Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Server 2016 Hands-ON Labs: Exploring NEW Security Features

Published byLisa Stevenson Modified over 7 years ago

Similar presentations

Presentation on theme: "SQL Server 2016 Hands-ON Labs: Exploring NEW Security Features"— Presentation transcript:

1 SQL Server 2016 Hands-ON Labs: Exploring NEW Security Features
Timothy P. McAliley CISA, CISM, CISSP, ITIL V3, MCSA, MCSE, MCT, PMP Microsoft Account Technology Strategist

2 A bit about me……. 17 years in IT, mostly in IT Operations, Information Assurance Microsoft for about 4 years, 1 in Sale Engineer Role, 3 in Premier Field Engineer Role Previously worked for Symantec, Fanatics.com, ASM Research (DoD Consulting Firm) Florida State Alum, Wife – Stephanie, two daughters – Riley (13) and Harper (3)

3 Ok….so why are we doing this?
Knowledge transfer Learning though “doing” Resource awareness: Over 30 SQL Server Labs Free, web-based, repeatable Downloadable lab books Nothing to install Don’t want to do the labs tonight? No worries – just observe, ask questions, etc. You can do the labs anytime

4 Logistics - Wifi/Wireless Access – refer to the information sheet
URL – Labs – SQL Server 2016 – Always Encrypted SQL Server 2016 – Row-Level Security / Dynamic Data Masking SQL Server 2016 – Organizational Security and Auditing

5 Server & Tools Business
12/28/2017 Summary: Always Encrypted Protect data at rest and in motion, on-premises and in the cloud Capability ADO.Net client library provides transparent client-side encryption, while SQL Server executes T-SQL queries on encrypted data Benefits Sensitive data remains encrypted and queryable at all times on-premises and in the cloud Unauthorized users never have access to data or keys No application changes Data remains encrypted during query TCE-enabled ADO .NET library Apps SQL Server Encrypted query No app changes Master key Source: Source: When it comes to mission critical security we are introducing a unique encryption technology that protects data at rest and in motion and can be full queried while encrypted. The new ADO .NET library provide transparent client-side ecryption, while SQL Server executes T-SQL queries on encrypted data. The master keys stay with the application and not with SQL Server. This can work on-premises or SQL Server in Azure VM. So think about the hybrid scenarios where you wanted to take advantage of Azure cloud computing, but for certain data could not take advantage of cloud scale due to data security requirements. This technology ensures your data is always encrypted. Best of all no application changes are required. Columnar key Security © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

6 The need for row-level security
Protect data privacy by ensuring the right access across rows Customer 1 Customer 2 Customer 3 Fine-grained access control over specific rows in a database table Help prevent unauthorized access when multiple users share the same tables, or to implement connection filtering in multitenant applications Administer via SQL Server Management Studio or SQL Server Data Tools Enforcement logic inside the database and schema is bound to the table SQL Database Row-Level Security (RLS) simplifies the design and coding of security in your application. RLS enables you to implement restrictions on data row access. For example ensuring that workers can access only those data rows that are pertinent to their department, or restricting a customer's data access to only the data relevant to their company. The access restriction logic is located in the database tier rather than away from the data in another application tier. The database system applies the access restrictions every time that data access is attempted from any tier. This makes your security system more reliable and robust by reducing the surface area of your security system. Implement RLS by using the CREATE SECURITY POLICY Transact-SQL statement, and predicates created as inline table valued functions. Limitations during the preview: RLS is incompatible with database export using Data Tier Application Framework (DACFx). You must drop all RLS policies before exporting. Security policies cannot target views. Certain query patterns using OR logic can trigger un-optimized table scans, decreasing query performance. No syntax highlighting in SQL Server tools. Security

