Overview and Roadmap for Microsoft SQL Server Security (BRK2570)
Joachim Hammer & Jakub Szymaszek, Security Team, Database Systems Group
Security Investments
Encryption:
- Always Encrypted
- Enhancements to Crypto
- TDE for SQL DB, TDE Perf
- CLE for SQL DB
Secure App Development:
- Row-level Security
- Dynamic Data Masking
Auditing:
- Enhancements to SQL Audit
Always Encrypted (SQL Server 2016, SQL Database)
Customer Benefit
- Prevents Data Disclosure: client-side encryption of sensitive data using keys that are never given to the database system.
- Queries on Encrypted Data: support for equality comparison, incl. join, group by and distinct operators.
- Application Transparency: minimal application changes via server and client library enhancements.
Allows customers to securely store sensitive data outside of their trust boundary. Data remains protected from high-privileged, yet unauthorized users.
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
How it Works
Encrypted sensitive data and corresponding keys are never seen in plaintext in SQL Server.
(Diagram, client side of the SQL Server or SQL Database trust boundary:) the application issues "SELECT Name FROM Customers WHERE SSN = @SSN" with the parameter value "111-22-3333". The ADO.NET client library encrypts the parameter, so what crosses the trust boundary is "SELECT Name FROM Customers WHERE SSN = @SSN" with the ciphertext 0x7ff654ae6d.
(Diagram, server side:) dbo.Customers holds Name = 0x19ca706fbd9a (ciphertext), SSN = 0x7ff654ae6d (ciphertext), Country = USA. The server matches the encrypted parameter against the encrypted SSN column and returns a result set in which Name is still the ciphertext 0x19ca706fbd9a; ADO.NET decrypts it to "Wayne Jefferson" before handing the result set to the application.
Types of Encryption in v1
Randomized encryption
- Encrypt('123-45-6789') = 0x17cfd50a
- Repeat: Encrypt('123-45-6789') = 0x9b1fcf32
- Allows for transparent retrieval of encrypted data but NO operations
- More secure
Deterministic encryption
- Encrypt('123-45-6789') = 0x85a55d3f
- Repeat: Encrypt('123-45-6789') = 0x85a55d3f
- Allows for transparent retrieval of encrypted data AND equality comparison, e.g. in WHERE clauses and joins, distinct, group by
Key Provisioning
1. The Security Officer generates the Column Encryption Keys (CEKs) and the Column Master Key (CMK).
2. Each CEK is encrypted with the CMK, producing an Encrypted CEK.
3. The Master Key is stored securely in a CMK store: Certificate Store, HSM, Azure Key Vault, ...
4. The Encrypted CEK is uploaded to the Database.
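The provisioning steps and the two encryption types above, as an added T-SQL example (SQL Server 2016 syntax; not code from the deck). The key names MyCMK and MyCEK, the table dbo.Customers, the certificate thumbprint and the ENCRYPTED_VALUE blob are placeholders: the real encrypted CEK is produced by client-side tooling (the SSMS wizard or the .NET provider), never by the server.

```sql
-- Step 1 and 3: the Column Master Key lives in a store the database never
-- reads (certificate store, HSM, Azure Key Vault). The database only stores
-- metadata saying where it is. Thumbprint below is a placeholder.
CREATE COLUMN MASTER KEY MyCMK
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/<certificate-thumbprint-placeholder>'
);
GO

-- Step 2 and 4: the CEK is generated client-side, wrapped with the CMK
-- (RSA-OAEP) and only the wrapped blob is uploaded. ENCRYPTED_VALUE is a
-- placeholder here; the server never sees the plaintext CEK.
CREATE COLUMN ENCRYPTION KEY MyCEK
WITH VALUES (
    COLUMN_MASTER_KEY = MyCMK,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0170000000  -- placeholder, not a real wrapped key
);
GO

-- Name uses RANDOMIZED encryption (stronger, no server-side operations).
-- SSN uses DETERMINISTIC encryption so equality predicates, joins, GROUP BY
-- and DISTINCT work on it; deterministic string columns need a *_BIN2 collation.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    Name nvarchar(60)
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = MyCEK,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    SSN char(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = MyCEK,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    Country varchar(60)
);
GO

-- Statement text as sent by the application, with @SSN bound as a
-- SqlParameter over a connection that has Column Encryption Setting=Enabled.
-- The driver encrypts the parameter value before it leaves the client; the
-- server compares ciphertext with ciphertext. A literal in the WHERE clause
-- would be sent in plaintext and cannot match, since the server cannot
-- encrypt on the application's behalf.
SELECT Name FROM dbo.Customers WHERE SSN = @SSN;

-- Check: which columns are protected, with which type and key.
SELECT c.name, c.encryption_type_desc, c.encryption_algorithm_name,
       k.name AS cek_name
FROM sys.columns c
JOIN sys.column_encryption_keys k
  ON c.column_encryption_key_id = k.column_encryption_key_id
WHERE c.object_id = OBJECT_ID('dbo.Customers');
```

The catalog query at the end is the check to run after deployment: it confirms from the server's own metadata that the sensitive columns carry ENCRYPTED WITH metadata and which CEK they reference, without the server ever holding the key material.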
Demo: Always Encrypted
Row-Level Security (SQL Server 2016, SQL Database)
Customer Benefit
- Fine-grained Access Control: keeping multi-tenant databases secure by limiting access by other users who share the same tables.
- Application Transparency: RLS works transparently at query time, no app changes needed. Compatible with RLS in other leading products.
- Centralized Security Logic: enforcement logic resides inside the database and is schema-bound to the table it protects, providing greater security. Reduced application maintenance and complexity.
Store data intended for many consumers in a single database/table while at the same time restricting row-level read & write access based on users' execution context.
RLS Concepts
Predicate function
- User-defined inline table-valued function (iTVF) implementing security logic
- Can be arbitrarily complicated, containing joins with other tables
Security predicate
- Applies a predicate function to a particular table (SEMIJOIN APPLY)
- Two types: filter predicates and blocking predicates
Security policy
- Collection of security predicates for managing security across multiple tables
Example:
    CREATE SECURITY POLICY mySecurityPolicy
    ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime) ON dbo.patients
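The hospital pattern the slide's CREATE SECURITY POLICY statement refers to, built end to end as an added T-SQL example (not the deck's demo code). The tables dbo.Patients and dbo.StaffDuties, the users Nurse1 and Nurse2 and the sample rows are constructed for this example; it also adds a blocking predicate, the second predicate type the slide names.

```sql
-- Constructed schema: who is on duty where, and which patients are where.
CREATE TABLE dbo.StaffDuties (
    UserName  sysname  NOT NULL,  -- database user name, matched via USER_NAME()
    Wing      int      NOT NULL,
    StartTime datetime NOT NULL,
    EndTime   datetime NOT NULL
);
CREATE TABLE dbo.Patients (
    PatientId int IDENTITY PRIMARY KEY,
    Name      nvarchar(60) NOT NULL,
    Wing      int      NOT NULL,
    StartTime datetime NOT NULL,  -- admission
    EndTime   datetime NOT NULL   -- discharge
);
GO
CREATE USER Nurse1 WITHOUT LOGIN;
CREATE USER Nurse2 WITHOUT LOGIN;
GRANT SELECT, INSERT ON dbo.Patients TO Nurse1, Nurse2;
GO
-- Constructed sample data: Nurse1 covers wing 1 in May 2015, Nurse2 wing 2.
INSERT dbo.StaffDuties VALUES
    ('Nurse1', 1, '2015-05-01', '2015-06-01'),
    ('Nurse2', 2, '2015-05-01', '2015-06-01');
INSERT dbo.Patients (Name, Wing, StartTime, EndTime) VALUES
    ('Patient A', 1, '2015-05-10', '2015-05-12'),
    ('Patient B', 2, '2015-05-10', '2015-05-12'),
    ('Patient C', 1, '2015-07-01', '2015-07-03');  -- wing 1, but after Nurse1's duty window
GO
-- Predicate function: a schema-bound inline TVF that yields a row exactly
-- when the caller is on duty for that wing for the whole of the stay.
-- It runs against every row the query touches, so keep it SARGable and cheap.
CREATE FUNCTION dbo.fn_securitypredicate(@wing int, @startTime datetime, @endTime datetime)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_securitypredicate_result
       FROM dbo.StaffDuties d
       WHERE d.UserName = USER_NAME()
         AND d.Wing = @wing
         AND @startTime >= d.StartTime
         AND @endTime   <= d.EndTime;
GO
-- Security policy: the FILTER predicate silently hides rows from SELECT,
-- UPDATE and DELETE; the BLOCK predicate makes an INSERT fail when the new
-- row would be invisible to the caller, so nobody can file a patient into a
-- wing they do not cover.
CREATE SECURITY POLICY dbo.mySecurityPolicy
    ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing, StartTime, EndTime) ON dbo.Patients,
    ADD BLOCK  PREDICATE dbo.fn_securitypredicate(Wing, StartTime, EndTime) ON dbo.Patients AFTER INSERT
    WITH (STATE = ON);
GO
-- Exercise the policy from each user's execution context.
EXECUTE AS USER = 'Nurse1';
SELECT Name FROM dbo.Patients;                     -- wing 1 rows inside the duty window
INSERT dbo.Patients (Name, Wing, StartTime, EndTime)
    VALUES ('Patient D', 2, '2015-05-20', '2015-05-21');  -- wing 2: rejected by the block predicate
REVERT;
EXECUTE AS USER = 'Nurse2';
SELECT Name FROM dbo.Patients;                     -- wing 2 rows inside the duty window
REVERT;
-- Check what is enforced, from the catalog rather than from memory.
SELECT p.name, p.is_enabled, sp.predicate_type_desc, sp.operation_desc,
       OBJECT_NAME(sp.target_object_id) AS target_table
FROM sys.security_policies p
JOIN sys.security_predicates sp ON p.object_id = sp.object_id;
```

Under Nurse1 the SELECT returns Patient A only: Patient B is in another wing and Patient C, although in wing 1, lies outside the duty window. Note that dbo is filtered too, since it has no StaffDuties row; administrative access is managed by the policy's STATE and by who may ALTER it, not by exempting principals inside the predicate.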
Demo: RLS
Transparent Data Encryption (New for Azure SQL Database v12)
How It Works
- On by choice
- Protects the database and all of its backups, transaction logs and tempdb
- "2-click" User Experience; alternatively: 2 T-SQL statements
- Azure SQL DB manages your keys (aka service managed TDE)
- Improved Encryption Performance using Intel's AES-NI Hardware Acceleration
- Available on v12 servers, all SQL DB editions
(Diagram: the databases of Customer A and Customer B, each encrypted under keys held by the SQL DB Management Service.)
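The T-SQL route from the slide, as an added example (not from the deck). [MyDb] is a placeholder name and the statements run in the context of the user database. On the 2015 preview the database encryption key had to be created first with CREATE DATABASE ENCRYPTION KEY (the slide's second statement); the ALTER DATABASE below is the one that turns protection on, and the DMV query is the check a practitioner wants afterwards, because encryption of existing pages runs as a background scan.

```sql
-- Turn on service-managed TDE for this database.
ALTER DATABASE [MyDb] SET ENCRYPTION ON;
GO

-- Check progress. Until encryption_state = 3 the database is only partly
-- encrypted, so do not treat it as protected at rest yet. Backups taken
-- after this point are encrypted with the same key and are unusable
-- without it.
SELECT DB_NAME(k.database_id) AS database_name,
       k.encryption_state,
       CASE k.encryption_state
            WHEN 0 THEN 'No database encryption key present'
            WHEN 1 THEN 'Unencrypted'
            WHEN 2 THEN 'Encryption in progress'
            WHEN 3 THEN 'Encrypted'
            WHEN 4 THEN 'Key change in progress'
            WHEN 5 THEN 'Decryption in progress'
            WHEN 6 THEN 'Protection change in progress'
       END AS state_description,
       k.percent_complete,
       k.key_algorithm,
       k.key_length
FROM sys.dm_database_encryption_keys k;

-- Second check from the database catalog: is_encrypted flips to 1 once
-- encryption is on for the database.
SELECT name, is_encrypted
FROM sys.databases
WHERE name = DB_NAME();
```

A monitoring job that alerts whenever a production database reports is_encrypted = 0, or an encryption_state other than 3 for longer than the scan should take, turns the "on by choice" setting into something that is verified rather than assumed.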
Demo: TDE
Dynamic Data Masking (SQL Server 2016, SQL Database)
Dynamic Data Masking
- Regulatory Compliance: a strong demand for applications to meet privacy standards recommended by regulating authorities.
- Sensitive Data Protection: protects against unauthorized access to sensitive data in the application.
Demo: Dynamic Data Masking (Microsoft Ignite 2015)
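What the masking demo sets up, as an added T-SQL example in SQL Server 2016 syntax (not the deck's demo script). The table dbo.Customers, the user AppReader and the sample row are constructed for the example.

```sql
-- Masking rules are declared per column and applied on the way out of the
-- engine; the stored values are not changed (DDM is not encryption).
CREATE TABLE dbo.Customers (
    CustomerId  int IDENTITY PRIMARY KEY,
    Name        nvarchar(60),
    Email       varchar(100) MASKED WITH (FUNCTION = 'email()'),
    SSN         char(11)     MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)'),  -- expose last 4 only
    CreditLimit money        MASKED WITH (FUNCTION = 'default()')               -- numeric mask: 0
);
INSERT dbo.Customers (Name, Email, SSN, CreditLimit)
VALUES ('Wayne Jefferson', 'wayne@example.com', '111-22-3333', 5000);  -- constructed sample row
GO
-- A reader with SELECT but without the UNMASK permission sees masked values.
CREATE USER AppReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO AppReader;
GO
EXECUTE AS USER = 'AppReader';
SELECT Name, Email, SSN, CreditLimit FROM dbo.Customers;
REVERT;

-- Check: which columns are masked and with which function.
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;

-- UNMASK is database-wide and all-or-nothing; grant it only to principals
-- that genuinely need full values.
GRANT UNMASK TO AppReader;
```

Because masking is applied to result columns only, it limits what a query shows rather than what a principal with SELECT on the table can still ask of it; it belongs alongside least-privilege permissions and Row-Level Security, and it is not a replacement for encrypting the data at rest or in the application.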
Power BI Content Packs for SQL DB Audit (soon available for SQL Database)
Resources
- MSDN Documentation: https://msdn.microsoft.com/en-us/library/dn765131.aspx
- Security Center for SQL Server Database & SQL Database: https://msdn.microsoft.com/en-us/bb510589.aspx
- SQL Server Security Blog (additional examples, useful tips and tricks): http://blogs.msdn.com/b/sqlsecurity/
- SQL Server Label Security Toolkit (updated version to take advantage of RLS coming later in CY15): http://sqlserverlst.codeplex.com/
Please evaluate this session
Your feedback is important to us! Visit MyIgnite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.