PASS Summit 2010 Preview
Enforcing Compliance With Policy-Based Management
Ken Simmons, DBA
Contact Info
• Blog: http://cybersql.blogspot.com/
• Email: [email protected]
• Twitter: @KenSimmons
• LinkedIn: http://www.linkedin.com/in/kensimmons
What is Compliance?
• “Conformity in fulfilling official requirements”*
– External Regulations
  • HIPAA
  • SOX
  • PCI
– Internal Standards
  • Naming Conventions
*http://www.merriam-webster.com/dictionary/compliance
Why Does Compliance Matter?
• More than 494 million records have been breached since 2005*
– Unintended Disclosure
– Payment Card Fraud
– Physical Loss (Non-Electronic)
– Insider
– Hacking or Malware
– Portable Device Loss
– Stationary Device Loss
*http://www.privacyrights.org/data-breach/
What’s The Process?
• Identify Risks
• Develop Policies To Mitigate Risks
• Ensure Policies Are Being Enforced
(Diagram: Risk Management, Compliance, Governance)
Policy-Based Management Can Help!
• Gives you the ability to define and enforce standards
• Auditors Love Policies
• It is NOT an Enterprise Edition Feature
The BIG Picture
(Diagram: Servers, CMS SQL 2008, EPM Framework)
• EPM Framework: http://epmframework.codeplex.com
PBM L33T Speak
• Targets are objects such as Instances, Databases, Tables, etc.
• Facets expose logical groupings of properties for those objects.
• Conditions are made up of expressions exposed by the properties from a single Facet.
• A Policy evaluates a Condition against one or more Targets.
Creating Policies
• Export the Current State of an Object
• Import Predefined Policies
• Create Custom Policies Based on Facets
• Create Custom Policies using Advanced Conditions
Evaluating Policies
• On Demand
– Can “Auto Fix” Certain Violations
• On Schedule
– Uses SQL Agent Job
• On Change – Log Only
– Writes Violations to SQL and Windows Log
• On Change – Prevent
– Uses DDL Triggers to Roll Back Changes
Demo
Alerts
• Error Number by Evaluation Mode
– On change: prevent (automatic): 34050
– On change: prevent (on demand): 34051
– On schedule: 34052
– On change: 34053
• Prerequisites
– Configure Database Mail
– Create Operator
– Configure SQL Agent
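The alert wiring described above, written out as a T-SQL script. This is an added example, not part of the deck: it enables the Database Mail extended procedures, creates an operator (name and address are placeholders), makes sure the four PBM message numbers are written to the Windows application log (SQL Agent alerts fire only on logged messages), and creates one alert per evaluation mode with an e-mail notification. Database Mail profile setup and starting SQL Agent are done separately.

```sql
-- Added example: SQL Agent alerts for the PBM error numbers 34050-34053.
-- Operator name and e-mail address are placeholders; replace before use.
USE msdb;
GO

-- Prerequisite: Database Mail extended procedures enabled (profile/account
-- configuration is done separately in SSMS or with the sysmail_* procedures).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Database Mail XPs', 1;
RECONFIGURE;
GO

-- Prerequisite: an operator to notify (placeholder values).
IF NOT EXISTS (SELECT 1 FROM msdb.dbo.sysoperators WHERE name = N'DBA Team')
    EXEC msdb.dbo.sp_add_operator
        @name          = N'DBA Team',
        @enabled       = 1,
        @email_address = N'dba-team@example.com';
GO

-- SQL Agent alerts fire on messages written to the Windows application log,
-- so make sure each PBM evaluation-mode message is logged.
DECLARE @msg INT = 34050;
WHILE @msg <= 34053
BEGIN
    EXEC sp_altermessage @message_id      = @msg,
                         @parameter       = 'WRITE_TO_LOG',
                         @parameter_value = 'true';
    SET @msg += 1;
END;
GO

-- One alert per evaluation mode, each notifying the operator by e-mail.
DECLARE @alerts TABLE (msg_id INT, alert_name NVARCHAR(128));
INSERT INTO @alerts (msg_id, alert_name) VALUES
    (34050, N'PBM: On change - prevent (automatic)'),
    (34051, N'PBM: On change - prevent (on demand)'),
    (34052, N'PBM: On schedule'),
    (34053, N'PBM: On change');

DECLARE @id INT, @name NVARCHAR(128);
DECLARE alert_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT msg_id, alert_name FROM @alerts;
OPEN alert_cur;
FETCH NEXT FROM alert_cur INTO @id, @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    IF NOT EXISTS (SELECT 1 FROM msdb.dbo.sysalerts WHERE name = @name)
    BEGIN
        EXEC msdb.dbo.sp_add_alert
            @name                         = @name,
            @message_id                   = @id,
            @severity                     = 0,     -- alert on message id, not severity
            @enabled                      = 1,
            @delay_between_responses      = 60,    -- seconds; avoids e-mail storms
            @include_event_description_in = 1;     -- 1 = include description in e-mail
        EXEC msdb.dbo.sp_add_notification
            @alert_name          = @name,
            @operator_name       = N'DBA Team',
            @notification_method = 1;              -- 1 = e-mail
    END;
    FETCH NEXT FROM alert_cur INTO @id, @name;
END;
CLOSE alert_cur;
DEALLOCATE alert_cur;
GO

-- Verify: every alert should show the operator as its e-mail target.
SELECT a.name AS alert_name, a.message_id, o.name AS operator_name
FROM msdb.dbo.sysalerts AS a
JOIN msdb.dbo.sysnotifications AS n ON n.alert_id = a.id
JOIN msdb.dbo.sysoperators    AS o ON o.id = n.operator_id
WHERE a.message_id BETWEEN 34050 AND 34053;
```

The delay between responses is worth keeping: a policy that is violated on every change, or on a busy schedule, would otherwise send one message per evaluation.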
Server Configuration
• Predefined Best Practice Policies
• SAC for Database Engine 2005 and 2000 Features
• SAC for Database Engine 2008 Features
• Service Account
– Server Facet: Service Account != 'LocalSystem'
• Log Retention
– Server Facet: NumberOfLogFiles = 99
Security
• Advanced Conditions
• No Builtin\Administrators
    SELECT COUNT(*)
    FROM syslogins
    WHERE name = 'Builtin\Administrators'
• SA Account Disabled
    SELECT COUNT(*)
    FROM syslogins
    WHERE name = 'sa' AND is_disabled = 0
Note: Using syslogins instead of sys.server_principals allows you to evaluate SQL 2000 instances.
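How the terminology from “PBM L33T Speak”, the “Creating Policies” steps and the advanced condition above fit together, as T-SQL against the msdb policy procedures. This is an added example, not from the deck: it creates a Condition on the Server Facet whose expression is the Builtin\Administrators query wrapped in ExecuteSql(), an object set and target set that make every server a Target, and a Policy that evaluates the condition. The condition and policy names are invented; the procedure parameter lists and the XML expression shape follow what SSMS emits from “Script Condition As” / “Script Policy As” as recalled here, so treat them as an assumption and compare against a condition you script yourself.

```sql
-- Added example: an advanced (ExecuteSql) condition and policy for the
-- "No Builtin\Administrators" check, scripted through msdb.
USE msdb;
GO

-- Condition on the Server facet:
--   ExecuteSql('Numeric', 'SELECT COUNT(*) FROM syslogins WHERE ...') = 0
-- syslogins is used instead of sys.server_principals so SQL 2000 targets
-- can be evaluated too. Single quotes inside the query are doubled.
DECLARE @condition_id INT;
EXEC msdb.dbo.sp_syspolicy_add_condition
    @name        = N'No Builtin Administrators',   -- invented name
    @description = N'Fails when the Builtin\Administrators login exists.',
    @facet       = N'Server',
    @expression  = N'<Operator>
  <TypeClass>Bool</TypeClass>
  <OpType>EQ</OpType>
  <Count>2</Count>
  <Function>
    <TypeClass>Numeric</TypeClass>
    <FunctionType>ExecuteSql</FunctionType>
    <ReturnType>Numeric</ReturnType>
    <Count>2</Count>
    <Constant>
      <TypeClass>String</TypeClass>
      <ObjType>System.String</ObjType>
      <Value>Numeric</Value>
    </Constant>
    <Constant>
      <TypeClass>String</TypeClass>
      <ObjType>System.String</ObjType>
      <Value>SELECT COUNT(*) FROM syslogins WHERE name = ''Builtin\Administrators''</Value>
    </Constant>
  </Function>
  <Constant>
    <TypeClass>Numeric</TypeClass>
    <ObjType>System.Double</ObjType>
    <Value>0</Value>
  </Constant>
</Operator>',
    @is_name_condition = 0,
    @obj_name          = N'',
    @condition_id      = @condition_id OUTPUT;
GO

-- Object set + target set: the Targets are the server instances themselves.
DECLARE @object_set_id INT;
EXEC msdb.dbo.sp_syspolicy_add_object_set
    @object_set_name = N'No Builtin Administrators_ObjectSet',
    @facet           = N'Server',
    @object_set_id   = @object_set_id OUTPUT;

DECLARE @target_set_id INT;
EXEC msdb.dbo.sp_syspolicy_add_target_set
    @object_set_name = N'No Builtin Administrators_ObjectSet',
    @type_skeleton   = N'Server',
    @type            = N'SERVER',
    @enabled         = 1,
    @target_set_id   = @target_set_id OUTPUT;
GO

-- Policy: evaluates the Condition against the Targets. ExecuteSql conditions
-- cannot be evaluated On Change, so the mode here is On Demand (0);
-- On Schedule (4) also works once a schedule_uid is supplied.
DECLARE @policy_id INT;
EXEC msdb.dbo.sp_syspolicy_add_policy
    @name                = N'No Builtin Administrators',
    @condition_name      = N'No Builtin Administrators',
    @policy_category     = N'',
    @description         = N'Security baseline: Builtin\Administrators must not be a login.',
    @help_text           = N'',
    @help_link           = N'',
    @schedule_uid        = N'00000000-0000-0000-0000-000000000000',
    @execution_mode      = 0,
    @is_enabled          = 0,
    @policy_id           = @policy_id OUTPUT,
    @root_condition_name = N'',
    @object_set          = N'No Builtin Administrators_ObjectSet';
GO

-- Verify the policy/condition pairing and, after an evaluation, its results.
SELECT p.name AS policy_name, c.name AS condition_name, c.facet, p.execution_mode
FROM msdb.dbo.syspolicy_policies   AS p
JOIN msdb.dbo.syspolicy_conditions AS c ON c.condition_id = p.condition_id
WHERE p.name = N'No Builtin Administrators';

SELECT policy_id, start_date, end_date, result
FROM msdb.dbo.syspolicy_policy_execution_history
ORDER BY start_date DESC;
```

The same skeleton serves the “Service Account != 'LocalSystem'” policy from the Server Configuration slide: replace the Function element with an Attribute element naming ServiceAccount, use OpType NE and a String constant, and the condition becomes a plain facet property check that can also run in the On Change modes.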
Encryption
• Predefined Best Practice Policies
– Asymmetric Key Encryption Algorithm
– Symmetric Key Encryption for User Databases
– Symmetric Key for master Database
– Symmetric Key for System Databases
• Transparent Data Encryption
– Database Facet: EncryptionEnabled = True
• Extensible Key Management
– Server Configuration Facet: ExtensibleKeyManagementEnabled = True
Audit
• Predefined Best Practice Policies
– SQL Server Default Trace
• Login Auditing
– Server Audit Facet: LoginAuditLevel = All
• SQL Server Audit
– Server Facet: AuditLevel = All
– Audit Facet: Enabled = True & OnFailure = Shutdown
– Database Audit Specification Facet: Enabled = True
– Server Audit Specification Facet: Enabled = True
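The catalog views that sit behind the Encryption and Audit facet properties on the last two slides, queried directly. This is an added example, not from the deck: it is the manual check a DBA can run on a SQL Server 2008 instance to confirm what a policy evaluation will report (TDE state, EKM configuration, key algorithms, login audit level, and whether audits and audit specifications are enabled with the expected failure action) before automating it. The database-scoped queries run in the context of the current database.

```sql
-- Added example: verify the settings the Encryption and Audit facets check.

-- Database facet: EncryptionEnabled (TDE), per user database.
SELECT d.name,
       d.is_encrypted,            -- 1 = TDE enabled
       k.encryption_state,        -- 3 = encrypted, 2 = encryption in progress, 1 = unencrypted
       k.key_algorithm,
       k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
WHERE d.database_id > 4;          -- skip master, tempdb, model, msdb

-- Server Configuration facet: ExtensibleKeyManagementEnabled (expect 1).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'EKM provider enabled';

-- Asymmetric / symmetric key algorithms in the current database
-- (what the predefined "Encryption Algorithm" policies inspect).
SELECT 'asymmetric' AS key_type, name, algorithm_desc, key_length
FROM sys.asymmetric_keys
UNION ALL
SELECT 'symmetric', name, algorithm_desc, key_length
FROM sys.symmetric_keys;

-- Server Audit facet: LoginAuditLevel (expect 'all').
EXEC master.sys.xp_loginconfig 'audit level';

-- Audit facet: Enabled = True and OnFailure = Shutdown
-- (on_failure_desc reads 'SHUTDOWN SERVER INSTANCE' when so configured).
SELECT name,
       is_state_enabled,
       on_failure_desc,
       audit_guid
FROM sys.server_audits;

-- Server Audit Specification facet: Enabled = True, tied to its audit.
SELECT s.name AS specification_name,
       s.is_state_enabled,
       a.name AS audit_name
FROM sys.server_audit_specifications AS s
JOIN sys.server_audits AS a ON a.audit_guid = s.audit_guid;

-- Database Audit Specification facet: Enabled = True (current database).
SELECT s.name AS specification_name,
       s.is_state_enabled,
       a.name AS audit_name
FROM sys.database_audit_specifications AS s
JOIN sys.server_audits AS a ON a.audit_guid = s.audit_guid;
```

A specification can be enabled while its parent audit is disabled and vice versa, which is why the slide lists separate facet checks for the audit and for each specification; the joins above surface both states side by side.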
Resources
• Pro SQL Server 2008 Policy-Based Management
– http://www.apress.com/book/view/9781430229100
• MSDN Policy-Based Management Blog
– http://blogs.msdn.com/sqlpbm/
• SQL Server 2008 Compliance Guide
– http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1021DD-65B9-41C2-8385-438028F5ACC2&displaylang=en
• Deploying SQL Server 2008 Based on PCI DSS
– http://www.parentebeard.com/Uploads/Files/Deploying_SQL_Server_2008_Based_on_PCI_DSS.PDF
Celebrating SQL Server 2008 R2
Questions?