#SQLSAT454 SQL Server 2016 New Security Features Gianluca


#SQLSAT454 Sponsors

#SQLSAT454 Gianluca Sartori
- Independent SQL Server consultant
- SQL Server MVP, MCTS, MCITP, MCT
- Has worked with SQL Server since version 7
- Scuderia Ferrari
- Blog: spaghettidba.com
- Twitter:

#SQLSAT454 Agenda
- Security Boundaries
- Always Encrypted
- Row Level Security
- Dynamic Data Masking

#SQLSAT454 Why New Security Features?
- SQL Server already has plenty of security features:
  - TDE: protects database files and backups at rest
  - Cell-Level Encryption: encrypts single values in database tables
  - SSL: protects data on the network

#SQLSAT454 Security Boundaries – Open
[Diagram: Apps and SSMS connecting to the Database; actors: Developer, DBA, Manager, User, Software Vendor, Unauthorized Users]

#SQLSAT454 Security Boundaries – Non Sensitive
[Diagram: same elements as above, plus a Copy of the database]

#SQLSAT454 Security Boundaries – Sensitive
[Diagram: same elements as above, plus a Copy of the database]

#SQLSAT454 ALWAYS ENCRYPTED

#SQLSAT454 Always Encrypted – Key Features
- Prevents Data Disclosure: end-to-end encryption of individual columns in a table, with keys that are never given to the database system.
- Queries on Encrypted Data: support for equality comparison, including JOIN, GROUP BY and DISTINCT operators.
- Application Transparency: minimal application changes via server and client library enhancements.

#SQLSAT454 Always Encrypted
- Sensitive data is encrypted at column level
- Data is protected from high-privileged users
  - DBAs
  - System Admins
  - Hackers
- Data is stored securely outside security boundaries
  - Cloud providers
  - Third parties
- The database never sees unencrypted data

#SQLSAT454 Always Encrypted – How it works
[Diagram: the Application (trusted) issues SELECT Name FROM Patients through the enhanced ADO.NET library (SQL Server Native Client / .NET 4.6), which uses the Column Master Key from the client key store to decrypt the Column Encryption Key; SQL Server (untrusted) holds dbo.Patients with the SSN column as ciphertext and returns the result set (Name: Jim Gray)]

dbo.Patients as shown on the slide:
  Name        SSN            Country
  Jane Doe    1x7fg655se2e   USA
  Jim Gray    0x7ff654ae6d   USA
  John Smith  0y8fj754ea2c   USA

#SQLSAT454 Encryption Types
- Deterministic Encryption
  - Same plaintext value → same encrypted value
  - Supports indexing, equality comparison, JOINs, DISTINCT
- Randomized Encryption
  - Same plaintext value → different encrypted value
  - Supports retrieval of encrypted data
  - No SQL operations supported

#SQLSAT454 DEMO Working with Always Encrypted

#SQLSAT454 TDE vs Always Encrypted

  Always Encrypted                      | TDE
  --------------------------------------|---------------------------------------
  Column level                          | Database level
  Client encryption                     | Server encryption
  Server doesn't know encryption keys   | Server knows encryption keys
  Data in memory is encrypted           | Data in memory is in plaintext
  Data travels the network encrypted    | Data travels the network in plaintext

#SQLSAT454 Custom encryption vs Always Encrypted

  Always Encrypted                    | Custom Encryption
  ------------------------------------|------------------------------------------
  Slight application changes          | Needs obtrusive changes
  Disallows saving plaintext data     | Plaintext data can be saved by accident
  Allows indexing of ciphertext *     |

  * depending on encryption algorithm

#SQLSAT454 Always Encrypted - Limitations
- Deterministic encryption needs a _BIN2 collation
- Not all data types supported
- Partial support for triggers
- Unsupported features:
  - Full-text search
  - Replication
  - Change Data Capture
  - In-Memory OLTP
  - Stretch Database

#SQLSAT454 What changes for Applications?
- Connection string must include a new key: Column Encryption Setting=enabled;
- Ad-hoc queries are not supported:
    SELECT SomeColumn FROM SomeTable WHERE EncryptedColumn = 'SomeValue';
- Needs correctly parameterized queries:
    SELECT SomeColumn FROM SomeTable WHERE EncryptedColumn = @SomeValue;
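The server-side objects behind the Always Encrypted slides, as an added T-SQL example that is not part of the original deck: a Column Master Key (metadata only), a Column Encryption Key (stored wrapped), a dbo.Patients table mixing deterministic and randomized columns, a metadata check a DBA or auditor can run, and the query shapes the application may and may not send. The key names, the certificate thumbprint placeholder and the ENCRYPTED_VALUE placeholder are assumptions; the wrapped CEK value must be produced on the client (SSMS wizard or the SqlServer PowerShell module), since only the client holds the CMK.

```sql
-- Added example (not from the slides). Assumptions: a certificate in the
-- client's CurrentUser\My store whose thumbprint replaces
-- <cmk-certificate-thumbprint>; ENCRYPTED_VALUE is a placeholder that must be
-- replaced by the client-generated, CMK-wrapped CEK.

-- 1. Column Master Key: the server stores only where the key lives, never the key.
CREATE COLUMN MASTER KEY CMK_Patients
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/<cmk-certificate-thumbprint>'
);
GO

-- 2. Column Encryption Key: stored only as ciphertext wrapped by the CMK.
CREATE COLUMN ENCRYPTION KEY CEK_Patients
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Patients,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0100000000   -- placeholder, replace with the client-generated value
);
GO

-- 3. Table: SSN deterministic (equality, JOIN and index allowed, needs a _BIN2
--    collation); Salary randomized (retrieval only, no predicates possible).
CREATE TABLE dbo.Patients (
    PatientId int IDENTITY(1,1) PRIMARY KEY,
    Name      nvarchar(100) NOT NULL,
    SSN       char(11) COLLATE Latin1_General_BIN2
              ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                              ENCRYPTION_TYPE = DETERMINISTIC,
                              ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    Salary    money
              ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                              ENCRYPTION_TYPE = RANDOMIZED,
                              ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL,
    Country   char(3) NOT NULL
);
GO

-- Deterministic ciphertext is stable per value, so an equality index is allowed.
CREATE INDEX IX_Patients_SSN ON dbo.Patients (SSN);
GO

-- 4. Verify which columns are encrypted, with which type, algorithm and CEK.
SELECT c.name, c.encryption_type_desc, c.encryption_algorithm_name, k.name AS cek_name
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS k
  ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE c.object_id = OBJECT_ID(N'dbo.Patients');
GO

-- 5. Query shapes, as sent by the application (shown as comments because they
--    need a client connection with Column Encryption Setting=enabled).
-- SELECT Name FROM dbo.Patients WHERE SSN = '123-45-6789';  -- fails: server cannot
--                                                           -- compare plaintext to ciphertext
-- SELECT Name FROM dbo.Patients WHERE SSN = @ssn;           -- works: the driver encrypts
--                                                           -- @ssn (bound as char(11)) with the CEK
-- SELECT Name FROM dbo.Patients WHERE Salary > 2000;        -- never works: randomized column
```

The metadata query in step 4 is the quick check that a column really is encrypted and with which type; it is also what a reviewer would run to confirm that a column meant to hold searchable data is deterministic and one meant to hold non-searchable data is randomized, because deterministic ciphertext reveals which rows share a value.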

#SQLSAT454 Always Encrypted for Existing Data
- Existing columns must be encrypted client side
- Easiest way: Import / Export wizard
- Ad-hoc wizard in SSMS 2016?

#SQLSAT454 Performance Impact

#SQLSAT454 Space Usage Impact

#SQLSAT454 Q&A Questions?

#SQLSAT454 DYNAMIC DATA MASKING

#SQLSAT454 Dynamic Data Masking – Key Features
- Limits Sensitive Data Exposure: sensitive data is masked; administrators designate how much of the sensitive data to reveal.
- Useful for Compliance: helps adhere to privacy standards imposed by regulation authorities.
- Application Transparency: no application changes; existing queries keep working.

#SQLSAT454 Dynamic Data Masking
[Diagram: dbo.Employees (Name, SSN, Salary; rows Jane Doe, Jim Gray, John Smith); a Privileged User receives unmasked data, a Non-Privileged User receives the SSN masked as XXX-XX-XXXX]

#SQLSAT454 Dynamic Data Masking
- Obfuscates data using 3 masking functions:
  - Default: depends on data type
  - Email: aXXX@XXXX.com
  - Partial: prefixXXXXXXsuffix
- Data is stored unmasked
- Masking happens on result set formation
- GRANT UNMASK to disclose data
- Works in Azure SQL Database (preview)

#SQLSAT454 Dynamic Data Masking - Limitations
- Not all data types supported
- Not intended as a complete protection feature for sensitive data
- Ad-hoc queries disclose data, e.g. WHERE Salary > 2000
- INSERT…SELECT does not preserve masking
- Some quirks
- Not suitable for handing out copies of the database to software vendors or third parties
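The three masking functions from the slides and the ad-hoc-query disclosure from the limitations slide, as an added T-SQL example that is not part of the original deck. The table, rows and the MaskedReader user are constructed for the demonstration.

```sql
-- Added example (not from the slides). Assumptions: a scratch database; the
-- MaskedReader user is created WITHOUT LOGIN so it can be impersonated.

CREATE TABLE dbo.Employees (
    EmployeeId int IDENTITY(1,1) PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    Email      nvarchar(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,                 -- aXXX@XXXX.com
    SSN        char(11)      MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NOT NULL,  -- XXX-XX-6789
    Salary     money         MASKED WITH (FUNCTION = 'default()') NOT NULL                -- 0 for numeric types
);
GO

-- Constructed sample rows; the stored values are never masked, only the output is.
INSERT INTO dbo.Employees (Name, Email, SSN, Salary) VALUES
    (N'Jane Doe',   N'jane.doe@example.com',   '123-45-6789', 2500),
    (N'Jim Gray',   N'jim.gray@example.com',   '987-65-4321', 1800),
    (N'John Smith', N'john.smith@example.com', '555-12-3456', 3100);
GO

CREATE USER MaskedReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Employees TO MaskedReader;
GO

-- Masking is applied when the result set is formed, per principal.
EXECUTE AS USER = 'MaskedReader';
SELECT Name, Email, SSN, Salary FROM dbo.Employees;
-- Jane Doe   jXXX@XXXX.com   XXX-XX-6789   0.00   (and so on for each row)

-- The disclosure: predicates are evaluated against the real values, so the
-- masked reader still learns which rows have Salary > 2000 although Salary
-- is displayed as 0.
SELECT Name FROM dbo.Employees WHERE Salary > 2000;   -- Jane Doe, John Smith
REVERT;
GO

-- Only principals holding UNMASK see plaintext; grant (and revoke) it deliberately.
GRANT UNMASK TO MaskedReader;
-- REVOKE UNMASK FROM MaskedReader;

-- Inventory of masked columns and their functions, for review.
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```

The filtered SELECT inside the impersonation is the whole point of the limitations slide: masking changes what is displayed, not what is compared, so anyone who can write their own WHERE clause can recover the underlying value by repeated narrowing. Treat DDM as a presentation control for applications with fixed queries, and keep real access control on the column.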

#SQLSAT454 DEMO Working with Dynamic Data Masking

#SQLSAT454 Q&A Questions?

#SQLSAT454 ROW-LEVEL SECURITY

#SQLSAT454 Row Level Security – Key Features
- Fine-grained access control: in multi-tenant databases, limits access by other users who share the same tables.
- Centralized Security Logic: predicate-based access control logic resides inside the database and is schema-bound to the tables it protects.
- Application Transparency: no application changes; existing queries keep working.

#SQLSAT454 Row-Level Security
[Diagram: dbo.Customer accessed by a Manager and by LATAM, EMEA and APAC Salespersons]

dbo.Customer as shown on the slide:
  Name           Area    Budget
  Evil Inc.      EMEA
  Wealthy Corp.  LATAM   2.350
  Greedy Corp.   APAC    1.500

#SQLSAT454 Row-Level Security - Concepts
- Predicate function: user-defined inline TVF implementing the access control logic; can be arbitrarily complicated
- Security predicate: applies a predicate function to a particular table (APPLY); two types: filter predicates and blocking predicates
- Security policy: collection of security predicates; manages security across multiple tables

#SQLSAT454 Row-Level Security – How it works
[Diagram: the DBA creates a Security Policy on dbo.Customer; the EMEA Salesperson runs SELECT * FROM Customer, which the engine rewrites as SELECT * FROM Customer APPLY itvf_securityPredicate(), so only the rows the predicate allows are returned]

#SQLSAT454 DEMO Working with Row-Level Security

#SQLSAT454 Row-Level Security - Limitations
- SCHEMABINDING: all tables referenced by the predicate function must reside in the same database
- Performance impact: queries are rewritten
- When the application authenticates users itself, CONTEXT_INFO() can be used to filter on the real user
- Not really secure if users can run ad-hoc queries
- Don't lock out the DBA!
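The Row-Level Security concepts, the rewrite shown on the "How it works" slide and the "don't lock out the DBA" caveat, as one added T-SQL example that is not part of the original deck: a schema-bound inline predicate function, a security policy with a filter predicate and a block predicate on dbo.Customer, and a metadata query to audit what is in force. The Security schema, the dbo.SalespersonArea mapping table and the two test users are constructed for the demonstration; the rows are the ones on the slide.

```sql
-- Added example (not from the slides). Assumptions: a scratch database; the
-- Security schema, dbo.SalespersonArea and the users below are illustrative.

CREATE SCHEMA Security;
GO

CREATE TABLE dbo.Customer (
    CustomerId int IDENTITY(1,1) PRIMARY KEY,
    Name   nvarchar(100) NOT NULL,
    Area   nvarchar(10)  NOT NULL,
    Budget decimal(10,3) NULL
);

-- Which database user may see which area (constructed mapping).
CREATE TABLE dbo.SalespersonArea (
    UserName sysname      NOT NULL,
    Area     nvarchar(10) NOT NULL,
    PRIMARY KEY (UserName, Area)
);

INSERT INTO dbo.Customer (Name, Area, Budget) VALUES
    (N'Evil Inc.',     N'EMEA',  NULL),
    (N'Wealthy Corp.', N'LATAM', 2.350),
    (N'Greedy Corp.',  N'APAC',  1.500);

CREATE USER EmeaSales WITHOUT LOGIN;
CREATE USER ApacSales WITHOUT LOGIN;
GRANT SELECT, INSERT ON dbo.Customer TO EmeaSales, ApacSales;
INSERT INTO dbo.SalespersonArea (UserName, Area) VALUES
    (N'EmeaSales', N'EMEA'), (N'ApacSales', N'APAC');
GO

-- Predicate function: inline TVF with SCHEMABINDING, so every table it touches
-- must live in this database and be referenced with a two-part name.
CREATE FUNCTION Security.fn_CustomerAreaPredicate (@Area AS nvarchar(10))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS fn_result
    WHERE USER_NAME() = N'dbo'                 -- escape hatch: the DBA keeps full visibility
       OR EXISTS (SELECT 1
                  FROM dbo.SalespersonArea AS sa
                  WHERE sa.UserName = USER_NAME()
                    AND sa.Area = @Area);
GO

-- Security policy: the filter predicate hides rows on reads; the block
-- predicate rejects inserts into an area the caller is not mapped to.
CREATE SECURITY POLICY Security.CustomerAreaPolicy
    ADD FILTER PREDICATE Security.fn_CustomerAreaPredicate(Area) ON dbo.Customer,
    ADD BLOCK PREDICATE  Security.fn_CustomerAreaPredicate(Area) ON dbo.Customer AFTER INSERT
WITH (STATE = ON);
GO

-- Same statement, different caller, different rows: the engine applies the predicate.
EXECUTE AS USER = 'EmeaSales';
SELECT Name, Area, Budget FROM dbo.Customer;           -- Evil Inc. only
BEGIN TRY
    INSERT INTO dbo.Customer (Name, Area, Budget) VALUES (N'Sneaky Ltd.', N'APAC', 9.000);
END TRY
BEGIN CATCH
    PRINT N'Blocked by block predicate: ' + ERROR_MESSAGE();
END CATCH;
REVERT;

EXECUTE AS USER = 'ApacSales';
SELECT Name, Area, Budget FROM dbo.Customer;           -- Greedy Corp. only
REVERT;

SELECT Name, Area, Budget FROM dbo.Customer;           -- as dbo: all three rows
GO

-- Audit what is in force: each policy and the predicates it attaches.
SELECT p.name AS policy_name, p.is_enabled, pr.predicate_type_desc,
       OBJECT_NAME(pr.target_object_id) AS target_table, pr.predicate_definition
FROM sys.security_policies AS p
JOIN sys.security_predicates AS pr ON pr.object_id = p.object_id;
```

The `USER_NAME() = N'dbo'` branch is the slide's "don't lock out the DBA" advice made concrete; without it, once the policy is on, even the owner gets zero rows back and has to disable the policy to see the data. Where the application connects with a single service account, the predicate would compare the mapping table against a value the application sets per request instead of USER_NAME(); the slides mention CONTEXT_INFO() for that, and SQL Server 2016 also offers SESSION_CONTEXT() for the same purpose. The limitation about ad-hoc queries still applies: a filter predicate controls which rows are returned, not what a user who can craft arbitrary queries can infer from errors or timing, so RLS complements application-level authorization rather than replacing it.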

#SQLSAT454 Q&A Questions?

#SQLSAT454 Resources
- Always Encrypted on MSDN
- Getting Started With Always Encrypted
- Performance impact of Always Encrypted
- Dynamic Data Masking on MSDN
- Using Dynamic Data Masking
- Row-Level Security on MSDN
- Introduction to Row-Level Security
- Row-Level Security Limitations

#SQLSAT454 Evaluations
- Don't forget to fill in the evaluation form here

#SQLSAT454 THANKS! #sqlsat454