7 Dynamic data masking Prevent the abuse of sensitive data by hiding it from users Table.CreditCardNo Configuration made easy in the new Azure portal Policy-driven at the table and column level, for a defined set of users Data masking applied in real-time to query results based on policy Multiple masking functions available (e.g. full, partial) for various sensitive data categories (credit card numbers, SSN, etc.) Real-time data masking; partial masking SQL Database SQL Server 2016 Source: Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer. It’s a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed. Dynamic data masking is easy to use with existing applications, since masking rules are applied in the query results, and there is no need to modify existing queries. For example, a call center support person may identify callers by several digits of their social security number or credit card number, but those data items should not be fully exposed to the support person. A developer can define a masking rule to be applied to each query result that masks all but the last four digits of any social security number or credit card number in the result set. For another example, by using the appropriate data mask to protect personally identifiable information (PII) data, a developer can query production environments for troubleshooting purposes without violating compliance regulations. Dynamic data masking limits the exposure of sensitive data and prevents accidental viewing by engineers that access directly databases for troubleshooting purposes or non-privileged application users. Dynamic data masking doesn’t aim to prevent privileged database users from connecting directly to the database and running exhaustive queries that expose pieces of the sensitive data. Dynamic data masking is complimentary to other SQL Server security features (auditing, encryption, row level security…) and it is highly recommended to enable them in addition in order to protect better the sensitive data in the database. Since data is masked just before being returned to the user, changing the data type to an unmasked type will return unmasked data. Dynamic data masking is available in SQL Server However, to enable dynamic data masking, you must use trace flags 209 and 219. For SQL Database, see Get started with SQL Database Dynamic Data Masking (Azure Preview portal). Security

8 SQL Server 2016 – Organizational Security and Auditing
Audit resilience. Ensures that audit logs are not lost in failover during temporary file and network issues. User-defined audit. Creates events that allow applications to write custom information to the audit log. Audit filtering. Improves filtering to simplify audit reporting.

9 Server & Tools Business
12/28/2017 Microsoft positioned as a leader in the Gartner Magic Quadrant for Operational Database Management Systems* { } Microsoft is placed furthest in vision and ability to execute within the leaders’ quadrant *Gartner “Magic Quadrant for Operational Database Management Systems,” by Donald Feinberg , Merv Adrian , Nick Heudecker, Adam Ronthal, October 2015 This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

10 12/28/2017 SQL Server is an ecosystem of products and services, both on-premises and in the cloud Operational Database Management Systems Data Warehouse and Database Management Systems Business Intelligence and Analytics Platforms x86 Server Virtualization Cloud Infrastructure as a Service Enterprise Application Platform as a Service Public Cloud Storage Services Magic Quadrant leader in Operational Database Management Systems (paywall) Magic Quadrant leader in Data Warehouse Database Management Systems (paywall) Magic Quadrant leader in Business Intelligence and Analytics Platforms (paywall) Magic Quadrant for x86 Server Virtualization Magic Quadrant for Cloud Infrastructure as a Service Magic Quadrant for Enterprise Application Platform as a Service Gartner Magic Quadrant for Public Cloud Storage © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11 SQL Server 2016 Upgrade Paths
SQL Server 2016 supports upgrade from the following versions of SQL Server: SQL Server 2008 SP3 or later SQL Server 2008 R2 SP2 or later SQL Server 2012 SP1 or later SQL Server 2014 or later

12 SQL Server 2016 Editions

13 SQL Server 2016 Licensing

14 System Center Marketing
12/28/2017 2016 Overview Agenda Mission-critical performance Hyperscale cloud Deeper insights across data With SQL Server vNext we are continuing to invest in three major areas. We are going to continue pushing the envelope on mission critical performance; with SQL Server 2014 we began to pull away from the Tier 1 competitors with innovative in-memory technology built-in. Next release we will further our lead with new innovations across many mission critical components. When it comes to providing insights on data, we are making significant investments for both on-premises and complimentary services via Azure to help you gain deeper insights across your data. Finally we are adding new hybrid capabilities that will compliment your on-premises investments and give you the ability to take advantage of our hyperscale cloud. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

15 Mission-critical performance
Security Availability Scalability Operational analytics Insights on operational data; works with in-memory OLTP and disk-based OLTP In-memory OLTP enhancements Greater T-SQL surface area, terabytes of memory supported, and greater number of parallel CPUs Query data store Monitor and optimize query plans Native JSON Expanded support for JSON data Temporal database support Query data as points in time Always encrypted Sensitive data remains encrypted at all times with ability to query Row-level security Apply fine-grained access control to table rows Dynamic data masking Real-time obfuscation of data to prevent unauthorized access Other enhancements Audit success/failure of database operations TDE support for storage of In- Memory OLTP tables Enhanced auditing for OLTP with ability to track history of record changes Enhanced AlwaysOn Three synchronous replicas for automatic failover across domains Round-robin load balancing of replicas Automatic failover based on database health DTC for transactional integrity across database instances with AlwaysOn Support for SSIS with AlwaysOn Enhanced database caching Cache data with automatic, multiple TempDB files per instance in multicore environments Performance Enhanced in-memory performance with up to 30x faster transactions, more than 100x faster queries than disk-based relational databases and real-time operational analytics. Security Upgrades Always Encrypted technology helps protect your data at rest and in motion, on-premises and in the cloud, with master keys sitting with the application, without any application changes. High Availability Even higher availability and performance than SQL Server 2014 of your AlwaysOn secondaries with the ability to have up to 3 synchronous replicas, DTC support, and round-robin load balancing of the secondaries. Scalability Enhanced database caching across multiple cores and support for Windows Server 2016 that efficiently scale compute, networking, and storage in both physical and virtual environments.

