Securing SQL Server 2016 Databases Gianluca Hotz @glhotz www.ugiss.org
Gianluca Hotz | @glhotz
- Founder and Mentor, SolidQ
- 20 years with SQL Server (since 4.21 in 1996)
- Database modelling, sizing and administration, development, optimization
- Interests: relational model, DBMS architecture, high availability and disaster recovery
- Microsoft MVP for SQL Server since 1998
- Founder and president of UGISS, the Italian SQL Server User Group (PASS Chapter)
Agenda
- Introduction
- Always Encrypted
- Row-Level Security
- Dynamic Data Masking
Introduction
Security Layering
- Data Encryption: Transport Layer Security (in transit); Transparent Data Encryption (at rest); Cell-Level Encryption (at rest); Always Encrypted (at rest and in transit)
- Data Access: Dynamic Data Masking; Row-Level Security
- Access Control: Encrypted Authentication; SQL Firewall*
- Proactive monitoring: Auditing; Threat Detection*
(* Azure SQL Database)
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-security-overview
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-protect-data
https://www.microsoft.com/en-us/TrustCenter/Compliance/default.aspx
Always Encrypted
https://msdn.microsoft.com/en-us/library/mt163865.aspx
Encryption Before 2016
Transparent Data Encryption (TDE)
- Encrypts data, log and backup files
- Data is decrypted when loaded in memory
- Fully transparent to applications
Cell-Level Encryption (CLE)
- Column-level granularity
- Partial protection in memory: ENCRYPTBYKEY/DECRYPTBYKEY still have to be called, so plaintext exists on the server only while a query works on it
- Not transparent to applications
Both are server-side encryption
- Protect data at rest (e.g. theft of drives or backup sets)
- Do not protect against attacks on memory
- High-privilege users (a local administrator, or an administrator at the hosting site) can still gain access to the data
Note: AES-NI support is new in SQL Server 2016; before that, an alternative was BitLocker with AES-NI support.
https://blogs.msdn.microsoft.com/sqlsecurity/2016/10/05/feature-spotlight-transparent-data-encryption-tde
Always Encrypted Overview
Always Encrypted Keys
Column Encryption Key (CEK)
- Used to encrypt the data
- Stored in encrypted form as metadata on the server
- Bound to specific column(s)
Column Master Key (CMK)
- Used to encrypt CEKs
- Stored in an external key store: Windows Certificate Store, Azure Key Vault, HSM, or custom
- Must be available to the applications
Custom store example: keep the key in an Amazon-hosted store and implement a custom key store provider for it
Always Encrypted Encryption Types (a property of each encrypted column)
Deterministic
- Allows equality comparisons, grouping and join operations
- Allows indexing
- Weaker: equal plaintexts produce equal ciphertexts, so small value domains like Sex or flags can be inferred from frequencies
- Requires a _BIN2 collation for string columns!
Randomized
- No operations allowed on the server
- No indexing
- Strongest
Always Encrypted Configuration
SQL Server Management Studio
- End-to-end wizard
- Specific dialogs
- Key rotation scenarios supported
T-SQL
- Only part of the configuration (CMK and CEK metadata, column definitions): the unencrypted CMK is available only outside the server, so key material can never be generated or wrapped in T-SQL
PowerShell
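The T-SQL half of that configuration, as an added example that is not part of the deck: it creates the CMK pointer, the wrapped CEK, and a table with one deterministic and one randomized column, then queries the catalog to show what the server actually holds. The names (CMK_Patients, CEK_Patients, dbo.Patients), the certificate thumbprint and the ENCRYPTED_VALUE are placeholders/assumptions; the wrapped CEK bytes must come from SSMS or PowerShell because the CMK never exists on the server.

```sql
-- Added example, not from the deck: the T-SQL part of an Always Encrypted setup.
-- Assumed names: CMK_Patients, CEK_Patients, dbo.Patients, and a certificate in the
-- client's CurrentUser\My store (the thumbprint below is a placeholder).

-- 1. Column Master Key: metadata only. The server stores a pointer to the external
--    store, never the key itself, so a DBA cannot use it to decrypt anything.
CREATE COLUMN MASTER KEY CMK_Patients
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/0000000000000000000000000000000000000000'  -- placeholder thumbprint
);

-- 2. Column Encryption Key: stored as ciphertext under the CMK. ENCRYPTED_VALUE cannot
--    be computed in T-SQL (the CMK is never on the server): generate it with the SSMS
--    wizard or PowerShell (New-SqlColumnEncryptionKeyEncryptedValue) and paste it here.
CREATE COLUMN ENCRYPTION KEY CEK_Patients
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Patients,
    ALGORITHM = N'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00  -- placeholder: replace with the CMK-wrapped CEK bytes
);

-- 3. Encrypted columns. Deterministic = equality, joins, GROUP BY and indexes, but equal
--    plaintexts give equal ciphertexts (frequency analysis on small domains). Randomized
--    = no server-side operations at all. Deterministic string columns need a _BIN2
--    collation because comparisons happen on ciphertext bytes.
CREATE TABLE dbo.Patients (
    PatientId INT IDENTITY(1, 1) PRIMARY KEY,
    FullName  NVARCHAR(100) NOT NULL,
    SSN       CHAR(11) COLLATE Latin1_General_BIN2
              ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                              ENCRYPTION_TYPE = DETERMINISTIC,
                              ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    BirthDate DATE
              ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                              ENCRYPTION_TYPE = RANDOMIZED,
                              ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL
);
CREATE INDEX IX_Patients_SSN ON dbo.Patients (SSN);  -- possible only because SSN is deterministic

-- 4. Check what the server knows. The CMK row carries a path, not key material; the CEK
--    row carries only the wrapped bytes.
SELECT name, key_store_provider_name, key_path
FROM sys.column_master_keys;

SELECT k.name, v.encryption_algorithm_name, DATALENGTH(v.encrypted_value) AS cek_ciphertext_bytes
FROM sys.column_encryption_keys AS k
JOIN sys.column_encryption_key_values AS v
  ON v.column_encryption_key_id = k.column_encryption_key_id;

SELECT c.name, c.encryption_type_desc, c.encryption_algorithm_name
FROM sys.columns AS c
WHERE c.object_id = OBJECT_ID(N'dbo.Patients')
  AND c.encryption_type IS NOT NULL;
```

The last three queries are the check worth running after the wizard: if sys.column_master_keys shows a provider and path you do not control, or sys.columns shows DETERMINISTIC on a column with a small value domain, the configuration does not give the protection the slide describes.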
Always Encrypted Client Configuration
Connection string: Column Encryption Setting=Enabled
Single command: SqlCommand.ColumnEncryptionSetting
- Values: Disabled, Enabled, ResultSetOnly, UseConnectionSetting
- ResultSetOnly decrypts the result set but skips the call to sys.sp_describe_parameter_encryption for the command's parameters (useful when the parameters target columns that are not encrypted)
Always Encrypted Parameters
Parameterized statements require a round-trip
- Call to sys.sp_describe_parameter_encryption
- Returns the column key metadata and the encrypted key
- .NET Framework 4.6.2 avoids the round-trip for repeated statements with a cache on the application tier
In general
- No ad-hoc queries with literal predicates
- No operations involving ciphertexts and plaintexts together
- Nothing that requires unencrypted data on the server
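What the round-trip and the "in general" rules mean in practice, as an added example that is not from the deck. It assumes a table dbo.Patients with an Always Encrypted SSN column (deterministic) and BirthDate column (randomized) sharing one CEK; statements marked "app" are the parameterized commands a client with Column Encryption Setting=Enabled would send, the rest run from any connection (e.g. SSMS without the setting).

```sql
-- Added example, not from the deck. Assumes dbo.Patients with SSN (deterministic) and
-- BirthDate (randomized) as Always Encrypted columns sharing one CEK.

-- The round-trip the driver makes before sending a parameterized statement: the server
-- parses the batch and reports which parameters touch encrypted columns.
EXEC sys.sp_describe_parameter_encryption
    @tsql   = N'SELECT PatientId, FullName FROM dbo.Patients WHERE SSN = @ssn',
    @params = N'@ssn char(11)';
-- Result set 1: CEK metadata (CMK provider/path, CMK-wrapped CEK bytes) for the driver to unwrap.
-- Result set 2: per parameter, whether it must be encrypted and with which CEK/type/algorithm.
-- .NET Framework 4.6.2 caches this per statement, so later executions skip the round-trip.

-- app: works. @ssn is encrypted client-side with the deterministic scheme, the server
-- compares ciphertext bytes, and the index on SSN can be used for the seek.
--   SELECT PatientId, FullName FROM dbo.Patients WHERE SSN = @ssn;

-- Fails with "Operand type clash": a literal is plaintext and the server has no key to
-- encrypt it. This is the "no ad-hoc queries with literal predicates" rule.
SELECT PatientId FROM dbo.Patients WHERE SSN = '123-45-6789';

-- app: fails. LIKE, <, >, arithmetic and string functions need plaintext on the server,
-- which Always Encrypted never has, even for deterministic columns.
--   SELECT PatientId FROM dbo.Patients WHERE SSN LIKE '123%';

-- app: fails. Randomized columns allow no server-side operation, not even equality.
--   SELECT PatientId FROM dbo.Patients WHERE BirthDate = @dob;

-- Works from ANY connection, decryption not needed: deterministic ciphertexts group and
-- join on their own. Useful for the application, but also why deterministic is weaker:
-- a DBA sees one ciphertext per distinct plaintext together with its frequency.
SELECT SSN AS ssn_ciphertext, COUNT(*) AS patients
FROM dbo.Patients
GROUP BY SSN
ORDER BY patients DESC;
```

The last query is the one to keep in mind when choosing the encryption type: on a column like Sex or a status flag it returns two or three ciphertexts with counts, which is all an attacker with server access needs to map them back to plaintext.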
Always Encrypted Demo
Row-Level Security
https://msdn.microsoft.com/en-us/library/dn765131.aspx
Row-Level Security Overview
- Restricts access to a subset of rows
- Based on security predicates, defined as inline table-valued functions
- Filter predicates silently restrict the rows available to read operations: SELECT, UPDATE and DELETE
- Block predicates raise an error on write operations that violate the predicate: AFTER INSERT, AFTER/BEFORE UPDATE, BEFORE DELETE
- A security policy applies security predicates to tables
Row-Level Security: how it works (figure: application, nurse, policy manager, security policy and the Patients table in the database)
1. The policy manager creates in T-SQL a predicate that filters data based on the user ID, and a security policy that binds the predicate to the Patients table:
    CREATE FUNCTION dbo.fn_securitypredicate(@wing int)
    RETURNS TABLE WITH SCHEMABINDING AS
    RETURN SELECT 1 AS [fn_securitypredicate_result]
           FROM StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId)
           WHERE e.UserSID = SUSER_SID() AND @wing = d.Wing;
    CREATE SECURITY POLICY dbo.SecPol
    ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON Patients
    WITH (STATE = ON);
2. The user (e.g. the nurse) selects from the Patients table:
    SELECT * FROM Patients
3. The security policy transparently rewrites the query, applying the predicate (conceptually, a semi-join with the predicate function; SEMIJOIN APPLY is notation from the documentation, not T-SQL syntax):
    SELECT * FROM Patients SEMIJOIN APPLY dbo.fn_securitypredicate(patients.Wing);
   which is equivalent to:
    SELECT Patients.* FROM Patients, StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId)
    WHERE e.UserSID = SUSER_SID() AND Patients.wing = d.Wing;
https://msdn.microsoft.com/en-us/library/dn765131.aspx
Row-Level Security & Multi-Tenancy
- Restricts tenant access when shards share the same tables
- Assumes there is a column identifying the tenant
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-elastic-tools-multi-tenant-row-level-security
Image source: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-elastic-tools-multi-tenant-row-level-security
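A complete multi-tenant policy with both predicate kinds from the overview, as an added example that is not from the deck or the linked Azure sample: the tenant comes from SESSION_CONTEXT instead of SUSER_SID(), and block predicates stop a tenant from inserting or moving rows into another tenant. The Security schema, dbo.Orders, TenantId, AppUser and the sample rows are assumed/constructed.

```sql
-- Added example, not from the deck: multi-tenant Row-Level Security keyed on
-- SESSION_CONTEXT, with a filter predicate and two block predicates.
-- Names (Security schema, dbo.Orders, TenantId, AppUser) and sample rows are constructed.
CREATE TABLE dbo.Orders (
    OrderId  INT IDENTITY(1, 1) PRIMARY KEY,
    TenantId INT NOT NULL,
    Amount   DECIMAL(10, 2) NOT NULL
);
INSERT INTO dbo.Orders (TenantId, Amount)
VALUES (1, 10.00), (1, 20.00), (2, 99.00);   -- constructed sample rows
GO
-- Keep the predicate in a schema the application principal has no rights on.
CREATE SCHEMA Security;
GO
-- Inline TVF with SCHEMABINDING: a row means "allowed", no rows means "hidden".
-- A NULL session context compares UNKNOWN, so a connection that never set a tenant
-- sees nothing: the safe default is "no rows", not "all rows".
CREATE FUNCTION Security.fn_tenantPredicate(@TenantId INT)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS INT);
GO
-- Filter: hides other tenants' rows from SELECT/UPDATE/DELETE.
-- Block AFTER INSERT / AFTER UPDATE: a row cannot be created for, or moved to, another
-- tenant. Without AFTER UPDATE, "UPDATE ... SET TenantId = 2" would succeed and the row
-- would simply vanish from tenant 1's view.
CREATE SECURITY POLICY Security.TenantPolicy
    ADD FILTER PREDICATE Security.fn_tenantPredicate(TenantId) ON dbo.Orders,
    ADD BLOCK PREDICATE Security.fn_tenantPredicate(TenantId) ON dbo.Orders AFTER INSERT,
    ADD BLOCK PREDICATE Security.fn_tenantPredicate(TenantId) ON dbo.Orders AFTER UPDATE
    WITH (STATE = ON, SCHEMABINDING = ON);
GO
-- Least privilege for the application principal: DML on the table, nothing on Security.
CREATE USER AppUser WITHOUT LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO AppUser;
GO
-- The application sets the tenant once, right after opening the connection.
-- @read_only = 1 pins it for the session, so a later sp_set_session_context (for
-- instance smuggled in through SQL injection on the same connection) cannot switch tenants.
EXEC sys.sp_set_session_context @key = N'TenantId', @value = 1, @read_only = 1;

EXECUTE AS USER = 'AppUser';
SELECT OrderId, Amount FROM dbo.Orders;                        -- OrderId 1 and 2 only
SELECT COUNT(*) AS visible_rows FROM dbo.Orders;               -- 2: tenant 2's row is silently filtered
INSERT INTO dbo.Orders (TenantId, Amount) VALUES (2, 5.00);    -- error: block predicate (AFTER INSERT)
UPDATE dbo.Orders SET TenantId = 2 WHERE OrderId = 1;          -- error: block predicate (AFTER UPDATE)
DELETE dbo.Orders WHERE OrderId = 3;                           -- 0 rows: not visible, so not deletable
REVERT;
```

Two things to verify on a real deployment: that the application principal has no permission on the Security schema (otherwise it can ALTER the function or the policy), and that every code path sets the session context before the first query, since the NULL case hides everything rather than failing loudly.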
Row Level Security Demo
Dynamic Data Masking
https://msdn.microsoft.com/en-us/library/mt130841.aspx
Dynamic Data Masking
(figure: a Table.CreditCardNo column with values 4465-6571-7868-5796, 4468-7746-3848-1978, 4484-5434-6858-6550, returned masked to users without permission to unmask)
- Masking applied in real time, on query results
- Different mask types, including partial masks
- Rule/permission based, at column level
- Permission to unmask
- Azure SQL Database: configuration in the portal
https://msdn.microsoft.com/en-us/library/mt130841.aspx
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-dynamic-data-masking-get-started
Dynamic Data Masking Demo
Dynamic Data Masking Functions
- Default: type dependent ('X' characters for strings, 0 for numeric types, 01.01.1900 00:00:00.0000000 for date/time types)
- Email: aXXX@XXXX.com
- Random: an integer in a given range (numeric types)
- Custom string: partial(prefix length, padding string, suffix length)
Dynamic Data Masking Permissions
- CREATE TABLE and ALTER TABLE to define masks, plus ALTER ANY MASK (with ALTER on the table)
- UNMASK to see the unmasked data
- Users without UNMASK but with UPDATE can still update the masked data!
Dynamic Data Masking Gotchas
- Beware when moving data: export/import, SELECT...INTO and INSERT...SELECT...FROM run by a user without UNMASK copy the masked values
- Brute-force techniques: value inference with range predicates (the WHERE clause is evaluated on the real data, only the output is masked), or joining the masked column to a domain table of candidate values
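The functions, permissions and both gotchas in one script, as an added example that is not from the deck. dbo.Customers, dbo.Customers_Export, AppReader and the sample rows are constructed; the UNMASK grant is database-wide, which is how SQL Server 2016 exposes it.

```sql
-- Added example, not from the deck: the four mask functions, the UNMASK permission, and
-- the gotchas (masked copies, updates without UNMASK, inference). Names and rows are constructed.
CREATE TABLE dbo.Customers (
    CustomerId   INT IDENTITY(1, 1) PRIMARY KEY,
    FullName     NVARCHAR(100) MASKED WITH (FUNCTION = 'default()') NOT NULL,
    Email        NVARCHAR(256) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    CreditCardNo CHAR(19)      MASKED WITH (FUNCTION = 'partial(0,"xxxx-xxxx-xxxx-",4)') NOT NULL,
    Salary       INT           MASKED WITH (FUNCTION = 'random(1,9)') NOT NULL
);
INSERT INTO dbo.Customers (FullName, Email, CreditCardNo, Salary) VALUES
    (N'Alice Rossi', N'alice.rossi@example.com', '4465-6571-7868-5796', 62000),
    (N'Bruno Verdi', N'bruno.verdi@example.com', '4468-7746-3848-1978', 48000);  -- constructed

-- Plain destination table (no masks), to show what a copy made by a masked user contains.
CREATE TABLE dbo.Customers_Export (
    CustomerId INT, FullName NVARCHAR(100), Email NVARCHAR(256), CreditCardNo CHAR(19), Salary INT
);
CREATE USER AppReader WITHOUT LOGIN;
GRANT SELECT, UPDATE ON dbo.Customers TO AppReader;
GRANT SELECT, INSERT ON dbo.Customers_Export TO AppReader;
GO
EXECUTE AS USER = 'AppReader';
-- Masked output: 'XXXX', 'aXXX@XXXX.com', 'xxxx-xxxx-xxxx-5796', a random 1..9 for Salary.
SELECT * FROM dbo.Customers;

-- Gotcha 1, moving data: the copy holds the MASKED values. An export taken by a masked
-- principal is silently garbage; the same happens with SELECT ... INTO or an ETL tool.
INSERT INTO dbo.Customers_Export (CustomerId, FullName, Email, CreditCardNo, Salary)
SELECT CustomerId, FullName, Email, CreditCardNo, Salary FROM dbo.Customers;

-- Gotcha 2, inference: predicates run on the real data, only the projection is masked.
-- A range predicate leaks the hidden value; bisecting the range recovers it exactly.
SELECT CustomerId FROM dbo.Customers WHERE Salary > 50000;             -- returns Alice's id
SELECT CustomerId FROM dbo.Customers WHERE CreditCardNo LIKE '4465%';  -- returns Alice's id
-- A domain table does the same for categorical values: join the masked column to a list
-- of candidates and read the match from the candidate column, which is not masked.

-- Gotcha 3: UPDATE permission is enough to change what you cannot read.
UPDATE dbo.Customers SET Salary = 0 WHERE CustomerId = 2;
REVERT;

-- What the export contains, seen by a principal that is not masked on the export table:
SELECT * FROM dbo.Customers_Export;   -- 'XXXX', 'aXXX@XXXX.com', 'xxxx-xxxx-xxxx-5796', ...

-- UNMASK is a database-level permission in SQL Server 2016, not per column.
GRANT UNMASK TO AppReader;
EXECUTE AS USER = 'AppReader';
SELECT * FROM dbo.Customers;          -- real values now
REVERT;
```

The practical conclusion matches the slide: DDM limits accidental exposure in application output, but a principal with SELECT and a WHERE clause can still recover masked values, and a principal with UPDATE can overwrite them, so it is not an access-control boundary and does not replace Row-Level Security or encryption.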
Azure SQL Database Only
"SQL Database Auditing"
- Similar to SQL Server Audit
- No T-SQL support (portal, PowerShell, REST API)
- Event destinations: a table in Azure Storage Table, or a file in Azure Storage Blob
- Analysis: Extended Events file (SSMS, PowerShell, C# library); pre-configured Excel file with Power Query
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing-get-started
SQL Database Threat Detection (preview)
- Simple per-database option to activate
- Requires "SQL Database Auditing" to be enabled
- Detects potential threats/vulnerabilities: SQL injection style attacks; unusual access (e.g. from unusual locations)
- Real-time alerts, with recommendations on what to investigate and how to mitigate/remediate
https://myignite.microsoft.com/videos/2998
Azure Security Center
- Service to manage security resources in Azure
- Recommendations also for Azure SQL Database: encryption (e.g. TDE); audit & monitoring (e.g. server/database auditing); Dynamic Data Masking (e.g. for sensitive data)
https://azure.microsoft.com/en-us/services/security-center
Demos in https://myignite.microsoft.com/videos/2998
Resources
- Documentation: http://aka.ms/AlwaysEncrypted
- SQL Server Security Blog: https://blogs.msdn.microsoft.com/sqlsecurity
- MVA Course: https://mva.microsoft.com/en-US/training-courses/16076
- GitHub samples: https://github.com/Microsoft/azure-sql-security-sample and https://github.com/Microsoft/sql-server-samples
#sqlsat589 Thanks! Q&A