Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploring the SQL Security Landscape SQL Vulnerability Assessment

Published byVincent Phillips Modified over 6 years ago

Similar presentations

Presentation on theme: "Exploring the SQL Security Landscape SQL Vulnerability Assessment"— Presentation transcript:

1 Exploring the SQL Security Landscape SQL Vulnerability Assessment
Brent Flesher Exploring the SQL Security Landscape SQL Vulnerability Assessment

2 SQL Summit Annual International Conference November 6 -9 | Seattle, WA
2 Days of Pre-Cons 200+ sessions over 3 days Over 5,000 SQL Professionals Evening Networking Activities

3 Please Support Our Sponsors

4 Let’s Not Distract Others
Please silent your phone We can chat later Please don’t snore But feel free to interrupt with questions or comments. I think my wife wrote bottom one. My record for napping is 1 . Lets see if we can beat that. Lean back, relax, feel your eyelids grow heavy…

5 What’s in this Presentation?
Vulnerability Assessment New tool in SSMS 17.4 SQL Data Discovery and Classification New tool in SSMS 17.5 Data Masking Row Level Security SSMS is now a separate product from SQL server, which means new features can be released separately from the database engine. We will have a quick look at the Vulnerability Assessment and SQL Discovery and Classification. If time allows we can dip into Data Masking and Row Level Security.

6 What this presentation is not.
Not an encyclopedic definition of all security features Not prescriptive

7 What is Security? Security, in (IT), is the defense of digital information and IT assets against internal and external, malicious and accidental threats. Right Data Right Time Right Audience What are “digital information and IT assets”? Data or info that has explicit or potential value? The value comes from being able to deliver the right data at the right time to the right audience. Note that the audience could be a human user, could be a process, could be an algorithm Is this a good working definition of security?

8 Right Data Data modification is done according to rules.
Who can create records, how, with what controls What are the controls around creation, change, and removal of data Permissions applied to Data Modification Language (DML) Applications to implement logic DML is used to make changes, we grant and deny specific statements to specific users to

9 Logic: Application vs Data
Where is the “right” place for security logic? Are DDL constraints like Referential Integrity, Triggers, Datatypes, Unique Constraints and Check Constraints a type of security? Atomicity, Consistency, Isolation, Durability

10 Right Time Data is available when needed
Availability includes performance Control Data Definition and Administrative functions to preserve availability

11 Right Audience Who can use what data In what context Auditing
Change tracking Access tracking

12 SQL Vulnerability Assessment
What is it? Service in  SQL Server Management Studio (SSMS) v17.4 or later Where Can I use it? Supported targets are SQL 2012 and later Database or Server level? Either. Point at a system database to trigger the server level Automation ? The VA service runs a scan directly on your database. Basically it just runs a series of queries against a checklist. The service employs a knowledge base of rules that flag security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. The rules are based on Microsoft’s recommended best practices, and focus on the security issues that present the biggest risks to your database and its valuable data. These rules also represent many of the requirements from various regulatory bodies to meet their compliance standards. Re Automation: haven’t found if it is exposed with Powershell yet.

13 Vulnerability Assessment features
What is it? a scan directly on your database Meet compliance requirements that require database scan reports. Meet data privacy standards. Monitor a dynamic database environment where changes are difficult to track. The VA service runs a scan directly on your database. The service employs a knowledge base of rules that flag security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. The rules are based on Microsoft’s recommended best practices, and focus on the security issues that present the biggest risks to your database and its valuable data. These rules also represent many of the requirements from various regulatory bodies to meet their compliance standards.

14 Vulnerability Assessment features
What is it? a scan directly on your database Meet compliance requirements that require database scan reports. Meet data privacy standards. Monitor a dynamic database environment where changes are difficult to track. The VA service runs a scan directly on your database. The service employs a knowledge base of rules that flag security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. The rules are based on Microsoft’s recommended best practices, and focus on the security issues that present the biggest risks to your database and its valuable data. These rules also represent many of the requirements from various regulatory bodies to meet their compliance standards.

15 SQL Vulnerability Assessment
The scan is lightweight and safe. It takes a few seconds to run, and is entirely read-only. It does not make any changes to your database. Produces a report in json in specified directory.

