SQL Server 2017+ and Azure SQL DB: Security Smackdown
Transcript of SQL Server 2017+ and Azure SQL DB: Security Smackdown
SQLintersection, Thursday, June 13th 2019
11:15am - 12:30pm
SQL Server 2017+ and Azure SQL DB: Security Smackdown
David Pless
© SQLintersection. All rights reserved. http://www.SQLintersection.com
▪ SQL Server Security Features Overview
Row Level Security
Dynamic Data Masking
Transparent Data Encryption
Always Encrypted
Advanced Threat Detection
▪ SQL Server Management Studio Improvements
Data Classification / Vulnerability Assessments
▪ The Rising Threats:
Ransomware
Spectre / Meltdown
Security Topics
Why SQL Security Intelligence?
Common threats
• SQL injection
• Brute force access
• Password cracking
• Credential theft/leak
• Privilege abuse
Secure your database
1. Discover sensitive data
2. Identify & remediate SQL vulnerabilities
3. Detect & remediate suspicious database activities
4. Meet security regulations requirements
Common regulations
• GDPR (Personal)
• PCI (Payment)
• HIPAA (Health)
• FedRAMP (Government)
• No organization is immune to data breaches and security incidents
• 75% perpetrated by outsiders, while 25% involved internal actors
Security Landscape
Protecting Data (Available)
• TLS (link)
• TDE
• Dynamic Data Masking
• Always Encrypted
• Secure Enclaves
Tracking Activities / Assessment (Available)
• Data Discovery & Classification
• Vulnerability Assessment
• Advanced Threat Detection
• SQL Database Auditing with Power BI
• Azure Activity Log to Event Hubs
Limiting Access (Available)
• Row-level Security
• Firewall
• Users & Permissions
• SQL Authentication
• Azure Active Directory Authentication
Compliance:
• Microsoft Azure Trust Center
Monitoring:
• Azure Security Center
• Azure Advisor and Monitor
Row Level Security
• Azure SQL Database
• Azure SQL Managed Instance
• SQL Server 2016 / 2017 / 2019
• Fine-grained access control over specific rows in a database table
• Help prevent unauthorized access when multiple users share the same tables, or to implement connection filtering in multitenant applications
• Administer via SSMS, Azure Data Studio or SQL Server Data Tools
• Enforcement logic inside the database and schema is bound to the table
Protect data privacy by ensuring the right access across rows
SQL Database
The Need for Row Level Security (RLS)
Diagram: Client App, Customer 1, Customer 2, Customer 3, one SQL Database.
Row Level Security Concepts
    CREATE SECURITY POLICY mySecurityPolicy
    ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime) ON dbo.patients
Predicate function: user-defined inline table-valued function (iTVF) implementing security logic. Can be arbitrarily complicated, containing joins with other tables.
Security predicate: binds a predicate function to a particular table, applying it for all queries. Two types: filter predicates and blocking predicates.
Security policy: collection of security predicates for managing security across multiple tables.
What about performance? Inline functions get optimized to provide comparable performance to views, as if the logic were directly embedded in the original query statement.
Security Predicates
RLS supports two types of security predicates:
• Filter Predicates silently filter rows available to read operations (SELECT, UPDATE, and DELETE)
• Block Predicates explicitly block write operations (AFTER INSERT, AFTER UPDATE, BEFORE UPDATE, BEFORE DELETE) that violate the predicate
Access to row-level data in a table is restricted by a security predicate defined as an inline table-valued function, which is invoked and enforced by a security policy
• For filter predicates, there is no indication to the application that rows have been filtered from the result set; if all rows are filtered, an empty set is returned
• For block predicates, any operation that violates the predicate will fail with an error
    -- Create a new schema and predicate function, which will use the
    -- application user ID stored in SESSION_CONTEXT to filter rows.
    CREATE SCHEMA Security;
    GO
    CREATE FUNCTION Security.fn_securitypredicate(@AppUserId int)
    RETURNS TABLE WITH SCHEMABINDING AS
    RETURN SELECT 1 AS fn_securitypredicate_result
    WHERE DATABASE_PRINCIPAL_ID() = DATABASE_PRINCIPAL_ID('AppUser')
      AND CAST(SESSION_CONTEXT(N'UserId') AS int) = @AppUserId;
    GO
    -- Create a security policy that adds this function as a filter
    -- predicate and a block predicate on Sales.
    CREATE SECURITY POLICY Security.SalesFilter
    ADD FILTER PREDICATE Security.fn_securitypredicate(AppUserId) ON dbo.Sales,
    ADD BLOCK PREDICATE Security.fn_securitypredicate(AppUserId) ON dbo.Sales AFTER INSERT
    WITH (STATE = ON);
CREATE SECURITY POLICY creates a security policy for row-level security
The example above demonstrates the use of the CREATE SECURITY POLICY syntax
For an example of a complete security policy scenario, see Row-Level Security
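As an added example (not from the session's slides), the script below creates a constructed dbo.Sales table, applies the SESSION_CONTEXT-based policy shown above, and checks both behaviours described on the Security Predicates slide: the filter predicate silently hides the other user's rows, and the block predicate rejects an insert written on another user's behalf with an error. Table columns, sample rows and the grants to the AppUser principal are my assumptions; run it in a scratch database where you are db_owner.

```sql
-- Added example (not from the slides): exercising a SESSION_CONTEXT-based RLS policy
-- on a constructed dbo.Sales table through a single shared database user "AppUser".
CREATE TABLE dbo.Sales (
    OrderId   int IDENTITY PRIMARY KEY,
    AppUserId int NOT NULL,                 -- end user the row belongs to
    Product   nvarchar(50) NOT NULL
);
INSERT INTO dbo.Sales (AppUserId, Product)
VALUES (1, N'Valve'), (1, N'Gasket'), (2, N'Pump');

CREATE USER AppUser WITHOUT LOGIN;          -- the shared application identity (assumed)
GRANT SELECT, INSERT ON dbo.Sales TO AppUser;
GO
CREATE SCHEMA Security;
GO
-- Predicate: only the application principal, and only rows tagged with the
-- end-user id the application placed in SESSION_CONTEXT.
CREATE FUNCTION Security.fn_securitypredicate(@AppUserId int)
RETURNS TABLE WITH SCHEMABINDING AS
RETURN SELECT 1 AS fn_securitypredicate_result
WHERE DATABASE_PRINCIPAL_ID() = DATABASE_PRINCIPAL_ID('AppUser')
  AND CAST(SESSION_CONTEXT(N'UserId') AS int) = @AppUserId;
GO
CREATE SECURITY POLICY Security.SalesFilter
    ADD FILTER PREDICATE Security.fn_securitypredicate(AppUserId) ON dbo.Sales,
    ADD BLOCK PREDICATE  Security.fn_securitypredicate(AppUserId) ON dbo.Sales AFTER INSERT
WITH (STATE = ON);
GO
-- Simulate the application: impersonate AppUser and mark the session as end user 1.
-- @read_only = 1 means nothing later in the session (including an injected
-- statement) can change the value.
EXECUTE AS USER = 'AppUser';
EXEC sp_set_session_context @key = N'UserId', @value = 1, @read_only = 1;

-- Filter predicate: returns only user 1's two rows, with no hint that row 3 exists.
SELECT OrderId, AppUserId, Product FROM dbo.Sales;

-- Block predicate: a row for the current end user is accepted ...
INSERT INTO dbo.Sales (AppUserId, Product) VALUES (1, N'Hose');
-- ... but a row written on behalf of user 2 fails (Msg 33504, block predicate conflict).
INSERT INTO dbo.Sales (AppUserId, Product) VALUES (2, N'Motor');
REVERT;

-- The predicate returns no row for any principal other than AppUser, so even db_owner
-- sees nothing while the policy is on. Disable it for an audit of the full table.
ALTER SECURITY POLICY Security.SalesFilter WITH (STATE = OFF);
SELECT COUNT(*) AS TotalRows FROM dbo.Sales;   -- 4: three seeded rows plus 'Hose'
```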
Row Level Security – Application Scenario
Configure Row Level Security (End to End Example)
1. Create user accounts to test Row-Level Security
    USE AdventureWorks2014;
    GO
    CREATE USER Manager WITHOUT LOGIN;
    CREATE USER SalesPerson280 WITHOUT LOGIN;
2. Grant read access to users on a required table
    GRANT SELECT ON Sales.SalesOrderHeader TO Manager;
    GRANT SELECT ON Sales.SalesOrderHeader TO SalesPerson280;
3. Create a new schema and inline table-valued function
    CREATE SCHEMA Security;
    GO
    CREATE FUNCTION Security.fn_securitypredicate(@SalesPersonID AS int)
    RETURNS TABLE WITH SCHEMABINDING AS
    RETURN SELECT 1 AS fn_securitypredicate_result
    WHERE ('SalesPerson' + CAST(@SalesPersonID AS VARCHAR(16)) = USER_NAME())
       OR (USER_NAME() = 'Manager');
    GO
4. Create a security policy, adding the function as both a filter and block predicate on the table
    CREATE SECURITY POLICY SalesFilter
    ADD FILTER PREDICATE Security.fn_securitypredicate(SalesPersonID) ON Sales.SalesOrderHeader,
    ADD BLOCK PREDICATE Security.fn_securitypredicate(SalesPersonID) ON Sales.SalesOrderHeader
    WITH (STATE = ON);
5. Execute the query to the required table so that each user sees the result (can also alter the security policy to disable)
Database
How Row Level Security Works
Diagram actors: Policy Manager, Security Policy, Application, Patients table.
    CREATE FUNCTION dbo.fn_securitypredicate(@wing int)
    RETURNS TABLE WITH SCHEMABINDING AS
    RETURN SELECT 1 AS [fn_securitypredicate_result] FROM
    StaffDuties d INNER JOIN Employees e
    ON (d.EmpId = e.EmpId)
    WHERE e.UserSID = SUSER_SID() AND @wing = d.Wing;
    GO
    CREATE SECURITY POLICY dbo.SecPol
    ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON Patients,
    ADD BLOCK PREDICATE dbo.fn_securitypredicate(Wing) ON Patients
    WITH (STATE = ON);
1) Policy manager creates filter predicate and security policy in T-SQL, binding the predicate to the Patients table
2) Nurse (Employee ID=100986), using an app, selects from the Patients table:
    SELECT Name FROM Patients
3) Security Policy transparently rewrites the query to apply the filter predicate (conceptually):
    SELECT Name FROM Patients
    SEMIJOIN APPLY dbo.fn_securitypredicate(Patients.Wing);
   which is equivalent to:
    SELECT Patients.Name FROM Patients,
    StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId)
    WHERE e.UserSID = SUSER_SID() AND Patients.Wing = d.Wing;
Database
How Row Level Security Works
4) Filtered rows are returned and the nurse (Employee ID=100986) sees only the patients on her wing
Staff duties:
EmployeeId  Wing
100986      a1
206985      a2
345906      a3
331225      b1
Patients:
Wing  PatientId  Name
a1    100-207    Jones, Walker
b1    201-677    Smith, Weston
b2    898-045    Jarvis, Anne
a1    009-451    Rickmann, Earnst
b2    922-769    Gray, Jim
a1    801-345    Polka, Dorothy
Result set returned to the nurse:
Name
Jones, Walker
Rickmann, Earnst
Polka, Dorothy
Dynamic Data Masking
• Azure SQL Database
• Azure SQL Managed Instance
• SQL Server 2016 / 2017 / 2019
• On-the-fly obfuscation of data in query results
• Policy-driven on the table and column
• Multiple masking functions available for various sensitive data categories
• Flexibility to define a set of privileged logins for un-masked data access
• By default, database owner is unmasked
https://msdn.microsoft.com/en-us/library/mt130841.aspx
SQL Database
SQL Server 2016+
How Dynamic Data Masking Works
Diagram: Table.CreditCardNo values 4465-6571-7868-5796, 4468-7746-3848-1978, 4484-5434-6858-6550 shown with real-time, partial masking applied
Limit sensitive data exposure by obfuscating data to non-privileged users
How Dynamic Data Masking Works
Security Officer:
    ALTER TABLE [Employee] ALTER COLUMN [SocialSecurityNumber]
    ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",2)');
    ALTER TABLE [Employee] ALTER COLUMN [Email] ADD MASKED WITH (FUNCTION = 'email()');
    ALTER TABLE [Employee] ALTER COLUMN [Salary] ADD MASKED WITH (FUNCTION = 'random(1,20000)');
    GRANT UNMASK TO hrsupervisor;
1) Security officer defines dynamic data masking policy in T-SQL over sensitive data in Employee table
2) App user selects from Employee table:
    SELECT [Name], [SocialSecurityNumber], [Email], [Salary] FROM [Employee]
3) Dynamic Data Masking policy obfuscates the sensitive data in the query results for the non-privileged login; the hrsupervisor login sees the unmasked values
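An added example, not from the slides, extends the security officer's policy above to a constructed Employee table (plus a default() mask on a phone column), reads it back as the non-privileged login and as the UNMASK grantee, and inventories the policy from sys.masked_columns. Table, rows and principal names are assumptions. DDM rewrites result sets only and is not encryption, so it complements the grants shown here and the Always Encrypted material later rather than replacing them.

```sql
-- Added example (not from the slides): DDM policy on a constructed dbo.Employee table,
-- viewed as a non-privileged user and as an UNMASK grantee.
CREATE TABLE dbo.Employee (
    EmployeeId           int IDENTITY PRIMARY KEY,
    Name                 nvarchar(60)  NOT NULL,
    SocialSecurityNumber char(11)      NOT NULL,
    Email                nvarchar(100) NOT NULL,
    Salary               money         NOT NULL,
    HomePhone            varchar(20)   NULL
);
INSERT INTO dbo.Employee (Name, SocialSecurityNumber, Email, Salary, HomePhone)
VALUES (N'Ava Stone', '123-45-6789', N'ava.stone@example.com', 84000, '555-0100'),
       (N'Raj Patel', '987-65-4321', N'raj.patel@example.com', 91000, NULL);

-- Masks: keep the last 2 SSN digits, the first letter of the e-mail address,
-- a random salary in a bounded range, and the type default (xxxx) for the phone.
ALTER TABLE dbo.Employee ALTER COLUMN SocialSecurityNumber
    ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",2)');
ALTER TABLE dbo.Employee ALTER COLUMN Email     ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.Employee ALTER COLUMN Salary    ADD MASKED WITH (FUNCTION = 'random(1,20000)');
ALTER TABLE dbo.Employee ALTER COLUMN HomePhone ADD MASKED WITH (FUNCTION = 'default()');

CREATE USER AppReader    WITHOUT LOGIN;   -- non-privileged application login (assumed)
CREATE USER HrSupervisor WITHOUT LOGIN;   -- plays the slide's hrsupervisor role
GRANT SELECT ON dbo.Employee TO AppReader, HrSupervisor;
GRANT UNMASK TO HrSupervisor;             -- database-wide unmask, as on the slide

EXECUTE AS USER = 'AppReader';
SELECT Name, SocialSecurityNumber, Email, Salary, HomePhone FROM dbo.Employee;
-- Ava Stone | XXX-XX-89 | aXX@XXXX.com | <random 1..20000> | xxxx
-- Raj Patel | XXX-XX-21 | rXX@XXXX.com | <random 1..20000> | NULL  (NULL stays NULL)
REVERT;

EXECUTE AS USER = 'HrSupervisor';
SELECT Name, SocialSecurityNumber, Email, Salary, HomePhone FROM dbo.Employee;
-- full plaintext values for the UNMASK grantee
REVERT;

-- Inventory of the masking policy, the view a security officer reviews.
SELECT OBJECT_SCHEMA_NAME(object_id) AS schema_name,
       OBJECT_NAME(object_id)        AS table_name,
       name                          AS column_name,
       masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```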
Combine with Row Level Security!
4) Data masking obscures columns, row level security filters rows
Leveraging Row Level Security and Dynamic Data Masking
SQL Server 2016 / 2017+ (T-SQL)
Azure SQL Database Portal
Application Example
Demonstration
Transparent Data Encryption (TDE)
• Azure SQL Database
• Azure SQL Managed Instance
• SQL Server 2008+ Enterprise Edition
Protects the user database and all of its backups, transaction logs and TempDB
Alternatively: 2 T-SQL statements
Azure SQL DB manages your keys (Service managed TDE)
BYOK support
Using Intel's AES-NI hardware acceleration
Transparent Data Encryption - How It Works
Diagram: Customer A and Customer B databases, with keys handled by the SQL DB Management Service
Best Practice: Enable Transparent Data Encryption on all databases
On Premise vs. Azure: Implementing TDE
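Added example (not from the slides): the on-premises T-SQL sequence behind "Implementing TDE", including the certificate backup a practitioner must not skip, followed by the DMV check that confirms encryption state. Database name, certificate name, file paths and passwords are placeholders; the edition requirement per the slide is Enterprise, and Standard Edition gained TDE in SQL Server 2019.

```sql
-- Added example (not from the slides): enabling TDE on an on-premises database "AppDb".
-- The two statements the slide counts are the last two (DEK creation and SET ENCRYPTION ON);
-- the master key and certificate must exist in master first.
USE master;
GO
-- 1) Database master key in master (skip if master already has one).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO
-- 2) Certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for AppDb';
GO
-- 3) Back up the certificate and private key now and store them off the server:
--    without them, the database and every TDE-encrypted backup of it cannot be
--    restored anywhere else (the usual ransomware / DR recovery failure).
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\KeyBackup\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\KeyBackup\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong private key password>');
GO
USE AppDb;
GO
-- 4) The DEK, protected by the certificate; use AES_256.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
-- 5) Turn encryption on; a background scan encrypts the existing pages.
ALTER DATABASE AppDb SET ENCRYPTION ON;
GO
-- Verify: encryption_state 3 = encrypted, 2 = encryption in progress. tempdb appears
-- as well, because it is encrypted as soon as any user database on the instance is.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       k.percent_complete,
       k.key_algorithm,
       k.key_length,
       c.name        AS certificate_name,
       c.expiry_date
FROM sys.dm_database_encryption_keys AS k
LEFT JOIN master.sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint;
```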
Always Encrypted
• Azure SQL Database
• Azure SQL Managed Instance
• SQL Server 2016 / 2017 / 2019
Always Encrypted - Protect your Data at Rest and In-Motion without impacting database performance
Always Encrypted
Diagram: a trusted app issues the query
    SELECT Name FROM Patients WHERE SSN=@SSN
    @SSN='198-33-0987'
The enhanced ADO.NET library on the client side, holding the Column Master Key, uses the Column Encryption Key to encrypt the parameter before it leaves the app, so SQL Server receives
    SELECT Name FROM Patients WHERE SSN=@SSN
    @SSN=0x7ff654ae6d
dbo.Patients as the application sees it (plaintext):
Name           SSN          Country
Denny Usher    198-33-0987  USA
Alicia Hodge   123-82-1095  USA
Philip Wegner  243-24-9812  USA
dbo.Patients as stored in SQL Server (ciphertext):
Name           SSN           Country
Denny Usher    0x7ff654ae6d  USA
Alicia Hodge   0y8fj754ea2c  USA
Philip Wegner  1x7fg655se2e  USA
The result set travels back as ciphertext and is decrypted by the client driver.
Without the keys, anyone querying the column directly on the server sees only ciphertext:
    > SELECT SSN FROM dbo.Patients
    0x7ff654ae6d
    0y8fj754ea2c
    1x7fg655se2e
    5se20x7fy8fjk
    &#^&#%!!
Types of Encryption for Always Encrypted
Two Types of Encryption:
Randomized Encryption uses a method that encrypts data in a less predictable manner
    Encrypt('123-45-6789') = 0x17cfd50a
    Repeat: Encrypt('123-45-6789') = 0x9b1fcf32
Allows for transparent retrieval of encrypted data but NO operations. More secure.
Deterministic Encryption uses a method which always generates the same encrypted value for any given plaintext value
    Encrypt('123-45-6789') = 0x85a55d3f
    Repeat: Encrypt('123-45-6789') = 0x85a55d3f
Allows for transparent retrieval of encrypted data AND equality comparison (i.e. in WHERE clauses and Joins, DISTINCT, GROUP BY)
Security
Key Provisioning
Security Officer:
1. Generate CEKs and master key
2. Encrypt CEK
3. Store master key securely
4. Upload encrypted CEK to DB
Column master key (CMK) store: certificate store, HSM, Azure Key Vault, …
The column encryption key (CEK) reaches the database only as an encrypted CEK; the CMK never leaves its store.
Always Encrypted T-SQL Example
    CREATE COLUMN MASTER KEY MyCMK
    WITH ( KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
           KEY_PATH = 'Current User / Personal / f2260f28909d21c642a3d8e0b45a830e79a12420' );
    CREATE COLUMN ENCRYPTION KEY MyCEK
    WITH VALUES ( COLUMN_MASTER_KEY = MyCMK,
                  ALGORITHM = 'RSA_OAEP',
                  ENCRYPTED_VALUE = 0x017000_64003 );   -- value truncated on the slide
    CREATE TABLE Customers (
        Customers nvarchar(60) COLLATE Latin1_General_BIN2
            ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = MyCEK, ENCRYPTION_TYPE = RANDOMIZED,
                            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
        SSN varchar(11) COLLATE Latin1_General_BIN2
            ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = MyCEK, ENCRYPTION_TYPE = DETERMINISTIC,
                            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
        Age int NULL );
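Added example (not from the slides): a catalog query that verifies the CMK, CEK and column configuration the statements above create, and a second query that flags a CEK in the middle of a key rotation (two encrypted values, each under a different CMK). It assumes the MyCMK, MyCEK and Customers objects above exist.

```sql
-- Added example (not from the slides): verify the Always Encrypted setup from the catalog.
-- Which columns are encrypted, how (RANDOMIZED vs DETERMINISTIC), with which CEK,
-- and which CMK / key store protects that CEK.
SELECT OBJECT_SCHEMA_NAME(c.object_id) AS schema_name,
       OBJECT_NAME(c.object_id)        AS table_name,
       c.name                          AS column_name,
       c.encryption_type_desc,                    -- RANDOMIZED or DETERMINISTIC
       c.encryption_algorithm_name,
       cek.name                        AS cek_name,
       cmk.name                        AS cmk_name,
       cmk.key_store_provider_name,               -- e.g. MSSQL_CERTIFICATE_STORE
       cmk.key_path
FROM sys.columns AS c
JOIN sys.column_encryption_keys       AS cek ON cek.column_encryption_key_id = c.column_encryption_key_id
JOIN sys.column_encryption_key_values AS v   ON v.column_encryption_key_id   = cek.column_encryption_key_id
JOIN sys.column_master_keys           AS cmk ON cmk.column_master_key_id     = v.column_master_key_id
WHERE c.encryption_type IS NOT NULL
ORDER BY schema_name, table_name, column_name;

-- Rotation state: a CEK with more than one encrypted value is protected by an old
-- and a new CMK at once, i.e. a CMK rotation that has not been finished (old value
-- not yet dropped). Expected to return no rows once rotation is complete.
SELECT cek.name AS cek_name, COUNT(*) AS cmk_count
FROM sys.column_encryption_keys AS cek
JOIN sys.column_encryption_key_values AS v ON v.column_encryption_key_id = cek.column_encryption_key_id
GROUP BY cek.name
HAVING COUNT(*) > 1;
```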
Leveraging Always Encrypted
Encrypting Data In Place and In Motion
Demonstration
Always Encrypted with Secure Enclaves
Diagram: the enhanced client driver sends ciphertext to SQL Server; only inside the secure enclave is it handled as plaintext
Protects sensitive data in use while enabling rich computations and in-place encryption
Processing sensitive data inside SQL Enclave
SQL Server Engine delegates operations on encrypted data to an enclave, where the data can be safely decrypted and processed
Rich Computations
Initially, supports pattern matching (LIKE) and range queries (<, >, etc.). More operations to be supported later: sorting, type conversions, intrinsic functions, and more
In-place Encryption
SQL Enclave can perform initial data encryption and key rotation, without moving the data out of the database
Advanced Threat Detection
• SQL injection
• Unusual database access patterns
• Potential risks / vulnerabilities
“SQL Injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).”
– Wikipedia
Example Trend
Advanced Threat Detection Detects Suspicious Database Activities
✓ Just turn it ON
✓ Detects potential vulnerabilities and SQL injection attacks
✓ Detects unusual behavior activities
✓ Actionable alerts which recommend how to investigate & remediate
Diagram: Apps, Azure SQL Database, Audit Log, Threat Detection
(1) Turn on Threat Detection
(2) Possible threat to access / breach data
(3) Real-time actionable alerts
*It costs $15/server/month, first 60 days for free.
Azure Advanced Threat Detection
SQL Server Injection Attacks
Alerts and Monitoring
Demonstration
SQL Server Management Studio
• New Features in SSMS 17.4+
• Azure SQL DB and Azure SQL DB Managed Instance
• Azure Security Center
SQL Server Vulnerability Assessment (17.4+)
A One-Stop-Shop to Track and Improve your SQL Security State
Azure SQL Database
Vulnerability Assessment
Identifies, tracks, resolves SQL security vulnerabilities
▪ Just run a scan
▪ Discover sensitive data that is not protected
▪ Identify and remediate security misconfigurations
▪ Coherent report that helps meet compliance requirements
▪ SQL Server 2017 and Azure SQL Database
SQL Server On-Prem
Azure SQL Database
SQL Data Discovery and Classification (17.5+)
▪ New tool built into SQL Server Management Studio (SSMS)
▪ For discovering, classifying, labeling and reporting the sensitive data (Financial, healthcare, PII, etc.)
▪ Helping meet data privacy standards and regulatory compliance requirements, such as GDPR
▪ Controlling access to and hardening the security of databases/columns containing highly sensitive data
▪ Data Discovery & Classification is supported for SQL Server 2008 and later
sys.sensitivity_classifications
SQL Data Discovery and Classification
    ADD SENSITIVITY CLASSIFICATION TO dbo.sales.price, dbo.sales.discount
    WITH (LABEL='Highly Confidential', INFORMATION_TYPE='Financial')
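Added example (not from the slides): classifying constructed dbo.Sales columns as on the slide, then reporting coverage and gaps from sys.sensitivity_classifications. This catalog view and the ADD SENSITIVITY CLASSIFICATION statement exist on SQL Server 2019 and Azure SQL Database; on the older versions SSMS 17.5 supports, classification is stored as extended properties instead. Table and column names are assumptions; run it in a scratch database.

```sql
-- Added example (not from the slides): classify columns, then report what is and is
-- not classified. The view stores object/column ids (major_id/minor_id), not names,
-- so the report joins sys.tables / sys.columns to make it readable.
CREATE TABLE dbo.Sales (
    SaleId    int IDENTITY PRIMARY KEY,
    Price     money         NOT NULL,
    Discount  decimal(5,2)  NOT NULL,
    CardLast4 char(4)       NULL
);
GO
ADD SENSITIVITY CLASSIFICATION TO dbo.Sales.Price, dbo.Sales.Discount
    WITH (LABEL = 'Highly Confidential', INFORMATION_TYPE = 'Financial');
-- RANK (NONE/LOW/MEDIUM/HIGH/CRITICAL) is what SQL Audit surfaces with the access event.
ADD SENSITIVITY CLASSIFICATION TO dbo.Sales.CardLast4
    WITH (LABEL = 'Confidential', INFORMATION_TYPE = 'Credit Card', RANK = HIGH);
GO
-- Coverage report: every classified column with its label, type and rank.
SELECT s.name AS schema_name, t.name AS table_name, c.name AS column_name,
       sc.label, sc.information_type, sc.rank_desc
FROM sys.sensitivity_classifications AS sc
JOIN sys.tables  AS t ON t.object_id = sc.major_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
JOIN sys.columns AS c ON c.object_id = sc.major_id AND c.column_id = sc.minor_id
ORDER BY schema_name, table_name, column_name;

-- Gap check for the assessment: user tables with no classified column at all.
SELECT s.name AS schema_name, t.name AS table_name
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE NOT EXISTS (SELECT 1
                  FROM sys.sensitivity_classifications AS sc
                  WHERE sc.major_id = t.object_id)
ORDER BY schema_name, table_name;
```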
SQL Server Management Studio Improvements (17.5+)
SQL Server Vulnerability Assessment
SQL Data Discovery and Classification
Demonstration
What’s the Best Bet? (Cover your bases)
▪ TLS/SSL - uses encryption to protect the transfer of application data
▪ Use TDE to protect data at rest and tempdb
▪ Use Row Level Security and DDM to limit and protect data specifics
▪ Always Encrypted (with enclaves) to protect data in motion
If you cannot use Always Encrypted, leverage DDM
▪ Audit sensitive columns – if a column is worth masking or encrypting, it is worth auditing
Consider 3rd party solutions for auditing large environments with alerting
▪ Use static data masking on any copy of your data made for non-production purposes, bearing in mind the data's risk level
▪ Use vulnerability assessments to run a regular security health check
Implement regular independent audits
Addressing Recent Security Vulnerabilities and Risks
• Spectre and Meltdown
• Ransomware
WannaCry
Spectre
Meltdown
Threats on the Rise
To take advantage of available protections, follow these steps to get the latest updates for both software and hardware:
1. Make sure your antivirus software is up to date
2. Keep your device up to date by turning on automatic updates
3. Check that you’ve installed the latest Windows operating system security update from Microsoft. If automatic updates are turned on, the updates should be automatic, but you should still confirm
4. Install any firmware updates from your device manufacturer
Microsoft Guidance with Spectre and Meltdown
Note: Customers who only install the latest security updates will not be fully protected. You will need to update both your hardware and your software to fix this vulnerability.
Note: Firmware updates should be available on your device manufacturer's website
IMPORTANT: Protect SQL Server from attacks on Spectre and Meltdown side-channel vulnerabilities
https://support.microsoft.com/en-us/help/4073225/guidance-protect-sql-server-against-spectre-meltdown
▪ SQL Server Security Features Overview
Transparent Data Encryption
Row Level Security
Static and Dynamic Data Masking
Always Encrypted / Always Encrypted with Enclaves
Advanced Threat Detection
▪ SQL Server Management Studio Improvements
▪ Ransomware
▪ Spectre / Meltdown
Security Overview
References
▪ Spectre Attacks: Exploiting Speculative Execution
https://spectreattack.com/spectre.pdf
▪ Meltdown
https://meltdownattack.com/meltdown.pdf
▪ Protect SQL Server from attacks on Spectre and Meltdown side-channel vulnerabilities
https://support.microsoft.com/en-us/help/4073225/guidance-protect-sql-server-against-spectre-meltdown
▪ PowerShell Script to patch Meltdown/Spectre Exploits for Windows Server
https://gallery.technet.microsoft.com/scriptcenter/Meltdown-Spectre-Script-3cd11f26
▪ Cloud Cybersecurity in Healthcare: Thoughts on Spectre & Meltdown
https://enterprise.microsoft.com/en-us/articles/industries/health/cloud-cybersecurity-in-healthcare-thoughts-on-spectre-meltdown/
▪ SQL Whitepaper guiding customers (SQL and GDPR Guide)
https://aka.ms/gdprsqlwhitepaper
▪ SQL Server Security Blog
http://blogs.msdn.microsoft.com/sqlsecurity/
▪ SQL Server Security | Microsoft Docs
▪ https://www.microsoft.com/GDPR/
▪ https://www.gdprbenchmark.com/
Don’t forget to complete an online evaluation!
SQL Server 2017 and Azure SQL DB: Security Smackdown
Your evaluation helps organizers build better conferences and helps speakers improve their sessions.
Questions?
Thank you!
Save the Date: Week of November 18, 2019
We’re back in Vegas baby!
www.SQLintersection.com