Enforcing Compliance With Policy-Based Management
PASS Summit 2010 Preview
Ken Simmons, DBA
19 slides

Transcript of Enforcing compliancewithpbm kensimmons

Page 1: Enforcing compliancewithpbm kensimmons

Sponsored by:

PASS Summit 2010 Preview

Enforcing Compliance With Policy-Based Management

Ken Simmons, DBA

Page 2: Enforcing compliancewithpbm kensimmons

Contact Info

• Blog: http://cybersql.blogspot.com/

• Email: [email protected]

• Twitter: @KenSimmons

• LinkedIN: http://www.linkedin.com/in/kensimmons

Page 3: Enforcing compliancewithpbm kensimmons

What is Compliance?

• “Conformity in fulfilling official requirements”*
  – External Regulations
    • HIPAA
    • SOX
    • PCI
  – Internal Standards
    • Naming Conventions

*http://www.merriam-webster.com/dictionary/compliance

http://www.flickr.com/photos/dunechaser/220636504/

Page 4: Enforcing compliancewithpbm kensimmons

Why Does Compliance Matter?

• More than 494 million records have been breached since 2005*
  – Unintended Disclosure
  – Payment Card Fraud
  – Physical Loss (Non-Electronic)
  – Insider
  – Hacking or Malware
  – Portable Device Loss
  – Stationary Device Loss

*http://www.privacyrights.org/data-breach/

474 million http://www.flickr.com/photos/bheathr/2253526798

Page 5: Enforcing compliancewithpbm kensimmons

What’s The Process?

• Identify Risks
• Develop Policies To Mitigate Risks
• Ensure Policies Are Being Enforced

(Diagram: Risk Management, Compliance, Governance)

Page 6: Enforcing compliancewithpbm kensimmons

Policy-Based Management Can Help!

• Gives you the ability to define and enforce standards
• Auditors love policies
• It is NOT an Enterprise Edition feature

http://www.flickr.com/photos/dunechaser/489467800/

Page 7: Enforcing compliancewithpbm kensimmons

The BIG Picture

(Diagram: Servers connected to a SQL 2008 CMS)

Page 8: Enforcing compliancewithpbm kensimmons

EPM Framework (Enterprise Policy Management Framework)

http://epmframework.codeplex.com

Page 9: Enforcing compliancewithpbm kensimmons

PBM L33T Speak

• Targets are objects such as instances, databases, tables, etc.

• Facets expose logical groupings of properties for those objects.

• Conditions are made up of expressions exposed by the properties from a single Facet.

• A Policy evaluates a Condition against one or more Targets.

Page 10: Enforcing compliancewithpbm kensimmons

Creating Policies

• Export the Current State of an Object

• Import Predefined Policies

• Create Custom Policies Based on Facets

• Create Custom Policies using Advanced Conditions

Page 11: Enforcing compliancewithpbm kensimmons

Evaluating Policies

• On Demand
  – Can “Auto Fix” certain violations (for facet properties that can be set)
• On Schedule
  – Uses a SQL Agent job
• On Change – Log Only
  – Writes violations to the SQL Server error log and the Windows event log
• On Change – Prevent
  – Uses DDL triggers to roll back changes (only for facets whose changes happen through DDL that can be rolled back)

Page 12: Enforcing compliancewithpbm kensimmons

Demo

http://www.flickr.com/photos/winterhalter/2883847843/

Page 13: Enforcing compliancewithpbm kensimmons

Alerts

• Error Number by Evaluation Mode
  – On change: prevent (automatic), 34050
  – On change: prevent (on demand), 34051
  – On schedule, 34052
  – On change: log only, 34053

• Prerequisites
  – Configure Database Mail
  – Create Operator
  – Configure SQL Agent

Page 14: Enforcing compliancewithpbm kensimmons

Server Configuration

• Predefined Best Practice Policies
  – SAC (Surface Area Configuration) for Database Engine 2005 and 2000 Features
  – SAC for Database Engine 2008 Features
• Service Account
  – Server Facet: ServiceAccount != 'LocalSystem'
• Log Retention
  – Server Facet: NumberOfLogFiles = 99

Page 15: Enforcing compliancewithpbm kensimmons

Security

• Advanced Conditions
• No Builtin\Administrators
  • SELECT COUNT(*) FROM syslogins WHERE name = 'Builtin\Administrators'
• SA Account Disabled
  • SELECT COUNT(*) FROM sys.server_principals WHERE name = 'sa' AND is_disabled = 0

Note: Using syslogins instead of sys.server_principals allows you to evaluate SQL 2000 instances. That works for the Builtin\Administrators check but not for the sa check: syslogins has no is_disabled column, and SQL 2000 cannot disable a SQL login.
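The two login checks above as one runnable query, followed by the form they take inside a PBM Advanced condition. This is an added example, not code from the deck; it assumes SQL Server 2005 or later for sys.server_principals, and the pass/fail report shape is mine. It goes one step beyond the slide by matching the sa login on its fixed SID (0x01) rather than its name, so a renamed sa does not slip past the check.

```sql
-- Added example (not from the slides): the two login checks as a single
-- compliance query. Assumes SQL Server 2005 or later.
SELECT
    N'No BUILTIN\Administrators login' AS check_name,
    CASE WHEN EXISTS (SELECT 1 FROM sys.server_principals
                      WHERE name = N'BUILTIN\Administrators')
         THEN 'FAIL' ELSE 'PASS' END AS result
UNION ALL
SELECT
    N'sa login disabled',
    CASE WHEN EXISTS (SELECT 1 FROM sys.server_principals
                      WHERE sid = 0x01          -- sa keeps SID 0x01 even when renamed
                        AND is_disabled = 0)
         THEN 'FAIL' ELSE 'PASS' END;

-- The same checks as Advanced condition expressions (Facet: Server).
-- ExecuteSql() returns the count, which the condition compares with 0;
-- single quotes inside the query string are doubled.
--
--   ExecuteSql('Numeric', 'SELECT COUNT(*) FROM sys.server_principals WHERE name = ''BUILTIN\Administrators''') = 0
--
--   ExecuteSql('Numeric', 'SELECT COUNT(*) FROM sys.server_principals WHERE sid = 0x01 AND is_disabled = 0') = 0
--
-- For SQL 2000 targets the first check can use syslogins instead:
--
--   ExecuteSql('Numeric', 'SELECT COUNT(*) FROM syslogins WHERE name = ''BUILTIN\Administrators''') = 0
--
-- The sa check has no SQL 2000 form: syslogins has no is_disabled column,
-- and SQL 2000 cannot disable a SQL login.
```

ExecuteSql() runs under the credentials of the account evaluating the policy, so a condition built this way needs that account to have VIEW ANY DEFINITION (or sysadmin) on every target, which is worth noting in the policy description for whoever inherits it.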

Page 16: Enforcing compliancewithpbm kensimmons

Encryption

• Predefined Best Practice Policies
  – Asymmetric Key Encryption Algorithm
  – Symmetric Key Encryption for User Databases
  – Symmetric Key for master Database
  – Symmetric Key for System Databases
• Transparent Data Encryption
  – Database Facet: EncryptionEnabled = True
• Extensible Key Management
  – Server Configuration Facet: ExtensibleKeyManagementEnabled = True

Page 17: Enforcing compliancewithpbm kensimmons

Audit

• Predefined Best Practice Policies
  – SQL Server Default Trace
• Login Auditing
  – Server Audit Facet: LoginAuditLevel = All
• SQL Server Audit
  – Server Facet: AuditLevel = All
  – Audit Facet: Enabled = True & OnFailure = Shutdown
  – Database Audit Specification Facet: Enabled = True
  – Server Audit Specification Facet: Enabled = True
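To verify by hand what the Encryption and Audit facet conditions on the two slides above assert, this added query (not from the deck) reads the same state from the catalog views and the login-audit registry value on a SQL Server 2008 instance. The pass/fail report shape and the check names are mine; it assumes VIEW SERVER STATE and VIEW ANY DEFINITION, and the database audit specification row only covers the database the query runs in.

```sql
-- Added example (not from the slides): catalog-view equivalents of the
-- Encryption and Audit facet conditions, as one pass/fail report.
-- Assumes SQL Server 2008, VIEW SERVER STATE and VIEW ANY DEFINITION.
SET NOCOUNT ON;

-- Server Audit facet: LoginAuditLevel = All.
-- Registry AuditLevel: 0 = None, 1 = Successful, 2 = Failed, 3 = All
DECLARE @login_audit int;
EXEC master.dbo.xp_instance_regread
    N'HKEY_LOCAL_MACHINE',
    N'Software\Microsoft\MSSQLServer\MSSQLServer',
    N'AuditLevel', @login_audit OUTPUT;

SELECT N'Login auditing = All' AS check_name,
       CASE WHEN @login_audit = 3 THEN 'PASS' ELSE 'FAIL' END AS result

UNION ALL
-- Database facet: EncryptionEnabled = True (TDE), one row per user database
SELECT N'TDE: ' + name,
       CASE WHEN is_encrypted = 1 THEN 'PASS' ELSE 'FAIL' END
FROM sys.databases
WHERE database_id > 4          -- skip master, tempdb, model, msdb

UNION ALL
-- Server Configuration facet: ExtensibleKeyManagementEnabled = True
SELECT N'EKM provider enabled',
       CASE WHEN value_in_use = 1 THEN 'PASS' ELSE 'FAIL' END
FROM sys.configurations
WHERE name = N'EKM provider enabled'

UNION ALL
-- Audit facet: Enabled = True & OnFailure = Shutdown, one row per server audit
SELECT N'Audit: ' + name,
       CASE WHEN is_state_enabled = 1
             AND on_failure_desc = N'SHUTDOWN SERVER INSTANCE'
            THEN 'PASS' ELSE 'FAIL' END
FROM sys.server_audits

UNION ALL
-- Server Audit Specification facet: Enabled = True
SELECT N'Server audit spec: ' + name,
       CASE WHEN is_state_enabled = 1 THEN 'PASS' ELSE 'FAIL' END
FROM sys.server_audit_specifications

UNION ALL
-- Database Audit Specification facet: Enabled = True (current database only)
SELECT N'Database audit spec: ' + DB_NAME() + N'.' + name,
       CASE WHEN is_state_enabled = 1 THEN 'PASS' ELSE 'FAIL' END
FROM sys.database_audit_specifications

UNION ALL
-- An instance with no audits at all passes every per-row check above by
-- producing no rows, so assert that at least one server audit exists
SELECT N'At least one server audit exists',
       CASE WHEN EXISTS (SELECT 1 FROM sys.server_audits) THEN 'PASS' ELSE 'FAIL' END
ORDER BY check_name;
```

The last row is the caveat to remember when turning these into PBM conditions as well: a policy on the Audit facet evaluates per audit object, so a server with no audit objects has nothing to fail and reports clean.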

Page 18: Enforcing compliancewithpbm kensimmons

Resources

• Pro SQL Server 2008 Policy-Based Management
  – http://www.apress.com/book/view/9781430229100

• MSDN Policy-Based Management Blog
  – http://blogs.msdn.com/sqlpbm/

• SQL Server 2008 Compliance Guide
  – http://www.microsoft.com/downloads/details.aspx?FamilyId=6E1021DD-65B9-41C2-8385-438028F5ACC2&displaylang=en

• Deploying SQL Server 2008 Based on PCI DSS
  – http://www.parentebeard.com/Uploads/Files/Deploying_SQL_Server_2008_Based_on_PCI_DSS.PDF

Page 19: Enforcing compliancewithpbm kensimmons

Celebrating SQL Server 2008 R2

Questions?