RESTO DE SUA VIDA NO VALOR DE 10 SALARIOS MINIMOS COM UM INVESTIMENTO DE APENAS R$ 10,00 MENSAIS ATÉ COMPLETAR OS 11 SETORES A SUA FRENTE, SAIBA MAIS EM UMA CONFERÊNCIA ON-LINE. E FAÇA SEU CADASTRO AQUI: http:// www. projetovendabras il.com.br/ ?p=3911 WWW. DANIELFARIA.COM. BR
    Website www.projetovendabrasil.com.br/?p=39…
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

No Downloads
Views
Total views
772
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
51
Comments
1
Likes
0
Embeds 0
No embeds

No notes for slide
  • Protecting Your Key Asset – Data Protection Best Practices V2.0 Final

    1. 1. Protecting your Key Asset – Data Protection Best Practices Vinod Kumar M Technology Evangelist Microsoft Corporation www.ExtremeExperts.com
    2. 2. Agenda <ul><li>“ Best Practices” is a broad area </li></ul><ul><li>This talk focuses on operational tasks </li></ul><ul><li>Look at various Data aspects </li></ul>
    3. 3. “ Security…But isn’t that the Admin’s Job?”
    4. 4. Understanding Basic Security <ul><li>Restricting user access </li></ul><ul><li>Disabling services and restricting service configuration </li></ul><ul><li>Reducing the surface area of attack for new features </li></ul>
    5. 5. Defense in Depth <ul><li>Always design your countermeasures to have at least two levels of defense </li></ul><ul><li>This means that you put your defenses in serially rather than in parallel; attackers needs to overcome A and B – not A or B </li></ul><ul><li>Use all the available countermeasures – technology, process, people </li></ul><ul><li>Countermeasures and vulnerabilities are really two sides of the same coin </li></ul>
    6. 6. Incidents Reported Industry Wide <ul><li>CERT/CC incident statistics 1988 through 2006 </li></ul><ul><li>Incident: single security issue grouping together all impacts of that that issue </li></ul><ul><li>Issue: disruption, DOS, loss of data, misuse, damage, loss of confidentiality </li></ul>Source: http://www.cert.org/stats/cert_stats.html 0 20000 40000 60000 80000 100000 120000 160000 180000 '88 '90 '92 '94 '96 '98 '00 '02
    7. 7. Know Your Enemy Port Scanners Black Hat Community Sharing Brute Force pwd crackers Dictionary Based pwd crackers Network Sniffers De-compilers Debuggers Cracker Tools
    8. 8. Mobile Device – Security Aspect
    9. 9. Mobile – Entry Points <ul><li>Access to Device </li></ul><ul><li>Access to Store-Data </li></ul><ul><li>Access to wireless networks </li></ul>
    10. 10. Mobile – Security Practices <ul><li>Risk Analysis </li></ul><ul><li>Make Security policies </li></ul><ul><ul><li>Password </li></ul></ul><ul><ul><li>Anti-Virus Software </li></ul></ul><ul><ul><li>Encryption </li></ul></ul><ul><ul><li>Need-to-know Data store </li></ul></ul>
    11. 11. Mobile – Security Practices <ul><li>Authentication </li></ul><ul><ul><li>Perimeter Security </li></ul></ul><ul><li>Encryption </li></ul><ul><ul><li>Data Encryption – Pocket PC (SQL CE – 128 bit encryption) </li></ul></ul><ul><ul><li>App Encryption – .NET CF & High Encryption Pack </li></ul></ul><ul><ul><li>Information Service Encryption </li></ul></ul><ul><ul><li>Network Encryption </li></ul></ul><ul><li>Lock- Down Functionality </li></ul>
    12. 12. Desktop Data Security
    13. 13. Where is Customer’s Data Stored? <ul><li>Q: Where is the biggest data exposure risk? </li></ul>SQL
    14. 14. Clients <ul><li>Documents </li></ul><ul><ul><li>Where do customers’ users keep their documents? </li></ul></ul><ul><li>User Profile </li></ul><ul><ul><li>Outlook, Sharepoint, Desktop, Temp, IE… </li></ul></ul><ul><li>per-machine data </li></ul><ul><ul><li>Search index, offline file cache, pagefile… </li></ul></ul><ul><li>Non-standard locations </li></ul><ul><ul><li>… ISV & in-house apps </li></ul></ul>
    15. 15. What is EFS?
    16. 16. Encrypting File System <ul><li>Privacy of data that goes beyond access control </li></ul><ul><ul><li>Protect confidential data on laptops </li></ul></ul><ul><ul><li>Configurable approach to data recovery </li></ul></ul><ul><li>Integrated with core operating system components </li></ul><ul><ul><li>Windows NT File System - NTFS </li></ul></ul><ul><ul><li>Crypto API key management </li></ul></ul><ul><ul><li>LSA security policy </li></ul></ul><ul><li>Transparent and very high performance </li></ul>
    17. 17. What EFS is not… <ul><li>A way to protect local user credentials </li></ul><ul><li>A way to protect data in transit (think IPSec) </li></ul><ul><li>A way to protect business transaction documents (think Windows Rights Management) </li></ul>
    18. 18. EFS File Encryption RNG Data decryption field generation (RSA) Data recovery field generation (RSA) DDF DRF User’s public key Recovery agent’s public key in recovery policy Randomly- generated file encryption key (FEK) File encryption (e.g. AES) A quick brown fox jumped... *#$fjda^j u539!3t t389E *&
    19. 19. EFS File Decryption *#$fjda^j u539!3t t389E *& DDF A quick brown fox jumped... DDF extraction (RSA) File decryption (e.g. AES) File encryption key DDF is decrypted using the user’s private key to get the file encryption key DDF contains file encryption key encrypted under user’s public key User’s private key
