IDERA Software, profile picture
Uploaded byIDERA Software
PPTX, PDF288 views

Geek Sync | Handling HIPAA Compliance with Your Data Access

The document discusses how to ensure compliance with HIPAA regulations when handling electronic protected health information (ePHI) stored in SQL Server databases. It addresses five key questions around auditing access to ePHI, defining a secure SQL Server configuration baseline, implementing repeatable security processes, auditing permissions and changes in SQL Server, and maintaining ongoing compliance. The presenter provides recommendations for secure configurations, including role-based access control, encryption of data at rest and in transit, and auditing access through features like extended events and audit objects. Maintaining repeatable processes for security and change management is emphasized as important for compliance.

Embed presentation

Download to read offline
Handling HIPAA Compliance with Your Data Access November 15, 2017
About Me • Infrastructure and security architect • Database Administrator / Architect • Former Incident Response team lead • Certified Information Systems Auditor (CISA) • SQL Server security columnist / blogger • Editor for SQL Server benchmarks at Center for Internet Security
My Contact Information K. Brian Kelley Email: kbriankelley@acm.org Twitter: @kbriankelley Infrastructure/Security Blog: http://truthsolutions.wordpress.com Personal Development Blog: http://gkdba.wordpress.com
5 Key Questions 1. Who has access to my electronic PHI, and how do I audit the activity? 2. How do I define a secure baseline and maintain it across my SQL Server environment? 3. How can I implement repeatable processes to help maintain the security standards? 4. How do I audit permissions, logins, and object and data changes on my SQL Server? 5. What is the best way for me to ensure not only ongoing compliance with the HIPAA, HITECH, and Omnibus Rule regulations but also help maintain reasonable security across my SQL Server databases? Source: https://www.idera.com/resourcecentral/whitepapers/security-and-compliance-solutions-for-hipaa Search Engine Keywords: IDERA HIPAA
Agenda • Repeatable Processes (#3, #5) • User Security (#4) • Secure Configuration (#2, #5) • Auditing Access (#1, #4)
Some of what SQL Server brings to bear to comply with HIPAA are found in features only available in Enterprise Edition. What you will need Enterprise Edition for: • Extensible Key Management • Transparent Data Encryption (TDE) What was added to Standard Edition, starting with SQL Server 2016 SP1: • Always Encrypted • Database-level (Fine-grained) Auditing
Repeatable Processes
Repeatable Processes • Organizational Issue: Change Control • Workflows must be consistent • Documentation must be maintained • Exceptions must be reported “If there’s no evidence for a control, it’s not a control.”
What SQL Server Can Do • User security to restrict access • Data Definition Triggers: • Enforce when changes can be made • Enforce what types of changes can be made • Schema Change History report • SQL Server traces • Extended Events
User Security
Login Security The Best Practice: 1. All logins are via AD domain user accounts 2. All logins are placed in security groups (preferably domain security groups) 3. Security groups are granted login ability to SQL Server
If You Follow This Best Practice (and you should…) • Auditing and alerting must be present against Active Directory and OS • Track changes to groups which provide access into the DB • Track changes to groups which provide administrative rights to OS • Track changes to users with privileged access: • Through any applications • Into SQL Server itself
Server Level Access • Use Server-Level Roles for privileged access: • sysadmin • User-defined role with granular security • Don’t use securityadmin • Permissions to watch for: • CONTROL SERVER • IMPERSONATE
Database Level Access • Use roles for granting access • Minimal permissions (principle of least privilege) • Test permission scenarios (and have test results) • Take into account how privileged accounts have implicit access
Secure Configuration – SQL Server
Starting with a Secure Configuration • Build server template with baseline security configuration • Deploy server using template • Scripted SQL Server install with minimal features • After install scripts to harden SQL Server
Policy Based Management • Can target groups of SQL Servers • Most settings available to all components of SQL Server • Enforce or detect change to configuration • Can choose how to implement enforcement
Other Ways to Maintain • Custom Scripts • 3rd Party Products • Periodic Checks. Don’t Rely on initial setup and PBM –ALWAYS audit security –Server settings important for compliance requirements
Secure Communication • Don’t assume network is secure, even if it’s “internal.” • Most larger organizations have large capture capability. • Even if PHI data is encrypted in transit, other key information available. • Secure communications with SQL Server: • Server certificate – SSL / TLS • IPSEC (OS level)
Secure Configuration - Data
Encrypting Data at Rest • Easy Button: Transparent Data Encryption • OS Options: • Encrypting File System (not recommended) • Bitlocker • Don’t forget about backups • TDE – native backups encrypted automatically • Encrypted backups new feature as of SQL Server 2014 • Every major 3rd party solution supports backup encryption • Storage personnel may argue against it. Auditors will be on your side.
Encrypting Data in the DB • TDE and OS file level encryption don’t apply within SQL Server • SQL Server has built-in encryption options if home grown • Key management is a problem • If SQL Server manages the keys then admins can see the data • Always Encrypted is another option for home grown solutions • Verify PHI data is encrypted
Speaking of Key Management • With TDE, key management is crucial to recover the DB. • Built-in encryption has key management challenges as well. • Test your recovery scenarios extensively. • Consider Extensible Key Management (EKM) solutions.
Auditing Access
Default Trace and Server Traces • Default Trace runs by default • Rolling capture of particular events • Does capture schema change events • Build Your Own Trace • Use prior to Extended Events • C2 audit mode • Technically a trace • Writes significant amounts of data • Not recommended • Deprecated
Extended Events • Can audit for anything you should need • Can be made as lightweight as possible • Does require legwork to get right • Doesn’t send information to OS event logs by default • Easier solution: Audit objects
Audit Objects • Two levels: • Server • Database (fine-grained) • Track events at both levels • Database level events: • Can also grab SELECT queries (who is accessing the data) • Don’t assume all access is through the application(s) • Targets: • File system • Application event log • Security event log (recommended)
What We Looked at Today • Repeatable Processes (#3, #5) • User Security (#4) • Secure Configuration (#2, #5) • Auditing Access (#1, #4)
Further “Print” Resources: IDERA whitepaper: https://www.idera.com/resourcecentral/whitepapers/security-and-compliance-solutions-for-hipaa Microsoft SQL Server Compliance whitepaper: https://www.microsoft.com/en-us/download/details.aspx?id=6808 Experis Finance whitepaper: http://www.experis.us/Website-File-Pile/Whitepapers/Experis/FIN_HIPAA-Complaince-with-SQL_050211.pdf Securing SQL Server, Third Edition Denny Cherry (book published by Syngress)

