Presentation is loading. Please wait.

Presentation is loading. Please wait.

[Limited Access] Content:  Purpose  Mechanism  Difficulty  Proposal Database Security & Audit Proposal.

Published byKory Phillips Modified over 8 years ago

Similar presentations

Presentation on theme: "[Limited Access] Content:  Purpose  Mechanism  Difficulty  Proposal Database Security & Audit Proposal."— Presentation transcript:

1 [Limited Access] Content:  Purpose  Mechanism  Difficulty  Proposal Database Security & Audit Proposal

2 [Limited Access] 1. Purpose >Insure data security and not be modified arbitrarily >All operations to Sensitivity data by those who have permissions should be audited.(Contain read/write/…)

3 [Limited Access] 2. Mechanism >Database Account & Privileges Control >Database Operation Audit >Data files and Backup files security >Data encryption >Sensitivity Data separation

4 [Limited Access] Database Account & Privileges Control >Prod/UAT Server Server Type Account Account Owner Future Account Owner Owner PrivilegesNote Pord/UAT Server DBA ( Domain Account ) Xiaodan Tang /Hongtan Hongtan/Jian Xu dbcreator 、 SQLAgentOperatorRole 、 db_owner of all DB except "Aud"/"Security" DBA has no privileges to read or create uses in "Aud"/"Security" have more privileges than themselves. SecurityAccout Jiang Jingmin SecurityAdmin Alter any login, Db_datawriter in Security Management Users 、 Manage table in Security. Sqladmin backup accountJianxu ISO Departmentsysadmin An account for backup, in the situation of "sqladmin" forget his password. sqladminJingmin Jiang 非 IT 的人 sysadmin sqlamin have all privileges , For grant Privileges to DBA in some situations. Aud_userXiaodan Tang Audit work groupdb_owner of Security/Aud User AccountApp Team According to the application form and approval Email For Prod Server, the biggest privileges for app team is db_datareader, db_datawriter for some databases except SVP's approval. 2. Mechanism

5 [Limited Access] >Dev Server Server TypeAccountAccount Owner Future Account Owner Owner PrivilegesNote Dev Server DBA ( Domain Account ) Xiaodan Tang /HongtanHongtan/JianXu dbcreator 、 alter any login 、 SQLAgentOperatorRole 、 db_owner of all DB except "Aud"/"Security" DBA has no privileges to read or create uses in "Aud" /"Security" have more privileges than themselves. SecurityAccout Hongtan/JianXu SecurityAdmin Alter any login, Db_datawriter in Security Management Users 、 Manage table in Security. Sqladmin backup accountJianxu sysadmin An account for backup, in the situation of "sqladmin" forget his password. sqladminJingmin Jiang sysadmin sqlamin have all privileges , For grant Privileges to DBA in some situations. Aud_userXiaodan TangProject Managerdb_owner of Security/Aud User AccountApp Team According to the application form and Email For DEV Server, the biggest privileges for app team is db_owner for some databases. Database Account & Privileges Control 2. Mechanism

6 [Limited Access] Database Audit Method 2. Mechanism

7 [Limited Access] Database Audit Content Database Audit Content Global TracePrivileges Trace Server start/stop Schema Access Login Failed Filter: User who have sysadmin privileges User in security.dbo.user_data and audit is true User in security.dbo.firecalls And we can just audit specific database listed in Security.dbo.audit_db Object created/Deleted Database scope GDR Event Schema scope GDR Event ADD/GDR/change login event ADD/GDR/change db user/role event Statement permission event Backup/Restore event Note: Global trace is used for all logins and privileges trace is for all users who have sysadmin privileges and specify user in user_data or specify database. Change Audit event Object derived Permissions Server scope GDR event 2. Mechanism

8 [Limited Access] How to Query Audit Result How to Query Audit Result  Store Procedure: sp_audit_result: Query the audit result in Aud database. [The day before that day ] sp_audit_result_trc: Query the result from trace file. [That day]  User : aud_user  Usage: exec sp_audit_result ‘username’, ‘time’ ----or with no parameter exec sp_audit_result_trc 'username‘----or with no parameter 2. Mechanism

9 [Limited Access] 2. Mechanism >Data files and Backup files security Infrastructure: Keep the data files directory inaccessible by not related people. Move the backup files to security place at specific time after database backup taken. Audit access or other operations of the users who have permissions to backup/data files. DMS: Encrypt the backup file when backup the database contain Sensitivity data >Data encryption App Team(Optional): Encrypt the sensitivity data columns/Use Keys when design database.

10 [Limited Access] >Sensitivity Data separation >??????????????????Tan Hong ~~`

11 [Limited Access] 3. Difficulty >The sysadmin have all permissions, who should hold Sysadmin? If the sysadmin delete the audit database ? >Do Infrastructure monitor the copy operation? If some guys copy the backup file out and …

12 [Limited Access] 4. Proposal

Download ppt "[Limited Access] Content:  Purpose  Mechanism  Difficulty  Proposal Database Security & Audit Proposal."

Similar presentations

MySQL Access Privilege System

MySQL Access Privilege System
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Security Pertemuan 7 Matakuliah: T0413 Tahun: 2009.

Security Pertemuan 7 Matakuliah: T0413 Tahun: 2009.
1 Auditing the DBA: What non-technical managers and auditors should know. Presented By Cam Larner Cam Larner President President Absolute Technologies,

1 Auditing the DBA: What non-technical managers and auditors should know. Presented By Cam Larner Cam Larner President President Absolute Technologies,
Miss Scarlet with a lead pipe, in the library Players: 3 to 6 Contents: Clue game board, six suspect tokens, six murder weapons, 21 cards, secret envelope,

Miss Scarlet with a lead pipe, in the library Players: 3 to 6 Contents: Clue game board, six suspect tokens, six murder weapons, 21 cards, secret envelope,
Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.

Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.
Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.

Chapter 9 Security. Endpoints  A SQL Server endpoint is the point of entering into SQL Server.  It is implemented as a database object that defines.
Logins, Roles and Credentials Lesson 14. Skills Matrix.

Logins, Roles and Credentials Lesson 14. Skills Matrix.
Database Management System

Database Management System
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
Anil Desai SQL Saturday #35 (Dallas, TX).  Anil Desai ◦ Independent consultant (Austin, TX) ◦ Author of several SQL Server books ◦ Instructor, “Implementing.

Anil Desai SQL Saturday #35 (Dallas, TX).  Anil Desai ◦ Independent consultant (Austin, TX) ◦ Author of several SQL Server books ◦ Instructor, “Implementing.
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.

Brian Alderman | MCT, CEO / Founder of MicroTechPoint Pete Harris | Microsoft Senior Content Publisher.
Mike Fal - www.mikefal.net SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.

Mike Fal - SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS March 17, 2011.
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
Adapted from Afyouni, Database Security and Auditing DB Auditing Examples (Ch. 9) Dr. Mario Guimaraes.

Adapted from Afyouni, Database Security and Auditing DB Auditing Examples (Ch. 9) Dr. Mario Guimaraes.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Administration of Users Dr. Gabriel. 2 Documentation of User Administration Part of the administration process Reasons to document: –Provide a paper trail.

Administration of Users Dr. Gabriel. 2 Documentation of User Administration Part of the administration process Reasons to document: –Provide a paper trail.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Similar presentations

Ads by Google