programming4us
           
 
 
SQL Server

SQL Server 2008 : Security and Compliance

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
5/27/2011 11:15:31 AM

Exposure and Risk

You must understand that security is really “risk management” or “risk mitigation.” It can be very difficult to completely secure an application or environment. However, you are able to control or limit damage by following certain practices. Your data and applications have different levels of security requirements depending on the exposure endpoints (an exposure endpoint is defined by who is using the application and data). Figure 1 shows a simple matrix of data and application sensitivity versus the exposure endpoints of that application. By definition, the more external facing your application is (such as to the Internet) and the higher the sensitivity of the data involved, the higher risk precautions you have to take.

Figure 1. The exposure endpoints “risk” by category of data/application sensitivity.

Let’s say you have an internal company SQL Server–based application that has only very low sensitivity data (public-facing data such as benefits data). You freely share this type of data with whoever wants to see it. The types of controls or rigor are likely very small for this type of application—perhaps as simple as an integrated Active Directory with your SQL Server and read-only access for all user roles.

On the other side of the spectrum, you may have applications generating financial transactions with credit card data that must have zero vulnerabilities, encrypt data across the network, encrypt data at rest within SQL Server, and use the new SQL auditing feature for database-level monitoring of all data accesses.

A big part of the risk management aspect is understanding what the impact of this risk would be if your system is compromised. It is always best to identify this aspect up front in some type of risk “cost” or “impact.” Many financially strong companies have gone out of business as a result of security breaches they had not anticipated or considered. It is better to plan for such risk from the beginning.

Another aspect to consider is staying compliant with data you use in nonproduction environments. Often, companies needlessly put their entire livelihood at risk by using live data values in nonproduction environments. If PII or other company-sensitive data is available in your nonproduction environments (such as in Development, Test, and Quality Assurance platforms), you are violating laws and regulations around the globe and putting your company and your customers at risk. You can easily employ data subsetting and masking to your nonproduction data. Putting this practice in place is a great idea.

Across the Life Cycle

A part of good design is how you have complied with laws and regulations, how you have protected the data you access or store, how you have secured your application and data, and how you have verified all this. For these reasons, we provide some details and describe what must be done across the development life cycle to properly address security and compliance. We term this process the “risk mitigation” of what you build.

Figure 2 shows a formal waterfall development life cycle with key security and compliance items identified at each relevant phase. Getting into the risk mitigation business starts by giving security and compliance the full commitment and recognition they deserve.

Figure 2. Security and compliance across the development life cycle.

This step starts with a clear statement of security and compliance objectives as you are sizing up your application in the assessment phase. These objectives often take the form of stating how you will address the rules, laws, data sensitivities, access considerations, and eventual end users (and the countries they reside in).

Next, you focus on the clear identification and specification of all security and scope of compliance. You look at the details of exactly where the compliance or security lines need to be, determine how you must fully address them, and clearly identify which must be adhered to for your application. Often, organizations have security information analysts and data privacy groups that contribute to this part of your development efforts. They, in turn, bring others to the table, such as legal, auditing, and even corporate communications folks.

As you go into the design phase, you must complete the full analysis and design of every security and compliance element for your application. As part of this analysis and design phase, you should start enumeration test plans that must be completely verified before your application can be delivered to its users.

In the prototyping phase, you have a chance to start demonstrating how security, access, privacy, and compliance will be addressed. This phase is very important because of all the complications, rules, laws, and issues that are at stake and must be verified. We have not run a development effort without extensive prototyping of as many security and compliance tests as are humanly possible. It is this risk that must be fully addressed early and never as an afterthought!

As you fully code and test your database and application, you must never skip the security testing and validation. It is best to put these tests first in your overall test plans. As your application completely takes shape, a complete application scan for vulnerabilities can be performed. Popular tools such as AppScan are essential tools of the trade for performing this task.

Finally, as you near deployment, you should make sure all the security and compliance acceptance tests are met. You need to capture these results fully because the successful completion of this part of acceptance testing can be shown in SOX compliance auditing.