More Related Content

PPTX
Change Monitoring of Active Directory
byZoho Corporation
 
PPTX
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
byZoho Corporation
 
PPTX
Controlling Delegation of Windows Servers and Active Directory
byZoho Corporation
 
PPTX
Decrypting the security mystery with SIEM (Part 1) ​
byZoho Corporation
 
PPTX
Active Directory security and compliance: Comprehensive reporting for key sec...
byZoho Corporation
 
PPTX
Cloud Design Patterns - Hong Kong Codeaholics
byTaswar Bhatti
 
PPTX
7 tips to simplify Active Directory Management ​
byZoho Corporation
 
PPTX
Cloud Design Patterns
byTaswar Bhatti
 
Change Monitoring of Active Directory
byZoho Corporation
 
Protecting Windows Passwords and Preventing Windows Computer / Password Attacks
byZoho Corporation
 
Controlling Delegation of Windows Servers and Active Directory
byZoho Corporation
 
Decrypting the security mystery with SIEM (Part 1) ​
byZoho Corporation
 
Active Directory security and compliance: Comprehensive reporting for key sec...
byZoho Corporation
 
Cloud Design Patterns - Hong Kong Codeaholics
byTaswar Bhatti
 
7 tips to simplify Active Directory Management ​
byZoho Corporation
 
Cloud Design Patterns
byTaswar Bhatti
 

What's hot

PPTX
8 cloud design patterns you ought to know - Update Conference 2018
byTaswar Bhatti
 