    20. 20. EFS File Recovery *#$fjda^j u539!3t t389E *& DRF A quick brown fox jumped... DRF extraction (RSA) File decryption (e.g. AES) File encryption key DRF is decrypted using the DRA ’s private key to get the file encryption key DRF contains file encryption key encrypted under DRA ’s public key DRA ’s private key
    21. 21. EFS best practices: recovery <ul><li>No local Recovery Agents </li></ul><ul><ul><li>Prevents data comprise in “stolen laptop” scenario </li></ul></ul><ul><ul><li>Prevents out-of-process data recovery… if encrypted data needs to be recovered, it should be an audited operation </li></ul></ul><ul><li>Have at least 2 Recovery Agents per domain </li></ul><ul><li>Encrypt directories, not files </li></ul><ul><ul><li>Ensures that temp files created in process are also encrypted </li></ul></ul><ul><ul><li>Prevents data recovery from free space on the file system </li></ul></ul><ul><li>Encrypt CSC cache (Offline Files) </li></ul><ul><ul><li>Protects temporary files that maybe written during application execution </li></ul></ul>
    22. 22. Document Protection
    23. 23. Windows Rights Management Services (RMS) <ul><li>Information protection technology that augments security strategies </li></ul><ul><li>Users can easily safeguard sensitive information from unauthorized use </li></ul><ul><li>Organizations can centrally manage internal information usage policies </li></ul><ul><li>Uses RMS Server, RMS Client and RMS-enabled apps </li></ul>RMS protects information both online and offline, inside and outside of the firewall.
    24. 24. RMS Publishing Flow (“online”) File Recipient File Author RM Server <ul><li>Author creates a file and defines a set of rights and rules. </li></ul><ul><li>Application encrypts file and sends unsigned “publishing license” to RMS; Server signs and returns publishing license. </li></ul><ul><li>Author distributes file. </li></ul><ul><li>Application renders file and enforces rights. </li></ul><ul><li>Recipient clicks file to open, the application calls to RMS which validates the user and the request and issues the “use license”. </li></ul>Database Server File Server
    25. 25. If I could choose one, which one would I choose when? <ul><li>EFS – to encrypt all local data files automatically, under my domain account, to minimize risk of offline attack </li></ul><ul><li>RMS – to share encrypted files easily among a group of people, or send them encrypted over the wire to any storage medium </li></ul>
    26. 26. Database Security
    27. 27. What are Principals? Principals Permissions Securables Server Role SQL Server Login SQL Server Windows Group Domain User Account Local User Account Windows User Database Role Application Role Group Database
    28. 28. What are Securables? Principals Permissions Securables Files Registry Keys Server Schema Database Server Role SQL Server Login SQL Server Windows Group Domain User Account Local User Account Windows User Database Role Application Role Group Database
    29. 29. What are Permissions? Principals Permissions Securables Files Registry Keys Server Schema Database CREATE ALTER DROP CONTROL CONNECT SELECT EXECUTE UPDATE DELETE INSERT TAKE OWNERSHIP VIEW DEFINITION BACKUP GRANT/REVOKE/DENY ACL Server Role SQL Server Login SQL Server Windows Group Domain User Account Local User Account Windows User Database Role Application Role Group Database
    30. 30. Database Security <ul><li>Surface Area Reduction </li></ul><ul><li>Authentication Mode </li></ul><ul><ul><li>Password Policies enforcement </li></ul></ul><ul><li>Administrative Privileges </li></ul><ul><li>Catalog Security </li></ul><ul><li>Encryption </li></ul><ul><li>Auditing </li></ul>
    31. 31. Demo …
    32. 32. Summary <ul><li>Security is integral part of all software </li></ul><ul><li>Maximize SQL Security to protect sensitive data </li></ul><ul><li>Encryption is cool : Use it carefully though </li></ul><ul><li>Understand the password policies of organization </li></ul><ul><li>Block standard/un-used default ports </li></ul><ul><li>Lastly, Understand all the entry points to your application </li></ul>
    33. 33. <ul><li>Questions ? </li></ul>
    34. 34. Resources <ul><li>Encrypting File System in Windows XP and Windows Server 2003 </li></ul><ul><li>http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx </li></ul><ul><li>Best practices for the Encrypting File System </li></ul><ul><li>http://support.microsoft.com/default.aspx?scid=kb;en-us;223316&sd=tech </li></ul><ul><li>What's New in Security for Windows XP Professional and Windows XP Home Edition </li></ul><ul><li>http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/xpsec.mspx </li></ul>
    35. 35. Resources <ul><li>SQL Server : Security Blog </li></ul><ul><li>http://blogs.msdn.com/lcris/ </li></ul><ul><li>SQL Server Security and Protection </li></ul><ul><li>http://www.microsoft.com/technet/prodtechnol/sql/2005/library/security.mspx </li></ul><ul><li>What's New in Security for Windows XP </li></ul><ul><li>http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/xpsec.mspx </li></ul>

    ×