16 Hyperscale cloud Hybrid solutions Simplicity Consistency
Stretch Database Stretch operational tables in a secure manner into Azure for cost-effective historic data availability. Works with Always Encrypted and row-level security Power BI with on-premises data New interactive query with Analysis Services. Customer data stays behind your firewall Enhanced backup to Azure Faster restore times and 50% reduction in storage. Supports larger DBs with block blobs and custom backup schedule with local staging Easy migration of on-premises SQL Server Simple point-and-click migration to Azure Suite of advisors for upgrading to SQL Server 2016 SQL Server 2016 Upgrade Advisor in the adoption of new SQL Server features Simplified Add Azure Replica Wizard Automatic listener configuration for AlwaysOn in Azure VMs Common development, management, and identity tools Including Active Directory, Visual Studio, Hyper- V, and System Center Consistent experience from SQL Server on-premises to Microsoft Azure IaaS and PaaS Breakthrough hybrid scenarios Stretch Database technology keeps more of your customers’ historical data at your fingertips by transparently stretching your warm and cold OLTP data to Microsoft Azure on-demand, without application changes. Simplicity New tools that make SQL Server migration to Microsoft Azure and hybrid scenarios even easier. Consistency Consistent experience from on-premises to Microsoft Azure IaaS and PaaS.

17 Deeper insights across data
Access any data Scale and manage Powerful insights Advanced analytics PolyBase Insights from data across SQL Server and Hadoop with the simplicity of T-SQL Enhanced SSIS Designer support for previous SSIS versions SSIS Improvements for Azure services Enterprise-grade Analysis Services Enhanced performance and scalability for Analysis Services Single SSDT in Visual Studio 2015 Build richer analytics solutions as part of your development projects in Visual Studio Enhanced MDS Excel add-in 15x faster; more granular security roles; archival options for transaction logs; and reuse entities across models Mobile BI Business insights for your on- premises data through rich visualization on mobile devices with native apps for Windows, iOS, and Android Enhanced Reporting Services New modern reports with rich visualizations R integration Bringing predictive analytic capabilities to your relational database Expand your “R” script library with Microsoft Azure Marketplace Access Any Data Query relational and non-relational data with the simplicity of T-SQL with PolyBase. Manage document data with native JSON support. Scale and Manage Enhanced performance, scalability and usability across SQL Server Enterprise Information Management tools and Analysis Services. Enhanced MDS. For domain based attribute, optionally, user can select a parent attribute whose value will constrain the allowed values for this attribute. For example 1. Model has State, City, Account entity. 2. Account has a City DBA to City entity and State DBA to State entity. 3. City has a State DBA to State entity and a derived hierarchy from State to City. 4. A constraint can be added on Account.City attribute which parent is Account.State. So the City attribute dropdown list is constrained by State value. Powerful Insights on any device Business insights through rich visualizations on mobile devices. Native apps for Windows, iOS and Android. New modern reports for all browsers. Advanced Analytics at massive scale Built-in advanced analytics provide the scalability and performance benefits of running your “R” algorithms directly in SQL Server. Expand your analytics library with Microsoft Azure Marketplace.