PPTX
Azure Key Vault - Getting Started
byTaswar Bhatti
 
PDF
CSF18 - Securing the Cloud - Karim El-Melhaoui
byNCCOMMS
 
PPTX
Oracle Audit Vault Training | Audit Vault - Oracle Trainings
byOracleTrainings
 
PDF
BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017
byMicro Focus
 
PPTX
SQL Server 2012 Security Task
byYaakub Idris
 
PDF
CNIT 129S - Ch 6a: Attacking Authentication
bySam Bowne
 
PPTX
Isaca sql server 2008 r2 security & auditing
byAntonios Chatzipavlis
 
PPT
Restricted routing infrastructures PPT
bySai Charan
 
PPTX
Self-service password management and single sign-on for on-premises AD and cl...
byZoho Corporation
 
PDF
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
byMicro Focus
 
PDF
Community and Java EE @ DevConf.CZ
byMarkus Eisele
 
PDF
Cache Security- Adding Security to Non-Secure Applications
byInterSystems Corporation
 
PDF
Mobile platform for ECM System
byPrimož Javornik
 
PDF
UNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANT
byMicro Focus
 
KEY
SQL Server: Security
byLearnNowOnline
 
PPTX
JakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native Companion
byJakarta_EE
 
PDF
DevOps sensors 360° high availability in the cloud
byLahav Savir
 
PPTX
Microsoft Azure and Windows Application monitoring
bySite24x7
 
8 cloud design patterns you ought to know - Update Conference 2018
byTaswar Bhatti
 
Azure Key Vault - Getting Started
byTaswar Bhatti
 
CSF18 - Securing the Cloud - Karim El-Melhaoui
byNCCOMMS
 
Oracle Audit Vault Training | Audit Vault - Oracle Trainings
byOracleTrainings
 
BIG IRON, BIG RISK? SECURING THE MAINFRAME - #MFSummit2017
byMicro Focus
 
SQL Server 2012 Security Task
byYaakub Idris
 
CNIT 129S - Ch 6a: Attacking Authentication
bySam Bowne
 
Isaca sql server 2008 r2 security & auditing
byAntonios Chatzipavlis
 
Restricted routing infrastructures PPT
bySai Charan
 
Self-service password management and single sign-on for on-premises AD and cl...
byZoho Corporation
 
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
byMicro Focus
 
Community and Java EE @ DevConf.CZ
byMarkus Eisele
 
Cache Security- Adding Security to Non-Secure Applications
byInterSystems Corporation
 
Mobile platform for ECM System
byPrimož Javornik
 
UNIFIED MESSAGE ARCHIVING – WHY IT IS IMPORTANT
byMicro Focus
 
SQL Server: Security
byLearnNowOnline
 
JakartaOne Livestream CN4J: Eclipse MicroProfile - Your Cloud-Native Companion
byJakarta_EE
 
DevOps sensors 360° high availability in the cloud
byLahav Savir
 
Microsoft Azure and Windows Application monitoring
bySite24x7
 

Similar to Geek Sync | Handling HIPAA Compliance with Your Data Access

PPTX
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
byDenny Lee
 
PPTX
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
byWinWire Technologies Inc
 
PPT
SQL Server 2008 Security Overview
byukdpe
 
PPT
Fortress SQL Server
bywebhostingguy
 
PDF
The New Normal: Dealing with the Reality of an Unsecure World
byEric Kavanagh
 
PDF
Choosing Encryption for Microsoft SQL Server
byJerome J. Penna
 
PPTX
The Spy Who Loathed Me - An Intro to SQL Server Security
byChris Bell
 
PDF
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
byTobias Koprowski
 
PDF
Better to Ask Permission? Best Practices for Privacy and Security
byEric Kavanagh
 
PPTX
basic to advance network security concepts
byamansinght675
 
PDF
Seguridad en SQL Server 2012
byJuan Fabian
 
DOCX
Database Security – Issues and Best PracticesOutline
byOllieShoresna
 
PPTX
SQLCAT - Data and Admin Security
byDenny Lee
 
PDF
KoprowskiT_SQLRelayCaerdydd_SQLSecurityInTheClouds
byTobias Koprowski
 
PDF
KoprowskiT_SQLRelayBirmingham_SQLSecurityInTheClouds
byTobias Koprowski
 
PPTX
Sql server security in an insecure world
byGianluca Sartori
 
PDF
Geek Sync | Meeting Security Benchmarks and Compliance with Microsoft SQL Ser...
byIDERA Software
 