The Security Big Picture

Now, let’s turn to the bigger security and compliance picture that shows many of the layers involved in a broader security enforcement approach. Figure 3 shows many of these layers, starting at the top with solid guidelines, policies, and compliance-reporting capabilities. You must start with these components to guarantee that you are aware of what must be done and have a way to show you are doing what the policies outline.

Figure 3. Security enforcement layers and components.

Next, you must define and create other aspects of security and compliance, such as security event management, alerting and monitoring, complete threat models, and vulnerability assessment objectives. These types of components must also reach into and be enforceable across major events such as disaster recovery (to ensure business continuity) and continue to support what you have deployed around identity management and single sign-on.

The next inner layer is where your database security is defined, along with any database-level or database instance–level auditing you put into place. It is also this layer where messy things such as SQL injection can occur and Denial of Service often surfaces. Getting some type of intrusion detection and prevention scheme into place is essential.

Moving further down the layers of security, you find file integrity checking, secure Internet protocols, disk-level encryption, and other security-enhancing items. They all work together to bring you what should be a more secure (and compliant) place to deploy your applications within.

With SQL Server 2008 R2, you are essentially out-of-the-box ready to do absolutely nothing. In other words, Microsoft has taken the policy to “allow nothing,” and any access, execution, or other action must be explicitly granted. Believe it or not, this is the right thing to do. This approach ensures that all objects and accesses are explicitly declared and, by definition, are fulfilling security and many compliance regulations. The Open Web Application Security Project (OWASP; www.owasp.org) lists its recent top 10 application vulnerabilities as follows:

  • SQL Injection

  • Cross-Site Scripting

  • Broken Authentication and Session Management

  • Insecure Direct Object References

  • Cross-Site Request Forgery

  • Security Misconfiguration

  • Failure to Restrict URLs

  • Unvalidated Redirects and Forwards

  • Insecure Cryptographic Storage

  • Insufficient Transport Layer Protection


Identity Access Management Components

One of the key areas identified in the security big picture (as you can see looking back at Figure 3) is identity management. It is key in the sense that well-managed identities are essential to well-managed security. There is a quite a bit to consider when talking about identities. Figure 4 shows a common “identity universe” for a company that has both internal- and external-facing applications. In other words, identities are both customers that interact with the business and internal identities such as employees and other workforce identities (contractors, temps, partners, and so on). Both sets of identities must be managed well, and often there are overlapping identities that require accesses (and identity management) in both areas (internal and external).

Figure 4. Identity universes (internal and external-facing applications).

Often, companies use one internal-facing LDAP directory such as Microsoft’s Active Directory for managing their internal identities and then another LDAP directory such as Sun One LDAP for managing all external-facing identities (for forums, eStore, and so on). Then they create triggers or synchronization jobs that do a “search before create” type of processing when new identities are created within either LDAP directory. Because overlap is rare, not much extra “create” overhead occurs, but when they do overlap, only one identity (such as a partner identity that might be in that company’s internal and external LDAP directories) gets created. This is effectively “mastering” the user identities. It is recommended that you consider both sources of identities at all times. You should also establish strict access roles for all identities with the least rights going to anonymous identities.

More and more companies are also now moving to concepts such as Open ID, where a company can utilize the authentication and identification established by third-party Open ID providers and grant trust to these identities with very high confidence. The industry is moving this way fast. Figure 13.5 shows the logical components of identity access management.

Figure 13.5. Logical components of identity access management.

This figure shows that you must carefully address full identity life-cycle management, which includes user ID management, credential management, entitlement management, identity integration (between multiple LDAPs), and provisioning and deprovisioning identities. Access management is all about authentication, single sign-on, authorization, and impersonation and delegation rules. And, the directory services themselves define the users, groups, all attributes (or elements) of a user or group, roles, policies to enforce, and credentials to be used. All applications and access points must be plugged in to this identity access management framework. All risk is minimized by a sound identity access management foundation.

Compliance and SQL Server

On the global level, hundreds of compliance laws are in place that affect almost every aspect of data access, data protection, data movement, and even data storage. Countries such as Germany now have some of the most severe data compliance rules on the planet, such as strict control of how certain personal data is stored and what personal data can be stored; these rules even prohibit personal data from being transmitted (or moved) across German borders. If you are planning to create applications and databases that will span countries or contain sensitive or private data, you must “design in” the rules and enforcements from the beginning.

