Microsoft Database security and compliance capabilities, under General Data Protection Regulation (GDPR) perspective

Transcription

1 Microsoft Database security and compliance capabilities, under General Data Protection Regulation (GDPR) perspective

2 A NEW STANDARD TO PROTECT PERSONAL DATA The General Data Protection Regulation provides European Union citizens, wherever they reside, and lawful residents greater control of their data by requiring organizations to maintain appropriate security of personal data. GDPR includes Enhanced personal privacy rights Increased duty for protecting data Mandatory breach reporting Significant penalties for non-compliance

3 SOLUTIONS TO HELP YOU PREPARE FOR THE GDPR

4 DATA PROTECTION WITH SQL-BASED TECHNOLOGIES The SQL platform ensures secure processing and storage of personal data Discover Manage Protect Report Identify and track personal data Discover and classify specific data Tag data with sensitivity labels Track personal data access across resources Control access Help securely authenticate access to your database and apply granular authorization Restrict access to users with easyto-use tools Safeguard data Respond to breaches Help secure data whether at rest, in transit or in client applications Track unusual or suspicious activity to identify threats Keep records Track and report on all database activities Maintain an updated assessment of data security posture

5 SQL-BASED TECHNOLOGIES SUPPORT YOUR SECURITY NEEDS, INCLUDING GDPR Tra ck perso na l data Separation of duties Encryption everywhere Audit capabilities Consistent programmability experience E a sily que r y da tab ases to unc ove r personal data T a g da ta w ith sensitivity la be ls using E xtende d Properties Se c ur e ly a uthentica te to your da ta base a nd a pply gr a nula r a uthorization policies Re str ic t a cce ss to use rs using D yna mic D ata Ma sking a nd Row- L e vel Se c ur ity E nc r ypt da ta w hethe r a t r e st, in tr a nsit or in c lient applications T r a c k a nd r e port on a ll da ta ba se a ctivities w ith gr a nula rly configur able auditing U se c ontinuously lea rning a lgor ithms to ide ntify unusua l or suspicious a ctivity D e ve loper s a nd application pa r tne rs c an build to a single pr ogr amming surface Sc a le a c ross SQ L e ditions a nd the c loud Key features SQ L Q ue r y L a nguage V ulne r a bility A ssessment D a ta D isc ove ry & Classification D yna mic D a ta Ma sking (DDM) Row- L e vel Se c ur ity ( RL S) W indow s a uthentic ation/ AAD authentication T r a nspa rent D ata Encryption A lw a ys E nc rypte d Transport- Layer Se curity A uditing f or SQ L D atabase a nd SQ L Se r ve r a udit T e mpor a l tables SQ L D a ta ba se T hrea t D e te c tion Sinc e SQ L Se r ve r 2016 SP1

6 This image cannot currently be displayed.

7 STEP 1 Process Inventory personal data in database systems Review access model, understand the attack surface area Technology Data Discovery and Classification Vulnerability Assessment

8 DISCOVER AND CLASSIFY PERSONAL DATA Data Discovery & Classification forms a new SQL Information Protection paradigm to protect data Discovery & Classification recommendations engine scans database and identifies columns containing potentially sensitive data Sensitivity classification labels can be tagged on columns for advanced auditing and protection Query result set sensitivity is calculated in real time for auditing The database classification state can be viewed in a detailed dashboard or an Excel report Discover

9 UNCOVER AND MANAGE DATA WITH SPECIFIC TOOLS Easily query databases with SQL query language to identify and uncover personal data Create classified tables with Extended Properties and attribute-based label metadata Use Full-Text Search in Microsoft SQL to search for keywords located within freeform text Search and identify personal data using metadata queries SQL Discover

10 STEP 2 Process Manage authentication and authorization mechanisms Properly configure database firewall Limit application access according to authorization principles Technology Azure Active Directory authentication, role-based security, Windows authentication Azure SQL Firewall Dynamic Data Masking, Row-Level Security

11 MANAGE DATA ACCESS WITH ROW- LEVEL SECURITY Fine-grained access control over specific rows in a database Prevent unauthorized access when filtering in multitenant applications Enforcement logic inside the database and schema bound to the table Centralize Row-Level access logic within the database Provide better support services preventing your representative from getting access to customer s sensitive data Manage

12 CONTROL SENSITIVE DATA ACCESS WITH DYNAMIC DATA MASKING Non-privileged users cannot see sensitive data Table.CreditCardNo Apply data masking in real-time to query results based on security policy Av ailab le in th e Azu re p ortal and also v ia T-SQL CreditCardNo XXXX-XXXX-XXXX XXXX-XXXX-XXXX XXXX-XXXX-XXXX Manage

13 STEP 3 Process Encryption of data at rest, in motion, in use Maintain records and audits of all database activities Detect data breach and respond accordingly Ensure business continuity Technology Transparent Data Encryption, Always Encrypted Auditing Threat Detection Always On, Active Geo-Replication

14 ENCRYPT DATA IN USE WITH ALWAYS ENCRYPTED Protect data in use from highly privileged yet unauthorized users with Always Encrypted Configure Always Encrypted for individual database columns containing sensitive data Leverage column encryption keys and column master keys to protect data Enhanced SQL Server Library SQL Data set CIPHERTEXT Customer Credit card # Exp. Customer Credit card # Exp. Denny Usher 0x7ff654ae6d /17 Tim Irish 1x7fg655se2e /19 Denny Usher 0x7ff654ae6d /17 Alicia Hodge 0y8fj754ea2c /18 Protect Column master key Column encryption key

