IDERA Software, profile picture
Uploaded byIDERA Software
PDF, PPTX37 views

Geek Sync | Meeting Security Benchmarks and Compliance with Microsoft SQL Server - K. Brian Kelley | IDERA

This document discusses meeting security benchmarks and compliance with Microsoft SQL Server. It covers the key areas of focus for audits and compliance including authentication, authorization, and auditing ("the three A's"). It also discusses data security best practices such as permissions, encryption, and obfuscation techniques in SQL Server like AlwaysEncrypted and Transparent Data Encryption. The document demonstrates how to detect structural changes to databases and objects using extended events and other out-of-the-box SQL Server options.

Embed presentation

Download as PDF, PPTX
Meeting Security Benchmarks and Compliance with Microsoft SQL Server K. Brian Kelley
About Me • Security Related: – Infrastructure & Security Architect – Certified Information Systems Auditor (CISA) – Accredited CISA Trainer – Incident Handler / Penetration Tester • SQL Server Related: – Data Architect – SQL Server security columnist / blogger – SQL Server and Security speaker & trainer
Agenda • What Audit and Compliance Focuses On • The Three As • Data Security • Encryption and Obfuscation • Detecting Structural Change
Audit and Compliance Understanding the Jargon
What do I care about as an auditor? • Information Systems (IS) processes • Related business processes • Controls over those processes
What’s a Control? • Two parts: – Objective – Measure • Objective: what you’re trying to achieve • Measure: something done to fulfill said objective
The Control Mantra • Documentation alone isn’t a control. Therefore: • No evidence? No control. • No review? No control.
The Three A’s
What are the three A’s? • Authentication: proving who you are • Authorization: determining what rights/permissions you have • Accounting / Auditing: tracking what you do
Demo
Data Security
What to Look for in Data Security • Permissions are important, so start there • Should be tied to data classification • Encompasses data encryption and obfuscation • Data handling as well
Demo
Encryption / Obfuscation
Data Encryption • Sensitivity of the data (data classification) • Impact to the organization should information be stolen / lost • Regulations, compliance requirements, laws, industry standards • Algorithms for encryption and how they’re implemented
SQL Server Encryption Options • Built-in Encryption Objects and Functions • AlwaysEncrypted • Transparent Data Encryption
Data Encryption – Operations • Key Escrow must be specified, tested, and have approved controls • Performance impact • Situations where the data exists in plaintext (in memory, etc.)
Data Obfuscation • Typically data, in its resting state, is unprotected. • Could also exist at rest in non-encrypted way. • For less that privileged access, data is masked in some way. • Some include encryption as part of data obfuscation
Data Obfuscation in SQL Server • Dynamic Data Masking - Introduced in SQL Server 2017 • Built into table definition - Uses algorithm you define • Privileged users can still see unmasked data • Seamless to application / reporting layer
Detecting Structural Change DDL is important, too
What do I care about? • Changes to Security Principals • Changes to Security Permissions on Objects • Changes to Objects Themselves • Creation of New Databases • Creation of New Objects
Out-of-the-box Options • Extended Events are your friend. • Other Options: – Audit object (built on Extended Events) – Triggers – Default Trace – Transaction Log (maybe)
Demo
What We Covered • What Audit and Compliance Focuses On • The Three As • Data Security • Encryption and Obfuscation • Detecting Structural Change

More Related Content

PPTX
Chapter 5 - Identity Management
byKarthikeyan Dhayalan
 
PPTX
Geek Sync | Handling HIPAA Compliance with Your Data Access
byIDERA Software
 
PPTX
Cas 4
byByju Antony
 
PPTX
Gdpr presentation
byRobert Topley
 
PPTX
Seguridad en sql server 2016 y 2017
byMaximiliano Accotto
 
PDF
Microsoft Whitepaper: Cloud Privacy Guide
byDWP Information Architects Inc.
 
