Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL SATURDAY #444 – Kansas City, MO. A LOOK AT ALWAYS ENCRYPTED SQL SATURDAY #444 – KANSAS CITY, MO DAVE WALDEN PRINCIPAL SOLUTIONS ARCHITECT DB BEST.

Published byKenneth Lindsey Modified over 8 years ago

Similar presentations

Presentation on theme: "SQL SATURDAY #444 – Kansas City, MO. A LOOK AT ALWAYS ENCRYPTED SQL SATURDAY #444 – KANSAS CITY, MO DAVE WALDEN PRINCIPAL SOLUTIONS ARCHITECT DB BEST."— Presentation transcript:

1 SQL SATURDAY #444 – Kansas City, MO

2 A LOOK AT ALWAYS ENCRYPTED SQL SATURDAY #444 – KANSAS CITY, MO DAVE WALDEN PRINCIPAL SOLUTIONS ARCHITECT DB BEST TECHNOLOGIES, LLC DAVE@DBBEST.COM

3 DISCLAIMER… PLEASE NOTE We’re talking about a pre-release technology and features today. All information is up to date as of CTP2.4, however Microsoft may change anything up to and after RTM

4 DATABASE ENCRYPTION… A BRIEF OVERVIEW SQL Server 2000 and before – No native tools for encryption Data at rest encryption could be done with 3 rd party tools, or by encrypting the entire drive (TrueCrypt,etc) Cell Level Encryption – Introduced with SQL Server 2005 Transparent Data Encryption (TDE) Introduced with SQL Server 2008 Certificate based transport encryption Always Encrypted – introduced with SQL Server 2016

5 SQL ENCRYPTION NOW AND THEN

6 WHAT IS ALWAYS ENCRYPTED? From MSDN: “Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national identification numbers (e.g. U.S. social security numbers), stored in SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to SQL Server. As a result, Always Encrypted provides a separation between those who own the data (and can view it) and those who manage the data (but should have no access).”

7 WHAT IS ALWAYS ENCRYPTED? From MSDN: “Always Encrypted makes encryption transparent to applications. An Always Encrypted-enabled driver installed on the client computer achieves this by automatically encrypting and decrypting sensitive data in the SQL Server client application. The driver encrypts the data in sensitive columns before passing the data to SQL Server, and automatically rewrites queries so that the semantics to the application are preserved. Similarly, the driver transparently decrypts data, stored in encrypted database columns, contained in query results.”

8 WHAT IS ALWAYS ENCRYPTED? Always Encrypted provides transparent, end-to-end encryption for you sensitive columns All encryption and decryption is handled transparently by the driver library on the client 2 different encryption types depending on your requirements (random and deterministic) Deterministic type can be used for WHERE equality comparisons, as well as DISTINCT, JOIN, and GROUP BY

9 WHAT IS ALWAYS ENCRYPTED? Data is never in plain text while being stored or accessed while on SQL Server (including while in memory) Only clients with the proper Column Master Key will have access to decrypt the data Can be combined with TDE for a full encryption solution Provides gap coverage for regulatory compliance wince data is encrypted in flight, and DBAs have no access Supported in SQL Server 2016 and Azure SQL Database (soon)

10 ENCRYPTION TYPES Always Encrypted supports two types of encryption: randomized encryption and deterministic encryption. Deterministic encryption uses a method which always generates the same encrypted value for any given plain text value. Using deterministic encryption allows grouping, filtering by equality, and joining tables based on encrypted values, but can also allow unauthorized users to guess information about encrypted values by examining patterns in the encrypted column. This weakness is increased when there is a small set of possible encrypted values, such as True/False. Deterministic encryption must use a column collation with a binary2 sort order for character columns. Randomized encryption uses a method that encrypts data in a less predictable manner. Randomized encryption is more secure, but prevents equality searches, grouping, indexing, and joining on encrypted columns. Choose randomized for data that will just be returned, and deterministic for data that will be searched

11 KEYS Always Encrypted uses keys of two types: Column Encryption Keys and Column Master Keys Column master keys are protecting keys used to encrypt column encryption keys. Column master keys must be stored in a trusted key store. Information about column master keys, including their location, is stored in the database in system catalog views. Column encryption keys are used to encrypt sensitive data stored in database columns. All values in a column can be encrypted using a single column encryption key. Encrypted values of column encryption keys are stored in the database in system catalog views. You should store column encryption keys in a secure/trusted location for backup. Each CEK can have 2 encrypted values from 2 CMKs to allow master key rotation Column Master Keys must be deployed on each client machine that needs access to the unencrypted data. SQL Server does not contain the keys needed to decrypt data