PDF
ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!
byITCamp
 
PPT
SQL Server Basics Hello world iam here.ppt
bynanisaketh
 
PDF
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
byScott Sutherland
 
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
byDenny Lee
 
Modern Data Security for the Enterprises – SQL Server & Azure SQL Database
byWinWire Technologies Inc
 
SQL Server 2008 Security Overview
byukdpe
 
Fortress SQL Server
bywebhostingguy
 
The New Normal: Dealing with the Reality of an Unsecure World
byEric Kavanagh
 
Choosing Encryption for Microsoft SQL Server
byJerome J. Penna
 
The Spy Who Loathed Me - An Intro to SQL Server Security
byChris Bell
 
KoprowskiT_SQLSatHolland_SQLServerSecurityInTheCloud
byTobias Koprowski
 
Better to Ask Permission? Best Practices for Privacy and Security
byEric Kavanagh
 
basic to advance network security concepts
byamansinght675
 
Seguridad en SQL Server 2012
byJuan Fabian
 
Database Security – Issues and Best PracticesOutline
byOllieShoresna
 
SQLCAT - Data and Admin Security
byDenny Lee
 
KoprowskiT_SQLRelayCaerdydd_SQLSecurityInTheClouds
byTobias Koprowski
 
KoprowskiT_SQLRelayBirmingham_SQLSecurityInTheClouds
byTobias Koprowski
 
Sql server security in an insecure world
byGianluca Sartori
 
Geek Sync | Meeting Security Benchmarks and Compliance with Microsoft SQL Ser...
byIDERA Software
 
ITCamp 2018 - Tobiasz Koprowski - Secure your data at rest - on demand, now!
byITCamp
 
SQL Server Basics Hello world iam here.ppt
bynanisaketh
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
byScott Sutherland
 

More from IDERA Software

PPTX
The role of the database administrator (DBA) in 2020: Changes, challenges, an...
byIDERA Software
 
PPTX
Problems and solutions for migrating databases to the cloud
byIDERA Software
 
PPTX
Public cloud uses and limitations
byIDERA Software
 
PPTX
Optimize the performance, cost, and value of databases.pptx
byIDERA Software
 
PPTX
Monitor cloud database with SQL Diagnostic Manager for SQL Server
byIDERA Software
 
PPTX
Database administrators (dbas) face increasing pressure to monitor databases
byIDERA Software
 
PPTX
Six tips for cutting sql server licensing costs
byIDERA Software
 
PDF
Idera live 2021: The Power of Abstraction by Steve Hoberman
byIDERA Software
 
PDF
Idera live 2021: Why Data Lakes are Critical for AI, ML, and IoT By Brian Flug
byIDERA Software
 
PDF
Idera live 2021: Will Data Vault add Value to Your Data Warehouse? 3 Signs th...
byIDERA Software
 
PDF
Idera live 2021: Managing Digital Transformation on a Budget by Bert Scalzo
byIDERA Software
 
PDF
Idera live 2021: Keynote Presentation The Future of Data is The Data Cloud b...
byIDERA Software
 
PDF
Idera live 2021: Managing Databases in the Cloud - the First Step, a Succes...
byIDERA Software
 
PDF
Idera live 2021: Database Auditing - on-Premises and in the Cloud by Craig M...
byIDERA Software
 
PDF
Idera live 2021: Performance Tuning Azure SQL Database by Monica Rathbun
byIDERA Software
 
PPTX
Geek Sync | How to Be the DBA When You Don't Have a DBA - Eric Cobb | IDERA
byIDERA Software
 
PPTX
How Users of a Performance Monitoring Tool Can Benefit from an Inventory Mana...
byIDERA Software
 