PDF
Using Advanced Threat Analytics to Prevent Privilege Escalation Attacks
byBeyondTrust
 
PDF
Windy City Rails - Layered Security
byAaron Bedra
 
Chapter 5 - Identity Management
byKarthikeyan Dhayalan
 
Geek Sync | Handling HIPAA Compliance with Your Data Access
byIDERA Software
 
Cas 4
byByju Antony
 
Gdpr presentation
byRobert Topley
 
Seguridad en sql server 2016 y 2017
byMaximiliano Accotto
 
Microsoft Whitepaper: Cloud Privacy Guide
byDWP Information Architects Inc.
 
Using Advanced Threat Analytics to Prevent Privilege Escalation Attacks
byBeyondTrust
 
Windy City Rails - Layered Security
byAaron Bedra
 

What's hot

PDF
LegalAnywhereConnect Brochure
byNancy DaCorsi
 
PDF
UNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANT
byMicro Focus
 
PDF
Eryem Talks Paris Avril 2013 - Titus
byGuillaume Meyer
 
PPTX
Boost privacy protections with attribute-based access control
byRaoul Miller
 
PPTX
Android Security and Peneteration Testing
bySurabaya Blackhat
 
PDF
Security meeting 2012 ID Theft
byLuis Martins
 
PPTX
Dutch Microsoft & Security Meetup - How to protect my data in Office 365?
byMaarten Eekels
 
PDF
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
byMicro Focus
 
PPTX
dataEstate® - Reimagining data governance for the Legal industry
byMorane Decriem
 
PDF
Hybrid identity and privacy
byOxford Computer Group
 
PPTX
Oracle Database Security
byTroy Kitch
 
LegalAnywhereConnect Brochure
byNancy DaCorsi
 
UNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANT
byMicro Focus
 
Eryem Talks Paris Avril 2013 - Titus
byGuillaume Meyer
 
Boost privacy protections with attribute-based access control
byRaoul Miller
 
Android Security and Peneteration Testing
bySurabaya Blackhat
 
Security meeting 2012 ID Theft
byLuis Martins
 
Dutch Microsoft & Security Meetup - How to protect my data in Office 365?
byMaarten Eekels
 
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
byMicro Focus
 
dataEstate® - Reimagining data governance for the Legal industry
byMorane Decriem
 
Hybrid identity and privacy
byOxford Computer Group
 
Oracle Database Security
byTroy Kitch
 

Similar to Geek Sync | Meeting Security Benchmarks and Compliance with Microsoft SQL Server - K. Brian Kelley | IDERA

PPTX
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
byWinWire Technologies Inc
 
PPT
SQL Server 2008 Security Overview
byukdpe
 
PPTX
Isaca sql server 2008 r2 security & auditing
byAntonios Chatzipavlis
 
PDF
Seguridad en SQL Server 2012
byJuan Fabian
 
PPTX
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
byDenny Lee
 
PPTX
SQLCAT - Data and Admin Security
byDenny Lee
 
PDF
Organizational compliance and security SQL 2012-2019 by George Walters
byGeorge Walters
 
PDF
Choosing Encryption for Microsoft SQL Server
byJerome J. Penna
 
PPTX
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
byKaren Lopez
 
PPTX
Designer's Favorite New Features in SQLServer
byKaren Lopez
 
PPT
Sql Server Security
byVinod Kumar
 
PPTX
The Spy Who Loathed Me - An Intro to SQL Server Security
byChris Bell
 
PPT
Under New Management
byukdpe
 
PDF
ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!
byITCamp
 
PPT
Fortress SQL Server
bywebhostingguy
 
PPTX
kjkl.pptxsdfdsafsadfsdagsadfsadfasdggasdf
byKhalidAhmadGhiasi
 
PPTX
Always encrypted overview
bySolidQ
 
PPTX
WBN_Securing Your IBM i_E_250300003.pptx
byPrecisely
 
PDF
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
byTobias Koprowski
 
PPTX
Database security
byArpana shree
 
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
byWinWire Technologies Inc
 
SQL Server 2008 Security Overview
byukdpe
 
Isaca sql server 2008 r2 security & auditing
byAntonios Chatzipavlis
 
Seguridad en SQL Server 2012
byJuan Fabian
 
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
byDenny Lee
 
SQLCAT - Data and Admin Security
byDenny Lee
 
Organizational compliance and security SQL 2012-2019 by George Walters
byGeorge Walters
 