12 HOW IT WORKS A Column Master Key (CMK) is created from a certificate on a client machine Column Encryption Keys (CEK) are then created from the CMK Create a new column specifying encryption type and CEK ENCRYPTED WITH (ENCRYPTION_TYPE = DETERMINISTIC, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256', COLUMN_ENCRYPTION_KEY = CEK1 ) Add new “ Column Encryption Setting=Enabled; ” option to connection string Driver interrogates SQL Server to see if requested columns are encrypted, and uses CMK to decrypt data returned from SQL Server using standard.NET encryption libraries Data remains encrypted in flight until being decrypted by client

13 KEY PROVISIONING OVERVIEW Security Officer Column Encryption Key (CEK) Column Master Key (CMK) Encrypted CEK CMK 1. Generate CEKs and Master Key 2. Encrypt CEK 3. Store Master Key Securely 4. Upload Encrypted CEK to DB CMK Store: Certificate Store HSM Azure Key Vault … Database Encrypted CEK

14 HOW IT WORKS (FROM MSDN) SQL Server or SQL Database ADO.NET Name Wayne Jefferson Name 0x19ca706fbd9a Result Set Client NameSSNCountry 0x19ca706fbd9a0x7ff654ae6dUSA dbo.Customers ciphertext "SELECT Name FROM Customers WHERE SSN = @SSN", 0x7ff654ae6d ciphertext "SELECT Name FROM Customers WHERE SSN = @SSN", "111-22-3333" Encrypted sensitive data and corresponding keys are never seen in plaintext in SQL Server trust boundary

15 TYPES OF ENCRYPTION IN V1 RELEASE

16 WHY WOULD I USE IT? To provide additional security for sensitive data (PHI, PII, etc.) in flight from SQL Server directly to client Running database and/or application in the cloud Prevent high-privileged users from having access to sensitive data Regulatory Compliance and audits

17 LIMITATIONS NOT available for use on the following: IDENTITY, text/ntext/image, XML/hierarchyid/geography/geometry, alias types/user-defined data types SQL_VARIANT, rowversion (timestamp), Computed columns, Sparse columns and in-memory tables (hekaton) Cannot ALTER a column and make it encrypted; must add new column and add/import data No LIKE or other non-equality operations allowed Queries must be passed with properly typed parameters (sqlcommand, sqlparameter). Ad-Hoc queries against data will raise an exception

18 LIMITATIONS Currently only supported using ADO.NET as part of framework 4.6 ODBC and JDBC may be supported in the future CDC does not work on encrypted columns, but change tracking does. Only tracks changes of encrypted values Replication is not officially supported – however Availability Groups and Mirroring/Log shipping is Temporal tables cannot include encrypted columns Triggers may fail if they reference encrypted columns

19 OTHER THINGS TO CONSIDER Performance - Still pre-release but initial findings show that performance is significantly slower compared to non-encrypted inserts and updates. More on this later Troubleshooting data issues become more complicated Additional management overhead of having to install certificates on all clients

20 PERFORMANCE (COMPLIMENTS OF SQLPERFORMANCE.COM)

21 PERFORMANCE

22

23

24 MORE INFORMATION MSDN - https://msdn.microsoft.com/en-us/library/mt163865.aspxhttps://msdn.microsoft.com/en-us/library/mt163865.aspx Aaron Bertrand - http://blogs.sqlsentry.com/aaronbertrand/t-sql-tuesday-69-always- encrypted-limitations/, http://sqlperformance.com/2015/08/sql-server-2016/perf-impact- always-encryptedhttp://blogs.sqlsentry.com/aaronbertrand/t-sql-tuesday-69-always- encrypted-limitations/http://sqlperformance.com/2015/08/sql-server-2016/perf-impact- always-encrypted Getting started with Always Encryption - http://blogs.msdn.com/b/sqlsecurity/archive/2015/06/25/10619747.aspx http://blogs.msdn.com/b/sqlsecurity/archive/2015/06/25/10619747.aspx 6 things you need to know about Always Encryption - http://www.wintellect.com/devcenter/paulballard/6-things-you-should-know-about-sql- server-2016-always-on-encryption http://www.wintellect.com/devcenter/paulballard/6-things-you-should-know-about-sql- server-2016-always-on-encryption Channel 9 - https://channel9.msdn.com/Shows/Data-Exposed/SQL-Server-2016-Always- Encryptedhttps://channel9.msdn.com/Shows/Data-Exposed/SQL-Server-2016-Always- Encrypted

