Securing Data on your Terms. Kristina Rumpff, SQL Saturday #464, Melbourne, 20th February 2016.


1 Securing Data on your Terms
Kristina Rumpff
SQL Saturday #464, Melbourne, 20th February 2016

2 Housekeeping
- Mobile Phones: please set to “stun” during sessions
- Evaluations: complete online to be in the draw for fantastic prizes
  - Sessions: http://www.sqlsaturday.com/464/sessions/sessionevaluation.aspx
  - Event: http://www.sqlsaturday.com/464/eventeval.aspx
- Wifi Details: SSID: eduroam, Login: ext-sqlsat, Password: sqlsaturd4y

3 Connect with the Community
Event staff, volunteers and speakers are here to help and answer questions. Scan the QR code on the speaker badges to connect and network with them.
Speaker: @SQLDropbear. I attack SQL challenges by dropping onto them from above.

4 ENCRYPTION

5 Encryption Summary

6 TRANSPARENT DATA ENCRYPTION

7 What is TDE
- TDE encrypts data at rest
- This occurs at the file level
- Data within the database is stored in plain text

8 Diagram labels: Database Level, Table Level, File Level

dbo.Patients
Name       | SSN         | Country
Jane Doe   | 198-33-0987 | USA
Jim Gray   | 200-45-7569 | USA
John Smith | 374-29-0782 | USA

dbo.Payment
Name       | CardNumber
Jane Doe   | 2467-3874-8234-2245
Jim Gray   | 2467-8739-2834-7342
John Smith | 3845-9384-8892-8234

9 TDE encryption hierarchy
- In SQL Server 2016 CTP2, the storage for memory-optimized tables will be encrypted as part of enabling TDE on the database
- Simply follow the same steps as you would for a disk-based database

Windows Operating System Level: Data Protection (DPAPI)
- DPAPI encrypts the Service Master Key

SQL Server Instance Level: Service Master Key
- Created at the time of SQL Server setup
- The Service Master Key encrypts the Database Master Key for the master database

Master Database Level: Database Master Key
- Statement: CREATE MASTER KEY…
- The Database Master Key of the master database creates a certificate in the master database
- Statement: CREATE CERTIFICATE…
- The certificate encrypts the Database Encryption Key in the user database

User Database Level: Database Encryption Key
- Statement: CREATE DATABASE ENCRYPTION KEY…
- The entire user database is secured by the Database Encryption Key (DEK) of the user database by using transparent database encryption
- Statement: ALTER DATABASE… SET ENCRYPTION

10 Considerations
- Key management
  - Backup
  - History
- Always On
  - You will need the same encryption key across all databases in the group
- TempDB
  - The TempDB will be encrypted if any database on the instance is encrypted.

11 Demo

12 Demo will include
- SQL Server 2016
  - Creating encryption hierarchy
  - Encrypt Database
- SQL Server Azure
  - Show how to turn on TDE
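
The hierarchy and considerations from the TDE slides, as an added T-SQL example (not code from the presentation). The database name ClinicDb, the certificate name TdeCert, the file paths and the passwords are placeholders chosen for illustration.

```sql
-- Added example: TDE key hierarchy for a hypothetical database named ClinicDb.
-- Certificate name, file paths and passwords are placeholders to replace.
USE master;
GO
-- Database Master Key of master (itself protected by the Service Master Key).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder: strong password 1>';
-- Certificate in master that will protect the Database Encryption Key.
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for ClinicDb';
GO
-- Key management: back up the certificate and its private key straight away.
-- Without them, a backup of the encrypted database cannot be restored elsewhere.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\Keys\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Keys\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<placeholder: strong password 2>'
    );
GO
USE ClinicDb;
GO
-- Database Encryption Key in the user database, protected by the certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE ClinicDb SET ENCRYPTION ON;
GO
-- Verify: encryption_state 2 = encryption in progress, 3 = encrypted.
-- tempdb is listed as well once any database on the instance is encrypted.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       dek.percent_complete,
       dek.key_algorithm,
       dek.key_length,
       c.name AS protecting_certificate
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN master.sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint;
-- Always On: each replica needs the same certificate, recreated from the backup
-- files with CREATE CERTIFICATE ... FROM FILE ... WITH PRIVATE KEY (...).
```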

13 CELL LEVEL ENCRYPTION

14 What is Cell Level Encryption
- A symmetric key is used to encrypt the data as it is inserted, and to decrypt as it is read.
- The end result is that the data is stored encrypted.
- The database engine encrypts/decrypts.

15 Considerations
- Key management
  - Backup
  - History
- Import/Export
- The encrypt/decrypt is part of the T-SQL statement

16 Diagram labels: Database Level, Table Level, File Level

dbo.Patients
Name       | SSN         | Country
Jane Doe   | 198-33-0987 | USA
Jim Gray   | 200-45-7569 | USA
John Smith | 374-29-0782 | USA

dbo.Payment
Name       | CardNumber
Jane Doe   | 2467-3874-8234-2245
Jim Gray   | 2467-8739-2834-7342
John Smith | 3845-9384-8892-8234

17 Diagram labels: Trusted Apps, Client side, SQL Server, Query, ciphertext, Result Set

dbo.Patients
Name       | SSN         | Country
Jane Doe   | 243-24-9812 | USA
Jim Gray   | 198-33-0987 | USA
John Smith | 123-82-1095 | USA

dbo.Patients (ciphertext)
Name       | SSN          | Country
Jane Doe   | 1x7fg655se2e | USA
Jim Gray   | 0x7ff654ae6d | USA
John Smith | 0y8fj754ea2c | USA

Query:
    SELECT Name FROM Patients WHERE SSN=@SSN
    @SSN=0x7ff654ae6d

Result Set
Name
Jim Gray

18 Demo

19 Demo will include
- Show how to create encryption keys
- Show plain text column
- Show encrypted column
- Show how the application will need to be changed.
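
An added T-SQL example (not the presenter's demo script) of what the cell-level encryption slides describe: the key is created, and the encrypt and decrypt calls are written into the statements themselves. The table dbo.PatientsCle, the key and certificate names and the password are hypothetical; the SSN values are the sample values from the slide.

```sql
-- Added example: cell-level encryption on a hypothetical dbo.PatientsCle table.
-- Skip CREATE MASTER KEY if the database already has one.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder: strong password>';
CREATE CERTIFICATE CleCert WITH SUBJECT = 'Protects the SSN symmetric key';
CREATE SYMMETRIC KEY SsnKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CleCert;
GO
CREATE TABLE dbo.PatientsCle (
    PatientId INT IDENTITY(1,1) PRIMARY KEY,
    Name      NVARCHAR(60)   NOT NULL,
    SSN_Enc   VARBINARY(128) NOT NULL,  -- ciphertext, so no longer CHAR(11)
    Country   NVARCHAR(30)   NOT NULL
);
GO
OPEN SYMMETRIC KEY SsnKey DECRYPTION BY CERTIFICATE CleCert;

-- Encryption is part of the INSERT statement.
INSERT INTO dbo.PatientsCle (Name, SSN_Enc, Country)
VALUES (N'Jane Doe',   ENCRYPTBYKEY(KEY_GUID('SsnKey'), '243-24-9812'), N'USA'),
       (N'Jim Gray',   ENCRYPTBYKEY(KEY_GUID('SsnKey'), '198-33-0987'), N'USA'),
       (N'John Smith', ENCRYPTBYKEY(KEY_GUID('SsnKey'), '123-82-1095'), N'USA');

-- Decryption is part of the SELECT statement; the result is cast back to text.
SELECT Name, CONVERT(VARCHAR(11), DECRYPTBYKEY(SSN_Enc)) AS SSN
FROM dbo.PatientsCle;

-- ENCRYPTBYKEY output differs on every call, so an equality search has to
-- decrypt every row and cannot use an index on SSN_Enc.
SELECT Name
FROM dbo.PatientsCle
WHERE CONVERT(VARCHAR(11), DECRYPTBYKEY(SSN_Enc)) = '198-33-0987';

CLOSE SYMMETRIC KEY SsnKey;

-- With the key closed, DECRYPTBYKEY returns NULL instead of the plaintext.
SELECT Name, DECRYPTBYKEY(SSN_Enc) AS SSN FROM dbo.PatientsCle;
```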

20 ALWAYS ENCRYPTED

21 What is Always Encrypted
- A way to encrypt your data with minimal change to the application.
- Data is encrypted in transit and at rest.

22 Diagram labels: Database Level, Table Level, File Level

dbo.Patients
Name       | SSN         | Country
Jane Doe   | 198-33-0987 | USA
Jim Gray   | 200-45-7569 | USA
John Smith | 374-29-0782 | USA

dbo.Payment
Name       | CardNumber
Jane Doe   | 2467-3874-8234-2245
Jim Gray   | 2467-8739-2834-7342
John Smith | 3845-9384-8892-8234

23 Help protect data at rest and in motion, on-premises & cloud
Diagram labels: Trusted Apps, Client side, Enhanced ADO.NET Library, Column Encryption Key, Column Master Key, SQL Server, Query, ciphertext, Result Set

dbo.Patients
Name       | SSN         | Country
Jane Doe   | 243-24-9812 | USA
Jim Gray   | 198-33-0987 | USA
John Smith | 123-82-1095 | USA

dbo.Patients (ciphertext)
Name       | SSN          | Country
Jane Doe   | 1x7fg655se2e | USA
Jim Gray   | 0x7ff654ae6d | USA
John Smith | 0y8fj754ea2c | USA

Query as issued by the trusted app:
    SELECT Name FROM Patients WHERE SSN=@SSN
    @SSN='198-33-0987'

Query as sent to SQL Server:
    SELECT Name FROM Patients WHERE SSN=@SSN
    @SSN=0x7ff654ae6d

Result Set
Name
Jim Gray

24 Types of Encryption for Always Encrypted
Two types of encryption available:
- Randomized encryption uses a method that encrypts data in a less predictable manner
- Deterministic encryption uses a method which always generates the same encrypted value for any given plain text value

Randomized encryption
- Encrypt('123-45-6789') = 0x17cfd50a
- Repeat: Encrypt('123-45-6789') = 0x9b1fcf32
- Allows for transparent retrieval of encrypted data but NO operations
- More secure

Deterministic encryption
- Encrypt('123-45-6789') = 0x85a55d3f
- Repeat: Encrypt('123-45-6789') = 0x85a55d3f
- Allows for transparent retrieval of encrypted data AND equality comparison
- E.g. in WHERE clauses and joins, distinct, group by

25 Key Provisioning
Security Officer:
1. Generate CEKs and Master Key
2. Encrypt CEK
3. Store Master Key Securely
4. Upload Encrypted CEK to DB

Diagram labels: Column Encryption Key (CEK); Column Master Key (CMK); Encrypted CEK; CMK Store (Certificate Store, HSM, Azure Key Vault, …); Database (holds the Encrypted CEK)

26 Example
Diagram labels: Client - Trusted (Enhanced ADO.NET, Plaintext CEK Cache, CMK Store); SQL Server - Untrusted; Encryption metadata; Result set (ciphertext); Result set (plaintext)

Application code on the client:

    using (SqlCommand cmd = new SqlCommand(
        "SELECT Name FROM Customers WHERE SSN = @SSN", conn))
    {
        // The plaintext value is passed as a parameter; the driver encrypts it before sending.
        cmd.Parameters.Add(new SqlParameter(
            "@SSN", SqlDbType.VarChar, 11)).Value = "111-22-3333";
        SqlDataReader reader = cmd.ExecuteReader();
    }

Call made by Enhanced ADO.NET to obtain the encryption metadata:

    exec sp_describe_parameter_encryption
        @params = N'@SSN VARCHAR(11)',
        @tsql = N'SELECT * FROM Customers WHERE SSN = @SSN'

Statement sent to SQL Server with the encrypted parameter:

    EXEC sp_executesql
        N'SELECT * FROM Customers WHERE SSN = @SSN',
        @params = N'@SSN VARCHAR(11)',
        @SSN = 0x7ff654ae6d

27 Considerations
Key management
- The keys need to be backed up
- Always On replicas need the same keys
Client
- The application client needs access to the key!
- Insert data into encrypted columns by passing the values in SqlParameter objects.

28 Demo

29 Demo will include
- Application connecting to data in plain text
- Encrypt the column
- Change the connection string
- Application connecting to data and getting result without changing app.

30 ROW LEVEL SECURITY

31 Benefits of row-level security
Store data intended for many consumers in a single database/table while at the same time restricting row-level read & write access based on users’ execution context.
- Fine-grained access control: Keeping multi-tenant databases secure by limiting access by other users who share the same tables.
- Application transparency: RLS works transparently at query time, no app changes needed. Compatible with RLS in other leading products.
- Centralized security logic: Enforcement logic resides inside database and is schema-bound to the table it protects providing greater security. Reduced application maintenance and complexity.

32 RLS Concepts
- Predicate function
  - User-defined inline table-valued function (iTVF) implementing security logic
  - Can be arbitrarily complicated, containing joins with other tables
- Security predicate
  - Applies a predicate function to a particular table (SEMIJOIN APPLY)
  - Two types: filter predicates and blocking predicates
- Security policy
  - Collection of security predicates for managing security across multiple tables

    CREATE SECURITY POLICY mySecurityPolicy
        ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime)
        ON dbo.patients

33 Example
Fine-grained access control over rows in a table based on one or more pre-defined filtering criteria, e.g., user’s role or clearance level in organization.
Concepts: Predicate function, Security policy

    -- Predicate function: returns a row only when the current login is on duty in the given wing.
    -- SCHEMABINDING requires two-part (schema-qualified) object names.
    CREATE FUNCTION dbo.fn_securitypredicate(@wing int)
    RETURNS TABLE
    WITH SCHEMABINDING
    AS
    RETURN SELECT 1 AS [fn_securitypredicate_result]
           FROM dbo.StaffDuties d
           INNER JOIN dbo.Employees e ON (d.EmpId = e.EmpId)
           WHERE e.UserSID = SUSER_SID() AND @wing = d.Wing;
    GO
    -- Security policy: binds the predicate to the Wing column of Patients.
    CREATE SECURITY POLICY dbo.SecPol
        ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON dbo.Patients
        WITH (STATE = ON);

34 RLS in Three Steps
Diagram labels: Policy Manager, Database, Security Policy, Filter Predicate: INNER JOIN…, Application, Nurse, Patients

One: Policy manager creates filter predicate and security policy in T-SQL, binding the predicate to the Patients table

    CREATE FUNCTION dbo.fn_securitypredicate(@wing int)
    RETURNS TABLE
    WITH SCHEMABINDING
    AS
    RETURN SELECT 1 AS [fn_securitypredicate_result]
           FROM dbo.StaffDuties d
           INNER JOIN dbo.Employees e ON (d.EmpId = e.EmpId)
           WHERE e.UserSID = SUSER_SID() AND @wing = d.Wing;
    GO
    CREATE SECURITY POLICY dbo.SecPol
        ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON dbo.Patients
        WITH (STATE = ON);

Two: App user (e.g., nurse) selects from Patients table

    SELECT * FROM Patients

Three: Security Policy transparently rewrites query to apply filter predicate (conceptual form shown on the slide; SEMIJOIN APPLY is not T-SQL syntax)

    SELECT * FROM Patients
    SEMIJOIN APPLY dbo.fn_securitypredicate(patients.Wing);

    SELECT Patients.* FROM Patients, StaffDuties d
    INNER JOIN Employees e ON (d.EmpId = e.EmpId)
    WHERE e.UserSID = SUSER_SID() AND Patients.wing = d.Wing;

35 Create Security Policy
- Creates a security policy for row level security.
- The following examples demonstrate the use of the CREATE SECURITY POLICY syntax.
- For an example of a complete security policy scenario, see Row Level Security.

    -- Create a new schema and predicate function, which will use the application user ID stored in CONTEXT_INFO to filter rows.
    CREATE SCHEMA rls;
    GO
    CREATE FUNCTION rls.fn_securitypredicate (@AppUserId int)
    RETURNS TABLE
    WITH SCHEMABINDING
    AS
    RETURN (
        SELECT 1 AS fn_securitypredicate_result
        WHERE DATABASE_PRINCIPAL_ID() = DATABASE_PRINCIPAL_ID('dbo') -- application context
          AND CONTEXT_INFO() = CONVERT(VARBINARY(128), @AppUserId)
    );
    GO
    -- The following syntax creates a security policy with a filter predicate for the Customer table, and leaves the security policy disabled
    CREATE SECURITY POLICY [FederatedSecurityPolicy]
        ADD FILTER PREDICATE [rls].[fn_securitypredicate]([CustomerId])
        ON [dbo].[Customer]
        WITH (STATE = OFF);
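
The RLS Concepts slide names blocking predicates but the slides only show filter predicates. The following added T-SQL example (not from the presentation) applies both to one table and checks the result by impersonating a test user. All object names, the users created WITHOUT LOGIN and the rows are constructed for illustration, and the predicate uses USER_NAME() rather than the slide's SUSER_SID() so that it runs without logins.

```sql
-- Added example: hypothetical objects and constructed rows.
CREATE USER NurseA WITHOUT LOGIN;
CREATE USER NurseB WITHOUT LOGIN;
CREATE TABLE dbo.WardPatients (PatientId INT PRIMARY KEY, Name NVARCHAR(60), Wing INT);
CREATE TABLE dbo.WardDuties   (UserName SYSNAME, Wing INT);
INSERT INTO dbo.WardPatients VALUES (1, N'Jane Doe', 1), (2, N'Jim Gray', 2), (3, N'John Smith', 2);
INSERT INTO dbo.WardDuties   VALUES (N'NurseA', 1), (N'NurseB', 2);
GRANT SELECT, INSERT, UPDATE ON dbo.WardPatients TO NurseA, NurseB;
GO
-- Predicate function: a row qualifies when the current user is on duty in its wing.
CREATE FUNCTION dbo.fn_wingpredicate(@wing INT)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_wingpredicate_result
       FROM dbo.WardDuties AS d
       WHERE d.UserName = USER_NAME() AND d.Wing = @wing;
GO
GRANT SELECT ON dbo.fn_wingpredicate TO NurseA, NurseB;
GO
-- Filter predicate hides rows on read; block predicates reject writes that
-- would create or move a row into a wing the user is not assigned to.
CREATE SECURITY POLICY dbo.WingPolicy
    ADD FILTER PREDICATE dbo.fn_wingpredicate(Wing) ON dbo.WardPatients,
    ADD BLOCK PREDICATE  dbo.fn_wingpredicate(Wing) ON dbo.WardPatients AFTER INSERT,
    ADD BLOCK PREDICATE  dbo.fn_wingpredicate(Wing) ON dbo.WardPatients AFTER UPDATE
    WITH (STATE = ON);
GO
EXECUTE AS USER = 'NurseA';
SELECT PatientId, Name, Wing FROM dbo.WardPatients;   -- filtered to NurseA's wing
BEGIN TRY
    -- Moving a patient into another wing violates the AFTER UPDATE block predicate.
    UPDATE dbo.WardPatients SET Wing = 2 WHERE PatientId = 1;
END TRY
BEGIN CATCH
    PRINT 'Blocked: ' + ERROR_MESSAGE();
END CATCH;
REVERT;
-- The policy applies to every user, dbo included: with no row in dbo.WardDuties,
-- the table owner also gets an empty result while the policy is ON.
SELECT COUNT(*) AS rows_visible_to_current_user FROM dbo.WardPatients;
```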

36 Demo

37 DYNAMIC DATA MASKING

38 Dynamic Data Masking
Prevent the abuse of sensitive data by hiding it from users
- Configuration made easy in the new Azure portal
- Policy-driven at the table and column level, for a defined set of users
- Data masking applied in real-time to query results based on policy
- Multiple masking functions available (e.g. full, partial) for various sensitive data categories (e.g. Credit Card Numbers, SSN, etc.)

Diagram labels: SQL Database; SQL Server 2016 CTP2; Real-time data masking; partial masking

Table.CreditCardNo
4465-6571-7868-5796
4468-7746-3848-1978
4484-5434-6858-6550

39 Masking Types
- Default: Full masking according to the data types of the designated field, i.e. String will result in “XXXX”
- Email: Masking will expose the first letter of an email address and will end in “.com”, i.e. aXXX@XXXX.com
- Custom String: Will expose the first and last letter and adds a custom padding string in the middle, i.e. KXXXa
- Random: For use only on numeric. Will replace the original value within a specified range.
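
The four masking types above applied to one table, as an added T-SQL example (not from the presentation). The table dbo.CustomerContact, the user ReportReader and the row are constructed for illustration; the card number is the first value shown on the Dynamic Data Masking slide.

```sql
-- Added example: hypothetical table and user, constructed sample row.
CREATE TABLE dbo.CustomerContact (
    CustomerId  INT IDENTITY(1,1) PRIMARY KEY,
    Surname     VARCHAR(40)  MASKED WITH (FUNCTION = 'partial(1,"XXX",1)') NOT NULL,             -- custom string
    Email       VARCHAR(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,                        -- email
    CardNo      VARCHAR(19)  MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL, -- custom string
    Notes       VARCHAR(200) MASKED WITH (FUNCTION = 'default()') NULL,                          -- default (full)
    CreditLimit INT          MASKED WITH (FUNCTION = 'random(1, 100)') NOT NULL                  -- random, numeric only
);
INSERT INTO dbo.CustomerContact (Surname, Email, CardNo, Notes, CreditLimit)
VALUES ('Kowalska', 'anna@example.org', '4465-6571-7868-5796', 'Prefers phone contact', 7500);
GO
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.CustomerContact TO ReportReader;
GO
-- A user with SELECT but without UNMASK gets masked values in the result set.
EXECUTE AS USER = 'ReportReader';
SELECT Surname, Email, CardNo, Notes, CreditLimit FROM dbo.CustomerContact;
-- Masking changes only what is returned. Predicates are still evaluated on the
-- stored values, so masking complements permissions and encryption and does
-- not replace them.
SELECT CustomerId FROM dbo.CustomerContact WHERE CreditLimit > 5000;
REVERT;
GO
-- UNMASK is a database-level permission that lifts masking for the grantee.
GRANT UNMASK TO ReportReader;
EXECUTE AS USER = 'ReportReader';
SELECT Surname, Email, CardNo, Notes, CreditLimit FROM dbo.CustomerContact;
REVERT;
REVOKE UNMASK FROM ReportReader;
GO
-- Review which columns are masked and with which function.
SELECT OBJECT_NAME(mc.object_id) AS table_name,
       mc.name                   AS column_name,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;
```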

40 Demo

41 Questions? Please make sure you visit our fantastic sponsors:

42 How did we do?
Please complete an online Evaluation to be included in the draw for a fantastic prize! There is a prize for each session timeslot and for the overall event survey – so the more feedback you provide the more chances you have.
- Session Surveys: http://www.sqlsaturday.com/464/sessions/sessionevaluation.aspx
- Post-Event Survey: http://www.sqlsaturday.com/464/eventeval.aspx