18 Always Encrypted

19 The need for Always Encrypted
12/28/2017 The need for Always Encrypted Prevents data disclosure Client-side encryption of sensitive data using keys that are never given to the database system Queries on encrypted data Support for equality comparison, including join, group by, and distinct operators Application transparency Minimal application changes via server and client library enhancements Allows customers to securely store sensitive data outside of their trust boundary. Data remains protected from high-privileged, yet unauthorized users. Security © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

20 SQL Server or SQL Database
How it works Help protect data at rest and in motion, on-premises and in the cloud Encrypted sensitive data and corresponding keys are never seen in plaintext in SQL Server SQL Server or SQL Database trust boundary Client "SELECT Name FROM Customers WHERE SSN " " "SELECT Name FROM Customers WHERE SSN 0x7ff654ae6d ciphertext ADO .NET Result Set Result Set Name Wayne Jefferson Name 0x19ca706fbd9a dbo.Customers Name SSN Country 0x19ca706fbd9a 0x7ff654ae6d USA ciphertext Security

21 Types of encryption for Always Encrypted
Randomized encryption Encrypt(' ') = 0x17cfd50a Repeat: Encrypt(' ') = 0x9b1fcf32 Allows for transparent retrieval of encrypted data but NO operations More secure Deterministic encryption Encrypt(' ') = 0x85a55d3f Repeat: Encrypt(' ') = 0x85a55d3f Allows for transparent retrieval of encrypted data AND equality comparison E.g. in WHERE clauses and joins, distinct, group by Two types of encryption available Randomized encryption uses a method that encrypts data in a less predictable manner Deterministic encryption uses a method which always generates the same encrypted value for any given plaintext value Source: Selecting Deterministic or Randomized Encryption Always Encrypted supports two types of encryption: randomized encryption and deterministic encryption. Deterministic encryption uses a method which always generates the same encrypted value for any given plain text value. Using deterministic encryption allows grouping, filtering by equality, and joining tables based on encrypted values, but can also allow unauthorized users to guess information about encrypted values by examining patterns in the encrypted column. This weakness is increased when there is a small set of possible encrypted values, such as True/False, or North/South/East/West region. Deterministic encryption must use a column collation with a binary2 sort order for character columns. Randomized encryption uses a method that encrypts data in a less predictable manner. Randomized encryption is more secure, but prevents equality searches, grouping, indexing, and joining on encrypted columns. Use deterministic encryption for columns that will be used as search or grouping parameters, for example a government ID number. Use randomized encryption, for data such as confidential investigation comments, which are not grouped with other records, or used to join tables, and which are lthe row which contains the encrypted column of interest. Security

22 Server & Tools Business
12/28/2017 Summary: Always Encrypted Protect data at rest and in motion, on-premises and in the cloud Capability ADO.Net client library provides transparent client-side encryption, while SQL Server executes T-SQL queries on encrypted data Benefits Sensitive data remains encrypted and queryable at all times on-premises and in the cloud Unauthorized users never have access to data or keys No application changes Data remains encrypted during query TCE-enabled ADO .NET library Apps SQL Server Encrypted query No app changes Master key Source: Source: When it comes to mission critical security we are introducing a unique encryption technology that protects data at rest and in motion and can be full queried while encrypted. The new ADO .NET library provide transparent client-side ecryption, while SQL Server executes T-SQL queries on encrypted data. The master keys stay with the application and not with SQL Server. This can work on-premises or SQL Server in Azure VM. So think about the hybrid scenarios where you wanted to take advantage of Azure cloud computing, but for certain data could not take advantage of cloud scale due to data security requirements. This technology ensures your data is always encrypted. Best of all no application changes are required. Columnar key Security © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23 Row-level security SQL Server 2016 SQL Database

24 The need for row-level security
Protect data privacy by ensuring the right access across rows Customer 1 Customer 2 Customer 3 Fine-grained access control over specific rows in a database table Help prevent unauthorized access when multiple users share the same tables, or to implement connection filtering in multitenant applications Administer via SQL Server Management Studio or SQL Server Data Tools Enforcement logic inside the database and schema is bound to the table SQL Database Row-Level Security (RLS) simplifies the design and coding of security in your application. RLS enables you to implement restrictions on data row access. For example ensuring that workers can access only those data rows that are pertinent to their department, or restricting a customer's data access to only the data relevant to their company. The access restriction logic is located in the database tier rather than away from the data in another application tier. The database system applies the access restrictions every time that data access is attempted from any tier. This makes your security system more reliable and robust by reducing the surface area of your security system. Implement RLS by using the CREATE SECURITY POLICY Transact-SQL statement, and predicates created as inline table valued functions. Limitations during the preview: RLS is incompatible with database export using Data Tier Application Framework (DACFx). You must drop all RLS policies before exporting. Security policies cannot target views. Certain query patterns using OR logic can trigger un-optimized table scans, decreasing query performance. No syntax highlighting in SQL Server tools. Security

