European PASS Conference 2008 - SQL Server Development - Security Best Practices - Charley Hanania

  1. For SQL Server Development
     Charley Hanania
     B.Sc (Computing Science), MCP, MCDBA, MCITP, MCTS, MCT
     Senior Database Specialist
     Production Product Owner – MS SQL Server
     UBS Investment Bank
  2. Outline
     • Why is Security important?
     • Reducing Attack Surface
     • Trustworthy Computing
     • The Principle of Least Privilege
     D2-S5-AD – SQL Server Development: Security Best Practices
  3. Security Principles
     • Authenticate and authorise
     • Reduce surface area
     • Audit events
     • Encrypt
  4. Is Security something that MS are focused on?
     [Chart: # of CVE per year, 2002–2007, SQL Server vs. Oracle Database]
     Notes: Updated as of 10/18/2007. Vulnerabilities are included for SQL Server 2000, SQL Server 2005 and Oracle (8i, 9i, 9iR2, 10g, 10gR2). Query for Oracle was run with vendor name: ‘Oracle’, and product name: ‘any’ (all database product name variations were queried). Query for Microsoft was run with vendor name: ‘Microsoft’; product name: ‘Microsoft SQL Server’; version name: ‘Any’.
     Source: NIST National Vulnerability Database
  5. Defence in Depth: Using a layered approach
     [Diagram layers: Network; Operating System; Database Mgt System]
     [Diagram items: Protocols; Ports; Shares; Services; Accounts; Auditing & Logging; Files & Directories; Registry; Firewalls; Packet Filters; Installed Features; Enabled Components; Authentication Modes; Endpoints]
  6. Context Switching
  7. Authorization
     • Principle of Least Privileges
     • Rich Access Control Model
       – Granular permissions
       – Choice of appropriate scope (database, schema, object, sub-object)
       – Role Based Access control
       – Application module based access control
       – Minimizing application impact for user management
       – Both Data (above) and Metadata
     • Ease of security management
  8. Data Encryption within Tables
     Encrypting Sensitive Data
  9. Data Encryption
     • Why consider encryption?
       – Additional layer of security
       – Required by some regulatory compliance laws
     • In SQL Server 2000
       – Vendor support required
     • In SQL Server 2005
       – Built-in support for explicit data encryption
     • In SQL Server 2008
       – Transparent data encryption
       – Extensible key management
     [Diagram labels: Threat Detected; Emergency Procedure; Server Highly Protected]
  10. SQL Server Cryptographic Capabilities
     • Transparent Data Encryption and Decryption built-in
     • DDL for creation of
       – Symmetric Keys
       – Asymmetric Keys and Certificates
     • Symmetric Keys and Private Keys are stored encrypted
     • Securing the Keys themselves
       – Based on user passwords
       – Automatic, using SQL Server key management
  11. Encryption Algorithm Support
     • Algorithms and key lengths vary; depends on CSP (Cryptographic Services Provider)
     • Performance depends on size of data being ciphered

     Algorithm   XP SP2    WS2003
     DES         56 (64)   56 (64)
     3DES        128       128
     DESX        184       184
     AES128      -         128
     AES192      -         192
     AES256      -         256
     RC2         128       128
     RC4         40        40
     RC4_128     128       128
     RSA         2048      2048
  12. User Schema Separation
     Moving objects into other schemas
  13. So What’s New in SQL Server 2008?
     SharePoint Integration; Transparent Data Encryption; External Key Management; Hot Pluggable CPU support; Data Auditing; Data Compression; Backup Compression; Enhanced Database Mirroring; Performance Data Collection; Improved Plan Guide Support; Resource Governor; Improved Datatypes; HierarchyID; LINQ; Change Data Capture; Table Valued Parameters; Large UDTs; MERGE Statements; XML Enhancements; Service Broker Enhancements; Spatial Data; Policy based Management; Microsoft System Center Integration; Extended Events; Data Compression; FILESTREAM; Integrated Full Text Indexing; Sparse Columns; New Index Types; Partition Table Parallelism; Star Join Support; Persistent Lookups; Improved Thread Scheduling; MERGE Statement; Change Data Capture; Scale-out Analysis Services; Subspace Computations; Data Mining Add-ins for Excel; IIS Agnostic RS; Rich Text Support; Report Designer; Word/Excel Designing; Entity Data Model
  14. Transparent Data Encryption
     • Encryption/decryption occurs at the database
       – Uses Database Encryption Key (DEK)
     • Applications do not need to handle encryption/decryption of data
       – Treat encrypted and unencrypted data in an identical way
     • DEK is encrypted with:
       – Password
       – Service Master Key
       – Hardware Security Module
     • DEK must be decrypted to attach database files or restore a backup
     [Diagram labels: SQL Server 2008; DEK; Client Application; Encrypted data page]
  15. Links
     • Hello Secure World
       http://www.microsoft.com/click/hellosecureworld/default.mspx
     • Microsoft Security Assessment Tool
       http://www.microsoft.com/downloads/details.aspx?FamilyID=6D79DF9C-C6D1-4E8F-8000-0BE72B430212&displaylang=en
     • Microsoft Application Verifier
       http://www.microsoft.com/downloads/details.aspx?FamilyID=bd02c19c-1250-433c-8c1b-2619bd93b3a2&DisplayLang=en
     • Microsoft Threat Analysis & Modelling Tool
       http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&DisplayLang=en
     • How To: Protect From SQL Injection in ASP.NET
       http://msdn2.microsoft.com/en-us/library/ms998271.aspx
     • Securing Your Database Server
       http://msdn.microsoft.com/en-us/library/aa302434.aspx
     • Threats and Countermeasures
       http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch00.mspx
  16. Questions?
  17. Thank you!
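
Slides 6, 7 and 12 name schema-scoped permissions, role-based access, sub-object scope, schema moves and context switching without showing them; the T-SQL below is an added example, not code from the deck, that exercises them together. The database, schema, table, role and user names are hypothetical.

```sql
-- Added example, not from the deck. All object names are hypothetical.
CREATE DATABASE LeastPrivDemo;
GO
USE LeastPrivDemo;
GO
CREATE SCHEMA Sales AUTHORIZATION dbo;
GO
CREATE TABLE dbo.Orders (
    OrderID    int PRIMARY KEY,
    CustomerID int NOT NULL,
    CardNumber varchar(19) NOT NULL
);
CREATE TABLE dbo.AuditLog (EventID int PRIMARY KEY, Detail nvarchar(200));
GO

-- User-schema separation (slide 12): move the table into the Sales schema.
-- TRANSFER drops permissions previously granted on the object itself,
-- so permissions are granted after the move, not before.
ALTER SCHEMA Sales TRANSFER dbo.Orders;
GO

-- Role-based access at schema scope (slide 7): the application user gets
-- nothing directly; it inherits SELECT on everything in Sales via the role.
CREATE ROLE SalesReader;
GRANT SELECT ON SCHEMA::Sales TO SalesReader;

-- Sub-object scope: the card number column is carved out of that grant.
DENY SELECT ON OBJECT::Sales.Orders (CardNumber) TO SalesReader;

CREATE USER AppUser WITHOUT LOGIN;   -- test principal, cannot log in
EXEC sp_addrolemember N'SalesReader', N'AppUser';
GO

-- Context switching (slide 6): check the effective rights as AppUser.
EXECUTE AS USER = N'AppUser';

-- Permitted columns only; adding CardNumber to this list is refused.
SELECT OrderID, CustomerID FROM Sales.Orders;

-- Metadata follows the same model: the catalog views list only objects
-- the caller holds some permission on, so dbo.AuditLog is not visible here.
SELECT SCHEMA_NAME(schema_id) AS schema_name, name FROM sys.tables;

-- Effective permissions on the table, including per-column entries.
SELECT permission_name, subentity_name
FROM fn_my_permissions(N'Sales.Orders', N'OBJECT');

REVERT;
GO
```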
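
Slides 8 to 10 describe explicit data encryption within tables using keys created through DDL and protected either by a password or by SQL Server's own key management; the following added example (not code from the deck) builds that key hierarchy and encrypts one column. Database, table, key and certificate names and the sample card number are constructed, and the passwords are placeholders to replace.

```sql
-- Added example, not from the deck. Names and sample data are constructed.
CREATE DATABASE CryptoDemo;
GO
USE CryptoDemo;
GO
-- Database master key: encrypted by the password and, automatically,
-- by the Service Master Key ("automatic" key management on slide 10).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-strong-password-1>';

-- Certificate whose private key is protected by the database master key.
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects CardKey';

-- Symmetric key that encrypts the data; stored encrypted by the certificate.
-- Slide 11: AES is available on Windows Server 2003 but not on XP SP2.
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;

-- Alternative on slide 10: a key secured by a user password instead.
CREATE SYMMETRIC KEY CardKeyPwd
    WITH ALGORITHM = AES_256
    ENCRYPTION BY PASSWORD = '<replace-with-strong-password-2>';
GO
CREATE TABLE dbo.Payment (
    CustomerID    int PRIMARY KEY,
    CardNumberEnc varbinary(256) NOT NULL   -- ciphertext, not varchar
);
GO
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;

DECLARE @CustomerID int;
SET @CustomerID = 1001;

-- The authenticator binds the ciphertext to its row, so a value copied
-- into another customer's row no longer decrypts.
INSERT INTO dbo.Payment (CustomerID, CardNumberEnc)
VALUES (@CustomerID,
        EncryptByKey(Key_GUID('CardKey'), N'4111-1111-1111-1111', 1,
                     HashBytes('SHA1', CONVERT(varbinary, @CustomerID))));

-- Decryption needs the key open and the same authenticator; without
-- either, DecryptByKey returns NULL rather than raising an error.
SELECT CustomerID,
       CONVERT(nvarchar(19),
               DecryptByKey(CardNumberEnc, 1,
                            HashBytes('SHA1', CONVERT(varbinary, CustomerID))))
           AS CardNumber
FROM dbo.Payment;

CLOSE SYMMETRIC KEY CardKey;
GO
```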
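
Slide 14 notes that the DEK must be decrypted before database files can be attached or a backup restored, which makes the DEK's protector the thing to back up. This added example (not code from the deck) uses the syntax SQL Server 2008 shipped with, where the DEK is protected by a certificate in master or by an asymmetric key held in an EKM module. The database name, certificate name and file paths are hypothetical, and the passwords are placeholders.

```sql
-- Added example, not from the deck. Names and paths are hypothetical.
USE master;
GO
-- The server certificate's private key is protected by master's database
-- master key, which is in turn protected by the Service Master Key.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-strong-password-1>';
GO
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE protector for TdeDemo';
GO
-- Back up the certificate and private key before enabling encryption and
-- store the files off the server: without them, backups and detached files
-- of the database cannot be opened on any other instance.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<replace-with-strong-password-2>');
GO
CREATE DATABASE TdeDemo;
GO
USE TdeDemo;
GO
-- The DEK lives in the database and is stored encrypted by the certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE TdeDemo SET ENCRYPTION ON;
GO
-- Monitor the background encryption scan. encryption_state 2 means the scan
-- is in progress and 3 means encrypted. tempdb appears here as well, because
-- it is encrypted once any user database on the instance uses TDE.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state, key_algorithm, key_length, percent_complete
FROM sys.dm_database_encryption_keys;
GO
-- On the instance that will restore or attach TdeDemo, recreate the
-- protector first (run there, after creating a master key in master):
--   CREATE CERTIFICATE TdeCert
--       FROM FILE = 'C:\keys\TdeCert.cer'
--       WITH PRIVATE KEY (FILE = 'C:\keys\TdeCert.pvk',
--                         DECRYPTION BY PASSWORD = '<replace-with-strong-password-2>');
```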