PPTX
Benefits of Third Party Tools for MySQL | IDERA
byIDERA Software
 
PPTX
Achieve More with Less Resources | IDERA
byIDERA Software
 
PPTX
Benefits of SQL Server 2017 and 2019 | IDERA
byIDERA Software
 
The role of the database administrator (DBA) in 2020: Changes, challenges, an...
byIDERA Software
 
Problems and solutions for migrating databases to the cloud
byIDERA Software
 
Public cloud uses and limitations
byIDERA Software
 
Optimize the performance, cost, and value of databases.pptx
byIDERA Software
 
Monitor cloud database with SQL Diagnostic Manager for SQL Server
byIDERA Software
 
Database administrators (dbas) face increasing pressure to monitor databases
byIDERA Software
 
Six tips for cutting sql server licensing costs
byIDERA Software
 
Idera live 2021: The Power of Abstraction by Steve Hoberman
byIDERA Software
 
Idera live 2021: Why Data Lakes are Critical for AI, ML, and IoT By Brian Flug
byIDERA Software
 
Idera live 2021: Will Data Vault add Value to Your Data Warehouse? 3 Signs th...
byIDERA Software
 
Idera live 2021: Managing Digital Transformation on a Budget by Bert Scalzo
byIDERA Software
 
Idera live 2021: Keynote Presentation The Future of Data is The Data Cloud b...
byIDERA Software
 
Idera live 2021: Managing Databases in the Cloud - the First Step, a Succes...
byIDERA Software
 
Idera live 2021: Database Auditing - on-Premises and in the Cloud by Craig M...
byIDERA Software
 
Idera live 2021: Performance Tuning Azure SQL Database by Monica Rathbun
byIDERA Software
 
Geek Sync | How to Be the DBA When You Don't Have a DBA - Eric Cobb | IDERA
byIDERA Software
 
How Users of a Performance Monitoring Tool Can Benefit from an Inventory Mana...
byIDERA Software
 
Benefits of Third Party Tools for MySQL | IDERA
byIDERA Software
 
Achieve More with Less Resources | IDERA
byIDERA Software
 
Benefits of SQL Server 2017 and 2019 | IDERA
byIDERA Software
 

Recently uploaded

PDF
How to Get Premium Capacity Power BI.pdf
byinfodobbsdataconsult
 
PPTX
Communicating Software Architecture using Arc42
byAshraf Fouad
 
DOCX
Data Governance and Compliance Choosing a Tableau Replacement with Strong Con...
byVarsha Nayak
 
DOCX
Tableau Alternative Offers the Best Data Visualization Experience.docx
byVarsha Nayak
 
PDF
How an HR Management System Can Transform Your HR Processes.pdf
byVihan Richard
 
PDF
Boobanker Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
PDF
How to do Portable Applicance Testing: example
byMaheswararajJ
 
PDF
AstuteAP - AI-enabled Supplier Invoice Processing Automation Tool.pdf
byAstuteBusiness
 
PDF
Build Vs. Buy: Cloud Cost Management and FinOps
byAmnic
 
PDF
How to Make Your AI Reliable: Comprehensive Guide to Testing AI Applications ...
byQATestLab Quality is a rule
 
PDF
vMix Overview & Key Features Easily Produce, Record and Live Stream
byIGM Soraing
 
PDF
Top 10 Ways AI Can Improve SEO Strategies in 2025.pdf
bybpractseo
 
PDF
NFTMeme Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
PPTX
Scrape Grocery App Data from BigBasket, Zepto, and Blinkit.pptx
byMobile App Scraping
 
PPTX
How an AI Chatbot for Mental Health Is Redefining Patient Care and Emotional ...
byMatellio
 
PDF
The future Android App Development in 2025
byLoudOwls Solutions Private Limited
 
PDF
Free Versus Paid Enterprise IT Monitoring Tools
byEvaMariaBraun1
 
PPTX
Wired_AnalyticsTraineeship_13112025_clean.pptx
bySimonedeGijt
 
PPTX
Mobile App Accessibility Standards Every Developer Should Know.pptx
byjanhammer1014
 
