IDERA Live | Understanding SQL Server Compliance both in the Cloud and On Premises

© 2019 IDERA, Inc. All rights reserved. 2
UNDERSTANDING SQL SERVER
COMPLIANCE BOTH IN THE CLOUD AND
ON PREMISES
▪ Kim Brushaber, Senior Product Manager, SQL Compliance Manager

© 2016 IDERA, Inc. All rights reserved. Proprietary and confidential.© 2019 IDERA, Inc. All rights reserved. 3
CLOUD COMPLIANCE

CLOUD/HYBRID COMPLIANCE VS ON PREM
▪ Processes happen faster
▪ Access points are more numerous
▪ Usage can scale up and down quickly as needed
▪ Servers are constantly changing and can be spun up or taken down
regularly
▪ Audit and Event Logs may or may not be available for you to review
▪ Physical Systems are managed by a CSP and not your IT
▪ Large CSPs are already managing security for all of their other clients

CLOUD COMPLIANCE RESPONSIBILITIES
▪ Many service providers say they are compliant with various regulations
▪ Discuss the definition of compliance with your Cloud Service Provider
(CSP) to ensure their definition fits with your compliance processes
▪ Some traditional on-premise compliance responsibilities may be deferred
to a CSP in the cloud, but many of the responsibilities are still yours
▪ The CSP maintains the physical equipment and location of it, they are
responsible for keeping those systems in compliance
▪ Ultimately, the responsibility falls on you and the way you choose to
configure your data

CLOUD COMPLIANCE AND HIPAA
▪ The HITECH Act (associated with HIPAA) states that you must notify OCR
after a breach of more than 500 individuals
▪ OCR’s breach database shows that many of the breaches are from:
• Stolen or lost laptops
• Mobile Devices
• Portable Media (IE Thumb Drives)
▪ A properly secured cloud environment could solve some of the challenges
with the exposure of these endpoints
▪ Many of the OCR’s cloud settlements deal with the lack of properly
executed BAAs (Business Associate Agreements) before uploading PHI
to the cloud

HIPAA COMPLIANCE AND BAAS
▪ Sign a Business Associate Agreement (BAA)
• The BAA needs to show that they appropriately safeguard PHI
▪ Conduct a HIPAA Security Risk Analysis with your BAA
▪ Implement HIPAA Security Safeguards
▪ Comply with the HIPAA Privacy Rule
▪ Comply with the HIPAA Breach Notification Rule

CRITERIA FOR EVALUATING CSP GDPR COMPLIANCE
▪ Security and Privacy – Do they comply with your IT Security Requirements?
• ISO 27001 or ISO 27018 certifications
▪ Risk Management – Do they conduct regular audits?
• Compliance with Article 28
▪ Data Location – Do you know where your data is stored?
• A company’s headquarters may not be where your data is hosted and it may move
around
▪ Security Features – Do they have the right security features?
• Verify if they have backup, encryption, access control policies, etc
▪ Data Ownership – Do they have Data Processing Agreements (DPAs)?
• Make sure you own your data and they can not share it with 3rd parties
▪ Deleting Data – Can you delete/erase the data?
• Confirm that they will also remove the data once you have terminated the service
▪ Breach Response – Do they have a breach response process in place?

SOX AND SOC 1 AND SOC2
▪ When it comes to SOX Compliance you want a vendor who can provide
reports known as Service Organization Controls (SOC 1 and SOC 2)
▪ SOC 1
• It includes auditor’s opinion on the effectiveness of the datacenter’s
design of controls and system and the accuracy and completeness of
those controls
▪ SOC 2
• It includes the auditor’s opinion on the security and availability of the
CSP’s systems as they relate to a set of predefined benchmarks
• It also includes opinions and results on the integrity of the systems and
privacy standards

UNDERSTANDING THE REGULATIONS

WHY WE HAVE REGULATIONS
▪ Improved Security
• Establishing a baseline keeps security levels relatively consistent across companies and
industries
▪ Minimize Loss
• Good practices in place prevents data breaches
▪ Increase Internal Control
• Reduce employee mistakes and insider theft
▪ Maintain Trust
• Customers trust people who follow set standards
▪ Reporting Consistency
• Consistent reports allow audits to go more smoothly

SOME OF THE DATA/SECURITY REGULATIONS
▪ CIS (Center for Internet Security) – Global Internet Security Standards
▪ DISA/STIG (Defense Information Systems Agency) – Anyone with Government Contracts
▪ FISMA/NIST (Federal Information Security Management Act) – All Federal Agencies
▪ FERPA (Family Education Rights and Privacy Act) – Educational Institutions
▪ GDPR (General Data Protection Regulation) – Anyone collecting data on EU Members
▪ HIPAA (Health Insurance Portability and Accountability Act) – Healthcare Institutions
▪ NERC-CIP (North American Electricity Reliability Corporation) – Electricity Providers
▪ PCI DSS (Payment Card Industry Data Security Standard) – Anyone capturing credit card data
▪ SOX (Sarbanes Oxley) – Publicly Traded Companies and management and accounting firms

PERSONALLY IDENTIFIABLE INFORMATION (PII) COVERED
BY GDPR
Any information that can be classified as personal details – or that can be used to
determine your identity
▪ Name
▪ Identification number
▪ Email address
▪ Online user identifier
▪ Social media posts
▪ Physical, physiological or genetic information
▪ Medical information
▪ Location
▪ Bank details
▪ IP address
▪ Cookies

