SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
2. SQL Server Customer Advisory Team (SQLCAT)
• Works on the largest, most complex SQL Server projects worldwide
• MySpace - 4.4 million concurrent users at peak time, 8 billion friend relationships, 34 billion e-mails, 1 PetaByte store, scale-out using SSB and SOA
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000004532
• Bwin – Most popular European online gaming site – 30000 database transactions / second, motto: “Failure is not an option”; 100 TB total storage
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000004138
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000001470
• Korea Telecom - Largest telco in Korea serves 26 million customers; 3 TB Data Warehouse
http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000001993
• Drives product requirements back into SQL Server from our customers and ISVs
• Shares deep technical content with SQL Server community
• SQLCAT.com
• http://blogs.msdn.com/mssqlisv
3. SQL Server Design Win Program
• Target the most challenging and innovative SQL Server applications
• 10+ TB DW, 3k/tran/s OLTP, Large 500GB+ Cubes, Competitive migrations, Complex deployments, Server Consolidation (1000+)
• Invest in large scale, referenceable SQL Server projects across the world
• Provide SQLCAT technical & project experience
• Conduct architecture and design reviews covering performance, operation, scalability and availability
• Offer use of HW lab in Redmond with direct access to SQL Server development team
• Work with Marketing Team Developing PR
4. SQLCAT and SQL CSS Invite You…
ROOM 611
• To the SQL Server Clinic where the most experienced SQL Server experts in the world will be waiting to talk with you.
• Bring your toughest Questions / Challenges to the experts who have seen it all
• Architect and Design your future applications with experts who have done it before with some of the largest, most complex systems in the world
• Or just stop in to say hello!
5. Agenda
• Introduction to Compliance
• Payment Card Industry Compliance Showcase
• Health Information Portability and Accountability Act Compliance Showcase
• Application of SQL Server to fulfill HIPAA compliance scenarios
• Enacted at CareGroup Healthcare
7. Importance of Compliance
• Widely cited within the academic community, 87% of the US population is uniquely identifiable by the three attributes of zip code, birth date, and gender (Sweeney, 2002)
• Sweeney was able to identify the medical records of Gov William Weld (MA) by joining masked medical data and a voter’s list.
[Figure: voter list (Name, Address, Dates, Party, Voted Date) joined to masked medical data (Ethnicity, Visit Date, Diagnosis, Procedure, Medication, Total Charge) on the shared attributes Zip, DOB, Gender]
*based on Sweeney L, k-Anonymity: A model for protecting privacy, International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10(5), 2002, 557-570
9. GRC Example
Loss from theft, vandalism and injury to personnel
Review entrance and guard logs, tapes and news reports
Locked door, guard, camera, badges and policies
12. Disclaimers
• I am not a QSA (Qualified Security Assessor)
• But I will provide guidance and best practice on PCI DSS Compliance.
• No feature deep dive
• More detailed info available in this whitepaper
13. Overview of the PCI DSS
• Visa, Mastercard, AmEx, Discover, and JCB created the PCI Security Standards Council in Dec. 2004 and released the PCI Data Security Standard v1
• Created “to help facilitate the broad adoption of consistent data security measures on a global basis” for enhancing payment account data security
• Applies to any business that stores, processes, or transmits Primary Account Number (PAN)
• Requires annual compliance audit
• Noncompliance leads to levy of significant fines.
• Latest version is 1.2.1, https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
14. PCI Objectives and Requirements
Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security
15. SQL Server 2008 Compliance Toolbox
Audit
TDE
EKM
Signed Module
PBM
CDC
16. Req 2: Do not use vendor-supplied defaults for system pwds and other security params
• No default passwords in SQL Server
• Features/services Off-by-Default
• E.g., protocols, CLR, dbmail, XPcmdshell
• BUILTIN/Administrators are not sysadmin
• sa account is not enabled in Windows Auth mode
17. Req 3: Protect stored cardholder data
• Enable Transparent Data Encryption on databases containing credit card data
• Periodic key rotation – at least once a year
• EKM for split-key ownership
• HSM administrator different from db_owner and sysadmin
• Key management without EKM permissible
• No single user with access to both db backup and certificate backup files
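The TDE setup and yearly key rotation that this slide calls for, as an added T-SQL example (not part of the SQLCAT deck). The database name CardData, the certificate names, file paths and passwords are assumed placeholders.

```sql
-- Added example, not from the SQLCAT deck. Assumed: database CardData holds
-- PANs; certificate/file names and passwords are placeholders to replace.
USE master;
GO
-- 1. Database master key in master (protects the TDE certificate's private key).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<DMK password placeholder>';
GO
-- 2. Certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE TDE_CardDataCert
    WITH SUBJECT = 'TDE protector for CardData';
GO
-- 3. Back the certificate up at once: without it, CardData backups cannot be
--    restored. Per the slide, store this file apart from the database backups
--    so that no single login can read both.
BACKUP CERTIFICATE TDE_CardDataCert
    TO FILE = '<cert store path>\TDE_CardDataCert.cer'
    WITH PRIVATE KEY (
        FILE = '<cert store path>\TDE_CardDataCert.pvk',
        ENCRYPTION BY PASSWORD = '<private key password placeholder>');
GO
-- 4. Create the DEK inside the target database and switch encryption on.
USE CardData;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_CardDataCert;
GO
ALTER DATABASE CardData SET ENCRYPTION ON;
GO
-- 5. Verify. encryption_state 3 = encrypted, 2 = encryption still in progress.
--    tempdb appears as well: TDE on any user database also encrypts tempdb.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       encryptor_type
  FROM sys.dm_database_encryption_keys;
GO
-- 6. Annual rotation ("at least once a year"). Regenerate the DEK in place ...
ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256;
GO
-- ... and re-protect it with a fresh certificate. Back the new certificate up
-- the same way as in step 3, and keep the old one until every backup taken
-- under it has aged out of the retention window.
USE master;
GO
CREATE CERTIFICATE TDE_CardDataCert_Next
    WITH SUBJECT = 'TDE protector for CardData (rotated)';
GO
USE CardData;
GO
ALTER DATABASE ENCRYPTION KEY
    ENCRYPTION BY SERVER CERTIFICATE TDE_CardDataCert_Next;
GO
```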
18. Req 4: Encrypt transmission of cardholder data across open, public networks
• Full support for TLS/SSL
• Can be set server-wide or on a per connection basis.
• Enable for all connections transmitting cardholder data
[Figure: a LOGIN packet (Userid, Password, ...) carried inside SSL]
19. Req 7: Restrict access to cardholder data by business need-to-know
• Limit inclusion in sysadmin
• Windows authentication
• BUILTIN/Administrators are not sysadmin
• Using principles of least privilege
• Role-based access
• Instance and database permissions
• Signed modules
• Disable sa login
20. Req 8: Assign a unique ID to each person with computer access
• SQL Server uses Windows SIDs for Windows users and groups
• SQL Logins use GUID for generating SID
• Enable Windows password policy support
• Set to change password on next logon
• Enforce 90 day password expiration
• Do not use a single login for application connections (or any shared accounts in general); applies to sa – disable!
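Provisioning per-person logins with the controls from slides 19 and 20, as an added T-SQL example (not part of the SQLCAT deck). The domain CORP, the login names and the initial password are assumed placeholders; the 90-day maximum age itself is set in the Windows/domain password policy, which CHECK_EXPIRATION then applies.

```sql
-- Added example, not from the SQLCAT deck. Assumed: domain CORP, users jdoe and
-- vendor_dba; the password is a placeholder.
USE master;
GO
-- Preferred: a Windows login. SQL Server stores the Windows SID, so the identity
-- is unique to the person and password policy and expiry come from Windows/AD.
CREATE LOGIN [CORP\jdoe] FROM WINDOWS;
GO
-- Where a SQL login is unavoidable: CHECK_POLICY applies the Windows password
-- complexity/lockout policy, CHECK_EXPIRATION applies its maximum password age
-- (90 days in the OS/domain policy), MUST_CHANGE forces a reset at first logon.
CREATE LOGIN vendor_dba
    WITH PASSWORD = '<initial password placeholder>' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;
GO
-- No shared accounts, and that includes sa: disable it.
ALTER LOGIN sa DISABLE;
GO
-- Verify. Any SQL login with policy or expiration unchecked, or an enabled sa
-- (principal_id 1, so a renamed sa is still caught), is a finding.
SELECT l.name,
       l.sid,
       l.is_disabled,
       l.is_policy_checked,
       l.is_expiration_checked,
       LOGINPROPERTY(l.name, 'DaysUntilExpiration') AS days_until_expiration,
       LOGINPROPERTY(l.name, 'IsMustChange')        AS must_change
  FROM sys.sql_logins AS l
 WHERE l.is_policy_checked = 0
    OR l.is_expiration_checked = 0
    OR (l.principal_id = 1 AND l.is_disabled = 0);
GO
-- Windows users and groups for comparison: their SID is the Windows SID,
-- not a SQL Server generated GUID.
SELECT name, sid, type_desc
  FROM sys.server_principals
 WHERE type IN ('U', 'G');
GO
```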
21. Req 10: Track and monitor all access to network resources and cardholder data
• SQL Server Audit to monitor data access
• Granular auditing of tables
• Audit trail must be retained for 1 year
• Log should be protected from SQL users/DBA
• Configure Audit to shutdown on failure
• Change Data Capture to record committed changes to data
• Policy-based Management to monitor server settings and detect changes
22. Audit Settings
• At a minimum, audit:
• Login successes and failures
• Changes to server configuration, encryption keys, logins, server-level permissions and databases
• CREATE/DROP/ALTER of schema objects
• SELECT/INSERT/UPDATE/DELETE and ALTER on tables containing cardholder data
• Changes to the audit configuration itself
• Enable CDC on any table containing cardholder data
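The audit configuration called for in the two slides above (Req 10 and the minimum audit settings), as one added example that is not part of the original deck. It assumes SQL Server 2008 Enterprise, a database `CardData` with a table `pci.CardHolder`, and a file share `\\auditserver\sqlaudit\` whose ACL lets only the SQL Server service account write and only the audit team read; all of these names are placeholders.

```sql
-- Added example (not from the original deck): SQL Server Audit plus CDC for
-- a hypothetical cardholder table pci.CardHolder in database CardData.
-- The share path is a placeholder; ACL it so DBAs cannot modify the files.

USE master;
GO
-- ON_FAILURE = SHUTDOWN: if the audit cannot write, the instance stops rather
-- than running unaudited. The creating login needs SHUTDOWN permission.
CREATE SERVER AUDIT PCI_Audit
    TO FILE (FILEPATH = '\\auditserver\sqlaudit\',
             MAXSIZE = 256 MB,
             MAX_ROLLOVER_FILES = UNLIMITED)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
CREATE SERVER AUDIT SPECIFICATION PCI_ServerAuditSpec
    FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (SERVER_OPERATION_GROUP),           -- server configuration changes
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),    -- logins created/altered/dropped
    ADD (SERVER_PERMISSION_CHANGE_GROUP),   -- server-level GRANT/DENY/REVOKE
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),  -- e.g. additions to sysadmin
    ADD (DATABASE_CHANGE_GROUP),            -- CREATE/ALTER/DROP DATABASE
    ADD (AUDIT_CHANGE_GROUP)                -- changes to the audit itself
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
USE CardData;
GO
CREATE DATABASE AUDIT SPECIFICATION PCI_CardDataAuditSpec
    FOR SERVER AUDIT PCI_Audit
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),       -- CREATE/ALTER/DROP tables, procs
    ADD (DATABASE_OBJECT_CHANGE_GROUP),     -- keys, certificates, schemas
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),  -- users and roles
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::pci.CardHolder BY public)
    WITH (STATE = ON);
GO
-- Change Data Capture: committed changes to the cardholder table are copied
-- to a change table readable only by members of the named role.
-- Requires SQL Server Agent to be running; the table needs a primary key
-- for @supports_net_changes = 1.
EXEC sys.sp_cdc_enable_db;
EXEC sys.sp_cdc_enable_table
    @source_schema        = N'pci',
    @source_name          = N'CardHolder',
    @role_name            = N'cdc_readers',
    @supports_net_changes = 1;
GO
-- Reading the trail (the files can also be shipped to a central collector).
SELECT event_time, action_id, server_principal_name, database_name,
       schema_name, object_name, statement, succeeded
FROM sys.fn_get_audit_file('\\auditserver\sqlaudit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Rolled-over audit files are never deleted by SQL Server, which is what you want for the one-year retention rule, but it means free space on the share must be monitored: with `ON_FAILURE = SHUTDOWN`, a full share halts the instance, and `SERVER_ROLE_MEMBER_CHANGE_GROUP` plus `AUDIT_CHANGE_GROUP` are what let you see a DBA trying to switch the audit off before doing something else.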
23. Achieving PCI Compliance
• With careful planning, proper organizational procedures and process controls, PCI compliance with SQL Server 2008 is attainable
• TDE, Audit, PBM and the other 2008 features are all useful tools in achieving compliance
• Take time to read the whitepaper
• http://www.parentebeard.com/lib/pdf/Deploying_SQL_Server_2008_Based_on_PCI_DSS.pdf
• Consult a PCI Qualified Security Assessor
25. Business Drivers
• Avoiding disruptions in patient care
• Improving patient and staff access to medical records and other vital information
• Complying with HIPAA regulations
• Maintaining privacy of medical information
• It's expensive to be careless!
o Direct costs: customers lost, revenue, legal, audit fees
o Indirect losses: reputation
26. The Challenges
Protecting the privacy and integrity of
patient medical records
Monitoring database access and capturing
access information for compliance and
audit purposes
Who accessed which databases, when and
how?
27. What we can and can’t do
We can ….
Enforce account/password policy
Define strong policies and procedures
We can’t …..
Enforce audit log in every vendor application
Determine who is doing what and when
28. How we are providing for data integrity and security
Database classifications (AAA vs. AA)
Have policies and procedures for data access authorization
Online HIPAA and security employee training
Automatically terminate data access when employees leave
Create scripts to collect data and user access details
Implement our Centralized Audit Solution on SQL Server 2008
29. Implementing IT Control with SQL
Server 2008
• Securing the Platform
• Controlling Identity and Separation of Duties
• Encrypting Database Data
• Auditing Sensitive Information
• Using Policy-Based Management to Define,
Deploy and Validate Policy
30. Securing the Platform
• Limit the number of users who have access to SQL Server
• Minimize the attack surface by limiting running services, installing only the software needed, disabling unnecessary ports and configuring the firewall
• Install the latest OS/SQL service packs and security patches
31. Controlling Identity and Separation of Duties
• Limit who can access the database and grant the least
privileges.
• Use Windows Authentication
• Use Policy-Based Management to validate security policies
36. Using Policy-Based Management to Define, Deploy and Validate Policy
(Architecture diagram: a central SQLAudit server obtains the server list, extracts policy data from Server 1 through Server n, loads the policy data, extracts the audit logs to a file share, and serves the reports that are viewed from it)
38. Results
• Spend less time on regulatory compliance
• Automate compliance and IT security controls
• Proactively measure and remediate
deficiencies to sustain the control environment
• Embrace best practices and build policies and
processes
• Reduce the impact of a breach by providing
Analysis and Alerts of malicious or suspicious
activity.
• Complete audit log
39. Complete the Evaluation Form & Win!
• You could win a Dell Mini Netbook – every day – just for
handing in your completed form! Each session form is
another chance to win!
Pick up your Evaluation Form:
• Within each presentation room
• At the PASS Booth near registration area
Drop off your completed Form:
• Near the exit of each presentation room
• At the PASS Booth near registration area
Sponsored by Dell
41. Visit the
Microsoft Technical Learning Center
Located in the Expo Hall
Microsoft Ask the Experts Lounge
Microsoft Chalk Talk Theater Presentations
Microsoft Partner Village
Editor's Notes
Requirement 6 is mostly operational in nature and requires the establishment of standard system development lifecycle procedures. However, it does touch upon separation of duties (SoD) for people with access to development and test environments.
By split-key ownership, we mean the requirement for more than one person in order to administer and manage the cryptographic key, e.g., to restore a key.