Compliance Lessons from Operating SQL Server in Azure SQL DB.
Transcript of Compliance Lessons from Operating SQL Server in Azure SQL DB.
Compliance Lessons from Operating SQL Server in Azure SQL DB
Audience
• How many have been through a Compliance Audit before?
• How many are planning on going through one in the near future?
Azure Compliance – Continuous Audits
http://azure.microsoft.com/en-us/support/trust-center/services/
ISO 27001/27002
SOC 1/SSAE 16/SAE 3402 and SOC 2
FedRAMP
PCI DSS Level 1
United Kingdom G-Cloud
HIPAA
EU Model Clause
Australian Government IRAP
Singapore MTCS Standard
FBI CJIS (Azure Government)
SQL Database
Security Plan
• Review it and update it regularly
• Security Development Lifecycle
• Agile and Security Plan?
• Inventory
• Audit of inventory; patching of VMs, OS, SQL, etc.; virus scanning
Access Control
• Isolate Production Environment
• Just In Time Access only by humans
• Multi-Factor Authentication – Azure Active Directory can make this easy
• Data kept in environment or filtered according to agreements.
• Use RBAC Groups – review regularly
• Repeatable, signed, scanned builds of applications
• Audit ACLs, security settings of system
Security Auditing
• Continuous Auditing - offloaded from node ASAP to central repository
• Data Warehouse, Hadoop cluster, etc. used to look for anomalous patterns of activity
• Alert based – volume of events makes regular reviews impractical for us.
• Many 3rd party products that will do threat detection and centralization of Audits
• APTs mean we need to look across the enterprise
Availability
• AlwaysOn – Allows rapid deployment with continuous availability due to fault zones / upgrade zones.
• Exercise full failovers – we always discover things.
• Leverage new clusters as failover test
Secrets
• Centralize and have common reporting on expiring secrets (Certs, Passwords, Cryptographic Keys)
• Rotate ahead of schedule – if required 90 days before expiration, rotate at 120 days before to allow time to deal with failures.
• Prioritize
• Ability to rollback changes – keep keys in escrow
• EKM allows you to centralize Keys or at least Key Encryption Keys in an HSM or Network HSM for central management
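As an added illustration of the "rotate ahead of schedule" and "prioritize" points (example code, not part of the original deck), the following Python turns a constructed secret inventory into a rotation list ordered by urgency; the Secret/RotationItem types, the 30-day safety buffer and the sample dates are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed buffer added on top of the policy-required lead time, so a failed
# rotation can be retried before the policy deadline (the deck's "rotate at
# 120 days instead of 90" rule of thumb: 90 + 30).
SAFETY_BUFFER_DAYS = 30


@dataclass(frozen=True)
class Secret:
    kind: str                 # "cert", "password" or "key"
    name: str
    expires_on: date
    required_lead_days: int   # policy: rotate this many days before expiry


@dataclass(frozen=True)
class RotationItem:
    secret: Secret
    rotate_by: date   # last acceptable day to start rotation (with buffer)
    days_left: int    # days until rotate_by; negative means already past
    status: str       # "overdue", "due" or "ok"


def plan_rotations(inventory, today):
    """Return RotationItems sorted most urgent first.

    'due'     : today is inside the early window (policy lead + buffer)
    'overdue' : the policy deadline itself has already passed
    'ok'      : rotation not yet needed
    """
    items = []
    for s in inventory:
        policy_deadline = s.expires_on - timedelta(days=s.required_lead_days)
        rotate_by = policy_deadline - timedelta(days=SAFETY_BUFFER_DAYS)
        days_left = (rotate_by - today).days
        if today > policy_deadline:
            status = "overdue"
        elif days_left <= 0:
            status = "due"
        else:
            status = "ok"
        items.append(RotationItem(s, rotate_by, days_left, status))
    return sorted(items, key=lambda i: i.days_left)


# Constructed sample inventory; names and dates are made up for the example.
SAMPLE_INVENTORY = [
    Secret("cert", "tde-cert", date(2015, 9, 15), 90),
    Secret("key", "kek-hsm", date(2015, 8, 1), 90),
    Secret("password", "svc-account", date(2016, 1, 1), 30),
]
```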
Pen Testing
• Red Team
• Blue Team
Questions?
• Your challenges?
• Certifications lacking?
• Previous talks?