THE DATA ASPECTS OF REGULATIONS

DATA STANDARDS VS SECURITY STANDARDS
▪ Data Standards “WHAT”
• What information needs to be protected/audited
• What you should do if your data is breached
▪ Security Standards “HOW”
• How you should configure your network
• How you should configure your systems (i.e. SQL Server, Oracle)

WHAT THE REGULATIONS LOOK FOR
▪ Reporting (And Maintaining) Audit Data
▪ Tracking User Access
▪ Protecting The Data From The Bad Guys (And Watch for Data Breaches)
▪ Planning And Having Good Processes And Response Plans
▪ Assessing Your Risks

CIS
▪ Tracking
• Capture Logins and Failed Logins

DISA STIG
▪ Reporting
• Generate audit records for DoD-defined auditable events
• Generate audit records when privileges and permissions retrieved
• Initiate session auditing upon startup
• Audit records for events identified by type, location and subject
• Capture the audit information in a centralized place
▪ Tracking
• Capture, record and log all content related to a user session
• Protect audit information from unauthorized read access, modification or deletion
▪ Planning
• Alert support staff in real time for any failure events

FISMA/NIST
▪ Tracking
• Audit access
▪ Protecting
• Monitor, report and respond to incidents
▪ Planning
• Create an audit process and certification
• Plan for contingency
• Manage your configurations
▪ Assessing
• Assess your risks
• Confirm system and information integrity

FERPA
▪ Tracking
• Document who has access to student information
• Confirm that the instructors or officials only access records for legitimate purposes
• Authorized representatives may have access to education records in connection with
an audit
▪ Planning
• Student transfers must be handled appropriately

GDPR
▪ Reporting
• Provide audit details about how that data is processed and who interacted with it
▪ Tracking
• Know who has access to PII data
▪ Protecting
• Notify the supervising authority of a breach within 72 hours
▪ Planning
• Identify PII Data
• Process data lawfully, fairly and in a way that users understand
• Limit the collection of data to only what is necessary
▪ Assessing
• Conduct impact assessments for higher risk areas

HIPAA
▪ Tracking
• Monitor log-in attempts
▪ Protecting
• Protect, detect, contain and correct security violations
• Detect breaches and notify impacted individuals
▪ Planning
• Implement security measures to reduce risks and vulnerabilities
• Implement procedures to regularly review audit logs, access reports and security
incidents
• Implement procedures to terminate access

NERC - CIP
▪ Reporting
• Log events for identification of and after-the-fact investigations of Cyber Security
Incidents
▪ Tracking
• Log failed and successful logins

PCI DSS
▪ Reporting
• Implement automated audit trails for all database events
• Retain audit trail history for at least a year
▪ Tracking
• Assign a unique identifier for each person who has access
• Actions taken on critical data must be traced to known authorized users
• Track and monitor all access to the network
• Immediately revoke access for terminated users
▪ Protecting
• Change vendor supplied defaults and disable unnecessary default accounts
• Encrypt the data
• Secure audit trails so they can not be altered
▪ Planning
• Develop configuration standards

SOX
▪ Reporting
• Report on effectiveness of company’s internal controls and procedures
• Report on who changed permissions
• Report on who changed the financial data
▪ Tracking
• Report on who accessed the financial data

LET’S TALK A LITTLE ABOUT DATA BREACH

“
Almost 15 Billion Records have been lost or
stolen since 2013. Only 4% were secure
breaches where encryption was used and
the stolen data was useless.
Breachlevelindex.com

“
Over 6.3 million data records are lost or
stolen every day.
Breachlevelindex.com

WHAT ARE THE ODDS?
▪ 1 in 960,000 – odds of being struck by lightning
▪ 1 in 220 – odds of dating a millionaire
▪ 1 in 4 – odds of experiencing a data breach
https://securityintelligence.com/know-the-odds-the-cost-of-a-data-breach-in-2017/

2018 COST PER DATA BREACH
▪ The average cost for each lost or stolen record containing sensitive and
confidential information was $148 (a 4.8% increase from the year before)
▪ The average size of a data breach was 26,000 records
▪ $148 x 26,000 ~ $3.86 M (increased 6.4% over 2018)
https://www.ibm.com/security/data-breach

“
Hospitals spend 64% more annually on
advertising for the two years following a
breach
https://healthitsecurity.com/news/hospitals-spend-64-more-on-advertising-after-a-data-breach

“
Companies that contained a breach in less
than 30 days saved more than $1 million
compared to those that took more than 30
days
(the average time to contain a breach is 69
days)
https://www.ibm.com/downloads/cas/861MNWN2

“
A mega breach of 1 million records has an
average total cost of $40 million

“
A mega breach of 50 million records has an
average total cost of $350 million

SHOCKING, RIGHT??

IDERA Live | Understanding SQL Server Compliance both in the Cloud and On Premises

More Related Content

What's hot (14)

Similar to IDERA Live | Understanding SQL Server Compliance both in the Cloud and On Premises (20)

More from IDERA Software (20)

Recently uploaded (20)

IDERA Live | Understanding SQL Server Compliance both in the Cloud and On Premises