Presentation is loading. Please wait.

Presentation is loading. Please wait.

Encryption in SQL Server

Published byBrooke Hines Modified over 6 years ago

Similar presentations

Presentation on theme: "Encryption in SQL Server"— Presentation transcript:

1 Encryption in SQL Server
Michał Sadowski @SadowskiMichal Encryption in SQL Server

2 SQLSat Kyiv Team Yevhen Nedashkivskyi Alesya Zhuk Eugene Polonichko
Oksana Borysenko Mykola Pobyivovk Oksana Tkach

3 Our Awesome Sponsors

4 Session will begin very soon :)
Please complete the evaluation form from your pocket after the session. Your feedback will help us to improve future conferences and speakers will appreciate your feedback! Enjoy the conference!

5 Few words about me Based in Kraków, Poland
Leader of Data Community (former Polish SQL Server User Group) Kraków chapter SQL Server Database Administrator in international corporation Microsoft Certified Professional since 2005, Microsoft Certified Solution Expert: Data Platform Interests: Disaster Recovery High availability

6 Agenda Introduction Data protection Access control Demo after each section Summary

7 Introduction Security concerns are not with the highest priority in early phase of company growth Database administrators (and also developers) are not interested in security… … till the first security incident related to data leak But then it can be too late Getting know all built-in features can significantly make our life easier (and secure our workplace) Starting from May 2018 EU introduces General Data Protection Regulation (

8 Examples of data leak incidents
Wonga ( ) –270k accounts Snapchat ( ) – 1,7M accounts Lynda.com ( ) – 55k accounts, possible 9,5M ClixSense ( ) – 6,6M accounts Yahoo ( ) – 500M accounts Dropbox ( ) – 68M accounts AshleyMadison ( ) – 37M accounts MySpace ( ) – 427M accounts HackingTeam ( ) – 400 GB documents JPMorganChase ( ) – 76M accounts Adobe ( ) – 38M accounts More information: biggest-data-breaches-hacks/

9 Data Protection Encryption in transit: Encryption at rest:
Transport Layer Security (SSL/TLS) Encryption at rest: Backup encryption Transparent Data Encryption Cell level encryption Encryption in use (client side): Always Encrypted

10 Transport Layer Security / SSL
Data sent through network is not encrypted in any manner Using well-known tools (e.g. Wireshark) you can eavesdrop transferred data Possible issues with certificate permissions Alternatively, IPSec can be used to encrypt traffic

11 DEMO #1 Transport Layer Security / SSL

12 Backup Encryption Available in SQL Server starting with version 2008 R2 Data is secured by database key and certificate To restore encrypted backup you need to have valid certificate used for encryption Encrypted backup secures data leakage from the backups outside of company Eliminates risk of introduction of changes to production system after restore of modified backup Alternatively, Encrypting File System or BitLocker can be used

13 DEMO #2 Backup Encryption

14 Transparent Data Encryption
Encryption of single database tempdb is also encrypted Available in SQL Server 2008+ Caution: Bug in SQL Server 2016 DMV Backup compression It is not as secure as it looks:

15 DEMO #3 Transparent Data Encryption

16 Cell level encryption Allows encrypting a column in a table with sensitive data like credit card numbers, SSN, etc. It is using symmetric key and certificate Administrator can see data in encrypted columns Data is encrypted on database level – sending through network in unencrypted form Available starting from SQL Server 2008

17 DEMO #4 Cell Level Encryption

18 Always Encrypted Designed to protect sensitive data such as credit card numbers, SSN, etc. Data is encrypted at the client application (requires .NET 4.6.2), before sending to database server Can be used in following scenarios: Third party company is hosting/managing our servers Client application is hosted on-premises, data stored in the cloud Both client application and database are in the cloud Introduced in SQL Server 2016

19 DEMO #5 ALways Encrypted

20 Control Access Database access: Application access:
SQL Server authentication: Active Directory Granular permissions Application access: Row-Level Security Static Data Masking Dynamic Data Masking

21 Row-Level Security Control access at the row level based on query characteristics Two types of predicates: Filtering for SELECT, UPDATE and DELETE Blocking for write operations (AFTER INSERT, AFTER UPDATE, BEFORE UPDATE, BEFORE DELETE) Filtering does not protect against executing the query!

22 DEMO #6 Row-Level Security

23 Dynamic Data Masking Masking potentially sensitive data against users without required privileges Masking is applied on the results of the query Dynamic Data Masking is complimentary to other security features – should be used with e.g. Row-Level Security Sensitive for specially crafted attacks: SELECT ID, Name, Salary FROM Employees WHERE Salary > and Salary < ;

24 DEMO #7 Dynamic Data Masking

25 Summary SQL Server delivers many encryption features In highly complex environments, pay attention to all elements of data chain (e.g. SSL between servers, not only client facing) Blindly applied features gives false impression of security Using encryption pay attention to Disaster Recovery documentation (and of course test it!)

26 Resources: SSL: TDE: Breaking TDE: Always Encrypted: RLS: DDM:

27 Questions?: michal.sadowski@hotmail.com @SadowskiMichal

28 Thank you!

29 Our Awesome Sponsors

Download ppt "Encryption in SQL Server"

Similar presentations

Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
Introducing TakeCharge SyncedTool The most secure, agile hosted file-sharing platform for business.

Introducing TakeCharge SyncedTool The most secure, agile hosted file-sharing platform for business.
Oracle Database Security …from the application perspective Martin Nystrom September 2003.

Oracle Database Security …from the application perspective Martin Nystrom September 2003.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
1 Chapter 12: VPN Connectivity in Remote Access Designs Designs That Include VPN Remote Access Essential VPN Remote Access Design Concepts Data Protection.

1 Chapter 12: VPN Connectivity in Remote Access Designs Designs That Include VPN Remote Access Essential VPN Remote Access Design Concepts Data Protection.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 7 Database Auditing Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 7 Database Auditing Models.
CRM in Education: Raising Standards. Saving Time. Presented by: Daniel Petersen Director of Business Solutions Applied Tech.

CRM in Education: Raising Standards. Saving Time. Presented by: Daniel Petersen Director of Business Solutions Applied Tech.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.

Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter One Introduction to Exchange Server 2003.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter One Introduction to Exchange Server 2003.
#SQLSAT454 SQL Server 2016 New Security Features Gianluca

#SQLSAT454 SQL Server 2016 New Security Features Gianluca
Overview of Security Investments in SQL Server 2016 and Azure SQL Database Jamey Johnston 1/15/2016Security Investments in SQL Server 2016 and Azure SQL.

Overview of Security Investments in SQL Server 2016 and Azure SQL Database Jamey Johnston 1/15/2016Security Investments in SQL Server 2016 and Azure SQL.
Microsoft Advertising 16:9 Template Light Use the slides below to start the design of your presentation. Additional slides layouts (title slides, tile.

Microsoft Advertising 16:9 Template Light Use the slides below to start the design of your presentation. Additional slides layouts (title slides, tile.
Secure SQL Database with TDE Thomas Chan SQL Saturday 445 - Raleigh.

Secure SQL Database with TDE Thomas Chan SQL Saturday Raleigh.
SQL Server 2016 Security Features Marek Chmel Microsoft MVP: Data Platform Microsoft MCT: Regional Lead MCSE: Data Platform Certified Ethical Hacker.

SQL Server 2016 Security Features Marek Chmel Microsoft MVP: Data Platform Microsoft MCT: Regional Lead MCSE: Data Platform Certified Ethical Hacker.
Hacking Exposé Using SSL to Protect SQL Connections.

Hacking Exposé Using SSL to Protect SQL Connections.
SQL Server Encryption Ben Miller Blog:

SQL Server Encryption Ben Miller Blog:
Network and Server Basics. Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server network.

Network and Server Basics. Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server network.
ORACLE's Approach ORALCE uses a proprietary mechanism for security. They user OLS.... ORACLE Labeling Security. They do data confidentiality They do adjudication.

ORACLE's Approach ORALCE uses a proprietary mechanism for security. They user OLS.... ORACLE Labeling Security. They do data confidentiality They do adjudication.

Similar presentations

Ads by Google