Grab some coffee and enjoy the pre-show banter before the top of the hour!
Hot Technologies of 2016
HOST: Eric Kavanagh
THIS YEAR is…
THE LINEUP
ANALYST: Dez Blanchfield, Data Scientist, The Bloor Group
ANALYST: Robin Bloor, Chief Analyst, The Bloor Group
GUEST: Ignacio Rodriguez, Senior Product Manager, IDERA
INTRODUCING
Robin Bloor
Securing Database
Robin Bloor, PhD
Database Security Evolution
It is easy to think of data security as a static target, but it isn’t
It’s a MOVING TARGET
A Very Brief Overview of Data Security
• Data theft is nothing new; data that is valuable is targeted
• Cyber-theft was born with the Internet and it exploded around 2005
• There are many players: governments, businesses, hacker groups, individuals…
• The technologies of attack and defense evolve
• Businesses have a duty of care over their data, whether they own it or not
About the Hackers
• They can be located anywhere and thus they may be difficult to bring to justice, even if identified
• Many are very skilled; they share technology and information
• They have considerable resources
• Some are profitable businesses
• There are government groups
  – Economic warfare (stealing secrets)
  – Cyber warfare
• It’s unlikely that the phenomenon will ever end
Compliance and Regulations
• Aside from sector initiatives there are many official regulations: HIPAA, SOX, FISMA, FERPA, GLBA (mainly US legislation)
• Standards (Global): PCI-DSS, ISO/IEC 17799 (data should be owned)
• National regulations differ country to country (even in Europe)
• GDPR being negotiated
Things to Think About
• DBMS vulnerabilities
• Identify vulnerable data
• Security policy particularly in relation to access security (who can read, write, grant permissions, etc.)
• Encryption
• The cost of a security breach
• The attack surface
The DBA and Data Security
Data Security is usually part of the DBA’s role. But it’s collaborative too. It NEEDS to be subject to corporate policy.
INTRODUCING
Dez Blanchfield
@dez_blanchfield
YOUR DATA IS THE CURRENCY
DATA BREACHES ARE RAPIDLY BECOMING NORMAL!!
THE SHEER SCALE OF THESE BREACHES IS STAGGERING
COSTS ESTIMATED TO CLEAN UP DO NOT TAKE INTO ACCOUNT THE HUMAN TOLL
INTRODUCING
Ignacio Rodriguez
© 2016 IDERA, Inc. All rights reserved. Proprietary and confidential.
THE NEW NORMAL: DEALING WITH THE REALITY OF AN UNSECURE WORLD
Ignacio Rodriguez, Product Manager
DATABASE SECURITY CHALLENGES
• Identify Vulnerabilities: Manage creation of collection rules, view collection history & analyze user access rights
• Harden Security Policies: Use recommended templates to define policies with 3 distinct levels of protection
• Assess Security Levels: Identify factors that may allow SQL Server to be attacked by a malicious user to reduce risk
• Control User Permissions: Analyze and manage user permissions across all SQL Server objects
• Control Server Security: Review and update SQL Server security properties across your environment
• Comply with Audits: Use customizable templates for user accesses to satisfy audits
SQL SECURE
§ Set strong security policies mapped to regulatory guidelines - View a complete history of SQL Server security settings and designate a baseline to compare against future changes.
§ Prevent security risks and violations - The security report card identifies top security vulnerabilities on your servers. Each security check is categorized as High, Medium, or Low Risk.
§ Identify vulnerabilities - Understand who has access to what and identify each user’s effective rights across all SQL Server objects.
§ Report on and analyze user, group, or role permissions - Analyze membership to powerful server roles and groups, such as administrators, systems administrators, and security administrators to ensure each user’s level of access is warranted.
SQL SECURE
§ Deliver detailed security risk reports – IDERA SQL Secure provides 23 reports out of the box, each of which contains flexible parameters to easily create the types of reports that display the data that auditors, security officers, managers, or administrators require.
§ Compare security, risk, and configuration changes over time - Reports such as the snapshot and assessment comparisons provide an easy way for comparing security, configuration, and risks between different time periods.
§ SQL Secure snapshot alerting - Notifications when SQL configuration changes are detected that present a new risk.
SQL SECURE ARCHITECTURE
[Architecture diagram. Components shown: SQL Secure Repository; Management and Collection Service; Enterprise Console; SQL Secure Monitored SQL Instances (agentless capture of security model info); MS SQL Server Reporting Services; Active Directory]
SECURITY REPORT CARD
AUDIT SQL USER PERMISSIONS
COMPARE SECURITY SETTINGS
POLICY TEMPLATES
SQL USER EFFECTIVE RIGHTS
SQL SERVER OBJECT ACCESS RIGHTS
SQL SECURE REPORTING
SNAPSHOT COMPARISONS
ASSESSMENT COMPARISON
SUMMARY
§ Database security is of critical importance
  • Doing it wrong will expose your company to significant risks
  • Doing it well and effectively requires both strategy and process
§ Database professionals need a tool to manage and monitor database access permissions
§ IDERA SQL Secure provides extensive capabilities to control database permissions, track access activities, and mitigate breach risks
THANKS! Any questions?
The Archive Trifecta:
• Inside Analysis: www.insideanalysis.com
• SlideShare: www.slideshare.net/InsideAnalysis
• YouTube: www.youtube.com/user/BloorGroup
THANK YOU!