SQLCAT - Data and Admin Security
1. SQLCAT - Data and Admin Security
Il-Sung Lee, Senior Program Manager
Denny Lee, Senior Program Manager
Ayad Shammout, Caregroup Healthcare
PASS Community Summit 2008
November 18 – 21, 2008 Seattle WA
2. SQL Server Customer Advisory Team (SQLCAT)
Works on the largest, most complex SQL Server projects worldwide
– US: NASDAQ, Progressive, Premier Bankcard, Hilton Hotels
– Europe: Barclays Capital, Danske Bank, McLaren, Bwin
– Asia/Pacific: Korea Telecom, GMarket, Japan Railways East, China Mobile
– LATAM: Banco Itau, Oi
– Strategic ISVs: SAP, Siebel, JDE, PeopleSoft, GE Healthcare, SunGard, Siemens, Dynamics and more
Drives product requirements back into SQL Server from our customers and ISVs
Shares deep technical content with SQL Server community
– SQLCAT.com
– http://blogs.msdn.com/sqlcat
– http://blogs.msdn.com/mssqlisv
– http://technet.microsoft.com/en-us/sqlserver/bb331794.aspx
PASS Community Summit 2008 DBA-402-A SQLCAT - Security -- Data Security, Admin Security
3. SQL Server Design Win Program
Target the Most Challenging and Innovative Applications on SQL Server
Investing in Large Scale, Referenceable SQL Server Projects Across the World
– Provide SQLCAT technical & project experience
– Conduct architecture and design reviews covering performance, operation, scalability and availability aspects
– Offer use of HW lab in Redmond with direct access to SQL Server development team
Work with Marketing Team Developing Case Studies
4. AGENDA
SQL Server 2008 Security Features
– Extensible Key Management
– Transparent Data Encryption
– SQL Server Audit
Customer Scenarios and Feedback
– Transparent Data Encryption and Extensible Key Management
– SQL Server Audit
5. SQL SERVER 2008 SECURITY FEATURES
6. EXTENSIBLE KEY MANAGEMENT
Key storage, management and encryption done by HSM module
SQL EKM key is a proxy to HSM key
SQL EKM Provider DLL implements SQLEKM interface, calls into HSM module
[Diagram: data inside SQL Server is protected by a SQL EKM Key, which is a proxy for a key held in the HSM; the SQL EKM Provider DLL is the bridge between SQL Server and the HSM]
7. DATA ENCRYPTION
SQL Server 2005
– Built-in encryption functions
– Key management in SQL Server
– Encrypting File System (EFS)
– BitLocker
SQL Server 2008
– Extensible Key Management (EKM)
– Transparent Data Encryption (TDE)
8. ADVANTAGES OF USING EKM
Security
– Data and keys are physically separated (keys are stored in HSM modules)
– Centralized key management and storage for enterprise
– Additional authentication layer
– Separation of duties between db_owner and data owner
Performance
– Pluggable hardware encryption boards
9. EKM KEY HIERARCHY IN SQL 2008
[Diagram: symmetric and asymmetric keys held in the HSM are surfaced in SQL Server as an EKM symmetric key and an EKM asymmetric key; these protect the TDE DEK and native SQL Server symmetric keys, which in turn encrypt the data]
10. TRANSPARENT DATA ENCRYPTION
Encryption/decryption at database level
DEK is encrypted with:
– Certificate
– Key residing in a Hardware Security Module (HSM)
Certificate required to attach database files or restore a backup
[Diagram: a client application reads and writes through SQL Server 2008, which encrypts and decrypts each data page with the DEK]
11. TDE – KEY HIERARCHY
Operating System Level
– Data Protection API (DPAPI) encrypts the Service Master Key
SQL Server 2008 Instance Level
– Service Master Key encrypts the Database Master Key in the master database (the Database Master Key is also protected by a password)
SQL Server 2008 Master Database
– Database Master Key encrypts the Certificate in the master database
SQL Server 2008 User Database
– Certificate encrypts the Database Encryption Key
12. TDE – KEY HIERARCHY WITH EKM
Hardware Security Module (HSM)
– Asymmetric Key resides on the EKM device
SQL Server 2008 User Database
– Asymmetric Key encrypts the Database Encryption Key
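The EKM path from slides 6 through 12, worked through as T-SQL. This is an added example, not code from the deck or from Microsoft; the provider DLL path, the HSM identity and secret, the Windows login and every object name are placeholders for what your HSM vendor and your environment actually use.

```sql
-- Added example: TDE with the DEK protected by an HSM-resident asymmetric key through EKM.
-- Placeholders: the DLL path, the HSM identity/secret, the login CONTOSO\tde_admin, all object names.
USE master;
GO
-- 1. EKM is an advanced option and is off by default (Enterprise Edition only).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;
GO
-- 2. Register the vendor DLL that implements the SQLEKM interface (slide 6).
CREATE CRYPTOGRAPHIC PROVIDER HsmProvider
    FROM FILE = 'C:\Program Files\HsmVendor\sqlekm.dll';   -- placeholder path
GO
-- 3. A credential carrying the HSM logon, mapped to the DBA login that creates keys.
--    This is the extra authentication layer and separation of duties from slide 8:
--    db_owner alone cannot reach the HSM without holding a credential for it.
CREATE CREDENTIAL HsmAdminCred
    WITH IDENTITY = 'hsm_sql_user', SECRET = 'placeholder-hsm-pin'
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
ALTER LOGIN [CONTOSO\tde_admin] ADD CREDENTIAL HsmAdminCred;   -- placeholder login
GO
-- 4. Surface the HSM key inside SQL Server as an EKM asymmetric key (the proxy of slide 6).
--    CREATION_DISPOSITION = OPEN_EXISTING would bind to a key already generated on the HSM.
CREATE ASYMMETRIC KEY HsmTdeKey
    FROM PROVIDER HsmProvider
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'sql_tde_key_01',
         CREATION_DISPOSITION = CREATE_NEW;
GO
-- 5. The engine itself needs a path to the HSM at startup to unwrap the DEK:
--    a login derived from the EKM key, carrying its own credential.
CREATE LOGIN HsmTdeLogin FROM ASYMMETRIC KEY HsmTdeKey;
CREATE CREDENTIAL HsmTdeCred
    WITH IDENTITY = 'hsm_sql_user', SECRET = 'placeholder-hsm-pin'
    FOR CRYPTOGRAPHIC PROVIDER HsmProvider;
ALTER LOGIN HsmTdeLogin ADD CREDENTIAL HsmTdeCred;
GO
-- 6. Create the DEK in the user database, protected by the HSM key instead of a certificate (slide 12).
USE CardholderDB;   -- placeholder database
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY HsmTdeKey;
GO
ALTER DATABASE CardholderDB SET ENCRYPTION ON;
GO
-- 7. Confirm which key wraps the DEK and that it lives on the provider, not in a certificate.
--    encryption_state: 2 = encryption in progress, 3 = encrypted.
USE master;
GO
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.percent_complete,
       ak.name                AS asymmetric_key_name,
       cp.name                AS provider_name
FROM sys.dm_database_encryption_keys AS k
JOIN sys.asymmetric_keys        AS ak ON ak.thumbprint = k.encryptor_thumbprint
JOIN sys.cryptographic_providers AS cp ON cp.guid = ak.cryptographic_provider_guid;
```

The practical difference from the certificate path is in step 5: there is no private key to back up from SQL Server, but the instance cannot open the encrypted database at all unless the HSM is reachable and the credential mapped to HsmTdeLogin is still valid, so HSM availability and credential rotation become part of the database's recovery plan.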
13. REASONS TO USE TDE
Protects data-at-rest
Entire database is protected
Applications do not need to explicitly encrypt/decrypt data!
– No restrictions with indexes or data types (except Filestream)
Performance cost is small
Backups are unusable without key
14. TDE CONSIDERATIONS
Compatible with Database Compression
Not recommended with Backup Compression
Database Mirroring
– Copy certificate from primary to mirror
Log files are not retroactively encrypted
– Encryption begins at next VLF boundary
Tempdb is encrypted as soon as any database in the instance uses TDE
Enterprise only
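The certificate-based hierarchy of slide 11 as a complete T-SQL procedure, including the two operational steps the deck calls out: back up the certificate (slides 10 and 13) and install the same certificate on the mirror before the encrypted database can be mirrored or restored there (slide 14). The closing query also shows the tempdb behaviour the deck mentions. This is an added example, not the presenters' code; the database name, file paths and passwords are placeholders.

```sql
-- Added example: certificate-protected TDE on a primary, the same certificate on a mirror,
-- and a verification query. Placeholders: CardholderDB, D:\keybackup paths, all passwords.

-- === Primary instance ===
USE master;
GO
-- Database Master Key in master. Protected by a password and, by default, by the
-- Service Master Key, which DPAPI protects at the OS level (slide 11).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Pl@ceholder-DMK-Passw0rd!';
GO
-- Certificate in master that will wrap the DEK.
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for CardholderDB';
GO
-- Back up the certificate and its private key immediately. Without them every backup
-- of the database is unusable (slide 13) and the files cannot be attached or restored
-- elsewhere (slide 10). Keep this backup away from the database backups it unlocks.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'D:\keybackup\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keybackup\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Pl@ceholder-PVK-Passw0rd!');
GO
USE CardholderDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
-- Succeeds immediately (unless a backup is running); existing pages are encrypted
-- by a background scan while applications stay online.
ALTER DATABASE CardholderDB SET ENCRYPTION ON;
GO

-- === Mirror / restore target instance ===
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Different-Pl@ceholder-DMK!';
GO
-- Restoring the backup yields a certificate with the same thumbprint, which is
-- exactly what the DEK's encryptor_thumbprint must match on the mirror (slide 14).
CREATE CERTIFICATE TdeCert
    FROM FILE = 'D:\keybackup\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keybackup\TdeCert.pvk',
                      DECRYPTION BY PASSWORD = 'Pl@ceholder-PVK-Passw0rd!');
GO

-- === Verification, on either instance ===
-- encryption_state: 1 = unencrypted, 2 = encryption in progress, 3 = encrypted.
-- tempdb is listed as well once any user database is encrypted, and its algorithm
-- is AES_256 whatever the user database chose; its row has no matching certificate.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       c.name AS certificate_name
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint
ORDER BY database_name;
```

If the mirror is set up before the certificate is created there, mirroring fails at the point the encrypted log records arrive; run the mirror-side block first, then start the session.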
16. AUDITING DATABASE ACTIVITY
SQL Server 2005
– SQL Trace
– DDL/DML Triggers
– Third-party tools to read transaction logs
– No management tools support
SQL Server 2008
– SQL Server Audit
17. SQL SERVER AUDIT
Audit now a 1st Class Server Object
– Native DDL for Audit configuration and management
– Security support
Create an Audit object to automatically log actions to:
– File
– Windows Application Log
– Windows Security Log
Ability to define granular Audit Actions of Users or Roles on DB objects
18. AUDIT SPECIFICATIONS
Server and database audit specifications for
– Pre-defined action groups
– Individual action filters
Server action groups
– Server config changes, login/logoff, role membership change, etc.
Database action groups
– Schema object access, database role membership change, database object access, database config change
19. AUDIT SPECIFICATIONS
Diagram: an Audit object writes to exactly one target (file system, Windows Security event log, or Windows Application event log). Per Audit object there is 0..1 server audit specification, holding server audit actions, and 0..1 database audit specification per database, holding database audit actions grouped by database audit component.
CREATE SERVER AUDIT SPECIFICATION SvrAC
    FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP);
CREATE DATABASE AUDIT SPECIFICATION AuditAC
    FOR SERVER AUDIT PCI_Audit
    ADD (SELECT ON dbo.Customers BY public);
(Both statements reference an Audit object named PCI_Audit that must already exist, and both specifications are created in the OFF state until WITH (STATE = ON) is applied.)
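The two specifications above only make sense together with the Audit object they point at and the switch that turns the whole thing on. The following is an added end-to-end example, not code from the deck: it creates the file-target Audit object, a server specification, a database specification, enables them in the right order, and reads the records back. The folder D:\SQLAudit\ (which must exist and be writable by the SQL Server service account), the database SalesDB and the table dbo.Customers are assumed names.

```sql
-- Added example (not from the deck). Hypothetical names: D:\SQLAudit\, SalesDB, dbo.Customers.
USE master;
GO
-- 1. The Audit object is the target. A file target here; the Windows Security log target
--    additionally needs the service account granted "Generate security audits".
CREATE SERVER AUDIT PCI_Audit
    TO FILE ( FILEPATH = N'D:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = UNLIMITED )
    WITH ( QUEUE_DELAY = 1000,        -- ms the engine may buffer records before flushing
           ON_FAILURE = CONTINUE );   -- SHUTDOWN fails closed (instance stops if the audit cannot be written); test before using it
GO
-- 2. Server-level actions: failed logins (as on the slide), plus server role changes and
--    any change to the audit configuration itself, so tampering with the audit is recorded.
CREATE SERVER AUDIT SPECIFICATION SvrAC
    FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- 3. Database-level actions are created inside the database they watch.
USE SalesDB;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditAC
    FOR SERVER AUDIT PCI_Audit
    ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customers BY public),  -- BY public = every principal
    ADD (DATABASE_OBJECT_ACCESS_GROUP),   -- access to keys/certificates (the groups named on the TDE Quick Guide slide)
    ADD (DATABASE_OBJECT_CHANGE_GROUP)    -- CREATE/ALTER/DROP of database objects, keys included
    WITH (STATE = ON);
GO
-- 4. Everything is created OFF; the Audit object itself is switched on last.
USE master;
GO
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
-- 5. Check that it is actually running (status_desc = STARTED) and where it writes.
SELECT name, status_desc, audit_file_path, audit_file_size
FROM sys.dm_server_audit_status;
GO
-- 6. Read the records back. Files are named <audit>_<guid>_<n>_<timestamp>.sqlaudit.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SQLAudit\PCI_Audit_*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
```

Run a failed login and a SELECT against dbo.Customers after step 4 and both show up in step 6; event_time is recorded in UTC. Disabling the Audit object (STATE = OFF) is itself written to the audit before the audit stops, which is what lets the "records changes to audit configuration" claim on the next slide hold.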
20. REASONS TO USE SQL AUDIT
Leverages the high-performance eventing infrastructure to generate audits
Runs within the engine rather than as a side/separate app
Parity with SQL 2005 audit generation
Faster than SQL Trace
Records changes to the Audit configuration
Configuration and management in SSMS
(Note: Enterprise Edition only)
23. Business Reasons
Compliance requirements for PCI, HIPAA, GLBA, among many other acronyms
Key management, encryption, and auditing are key components of meeting these compliance requirements
Refer to the Compliance SDK that will be released on sqlcat.com and TechNet this month
Table (slide 23): IT controls mapped against SOX, PCI, HIPAA and GLBA. Controls listed: ID Management, Separation of Duties, Encryption, Key Management, Auditing, Control Testing, Policy Management.
25. Transparent Data Encryption
What happens after encryption is enabled
When enabling encryption
– Succeeds immediately, unless a running backup blocks it
– Can be executed with applications online
– Every page written from this point forward is encrypted
– A background task encrypts the existing pages
tempdb is encrypted with AES 256 (the strongest key available)
– This is done independently of the algorithm chosen for the user database
– If you decrypt every user database, tempdb is not automatically decrypted (it is rebuilt unencrypted only at the next instance restart)
– Consequences for other databases that use tempdb intensively, since their tempdb pages are now encrypted and decrypted on the way through
Resources
Using Transparent Data Encryption with large SAP databases will be published by Juergen Thomas on sqlcat.com
26. Transparent Data Encryption
Operational Impact
Storage replication at the hardware level
– The background task rewrites every page to encrypt it
– At the hardware level every page changes, i.e. every page has to be replicated
– Test whether your hardware replication can handle that throughput
When using database mirroring or log shipping
– Ensure that the mirror server has the master key and certificate as well
– The bottleneck is not page throughput: the transaction log carries only one entry per 4 extents (32 pages) noting that the extents are encrypted
– But the secondary server restores the transaction log with fewer threads than the principal/primary, i.e. restore activity backs up
– Possible failover issues
Synchronous mirroring backlog may mean you cannot fail over, because applying the received transaction log records could take a few hours
With log shipping, restoration of the backups falls behind, and manual failover cannot take place before the restore finally catches up
– Consider disabling HA for the initial encryption and resynchronizing your HA configuration afterwards
27. Transparent Data Encryption
Monitoring Progress of Encryption / Decryption
-- One row per database that has a DEK; tempdb appears (state 3) as soon as any user database is encrypted
select DB_NAME(database_id) as database_name,
       case encryption_state
            when 0 then 'No database encryption key present, no encryption'
            when 1 then 'Unencrypted'
            when 2 then 'Encryption in progress'
            when 3 then 'Encrypted'
            when 4 then 'DEK change in progress'
            when 5 then 'Decryption in progress'
            when 6 then 'Protection change in progress (certificate or key protecting the DEK is being changed)'
       end as encryption_state_desc,
       key_algorithm,
       key_length,
       percent_complete   -- non-zero only while the background scan is running
  from sys.dm_database_encryption_keys;
28. Transparent Data Encryption
Customer Scenario
Observations
– 4 x 2 cores, one LUN for 6 data files on 30 spindles, 10 spindles for the log
– Write rate 10-15% higher than read rate
– Writes bundled into 150-180 KB chunks, so less I/O
– About half a core of CPU
Only one data LUN, therefore one background thread and one coordinating thread
Recall: CPU use depends on the number of LUNs
– 30 MB/s of read, encrypt, write for a 100 GB volume
1 h with the AES algorithm
2.5 h with the TRIPLE_DES algorithm
Same for going from the encrypted to the decrypted state
Performance Impact
– Hard to predict ... "it depends"
– Hits write-intensive workloads harder than read-only workloads
– Another customer on 2008 (with TDE and page compression) saw performance on par with 2005
29. Transparent Data Encryption
Quick Guide
When implementing TDE
Be sure to back up the certificate and its private key
Rotate certificates and keys periodically as required by regulations
Use EKM for stronger key protection and separation of duties
Monitor key and encryption access
– Policy Based Management
– Auditing (audit action groups: DATABASE_OBJECT_ACCESS_GROUP and DATABASE_OBJECT_CHANGE_GROUP)
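The steps the TDE slides describe (enable with applications online, copy the certificate to the mirror or log-shipping secondary, back up the certificate's private key, rotate periodically) are shown below as one added T-SQL walkthrough. This is example code, not code from the deck or from SQLCAT; the database name SalesDB, the paths under D:\Keys\, the certificate names and the passwords are assumptions.

```sql
-- Added example (not from the deck). Hypothetical: SalesDB, D:\Keys\, TDE_Cert*, passwords.
USE master;
GO
-- 1. Database master key in master; it protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'DMK-Pa55word-ChangeMe';
GO
-- 2. The certificate that will protect the DEK. TDE does not enforce EXPIRY_DATE,
--    but it is the reminder that drives the rotation step below.
CREATE CERTIFICATE TDE_Cert
    WITH SUBJECT = 'TDE certificate for SalesDB', EXPIRY_DATE = '2010-12-31';
GO
-- 3. Back up certificate AND private key BEFORE encrypting: without them neither the
--    database nor any backup taken from now on can be restored on another instance.
BACKUP CERTIFICATE TDE_Cert TO FILE = 'D:\Keys\TDE_Cert.cer'
    WITH PRIVATE KEY ( FILE = 'D:\Keys\TDE_Cert.pvk',
                       ENCRYPTION BY PASSWORD = 'PVK-Pa55word-ChangeMe' );
GO
-- 4. DEK inside the database, then switch encryption on. Applications stay online; the
--    background task rewrites existing pages (watch sys.dm_database_encryption_keys).
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- 5. On the mirror / log-shipping secondary (run THERE): the same certificate must be in
--    its master before the mirroring session or the first log restore, or the secondary
--    cannot read the encrypted pages. The private key is re-protected by that server's DMK.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Secondary-DMK-Pa55word';
GO
CREATE CERTIFICATE TDE_Cert
    FROM FILE = 'D:\Keys\TDE_Cert.cer'
    WITH PRIVATE KEY ( FILE = 'D:\Keys\TDE_Cert.pvk',
                       DECRYPTION BY PASSWORD = 'PVK-Pa55word-ChangeMe' );
GO
-- 6. Rotation (on the principal). Re-protecting the DEK with a new certificate touches only
--    the DEK, not data pages; regenerating the DEK re-encrypts every page (the expensive step
--    from the customer scenario) and is only needed if policy demands a new data key.
CREATE CERTIFICATE TDE_Cert_2011 WITH SUBJECT = 'TDE certificate for SalesDB, 2011';
BACKUP CERTIFICATE TDE_Cert_2011 TO FILE = 'D:\Keys\TDE_Cert_2011.cer'
    WITH PRIVATE KEY ( FILE = 'D:\Keys\TDE_Cert_2011.pvk',
                       ENCRYPTION BY PASSWORD = 'PVK2011-Pa55word-ChangeMe' );
GO
USE SalesDB;
GO
ALTER DATABASE ENCRYPTION KEY ENCRYPTION BY SERVER CERTIFICATE TDE_Cert_2011;  -- install TDE_Cert_2011 on the secondary first
ALTER DATABASE ENCRYPTION KEY REGENERATE WITH ALGORITHM = AES_256;             -- optional: new DEK, full page rewrite
GO
```

Keep the .cer/.pvk pair and the private-key password outside the database server (the point of step 3 is that a compromised or lost server still leaves the backups usable by you and only you), and only drop TDE_Cert after the last backup that was taken under it has aged out of retention.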
Diagram: the database encryption key (DEK) protects the database; it is in turn protected by a certificate, which is backed up, rotated, and can be held in a key server through Extensible Key Management. Possible DEK algorithms: AES (128, 192, 256 bit) and 3DES.
31. Auditing
Business Reasons
Compliance requirements for SOX, PCI, HIPAA, GLBA, among many other acronyms
Customers like the fact that SQL Server is attempting to address auditing issues with this feature
Additional guidance on how to use it for auditing scenarios can be found in the Compliance SDK.
32. Auditing
What to audit
Audit specific users
– Typically you want to audit sysadmin
– But many scenarios require auditing more users, because those users have insert and update access
– Based on your policies
Audit specific tables
– Audit all tables that hold sensitive data or that may only be modified through controlled processes
Audit objects
– Key and encryption access auditing (audit action groups: DATABASE_OBJECT_ACCESS_GROUP and DATABASE_OBJECT_CHANGE_GROUP)
Audit-everything approach
– Grows quite quickly (i.e. lots of data), so you may want to limit what is collected
– Or have your audit reporting system filter out the data you do not need
33. Auditing
Centralizing audit logs and reporting
Diagram: the DB servers run SQL Audit and transfer their logs to a file server; an SSIS package on a SQL 2008 server processes the SQL 2008 audit log data and stores it in its own SQL database; SSRS 2008 generates the compliance reports from that database.
34. Auditing
Centralizing audit logs and reporting
Centralizing logs
– Allows one server to process the audit logs from all your servers
– Easier manageability
– Set files to 100 MB in size (fewer files, but not too large to process)
– Can also centralize processing
– ... and centralize reporting
Compliance SDK contains the full project
– Organized by server, database, DDL, and DML actions
35. Auditing
Interesting finds from auditing
Backing up a user database:
– Needs CREATE permission on the master database to look at the backup media
– The CREATE permission is a misnomer, since you are not creating anything
– Nevertheless it is required to do a backup, hence the RESTORE LABELONLY statements in your audit
Server Principal Name is the user name
A lot of VIEW SERVER STATE calls, but they are part of an important server audit specification (you may want to filter them out in reporting rather than stop collecting them)
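The centralizing slides describe the pipeline (copy files to a file server, process them into a reporting database, report from there) and this slide says which records are noise. The block below is an added example of the processing step done in T-SQL rather than SSIS; it is not the Compliance SDK project. It loads audit files from a share into a reporting table, resumes from where the previous run stopped so the job can be rerun safely, and drops the VIEW SERVER STATE records at load time. The database AuditStore, the share \\auditfs\sqlaudit\ and the server name DBSERVER01 are assumed names.

```sql
-- Added example (not the Compliance SDK). Hypothetical: AuditStore, \\auditfs\sqlaudit\, DBSERVER01.
USE AuditStore;
GO
IF OBJECT_ID(N'dbo.AuditEvents') IS NULL
    CREATE TABLE dbo.AuditEvents (
        audit_event_id        bigint IDENTITY(1,1) PRIMARY KEY,
        source                sysname       NOT NULL,   -- which server's files this came from
        event_time            datetime2(7)  NOT NULL,   -- UTC, as written by SQL Audit
        server_instance_name  nvarchar(128) NOT NULL,
        action_id             varchar(4)    NOT NULL,
        action_name           nvarchar(128) NULL,
        succeeded             bit           NOT NULL,
        server_principal_name nvarchar(128) NULL,       -- the login (the slide: "server principal name is the user name")
        database_name         nvarchar(128) NULL,
        schema_name           nvarchar(128) NULL,
        object_name           nvarchar(128) NULL,
        statement             nvarchar(max) NULL,
        file_name             nvarchar(260) NOT NULL,
        audit_file_offset     bigint        NOT NULL
    );
IF OBJECT_ID(N'dbo.AuditLoadWatermark') IS NULL
    CREATE TABLE dbo.AuditLoadWatermark (
        source           sysname       PRIMARY KEY,
        last_file_name   nvarchar(260) NOT NULL,
        last_file_offset bigint        NOT NULL
    );
GO
CREATE PROCEDURE dbo.LoadAuditFiles
    @source  sysname,        -- e.g. N'DBSERVER01'
    @pattern nvarchar(260)   -- e.g. N'\\auditfs\sqlaudit\DBSERVER01\PCI_Audit_*.sqlaudit'
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @last_file nvarchar(260), @last_offset bigint;
    SELECT @last_file = last_file_name, @last_offset = last_file_offset
    FROM dbo.AuditLoadWatermark WHERE source = @source;

    -- Resume at the recorded file/offset (NULL, NULL = read every file matching the pattern).
    -- The record AT the watermark offset is returned again, so it is excluded explicitly.
    INSERT dbo.AuditEvents (source, event_time, server_instance_name, action_id, action_name,
                            succeeded, server_principal_name, database_name, schema_name,
                            object_name, statement, file_name, audit_file_offset)
    SELECT @source, f.event_time, f.server_instance_name, f.action_id,
           (SELECT TOP (1) d.name FROM sys.dm_audit_actions AS d WHERE d.action_id = f.action_id),
           f.succeeded, f.server_principal_name, f.database_name, f.schema_name,
           f.object_name, f.statement, f.file_name, f.audit_file_offset
    FROM sys.fn_get_audit_file(@pattern, @last_file, @last_offset) AS f
    WHERE (@last_file IS NULL
           OR NOT (f.file_name = @last_file AND f.audit_file_offset <= @last_offset))
      -- the VIEW SERVER STATE noise from the slide: keep collecting it, drop it here
      AND NOT EXISTS (SELECT 1 FROM sys.dm_audit_actions AS d
                      WHERE d.action_id = f.action_id AND d.name = N'VIEW SERVER STATE');

    -- Advance the watermark to the last record kept for this source.
    ;WITH latest AS (
        SELECT TOP (1) file_name, audit_file_offset
        FROM dbo.AuditEvents WHERE source = @source
        ORDER BY audit_event_id DESC)
    MERGE dbo.AuditLoadWatermark AS w
    USING latest AS l ON w.source = @source
    WHEN MATCHED THEN
        UPDATE SET last_file_name = l.file_name, last_file_offset = l.audit_file_offset
    WHEN NOT MATCHED THEN
        INSERT (source, last_file_name, last_file_offset)
        VALUES (@source, l.file_name, l.audit_file_offset);
END
GO
-- Scheduled job step, once per source server:
EXEC dbo.LoadAuditFiles @source = N'DBSERVER01',
                        @pattern = N'\\auditfs\sqlaudit\DBSERVER01\PCI_Audit_*.sqlaudit';
GO
-- One of the compliance reports: failed logins per login over the last 24 hours.
SELECT server_principal_name, COUNT(*) AS failed_logins
FROM dbo.AuditEvents
WHERE action_name = N'LOGIN FAILED'
  AND event_time >= DATEADD(hour, -24, SYSUTCDATETIME())
GROUP BY server_principal_name
ORDER BY failed_logins DESC;
```

sys.fn_get_audit_file reads the files under the reporting server's service account, so that account needs read access to the share; the audited servers need only write to it. Because filtered records are never stored, the watermark can sit a few records behind the true end of file; the next run re-reads and re-drops them, which is harmless.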
36. Auditing
Caregroup Hospitals Scenario
Auditing is a critical component of HIPAA compliance and of ensuring patient privacy
– 1 billion rows of audit data
– 146 mission-critical clinical applications
– Comprehensive audits yield 300-500k transactions/day
– HIPAA requires an audit system with 20 years of data
Auditing Project
– Available to the community as part of the Compliance SDK
– Collaboration of Caregroup, MCS, SQLCAT
Quote:
– "Creating an enterprise tool for consolidated storage, reporting and alerting of all application audit data - that's cool!"
– John Halamka's Cool Technology of the Week (Wellsphere Top Health Blogger, Health Impact Award)
38. Thank you
for attending this session and the
PASS Community Summit 2008
November 18 – 21, 2008 Seattle WA
Editor's Notes (slide 1)
Why consider encryption?
Additional layer of security
Required by some regulatory compliance laws
Database security is a growing concern for many enterprises
Recent regulations have mandated strict requirements for data security, data privacy and data integrity
2005 cons
Built-in encryption functions require application changes
EFS has performance issues with SQL Server
BitLocker: the encryption does not stick to the data (it protects the volume, not the database files or backups once they leave it) and is only available on Vista/Windows Server 2008
Consolidation across the enterprise
Simplify key management and storage
Includes key generation, retrieval, aging, etc.
Offer functionality not available in SQL Server
In SQL Server 2005, you can encrypt data in the database by writing custom Transact-SQL that uses the cryptographic capabilities of the database engine. SQL Server 2008 improves upon this situation by introducing transparent data encryption.
Transparent data encryption performs all cryptographic operations at the database level, removing any need for application developers to create custom code to encrypt and decrypt data and logs. Data is encrypted as it is written to disk and decrypted as it is read from disk. By using SQL Server to manage encryption and decryption transparently, you can secure business data in the database without requiring any changes to existing applications.