Overview of Security Investments in SQL Server 2016 and Azure SQL Database. Jamey Johnston, 1/15/2016.

Presentation transcript:

Overview of Security Investments in SQL Server 2016 and Azure SQL Database
Jamey Johnston
1/15/2016

Agenda
• Who am I?
• What’s new in security for SQL Database V12 and SQL Server 2016
• SQL Threat Detection (SQL Database V12)
• Dynamic Data Masking
• Always Encrypted
• Azure Active Directory Authentication (SQL Database V12)
• Row-level Security
• Questions

Jamey Johnston
• Data Scientist for an O&G Company
• 20+ years DBA Experience
• TAMU MS in Analytics (2016)
• Professional Photographer

SQL Database Threat Detection
• Detect anomalous database activities indicating a potential security threat to the database
• Configurable threat detection policy via Azure portal
• Multiple database threat detectors
• Identify and alert upon anomalous database activities
• Audit log viewer in Azure portal and Excel template

SQL Database Threat Detection

SQL Threat Detection: Learn More
• Getting started with SQL Database Threat Detection
• Channel 9 Videos

Dynamic Data Masking
• Limit sensitive data exposure by obfuscating it to non-privileged users
• Limit exposure of sensitive data to app users
• Avoid exposure of sensitive data to Engineers (e.g., Troubleshooting), IT, BI users

Dynamic Data Masking: Learn More
• Getting Started (Azure SQL DB)
• MSDN (SQL Server)
• Blogs
  • improvements.aspx
  • data-masking/
• Channel 9 Videos

Always Encrypted

Always Encrypted – How It Works

Always Encrypted: Learn More
• Books Online
• SQL Security Blog (keyword Always Encrypted)
• Channel 9 Videos
  • Always-Encrypted
  • with-Always-Encrypted-with-SSMS

Azure Active Directory Authentication

Azure AD Authentication: Learn More
• MSDN
  • aad-authentication/
• SQL Security Blog (keyword Azure AD auth)
• Channel 9 Videos
  • Directory-Authentication-for-SQL-Database-V12

Row Level Security
• RLS allows for controlled access to rows in tables based on attributes of the user executing the query
• 2 Methods of RLS in SQL Server:
  • Filter Based (2005+)
    • SQL Server Security Label Toolkit
    • Use views on tables with “labels” to limit access
    • Problem is you have to change the application code and add views (i.e. upgrades are a pain, unsupported applications)
  • Predicate Based (2016 and Azure)
    • Uses functions and policies to apply predicates to the SQL
    • No application code changes and base database schema left intact (i.e. upgrades not impacted very much by RLS)

Row Level Security: Basic Steps
1. Define Table(s) for RLS
2. Create a new Schema, RLS, for Security Objects
3. Create Table Value Function to define “how” to enforce security on Table
4. Create a Security Policy on the table using the TVF

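Table Value Functions
• User defined function that returns a data table
• Powerful alternative to View
• Expand beyond SELECT and use more powerful T-SQL
• RLS uses them to return a 1 for row matches

    -- Function name as used on the Security Policy slide. The parameter name @Region
    -- and the OR joining the two conditions are assumed; the transcript dropped them.
    CREATE FUNCTION RLS.fn_RLSpredicate(@Region AS sysname)
        RETURNS TABLE
        WITH SCHEMABINDING
    AS
        -- Returns one row (access granted) for VP_US, or when the row's value equals the caller's user name
        RETURN SELECT 1 AS fn_RLSpredicate_result
        WHERE USER_NAME() = 'VP_US' OR @Region = USER_NAME();
    GO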

Security Policy
• Policy that is created to apply the Security Predicate

    -- FILTER hides rows that fail the predicate on read;
    -- BLOCK ... AFTER INSERT rejects inserted rows that fail it.
    CREATE SECURITY POLICY Well_HeaderFilter
        ADD FILTER PREDICATE RLS.fn_RLSpredicate(Region) ON dbo.Well_Header,
        ADD BLOCK PREDICATE RLS.fn_RLSpredicate(Region) ON dbo.Well_Header AFTER INSERT;
    GO

Recursive Queries with CTE
• Use them to query tables with Hierarchical Data

Why Predicate Based RLS for Business?
• No application code changes and base database schema left intact (i.e. upgrades not impacted very much by RLS)
• With ISV applications it is not advisable to change the schema
• Increased ventures with internal partners require row-level granular access to the applications
• RLS allows for the row-level security and eliminates the need for federated/“broken-out” databases/applications

Demos
• Simple RLS Demo
• Advanced RLS Demo with Hierarchies

RLS with Parent/Child Hierarchies
• Demo will show how an organizational hierarchy and asset hierarchy can be leveraged together to provide RLS on tables using the new predicate based RLS feature in SQL Server 2016 and Azure
• Important Concepts:
  • Organization Unit
    • Represents a position in the company (not employee)
    • Security is assigned to the Organization Unit and propagated to the User ID
  • Hierarchy Based Security
    • Allows for inheritance of permissions via the Organization and Asset Hierarchy
    • Do NOT need to assign security to every node in the hierarchy.
    • Child nodes can inherit from Parent Nodes
  • Parent/Child Hierarchy
    • Employee ID / Manager ID - Unary Relationship

Asset Hierarchy
[Figure: Snapshot of the Asset Hierarchy]

Organizational Hierarchy
[Figure: Snapshot of the Org Hierarchy]

Hierarchies and RLS

    insert into [SEC_ASSET_MAP] values (100010, 'REGION', 'NORTHERN US');
    insert into [SEC_ASSET_MAP] values (100001, 'ALL', 'ALL');
    insert into [SEC_ASSET_MAP] values (100028, 'ASSET_GROUP', 'PRB');

Diagram annotations:
• Inherits from CEO
• Inherits from SVP who Inherits from CEO
• Inherits from Manager

Security Record for Every Employee is NOT Required!
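The inheritance rule from the hierarchy slides (security assigned to an organization unit, child units inheriting when they have no record of their own), combined with the recursive CTE mentioned earlier, as an added T-SQL example that is not the presenter's demo code. Only the table names SEC_ORG_USER_BASE and SEC_ASSET_MAP and the three SEC_ASSET_MAP rows come from the slides; the column names, user names, Well_Header columns and rows, the function and policy names, and the "nearest unit with a record wins" rule are assumptions.

```sql
-- Constructed demo objects for an empty scratch database (SQL Server 2016+ or Azure SQL Database).
-- Column names are hypothetical; the slides show only the SEC_ASSET_MAP value tuples.
CREATE TABLE dbo.SEC_ORG_USER_BASE (ORG_UNIT_ID int PRIMARY KEY, PARENT_ORG_UNIT_ID int NULL, USERID sysname);
CREATE TABLE dbo.SEC_ASSET_MAP (ORG_UNIT_ID int, HIERARCHY_LEVEL varchar(20), HIERARCHY_VALUE varchar(50));
CREATE TABLE dbo.Well_Header (Well_ID int PRIMARY KEY, Region varchar(50), Asset_Group varchar(50));
INSERT INTO dbo.SEC_ORG_USER_BASE VALUES
    (100001, NULL, 'CEO'), (100010, 100001, 'SVP_NORTH'),
    (100028, 100010, 'MGR_PRB'), (100030, 100028, 'ENGINEER1');  -- 100030 has no security record
INSERT INTO dbo.SEC_ASSET_MAP VALUES (100001, 'ALL', 'ALL'), (100010, 'REGION', 'NORTHERN US'), (100028, 'ASSET_GROUP', 'PRB');
INSERT INTO dbo.Well_Header VALUES (1, 'NORTHERN US', 'PRB'), (2, 'NORTHERN US', 'BAKKEN'), (3, 'SOUTHERN US', 'PERMIAN');
CREATE USER ENGINEER1 WITHOUT LOGIN;
GRANT SELECT ON dbo.Well_Header TO ENGINEER1;
GO
CREATE SCHEMA RLS;
GO
CREATE FUNCTION RLS.fn_HierarchyPredicate(@Region varchar(50), @Asset_Group varchar(50))
RETURNS TABLE WITH SCHEMABINDING
AS RETURN
    WITH chain AS (        -- walk from the caller's organization unit up to the root
        SELECT o.ORG_UNIT_ID, o.PARENT_ORG_UNIT_ID, 0 AS hops
        FROM dbo.SEC_ORG_USER_BASE AS o
        WHERE o.USERID = USER_NAME()
        UNION ALL
        SELECT p.ORG_UNIT_ID, p.PARENT_ORG_UNIT_ID, c.hops + 1
        FROM dbo.SEC_ORG_USER_BASE AS p
        JOIN chain AS c ON p.ORG_UNIT_ID = c.PARENT_ORG_UNIT_ID
    ),
    nearest AS (           -- closest unit in that chain that has a security record
        SELECT MIN(c.hops) AS hops
        FROM chain AS c
        JOIN dbo.SEC_ASSET_MAP AS m ON m.ORG_UNIT_ID = c.ORG_UNIT_ID
    )
    SELECT 1 AS fn_result  -- no row (access denied) for unknown users or chains with no record
    WHERE EXISTS (
        SELECT 1
        FROM chain AS c
        JOIN nearest AS n ON n.hops = c.hops
        JOIN dbo.SEC_ASSET_MAP AS m ON m.ORG_UNIT_ID = c.ORG_UNIT_ID
        WHERE m.HIERARCHY_LEVEL = 'ALL'
           OR (m.HIERARCHY_LEVEL = 'REGION' AND m.HIERARCHY_VALUE = @Region)
           OR (m.HIERARCHY_LEVEL = 'ASSET_GROUP' AND m.HIERARCHY_VALUE = @Asset_Group));
GO
CREATE SECURITY POLICY RLS.Well_HeaderHierarchyFilter
    ADD FILTER PREDICATE RLS.fn_HierarchyPredicate(Region, Asset_Group) ON dbo.Well_Header WITH (STATE = ON);
GO
EXECUTE AS USER = 'ENGINEER1';  -- no record of its own, so it inherits ASSET_GROUP = PRB from unit 100028
SELECT Well_ID, Region, Asset_Group FROM dbo.Well_Header;
REVERT;
```

The recursive walk becomes part of every query against the protected table, so measure it against realistic hierarchy depths before relying on it.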

RLS with HierarchyID Datatype
• Demonstrates how the HierarchyID Datatype can be used for RLS
• SEC_ORG_USER_BASE_HID
  • Same as SEC_ORG_USER_BASE but includes HierarchyID column to demonstrate RLS with HierarchyID data types

Parent/Child vs HierarchyID Data Type
• Parent/Child
  • Most familiar and most likely to be supported by ISV
  • Easier to implement security across multiple hierarchies (Org and Asset)
  • More flexible to support access across multiple node levels (i.e. User has access to multiple nodes in the Hierarchy)
• HierarchyID Datatype
  • Does not work easily across multiple hierarchies and with multiple node level access
  • Very fast when working with one hierarchy
  • Still researching as it is fast and would like to use!

Demo ERD

Row-level Security: Learn More
• Books Online
• SQL Security Blog (keyword RLS)
• Channel 9 Videos
  • channel9.msdn.com/Shows/Data-Exposed/Row-Level-Security-in-Azure-SQL-Database
  • Security
• Code Samples

Questions? Thank you for attending!
• Download Demos
• SQL Server Security Blog

Thank You Sponsors!
Visit the Sponsor tables to enter their end of day raffles. Turn in your completed Event Evaluation form at the end of the day in the Registration area to be entered in additional drawings.