who, what, where and how: why you want to know
TRANSCRIPT
THE LINEUP
ANALYST:
Dez Blanchfield, Data Scientist, The Bloor Group
ANALYST:
Robin Bloor, Chief Analyst, The Bloor Group
GUEST:
Bullett Manale, Director of Sales Engineering, IDERA
The Governance Imperative
Data governance is a relatively recent concern and focus.
But in truth, ALL DATA needs to be governed and it always did.
The Governance Challenge
• Increasing number of data sources
• Unstructured data
• Data provenance and lineage
• Data encryption
• Authentication
• Data access monitoring
• Compliance rules
• Compliance reporting
• Data lifecycle management
Data Pyramid
[Figure: three-tier pyramid. Top tier: Rules, Policies, Guidelines, Procedures. Middle tier: Linked data, Structured data, Visualization, Glossaries, Schemas, Ontologies. Base tier: Signals, Measurements, Recordings, Events, Transactions, Calculations, Aggregations. Side labels: "New Data" and "Refinement".]
All of these are dynamic and change, so the change has to be managed
The Growth of Compliance
• International
  – GRC
  – ISO (standards)
• US Government:
  – SOX
  – GLBA
  – HIPAA
  – FISMA
  – FERPA
  – NIST standards
• Europe
  – GDPR (data protection laws) with variances
  – New: The right to be forgotten
The Net Net
Because IT and data management are evolving so quickly,
GOVERNANCE must also evolve quickly.
@dez_blanchfield
compliance: conforming to a set of rules, specifications, controls, policies, standards or laws
Database & Systems management
My top 5 data management challenges
1. Security & Compliance
2. Performance & Monitoring
3. Incident detection & Response
4. Management & Administration
5. Design & Development
Reducing risks & improving security
My top 5 data security challenges
1. Mitigate Database Bypass
2. Prevent account Misuse
3. Auditing & Compliance Reporting
4. Monitor Traffic and block Threats
5. Protect non-production environments
© 2016 IDERA, Inc. All rights reserved. Proprietary and confidential.
IDERA – SQL COMPLIANCE MANAGER Hot Technology Webcast
Bullett Manale Director, Sales Engineering
RESPONSIBILITIES OF THE DBA (ACCORDING TO WIKIPEDIA)
PROCESS OF VALIDATING COMPLIANCE
§ Collect an audit trail for ONLY transactions relating to the sensitive data (best practice)
§ Use the audit trail to prove the controls are working
§ Keep the data to match with the standard’s retention policy (typically 7 years)
§ Real-time controls put in place to alert when transactions don’t meet the standard
THE COMMON DENOMINATOR
The Application is using SQL Server to Store Sensitive Data within the Database
THE THREE QUESTION AUDITOR CHALLENGE
§ Who has access to the sensitive data and how are they getting that access?
§ Can you prove that the right people are accessing the data (and that the wrong people are not)?
§ Can you also prove that the audit trail being used to validate the controls has not been tampered with in any way (immutable source)?
QUESTION 1: WHO HAS ACCESS TO THE SENSITIVE DATA
CHALLENGES:
• Must know where the sensitive data resides in order to report on who has access
• Must understand how permissions are being applied to the areas which are sensitive and how people are getting to the data (AD group, Inheritance, Role Membership, etc.)
• Whatever is identified must be validated by the auditor / compliance officer before moving on to the second question
QUESTION 2: CAN YOU PROVE THAT THE RIGHT PEOPLE ARE ACCESSING THE DATA (AND THAT THE WRONG PEOPLE ARE NOT)
CHALLENGES:
• Be able to easily report and show access related to the user, object, application, etc.
• Be able to show the who, what, when, and where of every transaction related to the sensitive data
• Be able to automate the delivery of this information on an ongoing basis
• Whatever is identified must be validated by the auditor / compliance officer before moving on to the third question
QUESTION 3: CAN YOU PROVE THE AUDIT TRAIL ITSELF HAS NOT BEEN TAMPERED WITH IN ANY WAY?
CHALLENGES:
• Be able to show immutability of the audit data using hashing or CRC checks
• Can be quite complex
• Integrity of the data is essential to passing the audit. Even if the audit trail shows compliance – many auditors will not trust the information without some form of integrity check of the audit trail itself.
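Added example, not from the deck and not IDERA's product code: a hash-chained audit trail in Python that commits each who/what/when/where entry to its predecessor, so editing or deleting a record breaks the chain, while a head hash kept outside the database catches truncation of the newest entries (a plain CRC per row would not). The logins, instance name and statements are constructed sample data.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Constructed sample events in the who/what/when/where shape the deck
# describes; logins and instance name are hypothetical, not captured trace data.
SAMPLE_EVENTS = [
    {"who": "CORP\\jdoe", "what": "SELECT name FROM dbo.Patients",
     "when": "2016-03-01T09:15:02Z", "where": "SQL01\\PROD"},
    {"who": "CORP\\svc_app", "what": "UPDATE dbo.Patients SET phone=...",
     "when": "2016-03-01T09:16:40Z", "where": "SQL01\\PROD"},
    {"who": "CORP\\mallory", "what": "SELECT ssn FROM dbo.Patients",
     "when": "2016-03-01T09:20:11Z", "where": "SQL01\\PROD"},
]
GENESIS = "0" * 64  # prev_hash of the very first entry

def entry_hash(prev_hash: str, event: Dict[str, str]) -> str:
    # Canonical JSON so that field order cannot change the digest.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def build_chain(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Append each event with a hash committing to it and to its predecessor."""
    chain, prev = [], GENESIS
    for event in events:
        digest = entry_hash(prev, event)
        chain.append({**event, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain

def verify_chain(chain: List[Dict[str, str]]) -> Optional[int]:
    """Return None if every link holds, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        event = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(prev, event):
            return i
        prev = entry["hash"]
    return None

def verify_anchored(chain: List[Dict[str, str]], expected_head: str) -> bool:
    """Chain check plus a head hash stored outside the database (e.g. handed to
    the auditor), which also catches silent removal of the newest entries."""
    if verify_chain(chain) is not None:
        return False
    head = chain[-1]["hash"] if chain else GENESIS
    return head == expected_head
```

The head hash is only as trustworthy as where it is kept: record it somewhere the DBA cannot rewrite (a separate system or the auditor's own notes) each time the trail is exported.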
§ FOCUS: SQL COMPLIANCE MANAGER
SQL COMPLIANCE MANAGER
Monitor, Audit, and Alert SQL Server Activity and Data Changes
• Audit sensitive data – see who did what, when, where, and how
• Track changes – data access, failed logins, schema changes, and more
• Uncover threats – get alerts of suspect activity by users or hackers
• Satisfy audits – have the data to meet PCI, HIPAA, FERPA and SOX compliance
• Generate reports – 25 built-in reports to validate audit trails
• Low overhead – reduce footprint with light data collection agent
Security & Compliance
HOW SQL COMPLIANCE MANAGER WORKS
[Architecture diagram. Components: SQL compliance manager management console; SQL compliance manager repository & collection server; SQL Server instances, each running the SQL compliance manager agent; MS SQL Server Reporting Services (SSRS); read-only auditors console. Connection labels: Windows Authentication; TCP/IP ports 5200, 5201. Callouts: real-time monitoring of logstream data; pre-defined audit reports; the lite SQL compliance agent captures SQL Server trace logstream data (what, when, who); data filtering; security/change alerting.]
Database repository version must be equal to or higher than the version being audited.
FREE TOOL TO FIND THE SENSITIVE DATA: SQL COLUMN SEARCH
https://www.idera.com/productssolutions/freetools/sql-column-search
QUICK DEMONSTRATION: IDERA SQL COMPLIANCE MANAGER