25 QUESTIONS?

26 THANK YOU!

Download ppt "SQL SATURDAY #444 – Kansas City, MO. A LOOK AT ALWAYS ENCRYPTED SQL SATURDAY #444 – KANSAS CITY, MO DAVE WALDEN PRINCIPAL SOLUTIONS ARCHITECT DB BEST."

Similar presentations

Yukon – What is New Rajesh Gala. Yukon – What is new.NET Framework Programming Data Types Exception Handling Batches Databases Database Engine Administration.

Yukon – What is New Rajesh Gala. Yukon – What is new.NET Framework Programming Data Types Exception Handling Batches Databases Database Engine Administration.
1. 2 Introduction This presentation describes introduction of data encryption into Oracle databases and how “Transparent Data Encryption” in Oracle 11g.

1. 2 Introduction This presentation describes introduction of data encryption into Oracle databases and how “Transparent Data Encryption” in Oracle 11g.
Administering Microsoft SQL Server 2012 Databases.

Administering Microsoft SQL Server 2012 Databases.
CryptDB: A Practical Encrypted Relational DBMS Raluca Ada Popa, Nickolai Zeldovich, and Hari Balakrishnan MIT CSAIL New England Database Summit 2011.

CryptDB: A Practical Encrypted Relational DBMS Raluca Ada Popa, Nickolai Zeldovich, and Hari Balakrishnan MIT CSAIL New England Database Summit 2011.
Overview and Roadmap for Microsoft SQL Server Security

Overview and Roadmap for Microsoft SQL Server Security
Gavin Payne Transparent Data Encryption The Hows, Whys and Whens.

Gavin Payne Transparent Data Encryption The Hows, Whys and Whens.
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
Jeremy Boyd Director – Mindscape MSDN Regional Director

Jeremy Boyd Director – Mindscape MSDN Regional Director
1 Database Security & Encryption

1 Database Security & Encryption
Building Ad-Hoc Reports using the SQL Server 2005 Reporting Services (SSRS) Report Builder (SQL307) Adrian Rupp Business Intelligence Solutions Specialist.

Building Ad-Hoc Reports using the SQL Server 2005 Reporting Services (SSRS) Report Builder (SQL307) Adrian Rupp Business Intelligence Solutions Specialist.
Fraser Technical Solutions, LLC

Fraser Technical Solutions, LLC
Introduction to SQL 2005 Security Nick Ward SQL Server Specialist Nick Ward SQL Server Specialist

Introduction to SQL 2005 Security Nick Ward SQL Server Specialist Nick Ward SQL Server Specialist
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
Functions Lesson 10. Skills Matrix Function A function is a piece of code or routine that accepts parameters and stored as an object in SQL Server. The.

Functions Lesson 10. Skills Matrix Function A function is a piece of code or routine that accepts parameters and stored as an object in SQL Server. The.
Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May 20121.0First version. Modified from Enterprise edition.NBL.

Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May First version. Modified from Enterprise edition.NBL.
Cao Tiến Đức. Outline What is TDE How TDE works Basic TDE operations Tablespace encryption HSM Reference.

Cao Tiến Đức. Outline What is TDE How TDE works Basic TDE operations Tablespace encryption HSM Reference.
1 Oracle Database 11g – Flashback Data Archive. 2 Data History and Retention Data retention and change control requirements are growing Regulatory oversight.

1 Oracle Database 11g – Flashback Data Archive. 2 Data History and Retention Data retention and change control requirements are growing Regulatory oversight.
ADO.NET A2 Teacher Up skilling LECTURE 3. What’s to come today? ADO.NET What is ADO.NET? ADO.NET Objects SqlConnection SqlCommand SqlDataReader DataSet.

ADO.NET A2 Teacher Up skilling LECTURE 3. What’s to come today? ADO.NET What is ADO.NET? ADO.NET Objects SqlConnection SqlCommand SqlDataReader DataSet.
Database Management 9. course. Execution of queries.

Database Management 9. course. Execution of queries.

Similar presentations

Ads by Google