EMBARCADERO TECHNOLOGIES
Secure your Data Assets 
Tim Radney 
SQL Server MVP
Tim Radney
@tradney
Timradney.com
linked.com/in/tradney
facebook.com/radneysql
google.com/+TimRadney
Specialties / Focus Areas / Passions:
• Performance Tuning & Troubleshooting
• Capacity Management
• Infrastructure
• Virtualization
• SQL Consolidation
• High Availability
• Disaster Recovery
• Health Monitoring
• Architecture
• License Efficiency
• Chicken & Tilapia Farmer
Microsoft MVP
Chapter Leader “Columbus GA SQL Users Group”
PASS Regional Mentor “South East USA”
Access Controls
Physical Security
• Your database server should be in a physically secure location with limited access
  • Datacenter
  • Locked room with logged access (badge reader)
• Backups should be stored securely
  • Backups should be stored in a secure location; if you use external media, it should be locked up with logged access controls. If stored on the network, logical access should be locked down.
• Encryption keys – should be backed up and stored securely
• Access to SQL files
  • Access to mdf, ldf, ndf, and SQL binary files should be limited
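The "encryption keys should be backed up" point above is the one most often skipped. The T-SQL below is an added example (not from the deck) that backs up each level of the SQL Server key hierarchy and then lists certificates with their last backup date; the file paths, the certificate name `TDECert` and the passwords are placeholders, and the backup files and their passwords belong in separate access-controlled locations.

```sql
-- Added example: back up the instance key hierarchy so encrypted backups and
-- TDE databases can be restored on another server. Paths, the certificate
-- name and the passwords are placeholders.

-- 1. Service master key: root of the instance's key hierarchy
BACKUP SERVICE MASTER KEY
    TO FILE = 'X:\KeyBackups\ServiceMasterKey.smk'          -- placeholder path
    ENCRYPTION BY PASSWORD = '<strong-placeholder-password>';

-- 2. Database master key of the database that owns the certificate
USE master;
BACKUP MASTER KEY
    TO FILE = 'X:\KeyBackups\master_DMK.dmk'                 -- placeholder path
    ENCRYPTION BY PASSWORD = '<strong-placeholder-password>';

-- 3. A certificate together with its private key (e.g. the TDE certificate)
BACKUP CERTIFICATE TDECert                                   -- placeholder name
    TO FILE = 'X:\KeyBackups\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'X:\KeyBackups\TDECert.pvk',
        ENCRYPTION BY PASSWORD = '<strong-placeholder-password>'
    );

-- Review: certificates in master and when their private key was last backed
-- up (NULL means never). No key material is returned by this query.
SELECT name,
       pvt_key_encryption_type_desc,
       expiry_date,
       pvt_key_last_backup_date
FROM sys.certificates
WHERE name NOT LIKE '##%'
ORDER BY pvt_key_last_backup_date;
```

Run the review query periodically (or alert on `pvt_key_last_backup_date IS NULL`) so a certificate that was rotated but never backed up does not go unnoticed until a restore fails.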
Access Controls
Hardening the Instance
• Ports – only listen on the ports needed; use TCP/IP and turn off named pipes
• Endpoints – only use those needed
• Use Windows Authentication only whenever possible
• Audit failed and successful logins
Access Controls
Hardening the Instance
• SA – has it been renamed or disabled, and does it have a strong password
• SQL Authentication – if required, does it enforce strong passwords
• SQL Features – are unneeded features uninstalled or disabled
• Are you using fixed ports so you can limit access via the firewall
• Certificates – have you secured communication by using certificates
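To answer the SA and SQL Authentication questions above on a real instance, the following added T-SQL (not from the deck) reports the authentication mode, the state of the `sa` login, and any SQL logins that bypass the Windows password policy, followed by the remediation statements. The new login name `svc_admin_retired` and the login `app_login` are placeholders.

```sql
-- Added example: audit authentication mode, sa and SQL-login password policy.

-- Windows-only or mixed mode? (1 = Windows Authentication only)
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
           WHEN 1 THEN 'Windows Authentication only'
           ELSE 'Mixed mode (SQL logins enabled)'
       END AS authentication_mode;

-- sa keeps SID 0x01 even after a rename, so look it up by sid, not by name
SELECT name, is_disabled, is_policy_checked, is_expiration_checked, modify_date
FROM sys.sql_logins
WHERE sid = 0x01;

-- SQL logins that do not enforce the Windows password policy or expiration
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- Remediation (run only after confirming nothing still connects as sa):
ALTER LOGIN sa WITH NAME = [svc_admin_retired];          -- placeholder new name
ALTER LOGIN [svc_admin_retired] DISABLE;

-- Make an existing SQL login honour the Windows policy (placeholder login)
ALTER LOGIN [app_login] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

Turning on `CHECK_EXPIRATION` forces a password change at the next login if the password is already older than the policy allows, so coordinate that with the application owner before enabling it on a service login.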
Access Controls
Hardening the Instance
• Service Accounts – are you using a different domain account per service so that a compromised service cannot access other services
• Are you resetting passwords for your service accounts
• Do you remove unnecessary or obsolete login accounts
• Could you be using Kerberos authentication for Windows Authentication
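The three checks on this slide (one account per service, stale logins, Kerberos) can all be answered from the engine. This is an added example, not from the deck; it relies only on the documented `sys.dm_server_services`, `sys.dm_exec_connections` views and the `sp_validatelogins` procedure.

```sql
-- Added example: verify service-account separation, find obsolete Windows
-- logins, and confirm whether Windows sessions actually negotiate Kerberos.

-- Which account runs each service? Identical accounts across rows mean a
-- compromise of one service gives the same identity to the others.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;

-- Windows logins whose domain principal no longer exists (obsolete accounts)
EXEC sys.sp_validatelogins;

-- Authentication scheme per connected Windows login. KERBEROS means the
-- service account's SPN resolved; NTLM on a domain session usually points to
-- a missing or duplicate SPN for the service account.
SELECT s.login_name,
       c.auth_scheme,
       c.net_transport,
       COUNT(*) AS sessions
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1
GROUP BY s.login_name, c.auth_scheme, c.net_transport
ORDER BY c.auth_scheme, s.login_name;
```

`net_transport` also tells you whether clients are still arriving over named pipes after you expected only TCP/IP, which ties back to the ports bullet on slide 4.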
Access Controls
Hardening the Instance
• Is xp_cmdshell enabled? If so, why
• Have you replaced remote servers with linked servers
• Have you installed the latest service pack (SP) for your database engine
• Is cross-database ownership chaining set to OFF unless needed
• Are ad hoc distributed queries disabled unless needed
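Each question on this slide maps to a server configuration option or a server property. The script below is an added example (not from the deck) that reads the current values, lists databases that override the chaining setting, shows the patch level, and then turns off the options the review did not justify.

```sql
-- Added example: inventory and disable the instance features this slide asks about.

-- Current values of the options in question (value_in_use is what is active)
SELECT name, value, value_in_use, description
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ad Hoc Distributed Queries',   -- OPENROWSET/OPENDATASOURCE ad hoc access
               'cross db ownership chaining',
               'remote access')               -- legacy remote servers, superseded by linked servers
ORDER BY name;

-- Databases with chaining enabled at the database level (overrides the server value)
SELECT name, is_db_chaining_on
FROM sys.databases
WHERE is_db_chaining_on = 1;

-- Patch level: compare ProductVersion/ProductLevel with the latest SP or CU
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level,
       SERVERPROPERTY('Edition')        AS edition;

-- Remediation: disable what is not needed. xp_cmdshell and Ad Hoc Distributed
-- Queries are advanced options, so they must be exposed first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
EXEC sp_configure 'cross db ownership chaining', 0;
EXEC sp_configure 'remote access', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Per-database chaining can be switched off where the first query flagged it
-- (placeholder database name):
ALTER DATABASE [SalesDB] SET DB_CHAINING OFF;
```

Keep the first query as a scheduled check: a configuration change made "temporarily" for a migration tends to survive it.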
Access Controls
Client Settings
• Configure clients to use SSL – Force Protocol Encryption
• Configure clients to use least privilege; they get only what they need
• Admins should use unique accounts, not SA
• Admins should use a different account with lesser privileges when not performing admin functions
• Are the server and client OS configured to use Extended Protection for Authentication? This limits password hashing
• Is the guest user account disabled in each database unless needed for anonymous access
• Are users granted access through roles instead of individually
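For the last two bullets, the added T-SQL below (not from the deck) scans every online user database for a `guest` user that still holds CONNECT, revokes it where it is not needed, and shows the role-based grant pattern in place of per-user grants. The database `SalesDB`, the role `sales_reader` and the Windows login `CONTOSO\jdoe` are placeholders.

```sql
-- Added example: find databases where guest can connect, and grant access
-- through a role rather than to individual users.

-- master, msdb and tempdb require guest CONNECT, so they are excluded.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N' UNION ALL SELECT N' + QUOTENAME(d.name, '''') + N' AS db_name, p.state_desc
  FROM ' + QUOTENAME(d.name) + N'.sys.database_permissions AS p
  JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals AS u
    ON u.principal_id = p.grantee_principal_id
  WHERE u.name = N''guest'' AND p.permission_name = N''CONNECT'' AND p.state = ''G'''
FROM sys.databases AS d
WHERE d.state_desc = N'ONLINE'
  AND d.name NOT IN (N'master', N'msdb', N'tempdb');

-- Drop the leading ' UNION ALL ' (11 characters) and run the combined query
SET @sql = STUFF(@sql, 1, 11, N'');
EXEC sys.sp_executesql @sql;

-- Remediation in a user database where anonymous access is not needed
USE [SalesDB];                               -- placeholder database
REVOKE CONNECT FROM guest;

-- Role-based access: permissions go to the role, people go into the role
CREATE ROLE [sales_reader];                  -- placeholder role
GRANT SELECT ON OBJECT::[dbo].[Orders] TO [sales_reader];   -- placeholder table

CREATE USER [CONTOSO\jdoe] FOR LOGIN [CONTOSO\jdoe];        -- placeholder login
ALTER ROLE [sales_reader] ADD MEMBER [CONTOSO\jdoe];
```

`ALTER ROLE ... ADD MEMBER` is the SQL Server 2012+ form; on older instances the equivalent is `EXEC sp_addrolemember 'sales_reader', 'CONTOSO\jdoe'`.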
Data Governance
• Know Your Data
  • What types of governance is your organization governed by
    • HIPAA – SOX – GLBA – PII – PCI
  • Do you know the rules and guidelines around protecting this data
• Data Classifications
  • Confidential – Internal Use Only – Public – Classified
  • How do you handle this data depending on classification
• Where does it live
  • Do you know where the PCI, HIPAA or PII data resides
  • How do you handle new requests for access
  • How do you mark columns or tables with sensitive data
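One way to "mark columns with sensitive data" that works on any SQL Server version is an extended property on the column. This is an added example, not the deck's own method; the property name `DataClassification`, the `Sales.Payments` table and its columns are assumptions, as is the name-based heuristic in the last query.

```sql
-- Added example: tag a column with its classification, inventory all tagged
-- columns, and surface likely-sensitive columns that are still untagged.
USE [SalesDB];                                -- placeholder database

-- Tag one column (the property name is a local convention, not a SQL Server feature)
EXEC sys.sp_addextendedproperty
    @name       = N'DataClassification',
    @value      = N'Confidential: PCI',
    @level0type = N'SCHEMA', @level0name = N'Sales',
    @level1type = N'TABLE',  @level1name = N'Payments',
    @level2type = N'COLUMN', @level2name = N'CardNumber';

-- Inventory: every classified column in this database, grouped by classification
SELECT s.name AS schema_name,
       t.name AS table_name,
       c.name AS column_name,
       CAST(ep.value AS nvarchar(200)) AS classification
FROM sys.extended_properties AS ep
JOIN sys.columns AS c ON c.object_id = ep.major_id AND c.column_id = ep.minor_id
JOIN sys.tables  AS t ON t.object_id = c.object_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE ep.class = 1                            -- object or column
  AND ep.name  = N'DataClassification'
ORDER BY classification, schema_name, table_name, column_name;

-- Review list: column names that suggest PCI/PII/PHI but carry no tag yet
SELECT s.name AS schema_name, t.name AS table_name, c.name AS column_name
FROM sys.columns AS c
JOIN sys.tables  AS t ON t.object_id = c.object_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE (c.name LIKE '%ssn%' OR c.name LIKE '%card%' OR c.name LIKE '%birth%'
       OR c.name LIKE '%dob%' OR c.name LIKE '%diagnos%')
  AND NOT EXISTS (SELECT 1
                  FROM sys.extended_properties AS ep
                  WHERE ep.class = 1 AND ep.major_id = c.object_id
                    AND ep.minor_id = c.column_id
                    AND ep.name = N'DataClassification')
ORDER BY schema_name, table_name, column_name;
```

The inventory query is what an auditor will ask for when the question "where does the PCI data live" comes up; SQL Server 2019 and later also offer the built-in `ADD SENSITIVITY CLASSIFICATION` statement, which stores the same kind of label in `sys.sensitivity_classifications`.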
Data Breaches
• Recent headlines
  – Personal Data
    • eBay: 145 million members – customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. Accomplished via compromised employee credentials
    • JPMorgan Chase (76 million households, 7 million small businesses): personal data “name, address, phone and email”, not “SSN, account number, DOB, passwords or ID’s”
  – Credit Cards
    • P.F. Chang’s, Sally Beauty Supply, Michaels Stores (3 million cards), Goodwill Industries (868k cards), Jimmy John’s (216 stores), Neiman Marcus (1.1 million cards), Home Depot (56 million cards), Target Corporation (70 million cards)
http://www.cutimes.com/2014/10/06/10-biggest-data-breaches-of-2014-so-far?page=11
Logging 
Auditing Access 
• Is auditing scenario specific? 
• Do you audit DDL, DML and specific server events by using SQL Server Audit or trace events? 
• Are you monitoring who accesses classified data? 
• Are you monitoring which classified data is accessed? 
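SQL Server Audit answers both the "audit failed and successful logins" bullet on slide 4 and the "who accesses which classified data" questions here. The following is an added example (not from the deck): one server audit writing to files, a server audit specification for logins and permission changes, a database audit specification on one classified table, and the query that reads the results. The audit path, database `SalesDB` and table `Sales.Payments` are placeholders.

```sql
-- Added example: SQL Server Audit for logins, permission changes and access
-- to a classified table. Paths and object names are placeholders.
USE master;

-- Target: rolling files, 256 MB each, keep 50 (size to your retention need)
CREATE SERVER AUDIT [DataAccessAudit]
    TO FILE (FILEPATH = N'X:\SqlAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 50)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT [DataAccessAudit] WITH (STATE = ON);

-- Server level: failed and successful logins, plus changes to server roles/permissions
CREATE SERVER AUDIT SPECIFICATION [LoginAuditSpec]
FOR SERVER AUDIT [DataAccessAudit]
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);

-- Database level: every read/write of the classified table by anyone (public),
-- plus DDL and role-membership changes in that database
USE [SalesDB];
CREATE DATABASE AUDIT SPECIFICATION [ClassifiedDataSpec]
FOR SERVER AUDIT [DataAccessAudit]
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::[Sales].[Payments] BY [public]),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
WITH (STATE = ON);

-- Review: who touched the classified table, from which address, with what statement,
-- together with login successes (LGIS) and failures (LGIF)
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, client_ip, statement
FROM sys.fn_get_audit_file(N'X:\SqlAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE object_name = N'Payments'
   OR action_id IN ('LGIS', 'LGIF')
ORDER BY event_time DESC;
```

Auditing `BY [public]` captures every principal, including sysadmins, which is the point: the people who can read everything are exactly the ones whose reads of classified data you want on record.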
Protecting the Data 
Object Access 
• Are the public server and database roles granted few permissions? 
• Are similar objects grouped within the same schema? 
• Do you set schema level permissions for database objects? 
• Do you grant distinct schema owners rather than dbo? 
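The four Object Access questions translate directly into catalog queries and a schema layout. This added T-SQL (not from the deck) lists what `public` has been granted at the server and database level, creates a schema owned by a dedicated principal rather than `dbo`, grants at the schema level, and reports user schemas still owned by `dbo`. `SalesDB`, `SalesSchemaOwner`, the `Sales` schema and the roles are placeholders.

```sql
-- Added example: review public-role grants and use schema-level permissions
-- with a non-dbo schema owner.

-- Server-level grants to public. Out of the box this is VIEW ANY DATABASE plus
-- CONNECT on the default endpoints; anything else was added by someone.
SELECT p.class_desc, p.permission_name, p.state_desc, p.major_id
FROM sys.server_permissions  AS p
JOIN sys.server_principals   AS r ON r.principal_id = p.grantee_principal_id
WHERE r.name = N'public'
ORDER BY p.class_desc, p.permission_name;

USE [SalesDB];                                   -- placeholder database
GO

-- Explicit object grants to public inside this database (normally none)
SELECT p.permission_name, p.state_desc,
       OBJECT_SCHEMA_NAME(p.major_id) AS schema_name,
       OBJECT_NAME(p.major_id)        AS object_name
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS r ON r.principal_id = p.grantee_principal_id
WHERE r.name = N'public' AND p.class = 1;
GO

-- A schema owner that is not dbo: a user without a login cannot be used to
-- connect, it exists only to own objects.
CREATE USER [SalesSchemaOwner] WITHOUT LOGIN;
GO
CREATE SCHEMA [Sales] AUTHORIZATION [SalesSchemaOwner];   -- must be its own batch
GO

-- Permissions at schema level: new tables in Sales inherit them automatically
CREATE ROLE [sales_reader];
CREATE ROLE [sales_writer];
GRANT SELECT ON SCHEMA::[Sales] TO [sales_reader];
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::[Sales] TO [sales_writer];
GO

-- User schemas (ids 5..16383) still owned by dbo, i.e. candidates for a distinct owner
SELECT s.name AS schema_name, USER_NAME(s.principal_id) AS owner_name
FROM sys.schemas AS s
WHERE s.schema_id BETWEEN 5 AND 16383
  AND USER_NAME(s.principal_id) = N'dbo'
ORDER BY s.name;
```

Distinct schema owners matter because ownership chaining only skips permission checks when the calling object and the called object share an owner; keeping `Sales` and, say, `HR` under different owners means a view in one cannot silently expose tables in the other.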
Share Metadata Across Business & IT
ER/Studio Repository
ER/Studio Team Server
Modeling Teams
• Business Analysts
• Executives
• App and DB Developers
• Data Stewards
• DBAs
Push content to other applications and web browsers
Concluding Remarks 
Thank you!
• Learn more about the ER/Studio product family: http://www.embarcadero.com/data-modeling
• Trial Downloads: http://www.embarcadero.com/downloads
• To arrange a demo, please contact Embarcadero Sales: sales@embarcadero.com, (888) 233-2224
Editor's Notes

• #14 ER/Studio Team Server provides unique metadata collaboration and syndication capabilities to enhance comprehension and increase quality and productivity.
  • Collaboration creates richer, more usable metadata
  • Social and crowdsourcing captures tribal knowledge, best practices
  • Cross-functional collaboration captures definitions, taxonomy, policies, and deployment information
  • Syndication makes it available where and as needed
  • Approachable web UI for business users
  • Powerful search engine enables discovery
  • REST APIs for tool integration
  • Integration links to your enterprise landscape
  • Native support for all major enterprise data platforms
  • Strong metadata import/export capabilities