who, what, where and how: why you want to know

Grab some coffee and enjoy the pre-show banter before the top of the hour!

Upload: eric-kavanagh

Post on 15-Apr-2017


TRANSCRIPT

Grab some coffee and enjoy the pre-show banter before the top of the hour!

Hot Technologies of 2016

HOST: Eric Kavanagh

THIS YEAR is…

THE LINEUP

ANALYST: Dez Blanchfield, Data Scientist, The Bloor Group

ANALYST: Robin Bloor, Chief Analyst, The Bloor Group

GUEST: Bullett Manale, Director of Sales Engineering, IDERA

INTRODUCING

Robin Bloor

The Governance Imperative

Robin Bloor Ph.D.

The Governance Imperative

Data governance is a relatively recent concern and focus.

But in truth, ALL DATA needs to be governed and it always did.

The Governance Challenge

•  Increasing number of data sources

•  Unstructured data

•  Data provenance and lineage

•  Data encryption

•  Authentication

•  Data access monitoring

•  Compliance rules

•  Compliance reporting

•  Data lifecycle management

Data Pyramid

Rules, Policies, Guidelines, Procedures

Linked data, Structured data, Visualization, Glossaries, Schemas, Ontologies

Signals, Measurements, Recordings, Events, Transactions, Calculations, Aggregations

New Data

Refinement

All of these are dynamic and change, so the change has to be managed

The Governance Empire

The Growth of Compliance

•  International

–  GRC

–  ISO (standards)

•  US Government:

–  SOX

–  GLBA

–  HIPAA

–  FISMA

–  FERPA

–  NIST standards

•  Europe

–  GDPR (data protection laws) with variances

–  New: The right to be forgotten

The Net Net

Because IT and data management are evolving so quickly,

GOVERNANCE must also evolve quickly.

INTRODUCING

Dez Blanchfield

@dez_blanchfield

compliance: conforming to a set of rules, specifications, controls, policies, standards or laws


are you compliant?

are you sure?

prove it!!


Can you locate our data compliance?


No, they’re erroneous False Positives!


Ok, it’s Wally, not a compliance manager


big deal, what could possibly go wrong!?


What could possibly go wrong ;-(


organizations are now “data driven” & most data lives in a database of some form


Database & Systems management

My top 5 data management challenges

1.  Security & Compliance

2.  Performance & Monitoring

3.  Incident detection & Response

4.  Management & Administration

5.  Design & Development


Reducing risks & improving security

My top 5 data security challenges

1.  Mitigate Database Bypass

2.  Prevent account Misuse

3.  Auditing & Compliance Reporting

4.  Monitor Traffic and block Threats

5.  Protect non-production environments


compliance is now an “always on” issue, and achieving it requires the right tools

INTRODUCING

Bullett Manale

© 2016 IDERA, Inc. All rights reserved. Proprietary and confidential.

IDERA – SQL COMPLIANCE MANAGER Hot Technology Webcast

Bullett Manale Director, Sales Engineering


RESPONSIBILITIES OF THE DBA (ACCORDING TO WIKIPEDIA)


GLBA


PROCESS OF VALIDATING COMPLIANCE

•  Collect an audit trail for ONLY the transactions relating to the sensitive data (best practice)

•  Use the audit trail to prove the controls are working

•  Keep the data to match the standard’s retention policy (typically 7 years)

•  Put real-time controls in place to alert when transactions don’t meet the standard
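The four steps above as working code. This is an added example, not IDERA code and not from the webcast: it scopes a constructed stream of SQL Server-style audit events to the sensitive objects, evaluates each event against a hypothetical control (approved principals and an approved application path), raises the alerts, and applies the seven-year retention horizon. The object names, logins, host names, application names and rule names are all constructed for the example.

```python
"""Scope, evaluate, alert and retain: a toy audit-trail pipeline (added example)."""
from datetime import datetime, timedelta

# Step 1: the sensitive objects the trail is scoped to (hypothetical names;
# in practice located with a column search and confirmed by the compliance officer).
SENSITIVE_OBJECTS = {"dbo.CustomerSSN", "dbo.CardNumber"}

# Step 2: the control being proven: which principal may touch which object,
# and through which application. Anything reaching the data another way is a
# database bypass. All values are constructed for the example.
APPROVED_PRINCIPALS = {
    "dbo.CustomerSSN": {"svc_billing"},
    "dbo.CardNumber": {"svc_billing"},
}
APPROVED_APPS = {"BillingApp"}

# Step 3: retention horizon, "typically 7 years" per the slide.
RETENTION = timedelta(days=7 * 365)

# Constructed events in the who / what / when / where / how shape a collector emits.
EVENTS = [
    {"ts": "2017-04-10T09:12:03", "login": "svc_billing", "host": "APP01", "app": "BillingApp",
     "action": "SELECT", "object": "dbo.CustomerSSN", "success": True},
    {"ts": "2017-04-10T09:15:44", "login": "CORP\\bob", "host": "WS117", "app": "SSMS",
     "action": "SELECT", "object": "dbo.CustomerSSN", "success": True},
    {"ts": "2017-04-10T09:16:02", "login": "CORP\\bob", "host": "WS117", "app": "SSMS",
     "action": "SELECT", "object": "dbo.Products", "success": True},
    {"ts": "2017-04-10T23:40:10", "login": "svc_billing", "host": "APP01", "app": "BillingApp",
     "action": "ALTER", "object": "dbo.CardNumber", "success": True},
    {"ts": "2017-04-10T23:41:00", "login": "CORP\\mallory", "host": "WS200", "app": "SSMS",
     "action": "LOGIN", "object": None, "success": False},
    {"ts": "2009-01-05T08:00:00", "login": "svc_billing", "host": "APP01", "app": "BillingApp",
     "action": "SELECT", "object": "dbo.CardNumber", "success": True},
]


def in_scope(event):
    """Keep only events touching sensitive data, plus failed logins (the slide's 'ONLY' rule)."""
    failed_login = event["action"] == "LOGIN" and not event["success"]
    return event["object"] in SENSITIVE_OBJECTS or failed_login


def evaluate(event):
    """Return the control violations an event represents; an empty list means it meets the standard."""
    if event["action"] == "LOGIN" and not event["success"]:
        return ["FAILED_LOGIN"]
    alerts = []
    if event["login"] not in APPROVED_PRINCIPALS.get(event["object"], set()):
        alerts.append("UNAPPROVED_PRINCIPAL")
    if event["app"] not in APPROVED_APPS:
        alerts.append("DATABASE_BYPASS")      # data reached outside the application path
    if event["action"] in {"ALTER", "DROP"}:
        alerts.append("SCHEMA_CHANGE")        # structural change to a sensitive object
    return alerts


def audit_trail(events):
    """The scoped trail: each in-scope event with the who/what/when/where/how fields plus its alerts."""
    return [dict(event, alerts=evaluate(event)) for event in events if in_scope(event)]


def past_retention(event, now):
    """True once an event is older than the retention policy and may be purged."""
    return datetime.fromisoformat(event["ts"]) < now - RETENTION


if __name__ == "__main__":
    for entry in audit_trail(EVENTS):
        print(entry["ts"], entry["login"], entry["action"], entry["object"], entry["alerts"])
```

Running the block prints the scoped trail; the 09:15 SELECT by an unapproved login through an ad-hoc tool raises both UNAPPROVED_PRINCIPAL and DATABASE_BYPASS, the ALTER raises SCHEMA_CHANGE, and the SELECT against dbo.Products is dropped from the trail entirely because it touches nothing sensitive.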


THE COMMON DENOMINATOR

The Application is using SQL Server to Store Sensitive Data within the Database


THE THREE QUESTION AUDITOR CHALLENGE

•  Who has access to the sensitive data and how are they getting that access?

•  Can you prove that the right people are accessing the data (and that the wrong people are not)?

•  Can you also prove that the audit trail being used to validate the controls has not been tampered with in any way (immutable source)?


QUESTION 1: WHO HAS ACCESS TO THE SENSITIVE DATA

CHALLENGES:

•  Must know where the sensitive data resides in order to report on who has access

•  Must understand how permissions are being applied to the areas which are sensitive and how people are getting to the data (AD group, Inheritance, Role Membership, etc.)

•  Whatever is identified must be validated by the auditor / compliance officer before moving on to the second question
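The "how are they getting access" part of question 1 is the hard one, because access arrives through chains of AD group nesting and database role membership rather than direct grants. The resolver below is an added example (not IDERA code, not from the webcast) that walks those chains for a sensitive object and reports each end user's effective access with the path that conveys it. It applies the SQL Server rule that a DENY anywhere on a principal's chain overrides a GRANT, simplified to object-level permissions; every login, group, role and grant in it is constructed for the example.

```python
"""Resolve effective access to a sensitive object through nested groups and roles (added example)."""
from collections import deque

# Constructed membership edges: principal -> the AD groups or database roles it belongs to.
MEMBERSHIP = {
    "CORP\\alice": ["CORP\\Finance-Users"],
    "CORP\\bob": ["CORP\\Helpdesk"],
    "CORP\\carol": ["CORP\\Finance-Admins"],
    "CORP\\Finance-Admins": ["CORP\\Finance-Users"],   # nested AD group
    "CORP\\Finance-Users": ["db_finance_reader"],       # AD group mapped into a database role
    "CORP\\Helpdesk": ["db_support"],
    "svc_reporting": ["db_finance_reader"],
}

# Constructed object-level permissions: (principal, object) -> "GRANT" or "DENY".
PERMISSIONS = {
    ("db_finance_reader", "dbo.CustomerSSN"): "GRANT",
    ("db_support", "dbo.CustomerSSN"): "DENY",
    ("CORP\\bob", "dbo.CustomerSSN"): "GRANT",   # direct grant, but bob also sits in a denied role
}

# The end users an auditor wants listed (as opposed to groups and roles).
USERS = ["CORP\\alice", "CORP\\bob", "CORP\\carol", "CORP\\dave", "svc_reporting"]


def access_paths(principal, obj):
    """Every (effect, path) reachable from principal via membership that ends in a permission on obj."""
    results = []
    queue = deque([(principal, [principal])])
    seen = set()
    while queue:
        current, path = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        effect = PERMISSIONS.get((current, obj))
        if effect:
            results.append((effect, path))
        for container in MEMBERSHIP.get(current, []):
            queue.append((container, path + [container]))
    return results


def effective_access(principal, obj):
    """Simplified SQL Server semantics: any DENY on the chain wins over any GRANT.

    Returns ("GRANT" | "DENY" | "NONE", path) where path explains the decision.
    """
    paths = access_paths(principal, obj)
    if not paths:
        return ("NONE", [])
    denies = [path for effect, path in paths if effect == "DENY"]
    if denies:
        return ("DENY", denies[0])
    return ("GRANT", paths[0][1])


def who_has_access(obj, users=USERS):
    """Answer to question 1 for one object: {user: membership path that grants access}."""
    report = {}
    for user in users:
        effect, path = effective_access(user, obj)
        if effect == "GRANT":
            report[user] = path
    return report


if __name__ == "__main__":
    for user, path in who_has_access("dbo.CustomerSSN").items():
        print(user, "via", " -> ".join(path))
```

The output lists alice, carol and svc_reporting, each with the chain that reaches db_finance_reader; bob is excluded despite his direct GRANT because the DENY on db_support reaches him through CORP\Helpdesk, and dave has no path at all. The report is exactly the artefact to hand to the compliance officer for validation before moving to question 2.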


QUESTION 2: CAN YOU PROVE THAT THE RIGHT PEOPLE ARE ACCESSING THE DATA (AND THAT THE WRONG PEOPLE ARE NOT)

CHALLENGES:

•  Be able to easily report and show access related to the user, object, application, etc.

•  Be able to show the who, what, when, and where of every transaction related to the sensitive data

•  Be able to automate the delivery of this information on an ongoing basis

•  Whatever is identified must be validated by the auditor / compliance officer before moving on to the third question


QUESTION 3: CAN YOU PROVE THE AUDIT TRAIL ITSELF HAS NOT BEEN TAMPERED WITH IN ANY WAY?

CHALLENGES:

•  Be able to show immutability of the audit data using hashing or CRC checks

•  Can be quite complex

•  Integrity of the data is essential to passing the audit. Even if the audit trail shows compliance – many auditors will not trust the information without some form of integrity check of the audit trail itself.
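What "immutability using hashing" looks like in practice, as an added example that is not IDERA code and not from the webcast: each audit record is hashed together with the hash of the record before it, so editing or removing any record breaks every link after it, and a verifier can point at the first entry that no longer checks out. The block also shows the caveat an auditor will raise: a chain can be rebuilt from altered records and will verify internally, which is why the current head hash has to be recorded somewhere the repository's own administrators cannot write (the example just passes it in as a trusted value). The audit records are constructed; SHA-256 stands in for whatever hash or CRC scheme a product uses.

```python
"""Hash-chained audit trail with tamper detection and an externally anchored head (added example)."""
import copy
import hashlib
import json

GENESIS = "0" * 64   # well-known starting value for an empty trail

# Constructed audit records (who / what / when / where); all names hypothetical.
RECORDS = [
    {"ts": "2017-04-10T09:12:03", "login": "svc_billing", "host": "APP01",
     "action": "SELECT", "object": "dbo.CustomerSSN"},
    {"ts": "2017-04-10T09:15:44", "login": "CORP\\bob", "host": "WS117",
     "action": "SELECT", "object": "dbo.CustomerSSN"},
    {"ts": "2017-04-10T23:40:10", "login": "svc_billing", "host": "APP01",
     "action": "ALTER", "object": "dbo.CardNumber"},
]


def entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash and a canonical serialisation of this record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(chain, record):
    """Link a new record to the current tail (or to GENESIS for an empty chain)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return chain


def build_chain(records):
    chain = []
    for record in records:
        append_entry(chain, record)
    return chain


def first_bad_entry(chain):
    """Index of the first entry whose link or hash does not check out; None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


def verify_anchored(chain, trusted_head):
    """Intact AND ending at the head hash recorded outside the repository (e.g. by the compliance officer)."""
    if first_bad_entry(chain) is not None:
        return False
    return bool(chain) and chain[-1]["hash"] == trusted_head


def tampered_copy(chain, index, **changes):
    """Demonstration helper: edit one record in a copy while leaving the stored hashes untouched."""
    altered = copy.deepcopy(chain)
    altered[index]["record"].update(changes)
    return altered


if __name__ == "__main__":
    chain = build_chain(RECORDS)
    head = chain[-1]["hash"]
    print("intact chain, first bad entry:", first_bad_entry(chain))
    edited = tampered_copy(chain, 1, login="svc_billing")
    print("edited record, first bad entry:", first_bad_entry(edited))
    rebuilt = build_chain([e["record"] for e in edited])
    print("rebuilt from edited records, internally consistent:", first_bad_entry(rebuilt) is None)
    print("rebuilt chain matches anchored head:", verify_anchored(rebuilt, head))
```

The stored head hash is what turns the chain from a consistency check into evidence: with it kept outside the audited system, a rebuilt chain is caught even though every internal link is valid, and a DBA who can write to the repository is no longer in a position to vouch for their own audit trail.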


FOCUS: SQL COMPLIANCE MANAGER


SQL COMPLIANCE MANAGER

Monitor, Audit, and Alert SQL Server Activity and Data Changes

•  Audit sensitive data – see who did what, when, where, and how

•  Track changes – data access, failed logins, schema changes, and more

•  Uncover threats – get alerts of suspect activity by users or hackers

•  Satisfy audits – have the data to meet PCI, HIPAA, FERPA and SOX compliance

•  Generate reports – 25 built-in reports to validate audit trails

•  Low overhead – reduce footprint with light data collection agent


Security & Compliance


HOW SQL COMPLIANCE MANAGER WORKS

Components shown in the architecture diagram:

•  SQL Compliance Manager management console

•  SQL Compliance Manager repository & collection server

•  SQL Server instances

•  SQL Compliance Manager agent

•  MS SQL Server Reporting Services (SSRS)

•  Connectivity: Windows Authentication; TCP/IP ports 5200, 5201

•  Real-time monitoring of logstream data; pre-defined audit reports

•  Read-only auditors console

•  Lite SQL Compliance Manager agent captures SQL Server trace logstream data (what, when, who), with data filtering and security/change alerting

Note: the database repository version must be equal to or higher than the version being audited.


FREE TOOL TO FIND THE SENSITIVE DATA: SQL COLUMN SEARCH

https://www.idera.com/productssolutions/freetools/sql-column-search


QUICK DEMONSTRATION: IDERA SQL COMPLIANCE MANAGER

The Archive Trifecta:

•  Inside Analysis: www.insideanalysis.com

•  SlideShare: www.slideshare.net/InsideAnalysis

•  YouTube: www.youtube.com/user/BloorGroup

THANK YOU!