SQL Organizational Security & Compliance George Walters Senior Technology Solutions Professional Data on twitter

SQL Server 2016: Everything built-in The above graphics were published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. Consistent experience from on-premises to cloud MicrosoftTableauOracle $120 $480 $2,230 Self - service BI per user In-memory across all workloads built-in TPC-H 10TB non-clustered results as of 04/06/15, 5/04/15, 4/15/14 and 11/25/13, respectively. at massive scale SQL ServerOracleMySQLSAP HANA Oracle is #5 #2 SQL Server #1 SQL Server #3 SQL Server National Institute of Standards and Technology Comprehensive Vulnerability Database update 10/2015 2

Progress on SQL Engine security … A Journey through time 3

Powerful Encryption Technologies Advanced Security Infrastructure Data Protection Extends to Azure SQL Database User-Defined Server Roles Default Schema for Groups Contained Database Authentication Azure Active Directory SQL Server Audit Audit Resilience User-Defined Audit Audit Filtering Third-Party Verified (Common Criteria) Compliance in the Cloud

DATA PROTECTION KNOWN FOR THE LOWEST VULNERABILITIES ACROSS MAJOR DBMS VENDORS

USE master; GO CREATE MASTER KEY ENCRYPTION BY PASSWORD = ' '; Go CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'My DEK Certificate'; go USE AdventureWorks2012; GO CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_128 ENCRYPTION BY SERVER CERTIFICATE MyServerCert; GO ALTER DATABASE AdventureWorks2012 SET ENCRYPTION ON; GO

Enforce enterprise-wide password policies & authentication Roles and proxy accounts Security enhanced metadata access Execution context SQL Server authentication Azure Active Directory Server-side firewall

Automatic software updates Policy-Based Management SQL Server Audit infrastructure Custom auditing with DDL triggers

PerformanceSecurityAvailabilityScalability Operational analytics Insights on operational data; Works with in-memory OLTP and disk-based OLTP In-memory OLTP enhancements Greater T-SQL surface area, terabytes of memory supported, and greater number of parallel CPUs Query data store Monitor and optimize query plans Native JSON Expanded support for JSON data Temporal database support Query data as points in time Always encrypted Sensitive data remains encrypted at all times with ability to query Row-level security Apply fine-grained access control to table rows Dynamic data masking Real-time obfuscation of data to prevent unauthorized access Other enhancements Audit success/failure of database operations TDE support for storage of in- memory OLTP tables Enhanced auditing for OLTP with ability to track history of record changes Enhanced AlwaysOn Three synchronous replicas for auto failover across domains Round robin load balancing of replicas Automatic failover based on database health DTC for transactional integrity across database instances with AlwaysOn Support for SSIS with AlwaysOn Enhanced database caching Cache data with automatic, multiple TempDB files per instance in multi- core environments Mission-critical performance

Always Encrypted SQL Server 2016 Azure SQL Database

Prevents Data Disclosure Client-side encryption of sensitive data using keys that are never given to the database system. Queries on Encrypted Data Support for equality comparison, incl. join, group by and distinct operators. Application Transparency Minimal application changes via server and client library enhancements. Allows customers to securely store sensitive data outside of their trust boundary. Data remains protected from high-privileged, yet unauthorized users. Benefits of Always Encrypted

dbo.Patients Jane Doe Name SSN USA Country Jim Gray USA John Smith USA dbo.Patients Jane Doe Name 1x7fg655se2e SSN USA Jim Gray0x7ff654ae6dUSA John Smith0y8fj754ea2cUSA Country Result Set Jim Gray Name Jane Doe Name 1x7fg655se2e SSN USA Country Jim Gray0x7ff654ae6dUSA John Smith0y8fj754ea2cUSA dbo.Patients SQL Server Query Trusted Apps SELECT Name FROM Patients Result Set Jim Gray Name SELECT Name FROM Patients Column Encryption Key Enhanced ADO.NET Library Column Master Key Client side Always Encrypted Help protect data at rest and in motion, on-premises & cloud ciphertext

Randomized encryption Encrypt(' ') = 0x17cfd50a Repeat: Encrypt(' ') = 0x9b1fcf32 Allows for transparent retrieval of encrypted data but NO operations More secure Deterministic encryption Encrypt(' ') = 0x85a55d3f Repeat: Encrypt(' ') = 0x85a55d3f Allows for transparent retrieval of encrypted data AND equality comparison E.g. in WHERE clauses and joins, distinct, group by Two types of encryption available Randomized encryption uses a method that encrypts data in a less predictable manner Deterministic encryption uses a method which always generates the same encrypted value for any given plain text value Types of Encryption for Always Encrypted

