Encryption in SQL Server
Michał Sadowski
@SadowskiMichal
SQLSat Kyiv Team: Yevhen Nedashkivskyi, Alesya Zhuk, Eugene Polonichko, Oksana Borysenko, Mykola Pobyivovk, Oksana Tkach
Our Awesome Sponsors
Few words about me
- Based in Kraków, Poland
- Leader of Data Community (former Polish SQL Server User Group) Kraków chapter
- SQL Server Database Administrator in an international corporation
- Microsoft Certified Professional since 2005, Microsoft Certified Solution Expert: Data Platform
- Interests: Disaster Recovery, High Availability
Agenda
- Introduction
- Data protection
- Access control
- Demo after each section
- Summary
Introduction
- Security concerns are not the highest priority in the early phase of company growth
- Database administrators (and also developers) are not interested in security…
- … until the first security incident involving a data leak
- But then it can be too late
- Getting to know all the built-in features can make our life significantly easier (and secure our workplace)
- Starting from May 2018, the EU introduces the General Data Protection Regulation (http://www.eugdpr.org/key-changes.html)
Examples of data leak incidents
- Wonga (04.2017) – 270k accounts
- Snapchat (04.2017) – 1,7M accounts
- Lynda.com (12.2016) – 55k accounts, possible 9,5M
- ClixSense (09.2016) – 6,6M accounts
- Yahoo (09.2016) – 500M accounts
- Dropbox (08.2016) – 68M accounts
- AshleyMadison (07.2015) – 37M accounts
- MySpace (05.2016) – 427M accounts
- HackingTeam (07.2015) – 400 GB documents
- JPMorganChase (10.2014) – 76M accounts
- Adobe (10.2013) – 38M accounts
More information: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Data Protection
- Encryption in transit:
  - Transport Layer Security (SSL/TLS)
- Encryption at rest:
  - Backup encryption
  - Transparent Data Encryption
  - Cell level encryption
- Encryption in use (client side):
  - Always Encrypted
Transport Layer Security / SSL
- Data sent over the network is not encrypted in any manner
- Using well-known tools (e.g. Wireshark) you can eavesdrop on transferred data
- Possible issues with certificate permissions
- Alternatively, IPSec can be used to encrypt traffic
DEMO #1 Transport Layer Security / SSL
Backup Encryption
- Available in SQL Server starting with version 2008 R2
- Data is secured by a database key and a certificate
- To restore an encrypted backup you need the valid certificate that was used for encryption
- An encrypted backup protects against data leakage from backups taken outside the company
- Eliminates the risk of introducing changes to the production system by restoring a modified backup
- Alternatively, Encrypting File System or BitLocker can be used
DEMO #2 Backup Encryption
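The certificate dependency described on the Backup Encryption slide, as an added T-SQL example (not the speaker's demo script). `SalesDb`, `BackupCert`, the `D:\` paths and the passwords are placeholders.

```sql
-- Added example. SalesDb, BackupCert, the D:\ paths and the passwords are
-- placeholders. BACKUP ... WITH ENCRYPTION syntax: SQL Server 2014 and later.
USE master;
GO
-- The database master key in master protects the certificate's private key.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master-key-password>';
GO
CREATE CERTIFICATE BackupCert
    WITH SUBJECT = 'Backup encryption certificate';
GO
-- Export the certificate and private key immediately and store them away
-- from the backups: without them the backup cannot be restored elsewhere.
BACKUP CERTIFICATE BackupCert
    TO FILE = 'D:\Keys\BackupCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\Keys\BackupCert.pvk',
                      ENCRYPTION BY PASSWORD = '<private-key-password>');
GO
BACKUP DATABASE SalesDb
    TO DISK = 'D:\Backup\SalesDb_enc.bak'
    WITH COMPRESSION,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert);
GO
-- Confirm which backups are encrypted and by which certificate.
SELECT TOP (5) database_name, backup_finish_date,
       key_algorithm, encryptor_type, encryptor_thumbprint
FROM msdb.dbo.backupset
WHERE database_name = N'SalesDb'
ORDER BY backup_finish_date DESC;
GO
-- On the restore target (a different instance with its own master key in
-- master): recreate the certificate from the exported files, then restore.
CREATE CERTIFICATE BackupCert
    FROM FILE = 'D:\Keys\BackupCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\Keys\BackupCert.pvk',
                      DECRYPTION BY PASSWORD = '<private-key-password>');
GO
RESTORE DATABASE SalesDb
    FROM DISK = 'D:\Backup\SalesDb_enc.bak';
```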
Transparent Data Encryption
- Encryption of a single database
- tempdb is also encrypted
- Available in SQL Server 2008+
- Caution:
  - Bug in SQL Server 2016 DMV
  - Backup compression
- It is not as secure as it looks: http://simonmcauliffe.com/technology/tde/
DEMO #3 Transparent Data Encryption
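Enabling TDE and checking its effect, including the tempdb entry the slide mentions, as an added T-SQL example (not the speaker's demo script). `SalesDb`, `TdeCert` and the password are placeholders.

```sql
-- Added example. SalesDb, TdeCert and the password are placeholders.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master-key-password>';
GO
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate';
GO
USE SalesDb;
GO
-- The database encryption key lives in the database and is protected by
-- the server certificate stored in master.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- encryption_state: 2 = encryption in progress, 3 = encrypted.
-- tempdb is listed here once any user database on the instance uses TDE.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO
-- Disaster-recovery check: a NULL pvt_key_last_backup_date means the private
-- key has never been exported, so the database cannot be restored elsewhere.
SELECT name, thumbprint, pvt_key_last_backup_date, expiry_date
FROM master.sys.certificates
WHERE name = N'TdeCert';
```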
Cell level encryption
- Allows encrypting a column in a table with sensitive data like credit card numbers, SSN, etc.
- It uses a symmetric key and a certificate
- Administrator can see data in encrypted columns
- Data is encrypted at the database level, so it is sent over the network in unencrypted form
- Available starting from SQL Server 2008
DEMO #4 Cell Level Encryption
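The symmetric key and certificate chain from the Cell level encryption slide, as an added T-SQL example (not the speaker's demo script). All object names, the password and the card number are constructed.

```sql
-- Added example. SalesDb, CardCert, CardKey, dbo.Customers, the password and
-- the card number are constructed placeholders.
USE SalesDb;
GO
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master-key-password>';
GO
-- Key hierarchy: master key -> certificate -> symmetric key -> column data.
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects CardKey';
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO
CREATE TABLE dbo.Customers (
    CustomerId    INT IDENTITY PRIMARY KEY,
    Name          NVARCHAR(100) NOT NULL,
    CardNumberEnc VARBINARY(256) NULL   -- ciphertext, not the number itself
);
GO
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;

-- Encryption happens on the server: the plaintext literal below still
-- crosses the network, so TLS is needed in addition to this feature.
INSERT INTO dbo.Customers (Name, CardNumberEnc)
VALUES (N'Constructed Customer',
        ENCRYPTBYKEY(KEY_GUID('CardKey'), N'4111111111111111'));

-- Anyone who can open the key (including an administrator) reads plaintext.
SELECT Name,
       CardNumberEnc,
       CONVERT(NVARCHAR(32), DECRYPTBYKEY(CardNumberEnc)) AS CardNumber
FROM dbo.Customers;

CLOSE SYMMETRIC KEY CardKey;
GO
-- With the key closed, DECRYPTBYKEY returns NULL instead of raising an error.
SELECT Name,
       CONVERT(NVARCHAR(32), DECRYPTBYKEY(CardNumberEnc)) AS CardNumber
FROM dbo.Customers;
```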
Always Encrypted
- Designed to protect sensitive data such as credit card numbers, SSN, etc.
- Data is encrypted at the client application (requires .NET 4.6.2), before it is sent to the database server
- Can be used in the following scenarios:
  - Third party company is hosting/managing our servers
  - Client application is hosted on-premises, data stored in the cloud
  - Both client application and database are in the cloud
- Introduced in SQL Server 2016
DEMO #5 Always Encrypted
Control Access
- Database access:
  - SQL Server authentication
  - Active Directory
  - Granular permissions
- Application access:
  - Row-Level Security
  - Static Data Masking
  - Dynamic Data Masking
Row-Level Security
- Control access at the row level based on query characteristics
- Two types of predicates:
  - Filtering for SELECT, UPDATE and DELETE
  - Blocking for write operations (AFTER INSERT, AFTER UPDATE, BEFORE UPDATE, BEFORE DELETE)
- Filtering does not protect against executing the query!
DEMO #6 Row-Level Security
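The two predicate types from the Row-Level Security slide applied to one table, as an added T-SQL example for SQL Server 2016 or later (not the speaker's demo script). The table, schema, function, policy and user names are constructed.

```sql
-- Added example; every object and user name below is constructed.
CREATE TABLE dbo.Orders (
    OrderId  INT PRIMARY KEY,
    SalesRep SYSNAME NOT NULL,
    Amount   MONEY NOT NULL);
-- Load sample rows before the policy exists (block predicates apply to dbo too).
INSERT INTO dbo.Orders VALUES (1, N'Rep1', 100), (2, N'Rep2', 250);
CREATE USER Rep1 WITHOUT LOGIN;
CREATE USER Rep2 WITHOUT LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO Rep1, Rep2;
GO
CREATE SCHEMA Security;
GO
-- Inline table-valued function: the row is accessible when it returns a row.
CREATE FUNCTION Security.fn_OrderPredicate (@SalesRep AS SYSNAME)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS allowed WHERE @SalesRep = USER_NAME();
GO
CREATE SECURITY POLICY Security.OrderPolicy
    ADD FILTER PREDICATE Security.fn_OrderPredicate(SalesRep) ON dbo.Orders,
    ADD BLOCK PREDICATE Security.fn_OrderPredicate(SalesRep)
        ON dbo.Orders AFTER INSERT,
    ADD BLOCK PREDICATE Security.fn_OrderPredicate(SalesRep)
        ON dbo.Orders AFTER UPDATE
    WITH (STATE = ON);
GO
EXECUTE AS USER = 'Rep1';

-- Filter predicate: the query runs, other users' rows are silently left out.
SELECT OrderId, SalesRep, Amount FROM dbo.Orders;

-- Filter predicate on UPDATE: no error, the filtered row is simply not touched.
UPDATE dbo.Orders SET Amount = 0 WHERE OrderId = 2;

-- Block predicate AFTER INSERT: the statement fails, the row is not written.
INSERT INTO dbo.Orders VALUES (3, N'Rep2', 999);

-- Block predicate AFTER UPDATE: a row cannot be reassigned to another user.
UPDATE dbo.Orders SET SalesRep = N'Rep2' WHERE OrderId = 1;

REVERT;
```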
Dynamic Data Masking
- Masks potentially sensitive data from users without the required privileges
- Masking is applied to the results of the query
- Dynamic Data Masking is complementary to other security features and should be used together with e.g. Row-Level Security
- Susceptible to specially crafted queries:
  SELECT ID, Name, Salary FROM Employees WHERE Salary > 99999 and Salary < 100001;
DEMO #7 Dynamic Data Masking
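Why the range query on the Dynamic Data Masking slide works, and a column-level permission that stops it, as an added T-SQL example for SQL Server 2016 or later (not the speaker's demo script). The table definition, rows and the `Analyst` user are constructed.

```sql
-- Added example; the table definition, rows and the Analyst user are constructed.
CREATE TABLE dbo.Employees (
    ID     INT PRIMARY KEY,
    Name   NVARCHAR(100) NOT NULL,
    Salary INT MASKED WITH (FUNCTION = 'default()') NOT NULL
);
INSERT INTO dbo.Employees (ID, Name, Salary)
VALUES (1, N'Constructed Person A', 100000),
       (2, N'Constructed Person B', 55000);

CREATE USER Analyst WITHOUT LOGIN;      -- has SELECT but not UNMASK
GRANT SELECT ON dbo.Employees TO Analyst;
GO
EXECUTE AS USER = 'Analyst';

-- The mask is applied to the result set only: Salary is shown as 0.
SELECT ID, Name, Salary FROM dbo.Employees;

-- The WHERE clause is evaluated against the real values, so the slide's
-- query still returns the matching row (with a masked Salary column).
SELECT ID, Name, Salary FROM dbo.Employees
WHERE Salary > 99999 AND Salary < 100001;

REVERT;
GO
-- Mitigation: masking is not access control. If the user must not learn the
-- value at all, deny the column so it cannot be referenced in any clause.
DENY SELECT ON dbo.Employees (Salary) TO Analyst;
GO
EXECUTE AS USER = 'Analyst';

-- Still allowed: columns the user may read.
SELECT ID, Name FROM dbo.Employees;

-- Now rejected with a permission error, because Salary is referenced.
SELECT ID, Name FROM dbo.Employees
WHERE Salary > 99999 AND Salary < 100001;

REVERT;
```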
Summary
- SQL Server delivers many encryption features
- In highly complex environments, pay attention to all elements of the data chain (e.g. SSL between servers, not only client facing)
- Blindly applied features give a false impression of security
- When using encryption, pay attention to Disaster Recovery documentation (and of course test it!)
Resources:
- SSL: https://support.microsoft.com/en-us/help/316898
- TDE: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-tde
- Breaking TDE: http://simonmcauliffe.com/technology/tde/
- Always Encrypted: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine
- RLS: https://docs.microsoft.com/en-us/sql/relational-databases/security/row-level-security
- DDM: https://docs.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking
Questions?: michal.sadowski@hotmail.com @SadowskiMichal
Thank you!