SQL Server 2016 Security - download.microsoft.com (transcript)
Page 1
Data Platform Airlift, 21 October \\ Microsoft Lisbon Experience
SQL Server 2016 Security
3 wishes were satisfied
Luís Canastreiro
Microsoft
http://blogs.msdn.com/blogdoezequiel
Page 2
Agenda
• Row Level Security (RLS)
• Dynamic Data Masking (DDM)
• Always Encrypted
• Azure SQL Database
  • Cell Level Encryption
  • Auditing
  • TDE
  • Dynamic Data Masking
Page 3
Security Investments
• Encryption: Always Encrypted; TDE for SQL DB; TDE Perf; CLE for SQL DB; Enhancements to Crypto
• Auditing: Enhancements to SQL Audit
• Row-level Security
• Dynamic Data Masking
Page 4
Azure SQL Database: Cell Level Encryption
Page 5
Azure SQL DB vs SQL Server (on prem)
• In Azure, the key hierarchy is no longer based on an instance-specific Service Master Key (SMK); instead, the root is a certificate controlled and managed by the Azure SQL Database service, so key management is reduced to the database-scoped key hierarchy.
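The database-scoped hierarchy that remains under your control in Azure SQL Database, as an added example (not code from the deck): a database master key, a certificate protected by it, a symmetric key protected by the certificate, and cell-level encryption of one column with that key. The names AirliftCert, AirliftCardKey and dbo.Payments, the password and the inserted card number are assumed or constructed.

```sql
-- 1) Database master key (DMK): in Azure SQL Database this is the root you manage;
--    the service, not an instance SMK, protects it above this level.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password placeholder>';

-- 2) Certificate protected by the DMK
CREATE CERTIFICATE AirliftCert WITH SUBJECT = 'Cell-level encryption for Payments';

-- 3) Symmetric key protected by the certificate; this key encrypts the cells
CREATE SYMMETRIC KEY AirliftCardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE AirliftCert;

CREATE TABLE dbo.Payments (
    PaymentId  int IDENTITY PRIMARY KEY,
    CardNumber varbinary(256) NOT NULL   -- ciphertext only; the clear value is never stored
);

-- 4) Encrypt on write: the application has to open the key and call ENCRYPTBYKEY
--    itself, which is why the overview slide rates CLE's app development cost as High.
OPEN SYMMETRIC KEY AirliftCardKey DECRYPTION BY CERTIFICATE AirliftCert;
INSERT INTO dbo.Payments (CardNumber)
VALUES (ENCRYPTBYKEY(KEY_GUID('AirliftCardKey'), N'4111111111111111'));  -- constructed test value
CLOSE SYMMETRIC KEY AirliftCardKey;

-- 5) Decrypt on read. Protection is at rest: the plaintext exists in server memory here,
--    unlike Always Encrypted. A principal that cannot open the key gets NULL, not an error.
OPEN SYMMETRIC KEY AirliftCardKey DECRYPTION BY CERTIFICATE AirliftCert;
SELECT PaymentId,
       CONVERT(nvarchar(20), DECRYPTBYKEY(CardNumber)) AS CardNumber
FROM dbo.Payments;
CLOSE SYMMETRIC KEY AirliftCardKey;

-- 6) Check: the whole hierarchy is visible from the database itself
--    (sys.symmetric_keys also lists ##MS_DatabaseMasterKey##)
SELECT name, algorithm_desc, key_length FROM sys.symmetric_keys;
SELECT name, pvt_key_encryption_type_desc FROM sys.certificates;
```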
Page 6
DEMO
Page 7
Row Level Security (RLS)
Page 8
Customer Benefit
Fine-grained Access Control: keeping multi-tenant databases secure by limiting access by other users who share the same tables.
Application Transparency: RLS works transparently at query time, no app changes needed. Compatible with RLS in other leading products.
Centralized Security Logic: enforcement logic resides inside the database and is schema-bound to the table it protects, providing greater security. Reduced application maintenance and complexity.
Store data intended for many consumers in a single database/table while at the same time restricting row-level read & write access based on users' execution context.
Page 9
RLS Concepts
• Predicate function: user-defined inline table-valued function (iTVF) implementing the security logic
  • Can be arbitrarily complicated, containing joins with other tables
• Security predicate: applies a predicate function to a particular table (SEMIJOIN APPLY)
  • Two types: filter predicates and blocking predicates
• Security policy: collection of security predicates for managing security across multiple tables

```sql
CREATE SECURITY POLICY mySecurityPolicy
ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime) ON dbo.patients
```
Page 10
How It Works

Policy manager (T-SQL):

```sql
-- Predicate function: returns a row only when the calling user is on duty in the given wing.
-- Schema binding requires two-part (schema.table) names for the referenced tables.
CREATE FUNCTION dbo.fn_securitypredicate(@wing int)
RETURNS TABLE WITH SCHEMABINDING AS
RETURN SELECT 1 AS [fn_securitypredicate_result]
FROM dbo.StaffDuties d INNER JOIN dbo.Employees e
    ON (d.EmpId = e.EmpId)
WHERE e.UserSID = SUSER_SID() AND @wing = d.Wing;

-- Security policy: binds the predicate to the Wing column of dbo.Patients and turns it on
CREATE SECURITY POLICY dbo.SecPol
ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON dbo.Patients
WITH (STATE = ON);
```

1) Policy manager creates filter predicate and security policy in T-SQL, binding the predicate to the Patients table
2) App user (e.g., nurse) selects from Patients table:

```sql
SELECT * FROM Patients
```

3) Security Policy transparently rewrites query to apply filter predicate (conceptually, a semi-join with the predicate function):

```sql
SELECT * FROM patients
SEMIJOIN APPLY dbo.fn_securitypredicate(patients.Wing);
```

which is equivalent to:

```sql
SELECT Patients.* FROM Patients,
StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId)
WHERE e.UserSID = SUSER_SID() AND Patients.wing = d.Wing;
```
Page 11
Common RLS Use Cases…
Traditional RLS workloads
• Custom business logic to determine which rows each user can SELECT, INSERT, UPDATE, DELETE based on their role, department, security level, etc.
• Target sectors: Finance, insurance, healthcare, oil/gas, Federal, etc.
Multi-tenant databases
• Ensuring tenants can only access their own rows of data in a shared database, with enforcement logic in the database rather than in the app tier
• E.g. multi-tenant shards with elastic database tools on Azure SQL Database
Reporting, analytics, data warehousing
• Different users access same database through various reporting tools, and work with different subsets of data based on their identity/role
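The multi-tenant use case above, as an added example that is not the deck's own code: both predicate types on one shared table, with the tenant taken from SESSION_CONTEXT so that an app tier using one shared login still gets per-tenant rows. The table, function and policy names and the inserted rows are assumed or constructed.

```sql
CREATE TABLE dbo.Orders (
    OrderId  int IDENTITY PRIMARY KEY,
    TenantId int NOT NULL,
    Amount   decimal(10,2) NOT NULL
);
INSERT INTO dbo.Orders (TenantId, Amount) VALUES (1, 10.00), (1, 25.50), (2, 99.99);  -- constructed rows
GO

-- Predicate function: a row qualifies only when its TenantId equals the session's tenant.
-- SESSION_CONTEXT returns sql_variant, hence the CAST. With no tenant set the comparison is
-- NULL, so the policy fails closed and returns nothing.
CREATE FUNCTION dbo.fn_tenantPredicate(@TenantId int)
RETURNS TABLE WITH SCHEMABINDING AS
RETURN SELECT 1 AS fn_result
WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS int);
GO

-- FILTER PREDICATE hides other tenants' rows from SELECT/UPDATE/DELETE;
-- BLOCK PREDICATEs stop INSERT/UPDATE from writing rows that would belong to another tenant.
CREATE SECURITY POLICY dbo.TenantPolicy
ADD FILTER PREDICATE dbo.fn_tenantPredicate(TenantId) ON dbo.Orders,
ADD BLOCK  PREDICATE dbo.fn_tenantPredicate(TenantId) ON dbo.Orders AFTER INSERT,
ADD BLOCK  PREDICATE dbo.fn_tenantPredicate(TenantId) ON dbo.Orders AFTER UPDATE
WITH (STATE = ON, SCHEMABINDING = ON);
GO

-- The app tier sets the tenant once per connection after authenticating the user;
-- @read_only = 1 means nothing later on the connection can change it.
EXEC sp_set_session_context @key = N'TenantId', @value = 1, @read_only = 1;

SELECT OrderId, TenantId, Amount FROM dbo.Orders;     -- only tenant 1's two rows come back

-- Rejected by the AFTER INSERT block predicate: the row would belong to tenant 2
INSERT INTO dbo.Orders (TenantId, Amount) VALUES (2, 1.00);

-- Check: which policies and predicates are active on the table
SELECT p.name AS policy, p.is_enabled, sp.predicate_type_desc, sp.operation_desc, sp.predicate_definition
FROM sys.security_policies p
JOIN sys.security_predicates sp ON sp.object_id = p.object_id
WHERE sp.target_object_id = OBJECT_ID('dbo.Orders');
```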
Page 12
DEMO
Page 13
Dynamic Data Masking (DDM)
Page 14
Customer Benefit
Regulatory Compliance
Sensitive Data Protection
Agility and Transparency: data is masked on-the-fly, underlying data in the database remains intact. Transparent to the application and applied according to user privilege.
Limit access to sensitive data by defining policies to obfuscate specific database fields, without affecting the integrity of the database.
Page 15
How It Works

```sql
-- Masking policy over the sensitive columns of the Employee table
ALTER TABLE [Employee] ALTER COLUMN [SocialSecurityNumber]
    ADD MASKED WITH (FUNCTION = 'Partial(0,"XXX-XX-",2)');
ALTER TABLE [Employee] ALTER COLUMN [Email]
    ADD MASKED WITH (FUNCTION = 'EMAIL()');
ALTER TABLE [Employee] ALTER COLUMN [Salary]
    ADD MASKED WITH (FUNCTION = 'RANDOM(1,20000)');
-- Principals holding UNMASK see the real values
GRANT UNMASK TO admin1;
```

1) Security officer defines dynamic data masking policy in T-SQL over sensitive data in Employee table
2) App user selects from Employee table:

```sql
SELECT [Name],
       [SocialSecurityNumber],
       [Email],
       [Salary]
FROM [Employee]
```

3) Dynamic data masking policy obfuscates the sensitive data in the query results
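A way to verify what the policy above actually returns, as an added example rather than the deck's code: masking is decided per principal at query time, so the test is to impersonate a user without UNMASK, read the table and REVERT. The table definition, the user app_reader and the inserted row are assumed or constructed.

```sql
CREATE TABLE dbo.Employee (
    Name                 nvarchar(50),
    SocialSecurityNumber char(11)      MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",2)'),
    Email                nvarchar(100) MASKED WITH (FUNCTION = 'email()'),
    Salary               int           MASKED WITH (FUNCTION = 'random(1,20000)')
);
INSERT INTO dbo.Employee VALUES (N'Ana Silva', '123-45-6789', N'ana.silva@example.com', 52000);  -- constructed row

-- A database user without a login is enough to test the policy inside the database
CREATE USER app_reader WITHOUT LOGIN;
GRANT SELECT ON dbo.Employee TO app_reader;

EXECUTE AS USER = 'app_reader';
SELECT Name, SocialSecurityNumber, Email, Salary FROM dbo.Employee;
-- Ana Silva | XXX-XX-89 | aXXX@XXXX.com | a random value between 1 and 20000
REVERT;

-- The same query as dbo (or any principal granted UNMASK) returns the stored values.
-- DDM is an obfuscation layer for result sets, not access control: a principal with SELECT
-- can still filter on a masked column, so keep the sensitive values behind real permissions
-- (or Always Encrypted) and grant UNMASK only where the clear value is required.
GRANT UNMASK TO app_reader;

-- Check: inventory of every masked column in the database and its masking function
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```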
Page 16
DEMO
Page 17
Always Encrypted
Page 18
Customer Benefit
Prevents Data Disclosure: client-side encryption of sensitive data using keys that are never given to the database system.
Queries on Encrypted Data: support for equality comparison, incl. join, group by and distinct operators.
Application Transparency: minimal application changes via server and client library enhancements.
Allows customers to securely store sensitive data outside of their trust boundary. Data remains protected from high-privileged, yet unauthorized users.
Page 19
How it Works
Client and ADO .NET sit inside the trust boundary; SQL Server or SQL Database sits outside it.
1. The application issues "SELECT Name FROM Customers WHERE SSN = @SSN" with the plaintext parameter "111-22-3333".
2. The ADO .NET client library encrypts the parameter, so the query that reaches the server carries only the ciphertext 0x7ff654ae6d.
3. dbo.Customers holds ciphertext in the encrypted columns (Name 0x19ca706fbd9a, SSN 0x7ff654ae6d) and plaintext in the others (Country USA); the server evaluates the equality on ciphertext.
4. The result set returns Name as ciphertext 0x19ca706fbd9a; the client library decrypts it to "Wayne Jefferson" before the application sees it.
Encrypted sensitive data and corresponding keys are never seen in plaintext in SQL Server.
Page 20
Types of Encryption
Randomized encryption
• Encrypt('123-45-6789') = 0x17cfd50a
• Repeat: Encrypt('123-45-6789') = 0x9b1fcf32
• Allows for transparent retrieval of encrypted data but NO operations
• More secure
Deterministic encryption
• Encrypt('123-45-6789') = 0x85a55d3f
• Repeat: Encrypt('123-45-6789') = 0x85a55d3f
• Allows for transparent retrieval of encrypted data AND equality comparison
• E.g. in WHERE clauses and joins, distinct, group by
Page 21
Key Provisioning
Security Officer:
1. Generate CEKs and Master Key (Column Encryption Key, CEK; Column Master Key, CMK)
2. Encrypt CEK with the CMK, producing the Encrypted CEK
3. Store Master Key Securely in a CMK Store: Certificate Store, HSM, Azure Key Vault, …
4. Upload Encrypted CEK to DB
Database: holds only the Encrypted CEK.
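The server-side result of the provisioning steps above, together with a table that uses both encryption types from the previous slide, as an added example (not the deck's code). Key names, the certificate path and the table are assumed; ENCRYPTED_VALUE is a placeholder, because the CEK is encrypted under the CMK on the client side (by SSMS or PowerShell, for instance) and the server only ever stores that ciphertext.

```sql
-- Step 3/4: the CMK definition is just a pointer to where the client library finds the key
CREATE COLUMN MASTER KEY CMK_Airlift
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<certificate thumbprint placeholder>'
);

-- Step 4: the CEK as uploaded, already encrypted under the CMK with RSA-OAEP
CREATE COLUMN ENCRYPTION KEY CEK_Airlift
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Airlift,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0123456789ABCDEF   -- placeholder; the real value is client-generated ciphertext
);

-- DETERMINISTIC for SSN (equality lookups such as WHERE SSN = @SSN), RANDOMIZED for Name and
-- Salary (retrieval only). A deterministic string column needs a BIN2 collation because
-- equality is then byte equality on the ciphertext, with no case or accent folding.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    Name       nvarchar(60)
               ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Airlift,
                               ENCRYPTION_TYPE = RANDOMIZED,
                               ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    SSN        char(11) COLLATE Latin1_General_BIN2
               ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Airlift,
                               ENCRYPTION_TYPE = DETERMINISTIC,
                               ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    Salary     int
               ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Airlift,
                               ENCRYPTION_TYPE = RANDOMIZED,
                               ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    Country    nvarchar(40)
);

-- Check: everything the server knows about the keys; no plaintext key material appears anywhere
SELECT c.name AS column_name, c.encryption_type_desc, c.encryption_algorithm_name, cek.name AS cek_name
FROM sys.columns c
JOIN sys.column_encryption_keys cek ON cek.column_encryption_key_id = c.column_encryption_key_id
WHERE c.object_id = OBJECT_ID('dbo.Customers');

SELECT cmk.name, cmk.key_store_provider_name, cmk.key_path, v.encryption_algorithm_name
FROM sys.column_master_keys cmk
JOIN sys.column_encryption_key_values v ON v.column_master_key_id = cmk.column_master_key_id;
```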
Page 22
DEMO
Page 23
Azure SQL Database: Auditing
Page 24
Enable Auditing
Page 25
Deep analysis of Azure SQL DB Audit log data
Page 26
Deep analysis of Azure SQL DB Audit log data
Page 27
DEMO
Page 28
Azure SQL Database: Transparent Data Encryption (TDE)
Page 29
General Availability since 14/10/2015
• TDE for Azure SQL Database is based on SQL Server TDE technology, which encrypts the storage of an entire database by using an industry standard AES-256 symmetric key called the database encryption key. SQL Database protects this database encryption key with a service managed certificate. All key management for database copying, geo-replication, and database restores anywhere in SQL Database is handled by the service. To enable it on your database, in the Azure preview portal, click ON, and then click Save.
• Transparent Data Encryption for Azure SQL Database is built on the Transparent Data Encryption feature that has been running reliably in SQL Server since 2008. Updates to this core technology include support for Intel AES-NI hardware acceleration of encryption, which reduces the overhead of turning on Transparent Data Encryption.
Page 30
Enable TDE (Azure Management Portal)
Page 31
Enable TDE (SQL Server Management Studio)
```sql
-- Create the DEK based on the service-managed server certificate (not mandatory in
-- Azure SQL Database, where the service creates it when encryption is turned on)
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE ##MS_TdeCertificate##;
-- Check the DEK list
SELECT * FROM sys.dm_database_encryption_keys;
-- Enable TDE
ALTER DATABASE AIRLIFT SET ENCRYPTION ON;
```
Page 32
DEMO
Page 33
Overview of Encryption Technologies

| Feature / Capability | Always Encrypted | Transparent Data Encryption | Cell-level Encryption | "Ad-hoc" Client-side Encryption |
|---|---|---|---|---|
| Level of protection | End-to-end | At-rest | At-rest | End-to-end |
| Can server see sensitive data? | No | Yes | Yes | No |
| T-SQL operations on encrypted data | Equality comparison | All (after decryption) | All (after decryption) | Possible with the appropriate encryption algo |
| App development cost to use feature | Low | Very low | High | Very High |
| Encryption granularity | Column | Database | Cell | Cell |
Page 34
Azure Active Directory Authentication: SQL Database v12
Page 35
Azure Active Directory Authentication
Central ID Management: provides an alternative to SQL authentication, helps stop the proliferation of user identities across database servers, pwd rotation in a single place.
Simplified Permission Management: customers can manage database permissions using external (AAD) groups.
Can Eliminate Storing Password: enables integrated Windows authentication and certificate-based authentication.
Giving customers a single place to manage SQL Database users and their permissions.
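Managing permissions through an AAD group as described above, as an added example that is not the deck's code. It assumes it is run as the server's Azure AD admin in the user database; the group name airlift-report-readers is assumed.

```sql
-- Contained database user mapped to an Azure AD group: SQL Database stores no password for it,
-- and joiners/leavers are handled by group membership in the directory, not on the server.
CREATE USER [airlift-report-readers] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [airlift-report-readers];

-- Check: external principals are distinguishable from SQL users in the catalog
-- (type E = external user, X = external group, S = SQL user)
SELECT name, type, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE type IN ('E', 'X', 'S')
  AND name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys');

-- A group member connecting with Azure AD authentication resolves to the group's database user,
-- while SUSER_SNAME() still carries the individual identity that audit records should show.
SELECT USER_NAME() AS database_user, SUSER_SNAME() AS login_identity;
```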
Page 37
Questions
Page 38
Thank you very much!
Page 39
SQL Server 2014: Security, Optimizer, and Columnstore Index Enhancements
Microsoft Virtual Academy: www.microsoftvirtualacademy.com
Page 40
Free Azure Trial: http://aka.ms/tryazure
Try SQL Server 2016 CTP2: http://aka.ms/trysql2016
Use Power BI for Free: http://powerbi.microsoft.com