Protecting Data Across the Environment

Presentation transcript:

Protecting Data Across the Environment Welcome to 24 Hours of PASS: Data Security and Data Quality. We’re excited you could join us today for Brian Kelley’s session, Protecting Data Across the Environment. This 24 Hours of PASS event consists of 24 consecutive live webinars, delivered by expert speakers from the PASS community. The sessions will be recorded and posted online after the event. To access any on-demand sessions, please visit http://www.pass.org/24hours/2017/security/Schedule.aspx for all session links. My name is Satya Jayanty [you can say a bit about yourself here if you’d like] I have a few introductory slides before I hand over the reins to Brian. [move to next slide] Brian Kelley, Principal, Truth Solutions, LLC Moderated By: Satya Jayanty

If you require technical assistance please type your question into the question pane located on the right side of your screen and someone will assist you. This question pane is also where you may ask any questions throughout the presentation. Feel free to enter your questions at any time and once we get to the Q&A portion of the session, I’ll read your questions aloud to the speaker. You are able to zoom in on the presentation content by using the zoom button located on the top of the presentation window. Please note that there will be a short evaluation at the end of the session. Your feedback is important to us so please take a moment to complete it. It will appear in your web browser. [Note to moderators: You need to determine which questions are the most relevant and ask them out loud to the presenter].

Empower users with new insights through familiar tools while balancing the need for IT to monitor and manage user created content. Deliver access to all data types across structured and unstructured sources. Redgate Software makes ingeniously simple software used by 650,000 IT professionals who work with SQL Server, .NET, and Oracle. More than 100,000 companies use Redgate products, including 91% of the Fortune 100. Redgate’s philosophy is to design highly usable, reliable tools which elegantly solve the problems that developers and DBAs face every day. I’d like to take a moment to thank our presenting sponsors, Microsoft and Redgate. The staging of 24 Hours of PASS would not be possible without their generous support, and they are the reason this event is available free of charge. [move to next slide]

Make sure you explore everything else PASS has on offer for data professionals! You can join local user groups around the world, special interest groups, find free online resources through our learning center and read up on the latest community news in the Connector Newsletter. [move to next slide]

Short Bio
- Infrastructure and security architect
- Database Administrator / Architect
- Former Incident Response team lead
- Certified Information Systems Auditor (CISA)
- SQL Server security columnist / blogger
- Editor for SQL Server benchmarks at Center for Internet Security

[Moderator Slide] This 24 Hours of PASS session is presented by Brian Kelley. Brian is a SQL Server author, columnist, and former Microsoft MVP, focusing primarily on security and administration of Active Directory, SQL Server, SharePoint, and related technologies. [move to next slide]

Protecting Data Across the Environment And without further ado, here is Brian with Protecting Data Across the Environment. {speaker begins} Brian Kelley, Principal, Truth Solutions, LLC

Back-End Data Security Not Just the Database! Three Things and Three Places…

Contact Information
K. Brian Kelley
Email: kbriankelley@acm.org
Twitter: @kbriankelley
Infrastructure/Security Blog: http://truthsolutions.wordpress.com
Personal Development Blog: http://gkdba.wordpress.com

Goals
- Get you in an adversary mindset
- Consider areas traditionally neglected
- Understand the “insider” threat

Agenda
- A Solid INFOSEC Model
- The “Insider” Threat
- Three Things and Three Places
- Applying the Things to Places
- Two Examples to Consider

Information Security’s C-I-A Triad
It’s easy to focus on Confidentiality and Integrity, but Availability is important. If users can’t use the system, the system is worthless.

Principle of Least Privilege
The permission to do the job.
- Nothing more. Threatens confidentiality. Threatens integrity.
- Nothing less. Threatens availability.

The “Insider” Threat
- The vast majority aren’t the problem.
- Sometimes you have bad people.
- Sometimes people turn bad.
- OR – An adversary can act like an insider.

My Miss Emma Example
- Miss Emma may be the purest soul walking today.
- You can’t just think about Miss Emma.
- What if Miss Emma falls to a phishing attack?
- SC DOR or Anthem compromise
- Assume that a user account will be compromised
- Security posture has changed from prevention to detection
- “Hunting” for adversaries already in the environment
- Traditional assumptions are now invalid

Three Things to Worry About
- Unauthorized Data Access
- Unauthorized Data Change
- Unauthorized Process Change

Three Places to Worry About
- Source
- In-Flight
- Destination

Places: Web Servers / Services
- Are they vulnerable to SQL Injection?
- What and who connect to them?
- Are they using HTTPS?
- What else is on the same web server?

Places: File System Questions
- Who has ability to modify the files?
- Who has ability to read the files?
- What processes can touch the files?
- Can you detect file tampering?

Places: Database Questions
- Who can read the data?
- Who can modify the data?
- Can you verify data integrity?

Places: Network Questions
- Is sensitive data being sent across?
- If so, is it encrypted?
- If you're using SSL, who controls the CA?
- If it isn't encrypted, is someone watching?

Example: SSIS Packages
- Who can update the packages?
- Are you checking for updates?
- Can you detect an unauthorized update?
- How about during the ETL process?

Example: Web Services
- Who can administer the web server?
- Who can change the code?
- Can you detect a change?
- Can you reverse the change?

What Can You Use?
- DevOps methodologies to control/automate code deployment
- Hashing algorithms to check files at rest
- Products which can detect & alert on file / data access/change
- Privileged access managers
  - Restrict who has access / when
  - Logs when access is granted
  - Tracks everything a user does
- Encryption wherever possible
  - SQL Server – Encrypted connections (SSL/TLS)
  - SQL Server – Always Encrypted / Built-in encryption options

Quick Demo – MD5 Hashing
- SSIS Package
- Data File

Goals
- Get you in an adversary mindset
- Consider areas traditionally neglected
- Understand the “insider” threat

Thank You! Questions?
K. Brian Kelley
Email: kbriankelley@acm.org
Twitter: @kbriankelley
Tech/Sec blog: http://truthsolutions.wordpress.com/
Prof. Dev. blog: http://gkdba.wordpress.com/
Center for Internet Security: http://cisecurity.org/

Configuring Kerberos Delegation for SSRS Kathi Kellenberger Make sure to stay tuned for our next session, Configuring Kerberos Delegation for SSRS with Kathi Kellenberger. [move to next slide]