Securing Data on your Terms Kristina Rumpff SQL Saturday #464, Melbourne 20 th February 2016
Housekeeping Mobile Phones please set to “stun” during sessions Evaluations complete online to be in the draw for fantastic prizes Wifi Details SSID: eduroam Login: ext-sqlsat Password: sqlsaturd4y SESSIONSEVENT sessions/sessionevaluation.aspx eventeval.aspx
Connect with the Community Event staff, volunteers and speakers are here to help and answer questions. Scan the QR code on the speaker badges to connect and network with them. I attack SQL challenges by dropping onto them from above.
ENCRYPTION
Encryption Summary
TRANSPARENT DATA ENCRYPTION
What is TDE TDE Encrypts data at rest This occurs at the file level Data within the database is stored in plain text
Jane Doe Name SSN USA Country Jim Gray USA John Smith USA dbo.Patients Jane Doe Name CardNumber Jim Gray John Smith dbo.Payment Database LevelTable LevelFile Level
In SQL Server 2016 CTP2, the storage for memory-optimized tables will be encrypted as part of enabling TDE on the database Simply follow the same steps as you would for a disk-based database Windows Operating System Level Data Protection SQL Server Instance Level User Database Level Database Encryption Key Service Master Key DPAPI encrypts the Service Master Key Master Database Level Database Encryption Key Service Master Key Encrypts the Database master Key for the master Database Database Master Key of the master Database creates a certificate in the master database The certificate encrypts the database Encryption Key in the user database The entire user database is secured by the Datbase Encryption Key (DEK) of the user database by using transparent database encryption Created at a time of SQL Server setup Statement: CREAT MASTER KEY… Statement: CREATE CERTIFICATE… Statement: CREATE DATABASE ENCRYPTION KEY… Statement: ALTER DATABSE… SET ENCRYPTION
Considerations Key management Backup History Always On You will need the same encryption key across all db’s in the group TempDB The TempDB will be encrypted if any database on the instance is encrypted.
Demo
Demo will include SQL Server Creating encryption hierarchy -Encrypt Database SQL Server Azure Show how to turn on TDE
CELL LEVEL ENCRYPTION
What is Cell Level Encryption A symmetric key is used to encrypt the data as it is inserted, and to decrypt as it is read. The end result is that the data is stored encrypted. The database engine encrypts/decrypts.
Considerations Key management Backup History Import/Export The encrypt/decrypt is part of the T-SQL statement
Jane Doe Name SSN USA Country Jim Gray USA John Smith USA dbo.Patients Jane Doe Name CardNumber Jim Gray John Smith dbo.Payment Database LevelTable LevelFile Level
dbo.Patients Jane Doe Name SSN USA Country Jim Gray USA John Smith USA dbo.Patients Jane Doe Name 1x7fg655se2e SSN USA Jim Gray0x7ff654ae6dUSA John Smith0y8fj754ea2cUSA Country Result Set Jim Gray Name Jane Doe Name 1x7fg655se2e SSN USA Country Jim Gray0x7ff654ae6dUSA John Smith0y8fj754ea2cUSA dbo.Patients SQL Server ciphertext Query Trusted Apps SELECT Name FROM Patients WHERE Result Set Jim Gray Name SELECT Name FROM Patients Client
Demo
Demo will include Show how to create encryption keys Show plain text column Show encrypted column Show how the application will need to be changed.
ALWAYS ENCRYPTED
What is Always Encrypted A way to encrypt your data with minimal change the application. Data is encrypted in transit and at rest.
Jane Doe Name SSN USA Country Jim Gray USA John Smith USA dbo.Patients Jane Doe Name CardNumber Jim Gray John Smith dbo.Payment Database LevelTable LevelFile Level
dbo.Patients Jane Doe Name SSN USA Country Jim Gray USA John Smith USA dbo.Patients Jane Doe Name 1x7fg655se2e SSN USA Jim Gray0x7ff654ae6dUSA John Smith0y8fj754ea2cUSA Country Result Set Jim Gray Name Jane Doe Name 1x7fg655se2e SSN USA Country Jim Gray0x7ff654ae6dUSA John Smith0y8fj754ea2cUSA dbo.Patients SQL Server ciphertext Query Help protect data at rest and in motion, on-premises & cloud Trusted Apps SELECT Name FROM Patients Result Set Jim Gray Name SELECT Name FROM Patients Column Encryption Key Enhanced ADO.NET Library Column Master Key Client side
Types of Encryption for Always Encrypted Randomized encryption Encrypt(' ') = 0x17cfd50a Repeat: Encrypt(' ') = 0x9b1fcf32 Allows for transparent retrieval of encrypted data but NO operations More secure Deterministic encryption Encrypt(' ') = 0x85a55d3f Repeat: Encrypt(' ') = 0x85a55d3f Allows for transparent retrieval of encrypted data AND equality comparison E.g. in WHERE clauses and joins, distinct, group by Two types of encryption available Randomized encryption uses a method that encrypts data in a less predictable manner Deterministic encryption uses a method which always generates the same encrypted value for any given plain text value
Security Officer 1. Generate CEKs and Master Key 2. Encrypt CEK 3. Store Master Key Securely 4. Upload Encrypted CEK to DB CMK Store: Certificate Store HSM Azure Key Vault … Encrypted CEK Column Encryption Key (CEK) Column Master Key (CMK) Key Provisioning CMK Database Encrypted CEK
EXEC sp_execute_sql N'SELECT * FROM Customers WHERE = Enhanced ADO.NET Plaintex t CEK Cache exec = = N'SELECT * FROM Customers WHERE SSN Result set (ciphertext) Result set (plaintext) using (SqlCommand cmd = new SqlCommand( "SELECT Name FROM Customers WHERE SSN conn)) { cmd.Parameters.Add(new SqlParameter( SqlDbType.VarChar, 11).Value = " "); SqlDataReader reader = cmd.ExecuteReader(); Client - TrustedSQL Server - Untrusted Encryption metadata CMK Store Example
Considerations Key management The keys need to be backed up Always on replica’s need the same keys Client The application client needs access to the key! Insert data into encrypted columns by passing the values in SqlParameter objects.SqlParameter
Demo
Demo will include Application connecting to data in plain text Encrypt the column Change the connection string Application connecting to data and getting result without changing app.
