1. ISSA Data Security for Audit and Compliance Andrew Fryer Evangelist Microsoft Ltd

8. Authentication

17. class DataAccess { static void GetNewOrders(DateTime date, int qty) { using (NorthWindDB nw = new NorthWindDB ()) { var orders = from o in nw.Orders where o.OrderDate > date select new { o.orderID, o.OrderDate, Total = o.OrderLines.Sum(l => l.Quantity); foreach (SalesOrder o in orders) { Console.WriteLine("{0:d}{1}{2}", o.OrderDate, o.OrderId, o.Total); } } } } Data Access Code with LINQ Query syntax is native application code Data objects are first-class citizens No dynamic SQL therefore no injection

22. EKM Key Hierarchy in SQL 2008 Native Symmetric key TDE DEK key EKM Symmetric key EKM Asymmetric key SQL Server Symmetric key Asymmetric key Data Data

24. TDE – Key Hierarchy Database Master Key encrypts Certificate In Master Database DPAPI encrypts Service Master Key Service Master Key encrypts Database Master Key Certificate encrypts Database Encryption Key

25. TDE – Key Hierarchy with EKM Asymmetric Key resides on the EKM device Asymmetric Key encrypts Database Encryption Key

29. Audit Specifications Audit Security Event Log Application Event Log 0..1 Server audit specification per Audit object 0..1 DB audit specification per database per Audit object CREATE SERVER AUDIT SPECIFICATION SvrAC TO SERVER AUDIT PCI_Audit ADD (FAILED_LOGIN_GROUP); CREATE DATABASE AUDIT SPECIFICATION AuditAC TO SERVER AUDIT PCI_Audit ADD (SELECT ON Customers BY public) Server Audit Action Server Audit Action Server Audit Action Server Audit Action Server Audit Action Database Audit Action Database Audit Action Database Audit Action Database Audit Action Database Audit Action File File system Server Audit Specification Database Audit Components Database Audit Components Database Audit Components Database Audit Specification

31. Auditing Centralizing audit logs and reporting

32. Policy-Based Management Facets Conditions Policies Categories Targets

35. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.