1
Secure your data in Azure SQL Database and SQL Data Warehouse
6/11/2018 6:08 PM
Session BRK3241
Speakers: Rebecca Zhang, Program Manager, Microsoft; Kevin Arand, Sr. Principal Data Architect, Paycor; Jakub Szymaszek, Program Manager, Microsoft
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
Agenda
- Overview
- Case Study – Paycor
- What's Next in SQL Security: TDE with Bring Your Own Key; Universal Auth with MFA; VNET Service Endpoints; Always Encrypted using Secure Enclaves
3
SQL Security in layers
Discovery & Assessment
- Vulnerability scanning: Vulnerability Assessment (Preview, NEW)
Activity Monitoring
- Tracking activities: Auditing
- Detecting threats: Advanced Threat Detection
- Centralized dashboard: Azure Security Center (ASC) integration and OMS integration
Access Control
- Server access: SQL Firewall
- Database access: SQL authentication and Azure Active Directory Universal Auth
- Application access: Row-Level Security and Dynamic Data Masking
Data Protection
- Encryption in motion: Transport Layer Security
- Encryption at rest: Transparent Data Encryption (Preview of BYOK support)
- Encryption in use: Always Encrypted (Early Access Preview of secure enclaves)
Compliance: FedRAMP (government), HIPAA (medical), PCI (payment), EU Model Clauses and GDPR (personal), UK G-Cloud (public sector), ISO
4
Themes
- More control over security configurations
- Easy manageability through Azure
- Help meet security & privacy compliance requirements
5
Case Study
6
Kevin Arand Senior Principal Data Architect Paycor
7
SaaS Human Capital Management Provider
- 32k+ customers
- All 50 states
- Private, managed data centers
- Large Azure footprint
- SQL Server 2014
8
Cloud Adoption: Primary Business Driver
- Cyclical workloads: need for elasticity (data, compute)
- Two primary workloads: scheduled vs. unscheduled calculations
- Payroll cadences: weekly, bi-weekly, monthly
- Azure services used: Azure SQL Database Elastic Pools, Azure SQL Database, Azure SQL Data Warehouse
9
Cloud Adoption: Primary Architectural Concerns
- Protection of sensitive/confidential information
- At-rest protection for OLTP data
- Protection of database backups
- Policies, procedures for support (Microsoft)
- Customizable, transparent controls
- Maintaining the least-privilege principle
Data Classification
- Tier I: PII, financial data, security authorization data
- Tier II: client data, physically masked PII
- Tier III: everything else
*Tier designation impacts physical placement of data: a dedicated Azure Elastic Pool and dedicated Active Directory security groups per tier
10
User Personas
11
Four Primary Personas: Ensuring Least Privilege
- Infrastructure Admin: "I need the ability to provision new Azure SQL instances, databases." Subscription access only; read-only perimeter (server) access.
- Support Personnel: "I need access to Azure data and databases so that I can respond to customer support inquiries." [db_datareader], limited CRUD, no PII.
- Database Admin: "I need access to Azure data and databases so that I can perform support and administrative tasks." DBA [db_owner] access.
- SaaS Service Account: "I need access to Azure data and databases so that I can consume the data necessary to power my application." CRUD privileges, access to PII.
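The persona model above maps naturally onto contained database users created from Azure AD security groups plus Dynamic Data Masking for the "no PII" requirement. The script below is an added example, not Paycor's provisioning code or anything shown in the session; the server name, database name, group names, service-account name and the dbo.Employee / dbo.SupportNote tables are hypothetical, and it assumes the SqlServer PowerShell module (SMO) and a connection made as the server's Azure AD admin. The Infrastructure Admin persona deliberately gets no database user at all: its access is subscription RBAC only.

```powershell
# Added example (not from the deck): provision the four personas as least-privilege
# contained users and mask PII for support staff.
# Hypothetical names: payroll-t1.database.windows.net, TenantPayroll,
# SG-Payroll-T1-Support, SG-Payroll-T1-DBA, svc-payroll-app, dbo.Employee, dbo.SupportNote.
Import-Module SqlServer

$serverName   = "payroll-t1.database.windows.net"   # hypothetical
$databaseName = "TenantPayroll"                      # hypothetical

# Connect as the server's Azure AD admin: only an Azure AD principal can create
# users FROM EXTERNAL PROVIDER. (Connection string is an assumption; ADAL required.)
$conn = New-Object Microsoft.SqlServer.Management.Common.ServerConnection
$conn.ConnectionString = "Server=$serverName;Database=$databaseName;Authentication=Active Directory Integrated"
$conn.Connect()
$db = (New-Object Microsoft.SqlServer.Management.Smo.Server($conn)).Databases[$databaseName]

# Persona -> Azure AD group -> database role, as on the slide:
#   Support Personnel : db_datareader, limited CRUD, no PII
#   Database Admin    : db_owner
#   SaaS Service Acct : CRUD, may read PII
#   Infra Admin       : no database user (subscription access only)
$tsql = @"
-- Contained users mapped to Azure AD security groups (one group per elastic pool / tier);
-- no server-level logins are created for any persona.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'SG-Payroll-T1-Support')
    CREATE USER [SG-Payroll-T1-Support] FROM EXTERNAL PROVIDER;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'SG-Payroll-T1-DBA')
    CREATE USER [SG-Payroll-T1-DBA] FROM EXTERNAL PROVIDER;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'svc-payroll-app')
    CREATE USER [svc-payroll-app] FROM EXTERNAL PROVIDER;

ALTER ROLE db_datareader ADD MEMBER [SG-Payroll-T1-Support];
ALTER ROLE db_owner      ADD MEMBER [SG-Payroll-T1-DBA];
ALTER ROLE db_datareader ADD MEMBER [svc-payroll-app];
ALTER ROLE db_datawriter ADD MEMBER [svc-payroll-app];

-- "Limited CRUD" for support: write access to one ticket table only
GRANT INSERT, UPDATE ON dbo.SupportNote TO [SG-Payroll-T1-Support];

-- "No PII" for support: db_datareader members see masked values
ALTER TABLE dbo.Employee ALTER COLUMN SSN         ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');
ALTER TABLE dbo.Employee ALTER COLUMN Email       ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.Employee ALTER COLUMN BankAccount ADD MASKED WITH (FUNCTION = 'default()');

-- Only the application identity may read unmasked PII
GRANT UNMASK TO [svc-payroll-app];
"@
$db.ExecuteNonQuery($tsql)

# Verification: who can read real PII? Expect only svc-payroll-app here;
# db_owner members (the DBA group) see unmasked data implicitly.
$check = @"
SELECT dp.name AS principal_name, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE p.permission_name = 'UNMASK';
"@
$db.ExecuteWithResults($check).Tables[0] | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. Dynamic Data Masking is an obfuscation control, not a cryptographic one: a principal with SELECT on the table can still probe masked values with predicates (WHERE SSN = '...'), which is why the persona model pairs masking with auditing and keeps db_owner reserved for the DBA group. And masking is built into Azure SQL Database and SQL Server 2016 but not SQL Server 2014, which is exactly why the on-premise comparison later in the deck shows DDM needing a custom solution there.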
12
Leveraging Azure Capabilities
Capabilities used: Azure Active Directory; MFA; firewall IP white-list; TDE; Dynamic Data Masking; custom portal role; auditing
Security goals met: reliable authentication; access from approved locations; controlled access to PII; auditability; protection of data at rest; clear separation of concerns
13
Putting It All Together
- Restricting connectivity: the Azure SQL Database instance-level firewall restricts access to an IP whitelist
- Strict authentication: Azure Active Directory integration ensures Paycor controls account provisioning
- All databases encrypted via TDE
- Databases segregated by tier: security groups provisioned per elastic pool
- Light-weight additional security layer: secure site-to-site connectivity; on-premise connectivity restricted by AD security group; multiple Paycor data centers require access to Azure assets
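The server-level half of that design (AAD admin, IP whitelist, TDE on every database in a tier's pool, auditing) is a few AzureRM cmdlets. The following is an added example, not Paycor's or Microsoft's script; the resource group, server, elastic pool, Azure AD group, storage account and the data-center egress addresses are all hypothetical or constructed, and it assumes the AzureRM module of the period with an already signed-in account.

```powershell
# Added example (not from the deck): apply the "Putting It All Together" controls
# to one Tier I logical server with the AzureRM module.
# Hypothetical names: rg-payroll, payroll-t1, pool-tier1, SG-Payroll-DBA, payrollaudit.
Import-Module AzureRM
Login-AzureRmAccount | Out-Null

$rg     = "rg-payroll"
$server = "payroll-t1"
$pool   = "pool-tier1"

# 1. Strict authentication: an Azure AD group, not an individual, is the server's
#    AAD admin, so Paycor's own directory controls who is provisioned.
Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName $rg -ServerName $server `
    -DisplayName "SG-Payroll-DBA" | Out-Null

# 2. Restricting connectivity: allow only the public egress ranges of Paycor's
#    data centers (constructed sample addresses from documentation ranges).
$approved = @{
    "DC-Primary" = @("203.0.113.10", "203.0.113.20")
    "DC-Backup"  = @("198.51.100.5", "198.51.100.5")
}
foreach ($name in $approved.Keys) {
    New-AzureRmSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server `
        -FirewallRuleName $name -StartIpAddress $approved[$name][0] -EndIpAddress $approved[$name][1] | Out-Null
}
# Any rule not in the approved list is stale and is removed, so the whitelist
# is the complete server-level rule set rather than an addition to it.
Get-AzureRmSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server |
    Where-Object { $approved.Keys -notcontains $_.FirewallRuleName } |
    ForEach-Object {
        Remove-AzureRmSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server `
            -FirewallRuleName $_.FirewallRuleName -Force
    }

# 3. All databases encrypted via TDE: enable it explicitly for every database in
#    the tier's elastic pool (new databases default to TDE on; older ones may not).
$dbs = Get-AzureRmSqlElasticPoolDatabase -ResourceGroupName $rg -ServerName $server -ElasticPoolName $pool
foreach ($db in $dbs) {
    Set-AzureRmSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server `
        -DatabaseName $db.DatabaseName -State Enabled | Out-Null
}

# 4. Auditability: server-level auditing covers every database on the server,
#    including databases created in the pool later.
Set-AzureRmSqlServerAuditing -ResourceGroupName $rg -ServerName $server `
    -State Enabled -StorageAccountName "payrollaudit" -RetentionInDays 90 | Out-Null

# Verification: databases whose TDE is not Enabled (expect none) and the final rule set.
$dbs | ForEach-Object {
    Get-AzureRmSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server -DatabaseName $_.DatabaseName
} | Where-Object { $_.State -ne "Enabled" } | Format-Table DatabaseName, State
Get-AzureRmSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server |
    Format-Table FirewallRuleName, StartIpAddress, EndIpAddress
```

Running the TDE and firewall checks on a schedule, rather than only at provisioning time, is what turns these one-off settings into the "customizable, transparent controls" the architectural-concerns slide asks for: a database added to the pool without encryption, or a rule added by hand from the portal, shows up on the next run.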
14
Cost-Benefit Analysis
15
On Premise vs. Azure: Implementing TDE
Key variables: number of environments and databases; key rotation requirements
Azure implementation: Azure Portal, PowerShell
Key management challenges (on premise): provisioning, rotation, backup/restore, DR
Total Effort to Implement: Hours
*Implementation on SQL Server 2014; **effort encompasses multiple environments
Key decision: where is time best spent?
16
On Premise vs. Azure: Implementing Data Masking
Implementation: DDM requires a custom solution or SQL Server 2016
Azure implementation: PowerShell, REST API, Azure Portal
Implementation challenges: deployment challenges; "trusting" engineers; auditability
Est. Effort to Implement: 40 Hours
*Implementation on SQL Server 2014; **effort encompasses multiple environments
Key decision: where is time best spent?
17
Kevin's Wish List
18
Features Paycor Would Benefit From
- Improved experience in SQL Server Management Studio for user provisioning
- Additional built-in roles (Azure SQL Database) for low-level administration
- Support for real-time replication of Azure AD from on-premise
- Virtual Network integration for Azure SQL Database/DW
- Expanded roles (Azure portal)
19
What's Next in SQL Security
- TDE with Bring Your Own Key
- Universal Authentication with MFA
- VNET Service Endpoints
- Always Encrypted using Secure Enclaves
20
TDE with Bring Your Own Key support (Preview)
- Control who has access to the keys used for encryption at rest, and when
- Simplify key management via Azure Key Vault and centralize application secrets, passwords, and encryption keys on one platform
- Leverage Key Vault's scalability, security, and redundancy, with built-in hardware security modules (HSMs) and redundant provisioning of vaults across datacenters worldwide
- Strengthen trust in the cloud by controlling which principals and resources have access to TDE keys
- Help meet compliance requirements by separating data management from key management
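The configuration behind those bullets is: give the logical server a managed identity, grant that identity only the wrap/unwrap rights it needs on a Key Vault key, register the key with the server, and make it the TDE protector. The script below is an added example written for this page, not the demo from the session; the resource group, server, vault and key names are hypothetical, and it assumes the AzureRM module, a Premium-tier vault (for the HSM-backed key) and a signed-in account that administers both the server and the vault.

```powershell
# Added example (not from the session demo): TDE with a customer-managed key in Azure Key Vault.
# Hypothetical names: rg-payroll, payroll-t1, kv-payroll-tde, tde-protector.
Import-Module AzureRM
Login-AzureRmAccount | Out-Null

$rg = "rg-payroll"; $server = "payroll-t1"; $vault = "kv-payroll-tde"; $keyName = "tde-protector"

# 1. Managed identity: the SQL service authenticates to Key Vault as itself,
#    so there is no shared secret to rotate or leak.
$sql = Set-AzureRmSqlServer -ResourceGroupName $rg -ServerName $server -AssignIdentity

# 2. Separation of data and key management: the server identity may only
#    get/wrap/unwrap; it cannot create, delete or export keys. Vault administrators,
#    conversely, need no access to the databases.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault -ObjectId $sql.Identity.PrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 3. Create the protector in the vault's HSM (requires a Premium vault) and register it.
$key = Add-AzureRmKeyVaultKey -VaultName $vault -Name $keyName -Destination HSM
Add-AzureRmSqlServerKeyVaultKey -ResourceGroupName $rg -ServerName $server -KeyId $key.Id | Out-Null

# 4. Switch the server-wide TDE protector from the service-managed key to this key.
#    Every database on the server re-wraps its database encryption key under it.
Set-AzureRmSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server `
    -Type AzureKeyVault -KeyId $key.Id | Out-Null

# Verification: Type should now read AzureKeyVault and name this key version.
Get-AzureRmSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server |
    Format-List Type, ServerKeyVaultKeyName

# Rotation later: Add-AzureRmKeyVaultKey creates a new version; register it and repeat
# step 4 with the new KeyId. Keep the old version until no backup still depends on it.
```

The "control who has access and when" bullet cuts both ways: if the key is deleted, the access policy is revoked, or the vault becomes unreachable, the server can no longer unwrap its database encryption keys and every database on it becomes inaccessible. Treat the vault as tier-zero infrastructure: enable soft-delete, back up the key, restrict who can change the access policy, and audit the vault alongside the databases.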
21
Demo: TDE with Bring Your Own Key support (Preview)
22
Universal Auth with Multi-factor authentication (Generally Available)
- Additional level of authentication to help secure access to sensitive data
- Help meet compliance and company policies requiring MFA
- Supports guest users (hotmail.com, outlook.com, gmail.com) and users imported from other AAD domains
- Support for SSMS 17.2, SQLPackage.exe, DacFx API, CLI, C# programming interface
Roadmap for H / H1 2018:
- SSDT support for UA with MFA
- VS integration
- SQLCMD and BCP support for UA with MFA
- Support for MSA and non-MSA accounts (i.e. yahoo.com, contoso.com)
Goal: MFA support for all SQL tools and services
23
Demo: Universal Authentication with Multi-Factor Authentication (Generally Available)
24
VNET Service Endpoints (Preview)
- Restrict access to the database to VMs in a given VNET/subnet
- Separation of roles between networking and database admin teams
- Keep data on the Azure network
- Simplify management of virtual IPs and firewall rules (i.e. no "Allow all Azure Services" rule)
Roadmap:
- Remove SQL Database from the public IP
- Remove outbound-to-SQL-Database IP rules from Network Security Groups
- Configure VPN / ExpressRoute private peering
- Ability to assign private IPs to SQL databases
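The "separation of roles" bullet is visible in the two halves of the configuration: the network team enables the Microsoft.Sql service endpoint on a subnet, and the database team then allows that subnet on the server and retires the catch-all "Allow all Azure services" rule. The script below is an added example, not the session demo; the resource group, VNet, subnet and server names are hypothetical and it assumes the AzureRM module with a signed-in account that holds both roles.

```powershell
# Added example (not from the session demo): restrict a logical server to one subnet
# via a VNet service endpoint, then drop the 0.0.0.0 "Allow all Azure services" rule.
# Hypothetical names: rg-payroll, vnet-payroll, snet-app, payroll-t1.
Import-Module AzureRM
Login-AzureRmAccount | Out-Null

$rg = "rg-payroll"; $server = "payroll-t1"; $vnetName = "vnet-payroll"; $subnetName = "snet-app"

# 1. Network team: enable the Microsoft.Sql service endpoint on the subnet.
#    This is a property of the subnet, owned by whoever owns the VNet.
$vnet   = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzureRmVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint "Microsoft.Sql" | Out-Null
$vnet   = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet

# 2. Database team: allow that subnet on the server. The rule references the subnet
#    resource ID, so VMs can come and go inside it without any firewall edits.
New-AzureRmSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server `
    -VirtualNetworkRuleName "allow-snet-app" -VirtualNetworkSubnetId $subnet.Id | Out-Null

# 3. With a subnet rule in place the catch-all rule (0.0.0.0 to 0.0.0.0, which admits
#    any Azure-hosted source, including other tenants' VMs) is no longer needed.
Get-AzureRmSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server |
    Where-Object { $_.StartIpAddress -eq "0.0.0.0" -and $_.EndIpAddress -eq "0.0.0.0" } |
    ForEach-Object {
        Remove-AzureRmSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server `
            -FirewallRuleName $_.FirewallRuleName -Force
    }

# Verification: one VNet rule, and no remaining 0.0.0.0 rule.
Get-AzureRmSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server |
    Format-Table VirtualNetworkRuleName, VirtualNetworkSubnetId
Get-AzureRmSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server |
    Format-Table FirewallRuleName, StartIpAddress, EndIpAddress
```

Two things the roadmap bullets make explicit and the script does not change: the server still answers on its public IP for any remaining IP rules (the endpoint restricts who may connect, it does not give the server a private address), and the subnet's NSG must still permit outbound traffic to the SQL service, since the connection leaves the subnet toward the service's public endpoint over the Azure backbone.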
25
Demo: VNET Service Endpoints (Preview)
26
Always Encrypted using Secure Enclaves (Early Access Preview)
Confidential computing brings secure enclaves to Azure
- Trusted execution environments protecting data in use
- First cloud to offer Intel Software Guard Extensions (SGX) enclaves
Enhancing Always Encrypted with enclaves
- Rich computations on encrypted data
- In-place encryption and key management
[Diagram: an enhanced client driver sends ciphertext to the server; data exists in plaintext only inside the secure enclave]
Sign up for Early Access Preview at:
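To see what the enclave preview improves on, it helps to have the baseline in front of you: Always Encrypted as generally available at the time, where the column master key lives in Azure Key Vault, the column encryption key is wrapped client-side, and the server only ever stores ciphertext. The script below is an added example using the SqlServer module's Always Encrypted cmdlets; it is not the enclave preview (whose syntax this page does not show) and not Microsoft's demo. Server, database, vault, key and table names are hypothetical, and it assumes the signed-in identity has the Azure AD database access and the Key Vault wrap/unwrap rights the cmdlets need.

```powershell
# Added example (standard Always Encrypted, not the enclave preview): encrypt PII
# columns with a column master key held in Azure Key Vault.
# Hypothetical names: payroll-t1.database.windows.net, TenantPayroll, kv-payroll-ae,
# CMK-Payroll, dbo.Employee.
Import-Module SqlServer

$serverName   = "payroll-t1.database.windows.net"
$databaseName = "TenantPayroll"
$cmkUrl = "https://kv-payroll-ae.vault.azure.net/keys/CMK-Payroll/<key-version>"  # hypothetical

# Azure AD connection (connection string is an assumption; ADAL required).
$conn = New-Object Microsoft.SqlServer.Management.Common.ServerConnection
$conn.ConnectionString = "Server=$serverName;Database=$databaseName;Authentication=Active Directory Integrated"
$conn.Connect()
$db = (New-Object Microsoft.SqlServer.Management.Smo.Server($conn)).Databases[$databaseName]

# Key Vault token for the cmdlets that wrap the column encryption key.
Add-SqlAzureAuthenticationContext -Interactive

# 1. Column master key: the database stores only metadata (the vault URL). The key
#    never leaves Key Vault and the SQL service never sees it.
$cmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyUrl $cmkUrl
New-SqlColumnMasterKey -Name "CMK_Payroll" -InputObject $db -ColumnMasterKeySettings $cmkSettings | Out-Null

# 2. Column encryption key: generated on this client, wrapped with the CMK,
#    and stored in the database only in wrapped form.
New-SqlColumnEncryptionKey -Name "CEK_Payroll" -InputObject $db -ColumnMasterKey "CMK_Payroll" | Out-Null

# 3. Encrypt in place. Deterministic permits equality lookups (WHERE SSN = @p)
#    at the cost of revealing equal values; Randomized reveals nothing but
#    supports no server-side predicate at all. Anything richer needs the enclave.
$columns = @(
    New-SqlColumnEncryptionSettings -ColumnName "dbo.Employee.SSN"         -EncryptionType Deterministic -EncryptionKey "CEK_Payroll"
    New-SqlColumnEncryptionSettings -ColumnName "dbo.Employee.BankAccount" -EncryptionType Randomized    -EncryptionKey "CEK_Payroll"
)
Set-SqlColumnEncryption -InputObject $db -ColumnEncryptionSettings $columns -LogFileDirectory "."

# Verification: the catalog shows which columns are encrypted and how. A DBA who
# queries without Column Encryption Setting=Enabled in the driver sees ciphertext only.
$query = "SELECT name, encryption_type_desc FROM sys.columns " +
         "WHERE object_id = OBJECT_ID('dbo.Employee') AND encryption_type IS NOT NULL"
$db.ExecuteWithResults($query).Tables[0] | Format-Table -AutoSize
```

This moves the trust boundary to the client: db_owner on its own no longer exposes SSNs, and the real access control for that PII becomes the Key Vault policy on CMK-Payroll plus which applications run with column encryption enabled in the driver. It also explains the "rich computations" bullet above: because the server holds only ciphertext, range queries, LIKE, sorting and in-place key rotation all need plaintext somewhere, and the enclave is the place on the server where that plaintext is allowed to exist without being visible to the service itself.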
27
Demo: Always Encrypted (Early Access Technology Preview)
28
SQL Security Future Goals
- Security by default
- Easy to use & intelligent security
- Scalable security policies
- Consistent security across the entire SQL family
- Trusted cloud
[Diagram labels: General Access, Anon, PII]
29
Related SQL Security sessions
- BRK3087 Azure SQL Database: The world's first intelligent cloud database service (Tues 4-5:15 PM)
- BRK3130 Prepare for the GDPR and data privacy compliance with Microsoft SQL technology (Wed 4-5:15 PM)
30
Q&A
31
Please evaluate this session
From your PC or tablet: visit MyIgnite. Phone: download and use the Microsoft Ignite mobile app. Your input is important!