PPTX
AI and Automation Software | Best AI and Automation Software
byEasy Clinic
 
How to Get Premium Capacity Power BI.pdf
byinfodobbsdataconsult
 
Communicating Software Architecture using Arc42
byAshraf Fouad
 
Data Governance and Compliance Choosing a Tableau Replacement with Strong Con...
byVarsha Nayak
 
Tableau Alternative Offers the Best Data Visualization Experience.docx
byVarsha Nayak
 
How an HR Management System Can Transform Your HR Processes.pdf
byVihan Richard
 
Boobanker Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
How to do Portable Applicance Testing: example
byMaheswararajJ
 
AstuteAP - AI-enabled Supplier Invoice Processing Automation Tool.pdf
byAstuteBusiness
 
Build Vs. Buy: Cloud Cost Management and FinOps
byAmnic
 
How to Make Your AI Reliable: Comprehensive Guide to Testing AI Applications ...
byQATestLab Quality is a rule
 
vMix Overview & Key Features Easily Produce, Record and Live Stream
byIGM Soraing
 
Top 10 Ways AI Can Improve SEO Strategies in 2025.pdf
bybpractseo
 
NFTMeme Token – Smart Contract Security Audit Report by EtherAuthority
byEtherAuthority1
 
Scrape Grocery App Data from BigBasket, Zepto, and Blinkit.pptx
byMobile App Scraping
 
How an AI Chatbot for Mental Health Is Redefining Patient Care and Emotional ...
byMatellio
 
The future Android App Development in 2025
byLoudOwls Solutions Private Limited
 
Free Versus Paid Enterprise IT Monitoring Tools
byEvaMariaBraun1
 
Wired_AnalyticsTraineeship_13112025_clean.pptx
bySimonedeGijt
 
Mobile App Accessibility Standards Every Developer Should Know.pptx
byjanhammer1014
 
