Protecting Data Across the Environment

Presentation on theme: "Protecting Data Across the Environment" — Presentation transcript:

1 Protecting Data Across the Environment
Brian Kelley, Principal, Truth Solutions, LLC
Moderated By: Satya Jayanty
Welcome to 24 Hours of PASS: Data Security and Data Quality. We’re excited you could join us today for Brian Kelley’s session, Protecting Data Across the Environment. This 24 Hours of PASS event consists of 24 consecutive live webinars, delivered by expert speakers from the PASS community. The sessions will be recorded and posted online after the event. To access any on-demand sessions, please visit for all session links. My name is Satya Jayanty [you can say a bit about yourself here if you’d like]. I have a few introductory slides before I hand over the reins to Brian. [move to next slide]

2 If you require technical assistance please type your question into the question pane located on the right side of your screen and someone will assist you. This question pane is also where you may ask any questions throughout the presentation. Feel free to enter your questions at any time and once we get to the Q&A portion of the session, I’ll read your questions aloud to the speaker. You are able to zoom in on the presentation content by using the zoom button located on the top of the presentation window. Please note that there will be a short evaluation at the end of the session. Your feedback is important to us so please take a moment to complete it. It will appear in your web browser. [Note to moderators: You need to determine which questions are the most relevant and ask them out loud to the presenter].

3 Empower users with new insights through familiar tools while balancing the need for IT to monitor and manage user created content. Deliver access to all data types across structured and unstructured sources.
Redgate Software makes ingeniously simple software used by 650,000 IT professionals who work with SQL Server, .NET, and Oracle. More than 100,000 companies use Redgate products, including 91% of the Fortune Redgate’s philosophy is to design highly usable, reliable tools which elegantly solve the problems that developers and DBAs face every day.
I’d like to take a moment to thank our presenting sponsors, Microsoft and Redgate. The staging of 24 Hours of PASS would not be possible without their generous support, and they are the reason this event is available free of charge. [move to next slide]

4 Make sure you explore everything else PASS has on offer for data professionals! You can join local user groups around the world, special interest groups, find free online resources through our learning center and read up on the latest community news in the Connector Newsletter. [move to next slide]

5 Short Bio
Infrastructure and security architect
Database Administrator / Architect
Former Incident Response team lead
Certified Information Systems Auditor (CISA)
SQL Server security columnist / blogger
Editor for SQL Server benchmarks at Center for Internet Security
[Moderator Slide] This 24 Hours of PASS session is presented by Brian Kelley. Brian is a SQL Server author, columnist, and former Microsoft MVP, focusing primarily on security and administration of Active Directory, SQL Server, SharePoint, and related technologies. [move to next slide]

6 Protecting Data Across the Environment
Brian Kelley, Principal, Truth Solutions, LLC
And without further ado, here is Brian with Protecting Data Across the Environment. {speaker begins}

7 Back-End Data Security
Not Just the Database!
Three Things and Three Places…

8 Contact Information
K. Brian Kelley
Infrastructure/Security Blog:
Personal Development Blog:

9 Goals
Get you in an adversary mindset
Consider areas traditionally neglected
Understand the “insider” threat

10 Agenda
A Solid INFOSEC Model
The “Insider” Threat
Three Things and Three Places
Applying the Things to Places
Two Examples to Consider

11 Information Security’s C-I-A Triad
It’s easy to focus on Confidentiality and Integrity, but Availability is important. If users can’t use the system, the system is worthless.

12 Principle of Least Privilege
The permission to do the job.
Nothing more: excess permission threatens confidentiality and integrity.
Nothing less: insufficient permission threatens availability.

13 The “Insider” Threat
The vast majority aren’t the problem.
Sometimes you have bad people.
Sometimes people turn bad.
OR – An adversary can act like an insider.

14 My Miss Emma Example
Miss Emma may be the purest soul walking today.
You can’t just think about Miss Emma. What if Miss Emma falls to a phishing attack?
SC DOR (South Carolina Department of Revenue) or Anthem compromise
Assume that a user account will be compromised
Security posture has changed from prevention to detection
“Hunting” for adversaries already in the environment
Traditional assumptions are now invalid

15 Three Things to Worry About
Unauthorized Data Access
Unauthorized Data Change
Unauthorized Process Change

16 Three Places to Worry About
Source
In-Flight
Destination

17 Places: Web Servers / Services
Are they vulnerable to SQL Injection?
What and who connect to them?
Are they using HTTPS?
What else is on the same web server?

18 Places: File System Questions
Who has the ability to modify the files?
Who has the ability to read the files?
What processes can touch the files?
Can you detect file tampering?

19 Places: Database Questions
Who can read the data?
Who can modify the data?
Can you verify data integrity?

20 Places: Network Questions
Is sensitive data being sent across?
If so, is it encrypted?
If you're using SSL, who controls the CA?
If it isn't encrypted, is someone watching?

21 Example: SSIS Packages
Who can update the packages?
Are you checking for updates?
Can you detect an unauthorized update?
How about during the ETL process?

22 Example: Web Services
Who can administer the web server?
Who can change the code?
Can you detect a change?
Can you reverse the change?

23 What Can You Use?
DevOps methodologies to control/automate code deployment
Hashing algorithms to check files at rest
Products which can detect & alert on file / data access/change
Privileged access managers
  Restrict who has access / when
  Logs when access is granted
  Tracks everything a user does
Encryption wherever possible
  SQL Server – Encrypted connections (SSL/TLS)
  SQL Server – Always Encrypted / Built-in encryption options

24 Quick Demo – MD5 Hashing
SSIS Package
Data File
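The hashing approach from slides 18, 21 and 23 (baseline the files at rest, re-check them before the ETL runs, alert on drift) as an added PowerShell example; it is not the presenter's demo code. It uses SHA-256 where the demo uses MD5, and every path, pattern and file name in it is a hypothetical placeholder.

```powershell
# Added example (not part of the presentation): baseline and re-check file hashes so an
# unauthorized change to an SSIS package or data file is detected before the ETL runs.
# Paths, patterns and file names below are hypothetical; point them at your own locations.
$TargetPaths  = @('C:\SSIS\Packages', 'C:\ETL\Inbound')
$BaselineFile = 'C:\Secure\etl-baseline.json'   # store where the ETL service account cannot write
$Patterns     = @('*.dtsx', '*.dtsConfig')

function Get-EtlFileHashes {
    param([string[]]$Paths, [string[]]$Include)
    # SHA-256 instead of the MD5 used in the demo: MD5 collisions are practical, so two
    # different files can share an MD5 digest; SHA-256 does not have that weakness.
    Get-ChildItem -Path $Paths -Recurse -File -Include $Include |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName
                Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function New-EtlBaseline {
    param([string[]]$Paths, [string[]]$Include, [string]$OutFile)
    # Run once after an approved deployment; returns the number of files recorded.
    $entries = @(Get-EtlFileHashes -Paths $Paths -Include $Include)
    ConvertTo-Json -InputObject $entries -Depth 3 | Set-Content -Path $OutFile -Encoding UTF8
    $entries.Count
}

function Test-EtlBaseline {
    param([string[]]$Paths, [string[]]$Include, [string]$BaselineFile)
    # Emits one object per deviation (Modified / Missing / Unexpected); no output means no drift.
    $expected = @{}
    foreach ($e in @(Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json)) { $expected[$e.Path] = $e.Hash }
    $actual = @{}
    foreach ($e in @(Get-EtlFileHashes -Paths $Paths -Include $Include)) { $actual[$e.Path] = $e.Hash }
    foreach ($p in $expected.Keys) {
        if (-not $actual.ContainsKey($p))      { [pscustomobject]@{ Path = $p; Status = 'Missing' } }
        elseif ($actual[$p] -ne $expected[$p]) { [pscustomobject]@{ Path = $p; Status = 'Modified' } }
    }
    foreach ($p in $actual.Keys) {
        if (-not $expected.ContainsKey($p))    { [pscustomobject]@{ Path = $p; Status = 'Unexpected' } }
    }
}

function Test-DeliveredFileHash {
    param([string]$Path, [string]$ExpectedSha256)
    # Data files legitimately change every run, so compare them against a digest the source
    # system supplies out of band rather than against a stored baseline.
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash -eq $ExpectedSha256.ToUpperInvariant()
}
```

Call `New-EtlBaseline -Paths $TargetPaths -Include $Patterns -OutFile $BaselineFile` after each approved deployment, then make `Test-EtlBaseline -Paths $TargetPaths -Include $Patterns -BaselineFile $BaselineFile` the first step of the ETL job and fail the job on any output.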

25 Goals
Get you in an adversary mindset
Consider areas traditionally neglected
Understand the “insider” threat

26 Thank You! Questions?
K. Brian Kelley
Twitter: @kbriankelley
Tech/Sec blog:
Prof. Dev. blog:
Center for Internet Security:

28 Configuring Kerberos Delegation for SSRS
Kathi Kellenberger
Make sure to stay tuned for our next session, Configuring Kerberos Delegation for SSRS with Kathi Kellenberger. [move to next slide]