25 Benefits of row-level security (RLS)
12/28/2017 Benefits of row-level security (RLS) Fine-grained access control Keeping multitenant databases secure by limiting access by other users who share the same tables Application transparency RLS works transparently at query time, no app changes needed Compatible with RLS in other leading products Centralized security logic Enforcement logic resides inside database and is schema-bound to the table it protects providing greater security. Reduced application maintenance and complexity Source: Row level security introduces predicate based access control. It features a flexible, centralized, predicate-based evaluation that can take into consideration metadata (such as labels) or any other criteria the administrator determines as appropriate. The predicate is used as a criterion to determine whether or not the user has the appropriate access to the data based on user attributes. Label based access control can be implemented by using predicate based access control. For more information, see Row-Level Security. Store data intended for many consumers in a single database/table while at the same time restricting row-level read and write access based on users’ execution context. Security © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

26 RLS concepts Predicate function Security predicate Security policy
Performance? Inline functions get optimized to provide comparable performance to views, as if the logic were directly embedded in the original query statement Predicate function User-defined inline table-valued function (iTVF) implementing security logic Can be arbitrarily complicated, containing joins with other tables Security predicate Binds a predicate function to a particular table, applying it for all queries Two types: filter predicates and blocking predicates (coming soon) Security policy Collection of security predicates for managing security across multiple tables Source: Row-Level Security enables customers to control access to rows in a database table based on the characteristics of the user executing a query (e.g., group membership or execution context). Row-level filtering of data selected from a table is enacted through a security predicate filter defined as an inline table valued function. The function is then invoked and enforced by a security policy. The policy can restrict the rows that may be viewed (a filter predicate), but does not restrict the rows that can be inserted or updated from a table (a blocking predicate). There is no indication to the application that rows have been filtered from the result set; if all rows are filtered, then a null set will be returned. Filter predicates are applied while reading data from the base table, and it affects all get operations: SELECT, DELETE (i.e. user cannot delete rows that are filtered), and UPDATE (i.e. user cannot update rows that are filtered, although it is possible to update rows in such way that they will be subsequently filtered). Blocking predicates are not available in this version of RLS, but equivalent functionality (i.e. user cannot INSERT or UPDATE rows such that they will subsequently be filtered) can be implemented using check constraints or triggers. Filter predicates and security policies have the following behavior: Define a security policy that filters the rows of a table. The application is unaware that any rows have been filtered for SELECT, UPDATE, and DELETE operations, including situations where all the rows have been filtered out. The application can INSERT any rows, regardless of whether or not they will be filtered during any other operation. Define a predicate function that joins with another table and/or invokes a function. The join/function is accessible from the query and works as expected without any additional permission checks. Issue a query against a table that has a security predicate defined but disabled. Any rows that would have been filtered or restricted are not affected. The dbo user, a member of the db_owner role, or the table owner queries against a table that has a security policy defined and enabled. Rows are filtered/restricted as defined by the security policy. Attempts to alter the schema of a table bound by a security policy will result in an error. However, columns not referenced by the filter predicate can be altered. Attempts to add a predicate on a table that already has one defined (regardless of whether it is enabled or disabled) results in an error. Attempts to modify a function used as a predicate on a table within a security policy results in an error. Defining multiple active security policies that contain non-overlapping predicates, succeeds. CREATE SECURITY POLICY mySecurityPolicy ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime) ON dbo.patients Security

27 Example CREATE FUNCTION int) RETURNS TABLE WITH SCHEMABINDING AS return SELECT 1 as [fn_securitypredicate_result] FROM StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId) WHERE e.UserSID = SUSER_SID() = d.Wing; CREATE SECURITY POLICY dbo.SecPol ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON Patients WITH (STATE = ON) Fine-grained access control over rows in a table based on one or more pre-defined filtering criteria, such as user’s role or clearance level in organization Concepts: Predicate function Security policy Source: Security