Choosing Encryption for Microsoft SQL Server
byJerome J. Penna
 
A Designer's Favourite Security and Privacy Features in SQL Server and Azure ...
byKaren Lopez
 
Designer's Favorite New Features in SQLServer
byKaren Lopez
 
Sql Server Security
byVinod Kumar
 
The Spy Who Loathed Me - An Intro to SQL Server Security
byChris Bell
 
Under New Management
byukdpe
 
ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!
byITCamp
 
Fortress SQL Server
bywebhostingguy
 
kjkl.pptxsdfdsafsadfsdagsadfsadfasdggasdf
byKhalidAhmadGhiasi
 
Always encrypted overview
bySolidQ
 
WBN_Securing Your IBM i_E_250300003.pptx
byPrecisely
 
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
byTobias Koprowski
 
Database security
byArpana shree
 

More from IDERA Software

PPTX
The role of the database administrator (DBA) in 2020: Changes, challenges, an...
byIDERA Software
 
PPTX
Problems and solutions for migrating databases to the cloud
byIDERA Software
 
PPTX
Public cloud uses and limitations
byIDERA Software
 
PPTX
Optimize the performance, cost, and value of databases.pptx
byIDERA Software
 
PPTX
Monitor cloud database with SQL Diagnostic Manager for SQL Server
byIDERA Software
 
PPTX
Database administrators (dbas) face increasing pressure to monitor databases
byIDERA Software
 
PPTX
Six tips for cutting sql server licensing costs
byIDERA Software
 
PDF
Idera live 2021: The Power of Abstraction by Steve Hoberman
byIDERA Software
 
PDF
Idera live 2021: Why Data Lakes are Critical for AI, ML, and IoT By Brian Flug
byIDERA Software
 
PDF
Idera live 2021: Will Data Vault add Value to Your Data Warehouse? 3 Signs th...
byIDERA Software
 
PDF
Idera live 2021: Managing Digital Transformation on a Budget by Bert Scalzo
byIDERA Software
 
PDF
Idera live 2021: Keynote Presentation The Future of Data is The Data Cloud b...
byIDERA Software
 
PDF
Idera live 2021: Managing Databases in the Cloud - the First Step, a Succes...
byIDERA Software
 
PDF
Idera live 2021: Database Auditing - on-Premises and in the Cloud by Craig M...
byIDERA Software
 
PDF
Idera live 2021: Performance Tuning Azure SQL Database by Monica Rathbun
byIDERA Software
 
PPTX
Geek Sync | How to Be the DBA When You Don't Have a DBA - Eric Cobb | IDERA
byIDERA Software
 
PPTX
How Users of a Performance Monitoring Tool Can Benefit from an Inventory Mana...
byIDERA Software
 
PPTX
Benefits of Third Party Tools for MySQL | IDERA
byIDERA Software
 
PPTX
Achieve More with Less Resources | IDERA
byIDERA Software
 
PPTX
Benefits of SQL Server 2017 and 2019 | IDERA
byIDERA Software
 
The role of the database administrator (DBA) in 2020: Changes, challenges, an...
byIDERA Software
 
Problems and solutions for migrating databases to the cloud
byIDERA Software
 
Public cloud uses and limitations
byIDERA Software
 
Optimize the performance, cost, and value of databases.pptx
byIDERA Software
 
Monitor cloud database with SQL Diagnostic Manager for SQL Server
byIDERA Software
 
Database administrators (dbas) face increasing pressure to monitor databases
byIDERA Software
 
Six tips for cutting sql server licensing costs
byIDERA Software
 
Idera live 2021: The Power of Abstraction by Steve Hoberman
byIDERA Software
 
Idera live 2021: Why Data Lakes are Critical for AI, ML, and IoT By Brian Flug
byIDERA Software
 
Idera live 2021: Will Data Vault add Value to Your Data Warehouse? 3 Signs th...
byIDERA Software
 
Idera live 2021: Managing Digital Transformation on a Budget by Bert Scalzo
byIDERA Software
 