16 SQL Vulnerability Assessment
Sample report

17 SQL Vulnerability Assessment
Drill into issues and resolve OR make part of the baseline.

18 SQL Vulnerability Assessment
Detailed description of issue, impact, the query that supports the assessment and recommendations (if available)

19 SQL Vulnerability Assessment
Demo Time! Open Assessment on desktop. Run scan on CRud1_Demo Location for SCANs: C:\storage\_CRUD_AlwaysEncrypted Presentation\scans Default location: C:\Users\flesherb.z\Documents\SQL Server Management Studio\Vulnerability Assessment Reports

20 SQL Vulnerability Assessment
Can we Automate it? Release of Powershell cmdlets for automation of scans both for Azure SQL DB and for SQL Server “Coming soon” (as of May 2, 2018) Can we Customize the assessment? Not yet, but on the roadmap. What is in the Assessment? List not published yet. Where is the baseline information save? Will that be added to the database being assessed or is it added in the profile of the user running SSMS?  The baseline is saved together with the scan results in the file system. A network file share can be used to share the scan results and baselines between different machines running SSMS. 3 days ago @brentf  We currently don't have a published list, though the full set of rules with all of the details can be found in the scan results themselves. In addition, the Azure SQL Database feature is about to expose an 'export' capability, which generates an Excel file with all the results and all the rule details. @brentf  For the Azure SQL DB VA capability, we are about to add a 'recurring scan' feature which will enable automatically running scans periodically and sending a results report. In addition we will soon release Powershell cmdlets for automation of scans both for Azure SQL DB and for SQL Server. This is coming soon.

21 SQL Vulnerability Assessment
VA Sensitive data columns should be classified SQL Data Discovery & Classification This is the clever Segue to the Data Classification part of the presentation. In the “Data Protection” Category one of the Security Checks is that Sensitive Data should be classified. Once classified then we can decide what to do with it. DDM, RLS, Always Encrypted are some suggestions.

22 SQL Vulnerability Assessment
SQL Data Discovery & Classification Dynamic Data Masking limits sensitive data exposure by dynamically masking it to non-privileged users when data is returned from the server to the client DDM Row Level Security restrict access to data rows by creating a security policy based on characteristics of the user executing a query Always Encrypted keeps sensitive data columns encrypted on the server side

23 SQL Data Discovery and Classification
Data Discovery & Classification is supported for SQL Server 2008 and later “Protect the data, not just the database” Discovery & recommendations – The classification engine scans your database and identifies columns containing potentially sensitive data Labeling – Sensitivity classification labels can be persistently tagged on columns Visibility - The database classification state can be viewed in a detailed report

24 SQL Data Discovery and Classification

25 SQL Data Discovery and Classification
Automatic and manual classification Classify Data on ARISQLMONAPP\SQL2016_RTM AEGIS_INSURANCE

26 SQL Data Discovery and Classification
Pretty reports Classify Data on ARISQLMONAPP\SQL2016_RTM AEGIS_INSURANCE

27 SQL Data Discovery and Classification
Demo Time! Classify Data on ARISQLMONAPP\SQL2016_RTM AEGIS_INSURANCE

28 DDM Dynamic Data Masking
Security Feature: prevents data exfiltration by obfuscating data. Credit cards xxxx-xxxxxx-x6815 SIN# XXX-XXX-X12

29 DDM Dynamic Data Masking
Meta data operation. Data remains unchanged, masking is applied when queried. ALTER TABLE HR.Employee   ALTER COLUMN SALARY decimal(12,2) MASKED WITH (FUNCTION = 'default()');

30 DDM Dynamic Data Masking
Default: (varies by data type): binary, varbinary or image: “0“ date and time data types:  “ :00: ” Numeric data types: “0” Strings:  “XXXX” first char plus mask  Random replaces the original value with a random value within the range specified in that function. Custom eg first and last letters and padding ie prefix, [padding value], suffix What types of Data Masking can we do?

31 DDM Dynamic Data Masking
Random masking function Account_Number bigint MASKED WITH (FUNCTION = 'random([start range], [end range])') Mask may accidentally be the correct number. Pick appropriate ranges. ALTER TABLE JuniorHighSchool.Student   ALTER COLUMN Age integer MASKED WITH (FUNCTION = 'random(12, 14')

32 DDM Dynamic Data Masking
Who Db_owner role members always see unmasked data by default All other users see masked data.

33 DDM Dynamic Data Masking
Who Grant/Revoke MASK/UNMASK to users/groups MASK/UNMASK is database level permission eg Social committee needs to know birthdays to plan birthday parties, but granting unmask to the HR database will also show SIN# and Salary….