Security Officer 1. Generate CEKs and Master Key 2. Encrypt CEK 3. Store Master Key Securely 4. Upload Encrypted CEK to DB CMK Store: Certificate Store HSM Azure Key Vault … Encrypted CEK Column Encryption Key (CEK) Column Master Key (CMK) Key Provisioning CMK Database Encrypted CEK

EXEC sp_execute_sql N'SELECT * FROM Customers WHERE = Enhanced ADO.NET Plaintext CEK Cache exec = = N'SELECT * FROM Customers WHERE SSN Result set (ciphertext) Result set (plaintext) using (SqlCommand cmd = new SqlCommand( "SELECT Name FROM Customers WHERE SSN conn)) { cmd.Parameters.Add(new SqlParameter( SqlDbType.VarChar, 11).Value = " "); SqlDataReader reader = cmd.ExecuteReader(); Client - TrustedSQL Server - Untrusted Encryption metadata CMK Store Example

Select columns to be encrypted Analyze schema and application queries to detect conflicts (build time) Set up the keys: master & CEK Static schema analysis tool (SSDT only) UI for selecting columns (no automated data classification) Key setup tool to automate selecting CMK, generating and encrypting CEK and uploading key metadata to the database Setup (SSMS or SSDT) User Experience: SSMS or SSDT (Visual Studio)

Existing App – Setup User Experience: SSMS or SSDT (Visual Studio) UI for selecting columns (no automated data classification) Select candidate columns to be encrypted Analyze schema and application queries to detect conflicts and identify optimal encryption settings Set up the keys Encrypt selected columns while migrating the database to a target server (e.g. in Azure SQL Database Key Setup tool to streamline selecting CMK, generating and encrypting CEK and uploading key metadata to the database Encryption tool creating new (encrypted) columns, copying data from old (plain text) columns, swapping columns and re- creating dependencies Select desired encryption settings for selected columns UI for configuring encryption settings on selected columns (accepting/editing recommendations from the analysis tool) Schema/workload analysis tool analyzing the schema and profiler logs

Data remains encrypted during query Summary: Always encrypted Protect data at rest and in motion, on-premises & cloud Apps TCE-enabled ADO.NET library SQL Server Encrypted query Columnar key No app changes Master key

Row-Level Security SQL Server 2016 Azure SQL Database

Fine-grained access control over specific rows in a database table Help prevent unauthorized access when multiple users share the same tables, or to implement connection filtering in multitenant applications Administer via SQL Server Management Studio or SQL Server Data Tools Enforcement logic inside the database and schema bound to the table. Protect data privacy by ensuring the right access across rows SQL Database Customer 1 Customer 2 Customer 3 Row-level security

Fine-grained access control Keeping multi-tenant databases secure by limiting access by other users who share the same tables. Application transparency RLS works transparently at query time, no app changes needed. Compatible with RLS in other leading products. Centralized security logic Enforcement logic resides inside database and is schema-bound to the table it protects providing greater security. Reduced application maintenance and complexity. Store data intended for many consumers in a single database/table while at the same time restricting row-level read & write access based on users’ execution context. Benefits of row-level security

CREATE SECURITY POLICY mySecurityPolicy ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime) ON dbo.patients Predicate function User-defined inline table-valued function (iTVF) implementing security logic Can be arbitrarily complicated, containing joins with other tables Security predicate Applies a predicate function to a particular table (SEMIJOIN APPLY) Two types: filter predicates and blocking predicates Security policy Collection of security predicates for managing security across multiple tables Row Level Security Concepts

CREATE FUNCTION int) RETURNS TABLE WITH SCHEMABINDING AS return SELECT 1 as [fn_securitypredicate_result] FROM StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId) WHERE e.UserSID = SUSER_SID() = d.Wing; CREATE SECURITY POLICY dbo.SecPol ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON Patients WITH (STATE = ON) Fine-grained access control over rows in a table based on one or more pre-defined filtering criteria, e.g., user’s role or clearance level in organization. Concepts: Predicate function Security policy Example

Two App user (e.g., nurse) selects from Patients table Three Security Policy transparently rewrites query to apply filter predicate Database Policy Manager CREATE FUNCTION int) RETURNS TABLE WITH SCHEMABINDING AS return SELECT 1 as [fn_securitypredicate_result] FROM StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId) WHERE e.UserSID = SUSER_SID() = d.Wing; CREATE SECURITY POLICY dbo.SecPol ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON Patients WITH (STATE = ON) Filter Predicate: INNER JOIN… Security Policy Application Patients One Policy manager creates filter predicate and security policy in T-SQL, binding the predicate to the Patients table Nurse SELECT * FROM Patients SEMIJOIN APPLY dbo.fn_securitypredicate(patients.Wing); SELECT Patients.* FROM Patients, StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId) WHERE e.UserSID = SUSER_SID() AND Patients.wing = d.Wing; RLS in Three Steps