28 Common RLS use cases Traditional RLS workloads Multitenant databases
Custom business logic to determine which rows each user can SELECT, INSERT, UPDATE, and DELETE based on their role, department, and security level Target sectors: Finance, insurance, healthcare, energy, and government Multitenant databases Ensuring tenants can only access their own rows of data in a shared database, with enforcement logic in the database rather than in the app tier For example: multitenant shards with elastic database tools in SQL Database Reporting, analytics, and data warehousing Different users access same database through various reporting tools, and work with different subsets of data based on their identity/role Security

29 Summary: RLS Capability Benefits
Row-level security provides fine-grained access control over rows in a table based on conditions you set up Benefits Store data for many users in the same databases and tables while limiting access by other users who share the same tables Security

30 Dynamic data masking SQL Server 2016 SQL Database

31 Dynamic data masking Prevent the abuse of sensitive data by hiding it from users Table.CreditCardNo Configuration made easy in the new Azure portal Policy-driven at the table and column level, for a defined set of users Data masking applied in real-time to query results based on policy Multiple masking functions available (e.g. full, partial) for various sensitive data categories (credit card numbers, SSN, etc.) Real-time data masking; partial masking SQL Database SQL Server 2016 Source: Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer. It’s a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed. Dynamic data masking is easy to use with existing applications, since masking rules are applied in the query results, and there is no need to modify existing queries. For example, a call center support person may identify callers by several digits of their social security number or credit card number, but those data items should not be fully exposed to the support person. A developer can define a masking rule to be applied to each query result that masks all but the last four digits of any social security number or credit card number in the result set. For another example, by using the appropriate data mask to protect personally identifiable information (PII) data, a developer can query production environments for troubleshooting purposes without violating compliance regulations. Dynamic data masking limits the exposure of sensitive data and prevents accidental viewing by engineers that access directly databases for troubleshooting purposes or non-privileged application users. Dynamic data masking doesn’t aim to prevent privileged database users from connecting directly to the database and running exhaustive queries that expose pieces of the sensitive data. Dynamic data masking is complimentary to other SQL Server security features (auditing, encryption, row level security…) and it is highly recommended to enable them in addition in order to protect better the sensitive data in the database. Since data is masked just before being returned to the user, changing the data type to an unmasked type will return unmasked data. Dynamic data masking is available in SQL Server However, to enable dynamic data masking, you must use trace flags 209 and 219. For SQL Database, see Get started with SQL Database Dynamic Data Masking (Azure Preview portal). Security

32 Benefits of dynamic data masking
12/28/2017 Benefits of dynamic data masking Regulatory compliance A strong demand for applications to meet privacy standards recommended by regulating authorities Sensitive data protection Protects against unauthorized access to sensitive data in the application, and against exposure to developers or DBAs who need access to the production database Agility and transparency Data is masked on the fly, with underlying data in the database remaining intact. Transparent to the application and applied according to user privilege Source: Row-level security introduces predicate-based access control. It features a flexible, centralized, predicate-based evaluation that can take into consideration metadata (such as labels) or any other criteria the administrator determines as appropriate. The predicate is used to determine whether or not the user has the appropriate access to the data based on user attributes. Label-based access control can be implemented by using predicate-based access control. For more information, see Row-Level Security. Limit access to sensitive data by defining policies to obfuscate specific database fields, without affecting the integrity of the database. Security © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

33 12/28/2017 How it works Table.CreditCardNo Limit sensitive data exposure by obfuscating it to non-privileged users On-the-fly masking of sensitive data in query results On-the-fly obfuscation of data in query results Policy-driven on the table and column Multiple masking functions available for various sensitive data categories Flexibility to define a set of privileged logins for un-masked data access By default, database owner is unmasked See: Dynamic masking Azure DB Configurable service, which limit sensitive data exposure by obfuscation in query results Ability to mask data based on its table and column or alias Ability to select masking functions Ability to define a list of privileged logins that will be able to the data in its CLER format Security © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

34 Dynamic data masking walkthrough
Microsoft Research 2013 12/28/2017 6:27 AM Dynamic data masking walkthrough 1) Security officer defines dynamic data masking policy in T-SQL over sensitive data in Employee table 2) Application user selects from Employee table 3) Dynamic data masking policy obfuscates the sensitive data in the query results Security Officer ALTER TABLE [Employee] ALTER COLUMN [SocialSecurityNumber] ADD MASKED WITH (FUNCTION = ‘SSN()’) ALTER TABLE [Employee] ALTER COLUMN [ ] ADD MASKED WITH (FUNCTION = ‘ ()’) ALTER TABLE [Employee] ALTER COLUMN [Salary] ADD MASKED WITH (FUNCTION = ‘RANDOM(1,20000)’) GRANT UNMASK to admin1 admin1 login other login SELECT [Name], [SocialSecurityNumber], [ ], [Salary] FROM [Employee] Security © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