15 MAXIMIZE AVA ILA B ILITY O N ANY PLATFORM Always On cross-platform capabilities with HA and DR for Linux and Windows Support for clusterless Av ailab ility Gro ups Ultimate HA with OS-level redundancy and low-downtime migration Load balancing of readable secondaries Protect

16 DETECT UNUSUAL AND POTENTIALLY HARMFUL ACTIVITY Azure SQL Threat Detection discovers and identifies anomalous activities Users receive alerts upon suspicious database activities, potential vulnerabilities, and SQL injection attacks Recommended actions on how to investigate and mitigate threats Protect

17 STEP 4 Process Maintain audit records of database activities Continuously assess and analyze security measures Technology Auditing, Temporal tables Vulnerability Assessment

18 TRACK AND LOG EVENTS WITH SQL SERVER AUDIT Enable, store, and view audits on various server and database objects with dedicated tools Define multiple server or database audits to run simultaneously Track and log user-defined database-level audits with the help of predefined templates Report

19 KNOW YOUR SECURITY STATE WITH SQL VULNERABILITY ASSESSMENT Meet compliance requirements that require database scan reports Meet security standards of GDPR Monitor a dynamic database environment where changes are difficult to track Drill-down on assessment results to understand the impacts of findings and use actionable remediation information to resolve issues Report

20 Discover Data identifica tion Tracking Manage Access control Granular authorization Protect Data security Data Discovery & Classification Scan, identify, and label columns containing potentially sensitive data in your database Access control Administrators can manage and govern access to personal data with Windows authentication and Azure Active Directory authentication Transparent Data Encryption Help secure personal data through encryption at the physical storage layer using encryptionat-rest Metadata queries, SQL queries and statements Helps you search and identify personal data using queries Role-based access control Apply role-based access control to help manage authorization policies in the database, and to implement the separation of duties principle Always Encrypted Prevent unauthorized, high-privileged users from accessing data in transit, at rest, and while in use DATA SECURITY SOLUTIONS WITH SQL-BASED TECHNOLOGIES Full text queries Using full-text queries against characterbased data in SQL Server tables Azure Data Catalog Unlock tribal knowledge by sharing information about data usage and intent throughout the organization Report Documentation Assessment of security Row-level security Prevent access to rows in a table (such as those that may contain sensitive information) based on characteristics of the user trying to access the data Dynamic Data Masking Control access to sensitive data by enabling how much data to reveal with minimal impacts to app layers SQL Server Audit Verify changes to data that occur in a SQL Server table Always On Availability Groups Maximize the availability of a group of user databases for an enterprise SQL Database Threat Detection Get help detecting anomalous database activities indicating potential security threats to the database SQL Server Audit Understand ongoing database activities, and analyze and investigate historical activity to identify potential threats or suspected abuse and security violations SQL Server Audit Maintain audit trails and gain useful input for performing a Data Protection Impact Assessment (DPIA) Master data services Keep personal data complete and ensure that requests to edit, delete, or discontinue the processing of data are propagated throughout the system Vulnerability assessment Reports that can serve as a security assessment for your database. These reports can also be used as part of a Data Protection Impact Assessment (DPIA)

21 MODERNIZE YOUR DATA PLATFORM TODAY Upgrade scenarios Shared Infrastructure / Lower cost Hybrid Cloud SQL PaaS & SaaS Azure SQL Database Virtualized Database On-premises: Complete data platform with mission critical performance and real time reporting IaaS SQL Server in Azure VM Virtualizes Machines Private Cloud: Dedicated business resources inside the enterprise IaaS: Keep management while reducing TCO with Azure VMs SaaS: No application code change, while taking advantage of scalable and highly available DBaaS PaaS: Fully managed solution with high availability and scalability Dedicated Infrastructure/ Higher cost SQL Physical SQL Server Physical Machine (raw iron) Virtu al SQL Server Private Cloud Virtualized Machine + Appliance Higher administration Lower administration

22 END OF SUPPORT MEANS END OF COMPLIANCE Businesses using unsupported SQL Server versions may not meet GDPR standards End of support means no more critical security updates, leading to greater threats and increased maintenance costs SQL Server end of support schedule Versi on Cu rren t support level End mainstream End extended SQL Server 2014 Currently supporting all versions July 9, 2019 July 9, 2024 SQL Server 2012 SQL Server 2008 and SQL Server 2008 R2 SQL Server 2012 SP2+ is in mainstream support until CY 2017 SQL Server 2008 and 2008 R2 are in extended support which includes security updates, paid support, and requires purchasing non-security hotfix support July 11, 2017 July 12, 2022 July 8, 2014 July 9, 2019 SQL Server 2005 SQL Server 2005 support ended on April 12, 2016 April 12, 2011 April 12, 2016

23 SQL SERVER 2017 Strengthen data security on a leading data platform Choice of platform and language Industry-leading performance Most secure over the last 8 years 6 Only commercial DB with AI built-in End-to-end mobile BI on any device 200+ $2, T-SQL Java C/C++ C#/VB.NET PHP Node.js Python Ruby #1 OLTP performance 1 #1 DW performance on 1TB 2, 10TB 3, and 30TB 4 #1 OLTP price/performance 5 #1 DW price/performance on 1TB 2, 10TB 3, and 30TB 4 Vulnerabilities ( ) R R and Python + in-memory at massive scale Native T-SQL scoring Self-service BI per user $480 $120 Microsoft Tableau Oracle A fraction of the cost In-memory across all workloads Private cloud Most consistent data platform Public cloud National Institute of Standards and Technology Comprehensive Vulnerability Database

24