34 DDM Dynamic Data Masking
Behavior Data remains masked regardless of mechanism to select, even select into another table Select fname, lname, Salary into MyTable from HR.Employee

35 DDM Dynamic Data Masking
Finding masked Columns sys.masked_columns SELECT c.name, tbl.name as table_name, c.is_masked, c.masking_function FROM sys.masked_columns AS c JOIN sys.tables AS tbl   ON c.[object_id] = tbl.[object_id] WHERE is_masked = 1;

36 DDM Dynamic Data Masking
Bypassing masking using inference or brute-force techniques SELECT ID, Name, Salary FROM Employees WHERE Salary > and Salary < ;

37 DDM Dynamic Data Masking
Best Practices and Common Use Cases Creating a mask on a column does not prevent updates to that column Using SELECT INTO or INSERT INTO to copy data from a masked column into another table results in masked data in the target table. Dynamic Data Masking is applied when running SQL Server Import and Export. A database containing masked columns will result in a backup file with masked data (assuming it is exported by a user without UNMASK privileges), and the imported database will contain statically masked data. So although users receive masked data when querying the masked column, the same users can update the data if they have write permissions. A proper access control policy should still be used to limit update permissions

38 DDM Dynamic Data Masking
First Released in SQL 2016 Enterprise and standard SKUs

39 DDM Dynamic Data Masking
USAGE Scenario ACME. Management is worried about Data Exfiltration of their Customer information. Implements Data Masking on Customer Contact Info.

40

41 DDM Dynamic Data Masking
Demo SELECT * FROM [RLS].[dbo].[Customer]

42 DDM Dynamic Data Masking
ACME monthly Sales after Data Masking They may have scrimped on the UAT… Lets have a look at the data and what the users saw

43 Value of UAT

44 DDM Dynamic Data Masking
Questions? Can we mask en-cyrpted data? No, also pointless. Can we use the masked data in a calculation? Eg SUM or AVG of Salary? Salary *10 Can the user bypass masking?

45 RLS Row Level Security Security Feature.
Vertical filtering of tables to control access Eg allow salespeople to only see customers in their sales area.

46 RLS Row Level Security Create a schemabound inline table function that evaluates to a zero value for rows for a user has access to Create Security policy to bind function to table(s) Use filter and Block predicates restrict access to defined rows.

47 RLS Row Level Security CREATE SCHEMA Security; GO
CREATE FUNCTION AS sysname) RETURNS TABLE WITH SCHEMABINDING AS RETURN SELECT 1 AS fn_securitypredicate_result = USER_NAME() OR USER_NAME() = 'Manager';

48 RLS Row Level Security Security Policy CREATE SECURITY POLICY SalesFilter ADD FILTER PREDICATE Security.fn_securitypredicate(SalesRep) ON dbo.Sales WITH (STATE = ON);

49 RLS Row Level Security RLS can be added to existing tables. – minimal downtime Applies to members of db_owner role. Ie dbo will also be filtered. Use branching logic in function to allow dbo unfiltered access (if required).

50 RLS Row Level Security Scenario: Management is concerned that SalesReps will download the company’s customer list and join a competitor. Data masking was implemented but sales declined precipitously when Sales Reps tried cold calling 1-XXX-XXX-XX## and tried talking to “Mr or Mrs Axxxx xxxxN”

51 RLS Row Level Security What about applications that have a single application user? Session context

52 RLS Row Level Security Security Function that uses session_context CREATE SCHEMA Security; GO CREATE FUNCTION int) RETURNS TABLE WITH SCHEMABINDING AS RETURN SELECT 1 AS fn_securitypredicate_result WHERE DATABASE_PRINCIPAL_ID() = DATABASE_PRINCIPAL_ID('AppUser') AND CAST(SESSION_CONTEXT(N'UserId') AS int) For applications that do not use windows integrated security

53 RLS Row Level Security How to destroy performance with RLS The security predicate gets fired with every row. Complicated and expensive access logic in the security predicate function can destroy performance.

