End to End Security and Encryption in SQL Server

Slides:



Advertisements
Similar presentations
Overview and Roadmap for Microsoft SQL Server Security
Advertisements

Gavin Payne Transparent Data Encryption The Hows, Whys and Whens.
An Encryption Primer Steve Jones Editor in Chief SQLServerCentral.
How to Take Advantage of Contained Databases in SQL Server 2012 Steve Jones SQLServerCentral Red Gate Software.
ORACLE DATABASE SECURITY
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
Roy Ernest Database Administrator Pinnacle Sports Worldwide SQL Server 2008 Transparent Data Encryption.
SEC835 Practical aspects of security implementation Part 1.
Kristina Rumpff Securing Data on your Terms DAT33 1.
SQLintersection Session: Tuesday, 12:00-1:00pm NEW SECURITY FEATURES IN SQL SERVER 2016 & AZURE SQL DB Aaron Bertrand
#SQLSAT454 SQL Server 2016 New Security Features Gianluca
SQL SATURDAY #444 – Kansas City, MO. A LOOK AT ALWAYS ENCRYPTED SQL SATURDAY #444 – KANSAS CITY, MO DAVE WALDEN PRINCIPAL SOLUTIONS ARCHITECT DB BEST.
The Encryption Primer Steve Jones Editor SQLServerCentral.
Overview of Security Investments in SQL Server 2016 and Azure SQL Database Jamey Johnston 1/15/2016Security Investments in SQL Server 2016 and Azure SQL.
The Spy who loathed me An Introduction to SQL Security.
March 7, 2013 SQL Encryption and You By Todd Kleinhans
Over 18 yrs experience with SQL Server
Secure SQL Database with TDE Thomas Chan SQL Saturday Raleigh.
End to End Always Encrypted in SQL Server 2016 Steve Jones SQLServerCentral Redgate Software.
SQL Server 2016 Security Features Marek Chmel Microsoft MVP: Data Platform Microsoft MCT: Regional Lead MCSE: Data Platform Certified Ethical Hacker.
SQL Server Encryption Ben Miller Blog:
The Spy who loathed me An Introduction to SQL Security.
Session Name Pelin ATICI SQL Premier Field Engineer.
Data Security with Power BI, SSAS, SQL Server 2016 and Active Directory June 10, 2017.
Azure SQL Database Updates
Securing Your Data With SQL 2016 (An overview of Always Encrypted)
Bringing DevOps to the Database
Bringing DevOps to the Database
Recommended Practices & Fundamentals
SQL Server 2016 Security and Privacy Features
Why are you still taking backups?
On-premise database. Files in the cloud.
Hiding Data from Prying eyes: Using SQL Server 2016 Always Encrypted
Enterprise Row Level Security: SQL Server 2016 and Azure SQL DB
Securing Data with SQL Server 2016
Securing SQL Server 2016 Databases
Overview of Security Investments
Bringing DevOps to the Database
Who am I Hector Villafuerte
Planning an Effective Upgrade from SQL Server 2008
Encryption in SQL Server
Power BI Security Best Practices
Always Encrypted, Data Masking, Row Level Security
SQL Server 2016 Security Features
Always Encrypted in the Real World
Security enhancements in SQL Server 2016
Bringing DevOps to the Database
6 Principles of the GDPR and SQL Provision
Encrypting Data within SQL Server
What is the Azure SQL Datawarehouse?
Encryption Not just for the NSA anymore
Beginners 101 Guide To Always Encrypted
Overview of Security Investments
Migrating your SQL Server Instance
Security Enhancements in SQL Server 2016
Hidden gems of SQL Server 2016
Row Level Security in SQL Azure and in On Premise
Bringing DevOps to the Database
Stretch Database - Historical data storage in SQL Server 2016
Secure/Encrypt SQL Server Database With TDE
SQL Server 2016 Security Features
Erin Dempster SQL Server 2019 Sneak Peek.
Adopting a Compliant Database DevOps Process
The Future of Database Development
Adopting a Compliant Database DevOps Process
Stefano Tempesta Secure Machine Learning with SQL Server Always Encrypted with Secure Enclaves.
The Future of Database Development
The Future of Database Development (with containers)
SQL in the City Summit.
Presentation transcript:

End to End Security and Encryption in SQL Server Steve Jones Editor, SQLServerCentral Evangelist, Redgate Software Protecting data from unauthorized access becomes more important all the time. SQL Server includes a number of features that make data protection and security easier for developers and DBAs with a framework for protecting data. Come learn how Always Encrypted, TDE, Row Level Security, Dynamic Data Masking, and column level encryption can protect your systems. You will learn: About the different encryption and security features in SQL Server Understand the code changes required for encryption mechanisms Gain a basic understanding of RLS and DDM, which do not require code changes to help protect data

Agenda Bio SQL Server Security Enhancements Encryption Overview Always Encrypted Row Level Security (RLS) Column Level Encryption Transparent Data Encryption (TDE) Dynamic Data Masking (DDM) Summary

Steve Jones 26 years SQL Server data experience DBA, developer, manager, writer, speaker in a variety of companies and industries Founder, SQLServerCentral And current editor, with the goal of helping you learn to be a better data professional every day Steve Jones Evangelist, Redgate Software Editor, SQLServerCentral 10 years Microsoft Data Platform MVP steve I am honored to be recognized by Microsoft for the last decade as an MVP /in/way0utwest @way0utwest www.voiceofthedba.com

SQL Server 2017 Security Enhancements CLR Strict Security implemented by default

SQL Server 2016 Security Enhancements Default endpoint encryption changed (RC4 -> AES) Dynamic Data Masking Always Encrypted Row Level Security Credentials can be added at the database level TDE supports Intel AES-NI

Azure SQL Server Security Enhancements TDE Enabled by default TDE Customer Managed Keys Available Threat Detection available Vulnerability Assessment available

What is encryption? encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). - Wikipedia From Wikipedia

Encryption works with Functions and Keys plaintext The quick brown fox jumped over the lazy dog. ciphertext 0x00059E2EC7419F590E79D7F1B774BFE601000000DB80B8AC1B295E367FEAC63C4BD7B8F8FACD0151B57DF97FF2BBA1ED9626B0316043C62387BB8E5D4A17B33C48A554F2A9B28626BB250A153FEEF2BFEBCF92ECF6C421D47C84BF93074E54EF85C85B1C Encryption Function We use functions and keys, here’s an example. Describe The function’s complexity determines the resources required to perform encryption, and usually, the security of the encryption process. 0x0ae783b218d18 encryption key

Banks use a two stage protection. They use a very strong outer lock Banks use a two stage protection. They use a very strong outer lock., the bank vault door.

https://safedepositboxinsurance https://safedepositboxinsurance.com/wp-content/themes/sdbic/images/solution-callout.jpg

X.509 Certificate Symmetric Key The quick brown fox jumped over the lazy dog.

Always Encrypted

Client Server CMK ADO.NET Have AE Query 228ba8e Select name, cc From Cust Where cc = '12345' CEK CustID Name CC Email 1 Steve 7de8a76 sjones 2 Andy de527e7a awarren trusted untrusted

Client Server Symmetric Key CMK ADO.NET Return Encrypted CEK 228ba8e Select name, cc From Cust Where cc = '12345' CEK 228ba8e CustID Name CC Email 1 Steve 7de8a76 sjones 2 Andy de527e7a awarren Symmetric Key trusted untrusted

Client Server Symmetric Key CMK ADO.NET Select name, cc From Cust Where cc = '7de8a76' Name CC Steve 7de8a76 228ba8e Select name, cc From Cust Where cc = '12345' CEK CustID Name CC Email 1 Steve 7de8a76 sjones 2 Andy de527e7a awarren Name CC Steve 5555 4444 trusted untrusted Symmetric Key

Demo Always Encrypted

Always Encrypted Limitations Strings require _BIN2 collation Limited datatypes Only equality comparisons (no <, >, like) No statistics on encrypted columns Max two Column Master Keys can be used No Defaults on encrypted columns No replication More

Row-Level Security

Row Level Security (RLS) Allow rows of data to be screened based on user characteristics Independent of other SQL Server security. Available in SQL Server 2016+ and Azure SQL Database The screening is done with a security predicate that examines the “user chracteristics” and returns a 1 for visible rows A security policy links a predicate to a particular table Filter predicates apply to reads Block predicates apply to writes

OrderHeader table OrderID OrderAmount SalespersonID 1001 5000.00 1 1002 1250.25 2 1003 922.13 1004 125.00 1005 4200.99 3 1006 1652.89 User Bob (SalespersonID 1) User sally (SalespersonID 2)

OrderHeader table OrderID OrderAmount SalespersonID 1001 5000.00 1 1002 1250.25 2 1003 922.13 1004 125.00 1005 4200.99 3 1006 1652.89 User Bob (SalespersonID 1) User sally (SalespersonID 2) Issue query Select * from OrderHeader Results OrderID OrderAmount SalespersonID 1001 5000.00 1 1004 125.00

OrderHeader table OrderID OrderAmount SalespersonID 1001 5000.00 1 1002 1250.25 2 1003 922.13 1004 125.00 1005 4200.99 3 1006 1652.89 User Bob (SalespersonID 1 User sally (SalespersonID 2 Issue query Issue query Select * from OrderHeader Select * from OrderHeader Results Results OrderID OrderAmount SalespersonID 1002 1250.25 2 1003 922.13 1006 1652.89 OrderID OrderAmount SalespersonID 1001 5000.00 1 1004 125.00

Demo Row Level Security

Row Level Security Limitations No Filestream No Polybase Data Leakage – From stats , CDC, queries More

Column Level Encryption

Column Level Encryption This is available in SQL Server 2005+ Uses symmetric or asymmetric keys to protect data Encryption is really by field, not column. Encryption operations occur in SQL Server Temporary keys may be used

Demo Column Level Encryption

Column Level Encryption – Limitations Quite a few algorithms are old Data is not necessarily protected from the DBA (can be. A little) Requires CPU resources on the server. Encrypted data does not compress. (compress, then encrypt) Symmetric keys are deterministic Requires code changes

Transparent Data Encryption Protects data at rest Encrypts data and log files (mdf, ndf, ldf) In SQL Server 2016 support for Intel AES-NI almost eliminates CPU impact Backup files encrypted Tempdb encrypted Enterprise Edition only.

Demo Transparent Data Encryption

Transparent Data Encryption Limitations Replication data is not encrypted Filestream data is not encrypted BPE files are not encrypted More Overhead (usually < 5%, workload dependent)

Dynamic Data Masking (DDM) Image: https://blogs.technet.microsoft.com/dataplatforminsider/2016/01/25/use-dynamic-data-masking-to-obfuscate-your-sensitive-data/

Dynamic Data Masking (DDM) No changes to data or storage DDM defines how data appears when queried. Does not require changes to application code This is a NOT ENCRYPTION This is an application programming convenience feature NOT SECURITY Image: https://blogs.technet.microsoft.com/dataplatforminsider/2016/01/25/use-dynamic-data-masking-to-obfuscate-your-sensitive-data/

Demo Dynamic Data Masking

Dynamic Data Masking - Limitations Does not work with Always Encrypted columns UNMASK is by database, not by table or column This is an all or nothing feature - data is masked for all rows, no exceptions The query plan, statistics, etc. do not mask data Attacks against the data are possible with adhoc queries Image: https://blogs.technet.microsoft.com/dataplatforminsider/2016/01/25/use-dynamic-data-masking-to-obfuscate-your-sensitive-data/

Summary SQL Server 2016+ includes a variety of encryption (and data protection) functions for server and client TDE protects data at rest Always Encrypted is for cases where the client is trusted, but not the server RLS is independent of other security mechanisms, but not perfect DDM is a security convenience feature Column Level encryption protects the data on the server.

The End Thank you for coming Questions? Ask at www.sqlservercentral.com/forums www.voiceofthedba.com sjones@sqlservercentral.com @way0utwest /in/way0utwest

References DDM Dynamic Data Masking (BOL) - https://msdn.microsoft.com/en-us/library/mt130841.aspx?f=255&MSPPError=-2147217396 https://blogs.technet.microsoft.com/dataplatforminsider/2016/01/25/use-dynamic-data-masking-to-obfuscate-your-sensitive-data/ A Very Quick Post on SQL Server 2016 Dynamic Data Masking - https://www.simple-talk.com/blogs/2015/06/10/a-very-quick-post-on-sql-server-2016-dynamic-data-masking/

References Column Level Encryption Row Level Security Always Encrypted DecryptbyKey - https://msdn.microsoft.com/en-us/library/ms181860.aspx Row Level Security MSDN - https://msdn.microsoft.com/library/dn765131.aspx Channel 9 - https://channel9.msdn.com/Shows/Data-Exposed/SQL-Server-2016-Row-Level-Security Always Encrypted BOL - https://msdn.microsoft.com/en-us/library/mt163865.aspx Channel 9 - https://channel9.msdn.com/Shows/Data-Exposed/Getting-Started-with-Always-Encrypted-with-SSMS?ocid=relatedentry

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.