AI and Automation Software | Best AI and Automation Software
byEasy Clinic
 

Geek Sync | Handling HIPAA Compliance with Your Data Access

  • 1.
    Handling HIPAA Compliance with YourData Access November 15, 2017
  • 2.
    About Me • Infrastructureand security architect • Database Administrator / Architect • Former Incident Response team lead • Certified Information Systems Auditor (CISA) • SQL Server security columnist / blogger • Editor for SQL Server benchmarks at Center for Internet Security
  • 3.
    My Contact Information K.Brian Kelley Email: kbriankelley@acm.org Twitter: @kbriankelley Infrastructure/Security Blog: http://truthsolutions.wordpress.com Personal Development Blog: http://gkdba.wordpress.com
  • 4.
    5 Key Questions 1.Who has access to my electronic PHI, and how do I audit the activity? 2. How do I define a secure baseline and maintain it across my SQL Server environment? 3. How can I implement repeatable processes to help maintain the security standards? 4. How do I audit permissions, logins, and object and data changes on my SQL Server? 5. What is the best way for me to ensure not only ongoing compliance with the HIPAA, HITECH, and Omnibus Rule regulations but also help maintain reasonable security across my SQL Server databases? Source: https://www.idera.com/resourcecentral/whitepapers/security-and-compliance-solutions-for-hipaa Search Engine Keywords: IDERA HIPAA
  • 5.
    Agenda • Repeatable Processes(#3, #5) • User Security (#4) • Secure Configuration (#2, #5) • Auditing Access (#1, #4)
  • 6.
    Some of whatSQL Server brings to bear to comply with HIPAA are found in features only available in Enterprise Edition. What you will need Enterprise Edition for: • Extensible Key Management • Transparent Data Encryption (TDE) What was added to Standard Edition, starting with SQL Server 2016 SP1: • Always Encrypted • Database-level (Fine-grained) Auditing
  • 7.
  • 8.
    Repeatable Processes • OrganizationalIssue: Change Control • Workflows must be consistent • Documentation must be maintained • Exceptions must be reported “If there’s no evidence for a control, it’s not a control.”
  • 9.
    What SQL ServerCan Do • User security to restrict access • Data Definition Triggers: • Enforce when changes can be made • Enforce what types of changes can be made • Schema Change History report • SQL Server traces • Extended Events
  • 10.
  • 11.
    Login Security The BestPractice: 1. All logins are via AD domain user accounts 2. All logins are placed in security groups (preferably domain security groups) 3. Security groups are granted login ability to SQL Server
  • 12.
    If You FollowThis Best Practice (and you should…) • Auditing and alerting must be present against Active Directory and OS • Track changes to groups which provide access into the DB • Track changes to groups which provide administrative rights to OS • Track changes to users with privileged access: • Through any applications • Into SQL Server itself
  • 13.
    Server Level Access •Use Server-Level Roles for privileged access: • sysadmin • User-defined role with granular security • Don’t use securityadmin • Permissions to watch for: • CONTROL SERVER • IMPERSONATE
  • 14.
    Database Level Access •Use roles for granting access • Minimal permissions (principle of least privilege) • Test permission scenarios (and have test results) • Take into account how privileged accounts have implicit access
  • 15.
  • 16.
    Starting with aSecure Configuration • Build server template with baseline security configuration • Deploy server using template • Scripted SQL Server install with minimal features • After install scripts to harden SQL Server
  • 17.
    Policy Based Management •Can target groups of SQL Servers • Most settings available to all components of SQL Server • Enforce or detect change to configuration • Can choose how to implement enforcement
  • 18.
    Other Ways toMaintain • Custom Scripts • 3rd Party Products • Periodic Checks. Don’t Rely on initial setup and PBM –ALWAYS audit security –Server settings important for compliance requirements
  • 19.
    Secure Communication • Don’tassume network is secure, even if it’s “internal.” • Most larger organizations have large capture capability. • Even if PHI data is encrypted in transit, other key information available. • Secure communications with SQL Server: • Server certificate – SSL / TLS • IPSEC (OS level)
  • 20.
  • 21.
    Encrypting Data atRest • Easy Button: Transparent Data Encryption • OS Options: • Encrypting File System (not recommended) • Bitlocker • Don’t forget about backups • TDE – native backups encrypted automatically • Encrypted backups new feature as of SQL Server 2014 • Every major 3rd party solution supports backup encryption • Storage personnel may argue against it. Auditors will be on your side.
  • 22.
    Encrypting Data inthe DB • TDE and OS file level encryption don’t apply within SQL Server • SQL Server has built-in encryption options if home grown • Key management is a problem • If SQL Server manages the keys then admins can see the data • Always Encrypted is another option for home grown solutions • Verify PHI data is encrypted
  • 23.
    Speaking of KeyManagement • With TDE, key management is crucial to recover the DB. • Built-in encryption has key management challenges as well. • Test your recovery scenarios extensively. • Consider Extensible Key Management (EKM) solutions.
  • 24.
  • 25.
    Default Trace andServer Traces • Default Trace runs by default • Rolling capture of particular events • Does capture schema change events • Build Your Own Trace • Use prior to Extended Events • C2 audit mode • Technically a trace • Writes significant amounts of data • Not recommended • Deprecated
  • 26.
    Extended Events • Canaudit for anything you should need • Can be made as lightweight as possible • Does require legwork to get right • Doesn’t send information to OS event logs by default • Easier solution: Audit objects
  • 27.
    Audit Objects • Twolevels: • Server • Database (fine-grained) • Track events at both levels • Database level events: • Can also grab SELECT queries (who is accessing the data) • Don’t assume all access is through the application(s) • Targets: • File system • Application event log • Security event log (recommended)
  • 28.
    What We Lookedat Today • Repeatable Processes (#3, #5) • User Security (#4) • Secure Configuration (#2, #5) • Auditing Access (#1, #4)
  • 29.
    Further “Print” Resources: IDERAwhitepaper: https://www.idera.com/resourcecentral/whitepapers/security-and-compliance-solutions-for-hipaa Microsoft SQL Server Compliance whitepaper: https://www.microsoft.com/en-us/download/details.aspx?id=6808 Experis Finance whitepaper: http://www.experis.us/Website-File-Pile/Whitepapers/Experis/FIN_HIPAA-Complaince-with-SQL_050211.pdf Securing SQL Server, Third Edition Denny Cherry (book published by Syngress)