54 RLS Row Level Security First Released in SQL 2016
Enterprise and standard SKUs

55 SQL Vulnerability Assessment Conclusion
Reports Secure!!! So when I called the Vulnerability Assessment the easy button how easy is it? Lets look at the value it delivers: compares a database /server to MS recommended best practices documents exceptions with baselines produces an artifact allows tracking over time Security Plan

56 Vulnerability Scorecard
Pros: Standard MS Best Practices Checklist Pretty reports Track over time Track exceptions as baselines Let

57 Vulnerability Scorecard
Cons: Manual Default scan storage. Security on scan output. SSMS only (no SSOS?) Can’t import standard baselines Customization of Scans Inventory of scans not published Vulnerability Assessment vs Policy Based Management….?

58 Manager, Data Governance Senior Data Warehouse Engineer Work here! Donut Fridays!

59 references What’s new in SSMS 17.5: Data Discovery and Classification

60 references SQL Vulnerability Assessment
SQL Data Discovery and Classification

61 references TDE Vs Backup Encryption

62 Appendix GDPR May 25, 2018 Guide to enhancing privacy and addressing GDPR requirements with the Microsoft SQL platform

Download ppt "Exploring the SQL Security Landscape SQL Vulnerability Assessment"

Similar presentations

Database Management System

Database Management System
Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.

Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.
Working with SQL and PL/SQL/ Session 1 / 1 of 27 SQL Server Architecture.

Working with SQL and PL/SQL/ Session 1 / 1 of 27 SQL Server Architecture.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
Database Design for DNN Developers Sebastian Leupold.

Database Design for DNN Developers Sebastian Leupold.
Crystal And Elliott Edward M. Kwang President. Crystal Version Standard - $145 Professional - $350 Developer - $450.

Crystal And Elliott Edward M. Kwang President. Crystal Version Standard - $145 Professional - $350 Developer - $450.
Switch off your Mobiles Phones or Change Profile to Silent Mode.

Switch off your Mobiles Phones or Change Profile to Silent Mode.
User Manager Pro Suite Taking Control of Your Systems Joe Vachon Sales Engineer November 8, 2007.

User Manager Pro Suite Taking Control of Your Systems Joe Vachon Sales Engineer November 8, 2007.
Moodle (Course Management Systems). Managing Your class In this Lecture, we’ll cover course management, including understanding and using roles, arranging.

Moodle (Course Management Systems). Managing Your class In this Lecture, we’ll cover course management, including understanding and using roles, arranging.
Module 5 Planning for SQL Server® 2008 R2 Indexing.

Module 5 Planning for SQL Server® 2008 R2 Indexing.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 7 Database Auditing Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 7 Database Auditing Models.
Executive Invitation – Oracle Data Finder Service Oracle Corporation.

Executive Invitation – Oracle Data Finder Service Oracle Corporation.
Database Design and Management CPTG 424. 10/23/2015Chapter 12 of 38 Functions of a Database Store data Store data School: student records, class schedules,

Database Design and Management CPTG /23/2015Chapter 12 of 38 Functions of a Database Store data Store data School: student records, class schedules,
Crystal And Elliott Edward M. Kwang President. Objective A brief demo of Crystal Report to entice you –People spend thousand of dollars to attend Crystal.

Crystal And Elliott Edward M. Kwang President. Objective A brief demo of Crystal Report to entice you –People spend thousand of dollars to attend Crystal.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.

Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
SQL SERVER AUDITING. Jean Joseph DBA/Consultant Contact Info: Blog: https://tsqlhelp.wordpress.com/https://tsqlhelp.wordpress.com/

SQL SERVER AUDITING. Jean Joseph DBA/Consultant Contact Info: Blog:
MICROSOFT ACCESS – CHAPTER 5 MICROSOFT ACCESS – CHAPTER 6 MICROSOFT ACCESS – CHAPTER 7 Sravanthi Lakkimsety Mar 14,2016.

MICROSOFT ACCESS – CHAPTER 5 MICROSOFT ACCESS – CHAPTER 6 MICROSOFT ACCESS – CHAPTER 7 Sravanthi Lakkimsety Mar 14,2016.
SQL Triggers, Functions & Stored Procedures Programming Operations.

SQL Triggers, Functions & Stored Procedures Programming Operations.
Overview of Security Investments in SQL Server 2016 and Azure SQL Database Jamey Johnston 1/15/2016Security Investments in SQL Server 2016 and Azure SQL.

Overview of Security Investments in SQL Server 2016 and Azure SQL Database Jamey Johnston 1/15/2016Security Investments in SQL Server 2016 and Azure SQL.

Similar presentations

Ads by Google