Let’s address the most common “sensitive” data: Personal Identifiable Information (or PII for short). PII data is at the center of most global data privacy laws and regulations. As you can see from a subset of the PII data model in Figure 6, PII data is any personal information that identifies an individual, such as name; address; driver’s license number; other government-issued identification (such as passport number); and even gender, ethnicity, and age.

Figure 6. Personally Identifiable Information (PII).

If you have any databases or applications that have this type of data in it, you are bound by local and/or regional laws and regulations whether you like it or not. It is the law. You must then protect this data in accordance with those regulations and laws; otherwise, you become liable for fines, lawsuits, or worse (risk exposure of that data could put you out of business). As you can also see in Figure 13.6, there are different sensitivity levels around PII data. Something like a person’s name is considered low sensitivity, whereas an employee ID is considered medium sensitivity. And marital status, gender, Social Security number, bank account number, driver’s license number, and passport number are considered high sensitivity and often must be treated with special care and feeding with capabilities such as encryption in transit and at rest (while stored in a table).

Following is a list of some of the many laws and regulations that have been put into effect and that you will likely have to address in your application:

  • The Health Insurance Portability and Accountability Act (also known as HIPAA) was introduced in 1996 to protect critical health and patient information. HIPAA forces companies to strictly control data identified under its jurisdiction.

  • The Sarbanes-Oxley Act (known as SOX), put into place in 2002, requires auditors to assess and report on the effectiveness of a company’s internal controls on information and extend into the authorization of access and updates to data.

  • The Gramm-Leach-Bliley Act (GLBA) of 1999 further defines steps that must be taken by financial institutions to protect, secure, and prevent access of core financial data.

  • California’s Information Practices Act of 2005 details strict controls around PII data, what needs to be encrypted, and laws surrounding breaches of controlled data.

  • The Children’s Online Privacy Protection Act, passed in 1998, focuses on the procedures to protect the confidentiality, security, and integrity of personal information collected from children.

Other industry-oriented laws and regulations have emerged, such as the Payment Card Industry data security standard (PCI standard). It is focused on what must be done to ensure credit card information is secure from the moment a customer makes a purchase until the merchant disposes of the credit card transactions.
Other -----------------
- SQL Server 2008 : Transparent Data Encryption
- SQL Server 2008 : Data Encryption - Column-Level Encryption
- SQL Server 2008 : Data Encryption - SQL Server Key Management
- SQL Server 2008 : Data Encryption
- SQL Server 2008 : Client Data Access Technologies
- SQL Server 2008 : Client Configuration
- SQL Server 2008 R2 : Client Installation
- SQL Server 2008 R2 : Client and Server Networking Considerations
- Upgrading to SQL Server 2008 : Upgrading Other SQL Server Components
- Upgrading to SQL Server 2008 : Slipstreaming Upgrades
- Upgrading to SQL Server 2008 : Upgrading Using a Configuration File
- Destination: SQL Server 2008 or SQL Server 2008 R2 (part 2) - Upgrading In-Place
- Destination: SQL Server 2008 or SQL Server 2008 R2 (part 1) - Side-by-Side Migration
- Upgrading to SQL Server 2008 : Using the SQL Server Upgrade Advisor (UA)
- SQL Server 2008 : Developing Custom Managed Database Objects (part 7) - Using Transactions & Using the Related System Catalogs
- SQL Server 2008 : Developing Custom Managed Database Objects (part 6) - Developing Managed Triggers
- SQL Server 2008 : Developing Custom Managed Database Objects (part 5) - Developing Managed User-Defined Aggregates
- SQL Server 2008 : Developing Custom Managed Database Objects (part 4) - Developing Managed User-Defined Types
- SQL Server 2008 : Developing Custom Managed Database Objects (part 3) - Developing Managed User-Defined Functions
- SQL Server 2008 : Developing Custom Managed Database Objects (part 2) - Developing Managed Stored Procedures
 
 
 
Top 10
 
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us