35 Summary: dynamic data masking
Capability Protects against unauthorized disclosure of sensitive data in the application Benefits Enables you to set up policies at the table and column level that provide multiple masking functions Allows certain privileged logins to see the data unmasked Security

36 The Microsoft data platform  Microsoft Azure { } VISUALIZE + DECIDE
Internal and external Dashboards Reports Ask Mobile Information management Orchestration Extract, transform, load Prediction Relational Non-relational Analytical Apps Streaming VISUALIZE + DECIDE TRANSFORM + ANALYZE COLLECT + MANAGE { } Microsoft Azure

37 12/28/2017 © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.  Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.  MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Download ppt "SQL Server 2016 Hands-ON Labs: Exploring NEW Security Features"

Similar presentations

Power BI Sites and Mobile BI. What You Will Learn Sharing and Collaboration Introducing Power BI Exploring Power BI Features and Services Partner Opportunities.

Power BI Sites and Mobile BI. What You Will Learn Sharing and Collaboration Introducing Power BI Exploring Power BI Features and Services Partner Opportunities.
Overview and Roadmap for Microsoft SQL Server Security

Overview and Roadmap for Microsoft SQL Server Security
Understanding Active Directory

Understanding Active Directory
SQL Server 2016 New Innovations. Microsoft Data Platform Relational Beyond Relational On-premises Cloud Comprehensiv e Connected Choice SQL Server Azure.

SQL Server 2016 New Innovations. Microsoft Data Platform Relational Beyond Relational On-premises Cloud Comprehensiv e Connected Choice SQL Server Azure.
SQL Server Evolution New innovations Jen Underwood Sr. Program Manager of Business Intelligence & Analytics Microsoft George Walters Sr. Technical Solutions.

SQL Server Evolution New innovations Jen Underwood Sr. Program Manager of Business Intelligence & Analytics Microsoft George Walters Sr. Technical Solutions.
Warwick Rudd | Principal Consultant – consulting.com.au #456 | Auckland 2015 Mission Critical SQL Server.

Warwick Rudd | Principal Consultant – consulting.com.au #456 | Auckland 2015 Mission Critical SQL Server.
SQL Server 2016 Security Features Marek Chmel Microsoft MVP: Data Platform Microsoft MCT: Regional Lead MCSE: Data Platform Certified Ethical Hacker.

SQL Server 2016 Security Features Marek Chmel Microsoft MVP: Data Platform Microsoft MCT: Regional Lead MCSE: Data Platform Certified Ethical Hacker.
Comprehensive Flexible Global Storage and Search Responsive Available Secure Manageable Federation Coordination Consolidation Transformation Synchronization.

Comprehensive Flexible Global Storage and Search Responsive Available Secure Manageable Federation Coordination Consolidation Transformation Synchronization.
HDC: SQL Server 2016 New Features & Demos. Phil Brammer

HDC: SQL Server 2016 New Features & Demos. Phil Brammer
Migrate SQL Server Apps to SQL Azure Cloud DB

Migrate SQL Server Apps to SQL Azure Cloud DB
Data Security with Power BI, SSAS, SQL Server 2016 and Active Directory June 10, 2017.

Data Security with Power BI, SSAS, SQL Server 2016 and Active Directory June 10, 2017.
Use relational database as a service

Use relational database as a service
Data Platform and Analytics Foundational Training

Data Platform and Analytics Foundational Training
Data Platform and Analytics Foundational Training

Data Platform and Analytics Foundational Training
SQL Server 2016 How can Hoster Partners make money with SQL 2016?

SQL Server 2016 How can Hoster Partners make money with SQL 2016?
Business Continuity & Disaster Recovery

Business Continuity & Disaster Recovery
Self-service BI per user

Self-service BI per user
Data Platform and Analytics Foundational Training

Data Platform and Analytics Foundational Training
Row-Level Security and Dynamic Data Masking overview

Row-Level Security and Dynamic Data Masking overview
System Center Marketing

System Center Marketing

Similar presentations

Ads by Google