-- The following syntax creates a security policy with a filter predicate for the Customer table, and leaves the security policy disabled CREATE SECURITY POLICY [FederatedSecurityPolicy] ADD FILTER PREDICATE [rls].[fn_securitypredicate]([CustomerId]) ON [dbo].[Customer]; -- Create a new schema and predicate function, which will use the application user ID stored in CONTEXT_INFO to filter rows. CREATE FUNCTION rls.fn_securitypredicate int) RETURNS TABLE WITH SCHEMABINDING AS RETURN ( SELECT 1 AS fn_securitypredicate_result WHERE DATABASE_PRINCIPAL_ID() = DATABASE_PRINCIPAL_ID('dbo') -- application context AND CONTEXT_INFO() = GO Creates a security policy for row level security. The following examples demonstrate the use of the CREATE SECURITY POLICY syntax. For an example of a complete security policy scenario, see Row Level Security.Row Level Security Create Security Policy

Dynamic Data Masking SQL Server 2016 Azure SQL Database

Configuration made easy in the new Azure portal Policy-driven at the table and column level, for a defined set of users Data masking applied in real-time to query results based on policy Multiple masking functions available (e.g. full, partial) for various sensitive data categories (e.g. Credit Card Numbers, SSN, etc.) Azure SQL Database SQL Server 2016 CTP2+ Table.CreditCardNo Real-time data masking; partial masking Dynamic Data Masking Prevent the abuse of sensitive data by hiding it from users

Audit success/failure of database operations Enhanced auditing for OLTP with ability to track history of record changes Transparent Data Encryption support for storage of In- memory OLTP Tables Backup encryption now supported with compression Other security enhancements

MSDN Documentation Security Center for SQL Server Database & SQL Database SQL Server Security Blog Additional examples, useful tips and tricks SQL Server Label Security Toolkit Updated version to take advantage of RLS Security resources

PolyBase SQL Server Hadoop T-SQL query Manage structured & unstructured data Simple T-SQL to query Hadoop (HDFS) JSON support Quote: $ Stretch database App Microsoft Azure Query Customer data Product data Order History Stretch to cloud Data is encrypted & queryable Save money & improve customer experience No application changes Learn more! SQLServer2016 Order history NameSSN Date Philip Wengercm61ba906fd2/28/2005 Denny Usherox7ff654ae6d3/18/2005 Alicia Hodgei2y36cg776rg4/10/2005 Alta Levynx290pldo90l4/27/2005 Dionne Hardinypo85ba616rj5/12/2005 Kristy Flowersbns51ra806fd5/22/2005 Sara Wileymci12hh906fj6/07/2005 Whitney Langutb76b916gi6/18/2014 Lorenzo Oldspx61hi9306fj7/1/2014 Sophie Cookol43bi506gd7/12/2014 Aida Durhamtx83hal916fi7/29/2014 NameDOBState Denny Usher11/13/58WA Gina Burch04/29/76WA Real-time operational analytics ETL In-memory ColumnStore In-memory OLTP Real-time business problem detection 2-24 hrs Up to 30x faster transactions with in-memory OLTP Queries from minutes to seconds In-database Advanced Analytics R built-in to SQL Server Mission critical OLTP R built-in to your T-SQL Real-time operational analytics without moving the data Open source R with in-memory & massive scale – multi-threading and massive parallel processing End-to-end mobile BI In-memory built-in Real-time with direct query capabilities Powerful modeling with 250+ built-in analytical functions Mobile reports with online & offline access Modern data visualizations with Reporting Services or Power BI Highest performing data warehouse SMP MPP Petabyte- scale Data marts Azure SQL Data Warehouse MPP SQL Server SQL Server + Analytics Platform System Data marts Petabyte- scale SMP Scale to MPP on-premises & in the cloud Simple T-SQL to manage structured and unstructured data ½ the cost of Oracle Exadata SQL Server in Azure VM Always Encrypted App SELECT Name FROM Patients SQL Server Column Master Key Query Column Encryption Key Enhanced ADO.NET Library Denny Usher Name SSN USA Country Result Set Philip Wegner Name 1x7fg655se2e SSN USA Country Denny Usher0x7ff654ae6dUSA Alicia Hodge0y8fj754ea2cUSA dbo.Patients Denny Usher Name 0x7ff654ae6d SSN USA Country Result Set SELECT Name FROM Patients Protect data at rest and in motion Without impacting database performance Trusted On-premises Cloud

Thank Resources: