Published by Dwight Pierce. Modified over 7 years ago
1
Securing Your Data With SQL 2016 (An overview of Always Encrypted)
Md. Sultan-E-Alam Khan, PMP®, SMC™, OCP, MCSD | Head of Application, Lanka Bangla
SQLSaturday #533 - Bangladesh 2016
2
Topics of Discussion
- Securing Your Database
- History of Database Encryption
- Always Encrypted
- Performance Benchmarking
- Limitations
- References
3
Securing Your Database
4
Security
Protecting your legal assets from illegal access
5
Security
6
Security
7
Security
8
Security
In 2015, 60 percent of all attacks were carried out by insiders, either ones with malicious intent (44.5%) or those who served as inadvertent actors (15.5%). In other words, they were instigated by people you’d be likely to trust. And they can result in substantial financial and reputational losses.
-- IBM 2016 Cyber Security Intelligence Report
9
Security
As a DBA, have you ever felt insecure because of your superpowers? If any mess happens, you are the first one to say goodbye.
10
Security
Have you ever received those messages on your cell phone with attractive offers that you never thought of?
11
Security
Are you getting tired of trying to find a good DBA, whether because of competency or because of money?
12
Security
Have you started thinking about moving to Azure in the near future?
13
Why Encrypt the Database
- Protecting sensitive data, e.g. credit card number, national ID, mobile number
- Running the database and/or application in the cloud
- Delegation of the DBA role
- Preventing high-privileged users from having access to sensitive data
- Separation of roles between those who own the data and those who manage the data
- Regulatory compliance and audits
14
History of Database Encryption
15
History of Database Encryption
SQL Server Version | Type of Encryption
2000 & before | No native tools. Data at rest could be encrypted by third-party tools or by encrypting the entire drive
2005 | Cell-level encryption
2008, 2012, 2014 | TDE (Transparent Data Encryption); certificate-based transport encryption
2016 | Always Encrypted
16
Always Encrypted
17
Solution to the issues with earlier encryption
- A transparent end-to-end solution for sensitive columns
- All encryption and decryption is handled transparently by the driver library on the client
- Allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to SQL Server
- Data is never in plain text while being stored or accessed on SQL Server (including while in memory)
18
(Diagram; labels: Security Officer, CMK Store, Database)
1. Generate CEKs and Master Key: Column Encryption Key (CEK), Column Master Key (CMK)
2. Encrypt CEK: CEK encrypted with the CMK gives the Encrypted CEK
3. Store Master Key Securely: CMK goes to the CMK Store (Certificate Store, HSM, Azure Key Vault, …)
4. Upload Encrypted CEK to DB: Encrypted CEK goes to the Database
19
Type of Keys
Column Master Keys (CMK)
- Used to encrypt column encryption keys
- Encrypted values of the keys, along with their location, are stored in system catalog views
- SQL Server does not contain the keys needed to decrypt data
- Must be stored in a trusted key store
- Column Master Keys must be deployed on each client machine that needs access to the unencrypted data
20
Type of Keys (Cont.)
Column Encryption Keys (CEK)
- Used to encrypt sensitive data stored in a database column
- A single key can encrypt all values in a column/table
- Encrypted values of the keys are stored in system catalog views
- Store this key in a secured/trusted location for backup
- Each CEK can have 2 encrypted values from 2 CMKs to allow master key rotation
21
Type of Encryption
Deterministic
- Generates the same encrypted value for a given text
- Allows grouping, filtering and joining
- Better chance of data decryption by an unauthorized user by examining the pattern, especially when applied to a smaller set of data
22
Type of Encryption (Cont.)
Randomized
- Encrypts data in a less predictable manner
- More secure because a different set of data is generated for the same plain text
- Prevents equality searches, grouping, indexing and joining
23
Type of Encryption (Cont.)
Deterministic vs. Randomized
- Columns that are part of indices (either clustered or non-clustered) can’t be encrypted with the randomized option
- Columns referenced by a unique constraint can be encrypted with the deterministic option
- Primary key columns can use only the deterministic option
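The column rules above expressed as T-SQL, as an added example that is not part of the original slides. It reuses the deck's Employee columns and assumes a column encryption key with the hypothetical name CEK_Demo has already been provisioned in the database.

```sql
-- Added example. CEK_Demo is a hypothetical column encryption key, assumed to
-- exist already (CMK in a trusted key store, encrypted CEK uploaded to the DB).
CREATE TABLE dbo.Employee
(
    -- Primary key column: only the deterministic option is permitted.
    -- Encrypted string columns need a BIN2 collation (see Limitations).
    EmpNID    varchar(20) COLLATE Latin1_General_BIN2
              ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Demo,
                              ENCRYPTION_TYPE = DETERMINISTIC,
                              ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256')
              NOT NULL,

    -- Not treated as sensitive in this example, so stored in plaintext.
    EmpName   nvarchar(50) NOT NULL,

    -- Never indexed, joined or filtered on, so the randomized option fits.
    EmpSalary money
              ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Demo,
                              ENCRYPTION_TYPE = RANDOMIZED,
                              ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256')
              NOT NULL,

    CONSTRAINT PK_Employee PRIMARY KEY CLUSTERED (EmpNID)
);

-- Confirm what the server recorded for each column of the table.
-- Plaintext columns show NULL in the three encryption-related columns.
SELECT  c.name                       AS column_name,
        c.encryption_type_desc,
        c.encryption_algorithm_name,
        cek.name                     AS cek_name
FROM    sys.columns AS c
LEFT JOIN sys.column_encryption_keys AS cek
        ON cek.column_encryption_key_id = c.column_encryption_key_id
WHERE   c.object_id = OBJECT_ID(N'dbo.Employee')
ORDER BY c.column_id;

-- Switching EmpNID to ENCRYPTION_TYPE = RANDOMIZED makes the CREATE TABLE fail,
-- because the column is part of the primary key index.
```

Equality lookups on EmpNID then have to arrive as parameters from a client connection with Column Encryption Setting = enabled, so that the driver can encrypt the value before it reaches the server.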
24
SQL Server or SQL Database
Encrypted sensitive data and corresponding keys are never seen in plaintext in SQL Server.
(Diagram: trust boundary between the client and SQL Server or SQL Database)
- Client application issues: "SELECT EmpName,EmpSalary FROM Employee WHERE EmpNID = "NID_Sultan_1""
- ADO.NET (Column Encryption Setting = enabled) sends to the server: "SELECT EmpName,EmpSalary FROM Employee WHERE EmpNID = 0x7ff654ae6d" (cipher text)
- Result set returned by the server: EmpSalary 0x7ddfddae6 (cipher text)
- Result set seen by the client application: Name Sultan, EmpSalary $100,000
- dbo.Employee as stored on the server:
  EmpName | EmpNID | EmpSalary
  Sultan | 0x7ff654ae6d | 0x7ddfddae6 (cipher text)
25
Key Rotation
- Ensure Compliance Requirement
- Ensure Better Security
Rotating of CMK
- Provision a new CMK
- Encrypt CEK with new CMK (Rotate CMK)
- Configure Client
- Cleaning Up & Archiving (Clean CMK)
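A catalog query for following the rotation steps above and the key metadata described on the key-type slides, as an added example that is not from the original deck. It reads only metadata from the sys.column_master_keys, sys.column_encryption_keys and sys.column_encryption_key_values catalog views; no key material is decrypted.

```sql
-- Added example: which CMK(s) currently protect each CEK, and where each CMK lives.
-- cmk_values_for_cek = 1 : normal state
-- cmk_values_for_cek = 2 : the CEK is encrypted under two CMKs, i.e. a rotation
--                          has started and the old value has not been cleaned up
SELECT  cek.name                       AS cek_name,
        cmk.name                       AS cmk_name,
        cmk.key_store_provider_name,
        cmk.key_path,
        cekv.encryption_algorithm_name,
        cmk.create_date                AS cmk_created,
        COUNT(*) OVER (PARTITION BY cek.column_encryption_key_id)
                                       AS cmk_values_for_cek
FROM    sys.column_encryption_keys       AS cek
JOIN    sys.column_encryption_key_values AS cekv
        ON cekv.column_encryption_key_id = cek.column_encryption_key_id
JOIN    sys.column_master_keys           AS cmk
        ON cmk.column_master_key_id = cekv.column_master_key_id
ORDER BY cek.name, cmk.create_date;

-- CMK metadata that no longer protects any CEK: candidates for the
-- "Cleaning Up & Archiving" step once every client has the new CMK.
SELECT  cmk.name,
        cmk.key_store_provider_name,
        cmk.key_path,
        cmk.create_date
FROM    sys.column_master_keys AS cmk
WHERE   NOT EXISTS (SELECT 1
                    FROM   sys.column_encryption_key_values AS cekv
                    WHERE  cekv.column_master_key_id = cmk.column_master_key_id)
ORDER BY cmk.create_date;
```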
26
Performance Benchmarking
30
Limitations
31
Data Type
- XML
- timestamp/ rowversion
- image
- ntext/ text
- sql_variant
- geography/ geometry
- User defined type
- Non Binary2 Collation string data type
- Alias
- Sparse column set
32
Column
- Partitioning columns
- Columns with default constraints/ check constraints
- Referencing column can’t be encrypted with randomized option (for deterministic option the CEK must be the same)
- Columns that are keys of fulltext indices
- Columns referenced by computed columns when the expression does unsupported operations
- Columns referenced by statistics
- Table variable columns
33
Clause
- FOR XML
- FOR JSON PATH
34
Features
- Transactional or Merge Replication
- Distributed Queries (linked servers)
35
References
36
- Always Encrypted (Database Engine)
- Always Encrypted (Client Development)
- Column Master Key Rotation and Cleanup with Always Encrypted
- Import/Export Windows Cert
37
Thank You & Happy Encrypting !!!
Md. Sultan-E-Alam Khan, PMP®, SMC™, OCP, MCSD | Head of Application, Lanka Bangla