Idera live 2021: Keynote Presentation The Future of Data is The Data Cloud b...
byIDERA Software
 
Idera live 2021: Managing Databases in the Cloud - the First Step, a Succes...
byIDERA Software
 
Idera live 2021: Database Auditing - on-Premises and in the Cloud by Craig M...
byIDERA Software
 
Idera live 2021: Performance Tuning Azure SQL Database by Monica Rathbun
byIDERA Software
 
Geek Sync | How to Be the DBA When You Don't Have a DBA - Eric Cobb | IDERA
byIDERA Software
 
How Users of a Performance Monitoring Tool Can Benefit from an Inventory Mana...
byIDERA Software
 
Benefits of Third Party Tools for MySQL | IDERA
byIDERA Software
 
Achieve More with Less Resources | IDERA
byIDERA Software
 
Benefits of SQL Server 2017 and 2019 | IDERA
byIDERA Software
 

Recently uploaded

PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Founder & Tech Lead | Web Development & Digital Growth Consultant | Helping B...
byShyamal Das
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 

Geek Sync | Meeting Security Benchmarks and Compliance with Microsoft SQL Server - K. Brian Kelley | IDERA

  • 1.
    Meeting Security Benchmarks andCompliance with Microsoft SQL Server K. Brian Kelley
  • 2.
    About Me • SecurityRelated: – Infrastructure & Security Architect – Certified Information Systems Auditor (CISA) – Accredited CISA Trainer – Incident Handler / Penetration Tester • SQL Server Related: – Data Architect – SQL Server security columnist / blogger – SQL Server and Security speaker & trainer
  • 3.
    Agenda • What Auditand Compliance Focuses On • The Three As • Data Security • Encryption and Obfuscation • Detecting Structural Change
  • 4.
  • 5.
    What do Icare about as an auditor? • Information Systems (IS) processes • Related business processes • Controls over those processes
  • 6.
    What’s a Control? •Two parts: – Objective – Measure • Objective: what you’re trying to achieve • Measure: something done to fulfill said objective
  • 7.
    The Control Mantra •Documentation alone isn’t a control. Therefore: • No evidence? No control. • No review? No control.
  • 8.
  • 9.
    What are thethree A’s? • Authentication: proving who you are • Authorization: determining what rights/permissions you have • Accounting / Auditing: tracking what you do
  • 10.
  • 11.
  • 12.
    What to Lookfor in Data Security • Permissions are important, so start there • Should be tied to data classification • Encompasses data encryption and obfuscation • Data handling as well
  • 13.
  • 14.
  • 15.
    Data Encryption • Sensitivityof the data (data classification) • Impact to the organization should information be stolen / lost • Regulations, compliance requirements, laws, industry standards • Algorithms for encryption and how they’re implemented
  • 16.
    SQL Server EncryptionOptions • Built-in Encryption Objects and Functions • AlwaysEncrypted • Transparent Data Encryption
  • 17.
    Data Encryption –Operations • Key Escrow must be specified, tested, and have approved controls • Performance impact • Situations where the data exists in plaintext (in memory, etc.)
  • 18.
    Data Obfuscation • Typicallydata, in its resting state, is unprotected. • Could also exist at rest in non-encrypted way. • For less that privileged access, data is masked in some way. • Some include encryption as part of data obfuscation
  • 19.
    Data Obfuscation inSQL Server • Dynamic Data Masking - Introduced in SQL Server 2017 • Built into table definition - Uses algorithm you define • Privileged users can still see unmasked data • Seamless to application / reporting layer
  • 20.
  • 21.
    What do Icare about? • Changes to Security Principals • Changes to Security Permissions on Objects • Changes to Objects Themselves • Creation of New Databases • Creation of New Objects
  • 22.
    Out-of-the-box Options • ExtendedEvents are your friend. • Other Options: – Audit object (built on Extended Events) – Triggers – Default Trace – Transaction Log (maybe)
  • 23.
  • 24.
    What We Covered •What Audit and Compliance Focuses On • The Three As • Data Security • Encryption and Obfuscation • Detecting Structural Change