Hiding Data from Prying Eyes: Using SQL Server 2016 Always Encrypted. By Mel Lusk
About Mel Lusk: SQL DBA Manager at GCR, Inc. since 2014; Working in IT for 20 years; Started with SQL Server 7.0. Certifications/Education: Microsoft MCSA, MCDBA, MCITP, MCP, MCTS; Oracle 11g, MySQL 5.0; ITIL, ATMAE/NAIT; B.S., Southeastern Louisiana University, 2001
Why encrypt? Security; Regulatory Compliance; PII (Personally Identifiable Information)
Hiding PII. About PII: NIST Special Publication 800-122; Credit Card Numbers; Social Security Numbers; Names, Address, Biometrics, etc. “People with the proper authority can view my data, but how do I keep the DBA from viewing it?”
SQL Server 2016 Can Make it Happen! Today we’ll learn how…
Encryption? Network Encryption: Multiprotocol/SSL Encryption; Dates back to SQL Server 7.0; Only hides data being transferred between client/server. Transparent Data Encryption: Started with SQL Server 2008; Encrypts “Data-At-Rest”; MDF/LDF Files; Backups
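Symmetric/Asymmetric Key Encryption: Available since SQL Server 2005; Encrypt entire database, rows, or columns. BUT... You have to code for it:
    -- Open the symmetric key with the certificate that protects it
    OPEN SYMMETRIC KEY [MySSLCertificate] DECRYPTION BY CERTIFICATE [MySSLCertificate];
    -- DECRYPTBYKEY returns varbinary, so convert it back to the original string type
    SELECT FirstName, LastName,
           CONVERT(NVARCHAR(100), DECRYPTBYKEY(SSN)) AS 'Social Security Number'
    FROM [dbo].[People];
    -- Close the key so it does not stay open for the rest of the session
    CLOSE SYMMETRIC KEY [MySSLCertificate];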
Homegrown & Third-Party Solutions. Performance: Encryption/Decryption performed by the SQL Server Engine; Does not stop DBA. .NET Encryption: System.Security.Cryptography; Homegrown & Third-Party Solutions
SQL Server 2016: Dynamic Data Masking; Always Encrypted. Dynamic Data Masking: New with SQL Server 2016; Useful for App Development; 123-45-6789 = XXX-XX-6789; Nice for displaying data... But still insecure; The DBA or other privileged users can still see the data. Always Encrypted
Always Encrypted. Transparent to the application: Works with existing T-SQL*. Performance: Encryption/Decryption performed by client/middle-tier
Always Encrypted Security: Data can only be viewed with a certificate
Requirements. SQL Server 2016: Enterprise/Developer Editions only; Azure. .NET 4.6 or Higher: Must use ADO.NET. Certificate Store: Used to store the Master Key. String data must use binary2 collation: Latin1_General_BIN2
Not supported. Replication: Transactional or Merge. Distributed Queries (Linked Servers). Certain Datatypes: XML, timestamp/rowversion, image, ntext, text, sql_variant, hierarchyid, geography, geometry, alias, user-defined. FOR XML, FOR JSON, Check Constraints. Change Data Capture/Change Tracking. SQL Server Data Tools (SSIS). A few others... https://msdn.microsoft.com/en-us/library/mt163865.aspx
Types. Randomized: Same data values will have different encrypted values; (225) 555-1234 = 0x0003456; (225) 555-1234 = 0x00078910; More secure; Can’t allow comparisons (no JOINS); No Indexes. Deterministic: Same data values will have same encrypted values; Less secure; Allows comparisons (JOINS)
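The Requirements and Types slides, put together as a table definition. This is an added example, not code from the presentation or its demo. It assumes a column encryption key named CEK_Demo already exists (hypothetical name, protected by a column master key in the client certificate store); the table name dbo.PeopleAE, the index name and the Phone column are also hypothetical.

```sql
-- Assumption: CEK_Demo (hypothetical) was created beforehand, and its column
-- master key lives in the client's certificate store, not on the SQL Server.
CREATE TABLE dbo.PeopleAE
(
    PersonID  INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    FirstName NVARCHAR(50) NOT NULL,
    LastName  NVARCHAR(50) NOT NULL,

    -- Deterministic: equal plaintexts produce equal ciphertexts, so equality
    -- lookups, joins and indexes work. String data needs a BIN2 collation.
    SSN CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Demo,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,

    -- Randomized: the same phone number encrypts differently every time,
    -- so the column cannot be compared, joined on or indexed.
    Phone NVARCHAR(20) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Demo,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL
);

-- Allowed because SSN is deterministic; the same index on Phone would fail.
CREATE NONCLUSTERED INDEX IX_PeopleAE_SSN ON dbo.PeopleAE (SSN);

-- Audit: list each column with its encryption type, algorithm and key, to
-- confirm which PII columns are protected and which are still plaintext.
SELECT c.name                      AS column_name,
       c.encryption_type_desc      AS encryption_type,
       c.encryption_algorithm_name AS algorithm,
       k.name                      AS column_encryption_key
FROM sys.columns AS c
LEFT JOIN sys.column_encryption_keys AS k
       ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE c.object_id = OBJECT_ID(N'dbo.PeopleAE')
ORDER BY c.column_id;
```

On a connection that does not have column encryption enabled, SSN and Phone come back as varbinary ciphertext, which is the view a DBA without the certificate gets.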
Demo
Questions?
Thank you! LinkedIn https://www.linkedin.com/in/mel-lusk-2356888
Thanks for Attending SQL Saturday Baton Rouge 2016!