ROW LEVEL SECURITY
Fine-grained access control Keeping multi-tenant databases secure by limiting access by other users who share the same tables. Application transparency RLS works transparently at query time, no app changes needed. Compatible with RLS in other leading products. Centralized security logic Enforcement logic resides inside database and is schema- bound to the table it protects providing greater security. Reduced application maintenance and complexity. Store data intended for many consumers in a single database/table while at the same time restricting row-level read & write access based on users’ execution context. Benefits of row-level security
CREATE SECURITY POLICY mySecurityPolicy ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime) ON dbo.patients RLS Concepts Predicate function User-defined inline table-valued function (iTVF) implementing security logic Can be arbitrarily complicated, containing joins with other tables Security predicate Applies a predicate function to a particular table (SEMIJOIN APPLY) Two types: filter predicates and blocking predicates Security policy Collection of security predicates for managing security across multiple tables
CREATE FUNCTION int) RETURNS TABLE WITH SCHEMABINDING AS return SELECT 1 as [fn_securitypredicate_result] FROM StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId) WHERE e.UserSID = SUSER_SID() = d.Wing; CREATE SECURITY POLICY dbo.SecPol ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON Patients WITH (STATE = ON) Fine-grained access control over rows in a table based on one or more pre-defined filtering criteria, e.g., user’s role or clearance level in organization. Concepts: Predicate function Security policy Example
Two App user (e.g., nurse) selects from Patients table Three Security Policy transparently rewrites query to apply filter predicate Database Policy Manager CREATE FUNCTION int) RETURNS TABLE WITH SCHEMABINDING AS return SELECT 1 as [fn_securitypredicate_result] FROM StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId) WHERE e.UserSID = SUSER_SID() = d.Wing; CREATE SECURITY POLICY dbo.SecPol ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON Patients WITH (STATE = ON) Filter Predicate: INNER JOIN… Security Policy Applicatio n Patients One Policy manager creates filter predicate and security policy in T-SQL, binding the predicate to the Patients table Nurse SELECT * FROM Patients SEMIJOIN APPLY dbo.fn_securitypredicate(patients.Wing); SELECT Patients.* FROM Patients, StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId) WHERE e.UserSID = SUSER_SID() AND Patients.wing = d.Wing; RLS in Three Steps
-- The following syntax creates a security policy with a filter predicate for the Customer table, and leaves the security policy disabled CREATE SECURITY POLICY [FederatedSecurityPolicy] ADD FILTER PREDICATE [rls].[fn_securitypredicate]([CustomerId]) ON [dbo].[Customer]; -- Create a new schema and predicate function, which will use the application user ID stored in CONTEXT_INFO to filter rows. CREATE FUNCTION rls.fn_securitypredicate int) RETURNS TABLE WITH SCHEMABINDING AS RETURN ( SELECT 1 AS fn_securitypredicate_result WHERE DATABASE_PRINCIPAL_ID() = DATABASE_PRINCIPAL_ID('dbo') -- application context AND CONTEXT_INFO() = GO Creates a security policy for row level security. The following examples demonstrate the use of the CREATE SECURITY POLICY syntax. For an example of a complete security policy scenario, see Row Level Security. Row Level Security Create Security Policy
Demo
DYNAMIC DATA MASKING
Configuration made easy in the new Azure portal Policy-driven at the table and column level, for a defined set of users Data masking applied in real-time to query results based on policy Multiple masking functions available (e.g. full, partial) for various sensitive data categories (e.g. Credit Card Numbers, SSN, etc.) SQL Database SQL Server 2016 CTP2 Table.CreditCardNo Real-time data masking; partial masking Prevent the abuse of sensitive data by hiding it from users Dynamic Data Masking
Masking Types DefaultFull masking according to the data types of the designated field: i.e. String will result in “XXXX” Masking will expose the first letter of an address and will end in “.com” i.e. Custom StringWill expose the first and last letter and adds a custom padding string in the middle. i.e KXXXa RandomFor use only on numeric. Will replace the original value within a specified range.
Demo
Questions? Please make sure you visit our fantastic sponsors:
How did we do? Please complete an online Evaluation to be included the draw for a fantastic prize! There is a prize for each session timeslot and for the overall event survey – so the more feedback you provide the more chances you have. Session Surveys sessions/sessionevaluation.aspx Post-Event Survey eventeval.aspx