Security enhancements in SQL Server 2016
Leonel Abreu – #516 | Reykjavik 2016
Thank you to our sponsors!
SQL SATURDAY | #516 | REYKJAVIK 2016
Agenda
What's new in SQL Server 2016
- Dynamic Data Masking
- Row Level Security
- Always Encrypted
What else needs security?
- History tables
Dynamic Data Masking
- Prevents the abuse of sensitive data by hiding it from users
- Configuration made easy in the new Azure portal
- Policy-driven at the table and column level, for a defined set of users
- Data masking applied in real time to query results, based on policy
- Multiple masking functions available (e.g. full, partial) for various sensitive data categories (e.g. credit card numbers, SSN, etc.)
[Diagram: Table.CreditCardNo with real-time partial masking; SQL Database / SQL Server 2016 CTP2]
Source:
Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal, with minimal impact on the application layer. It is a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed. Dynamic data masking is easy to use with existing applications, since masking rules are applied in the query results and there is no need to modify existing queries. For example, a call center support person may identify callers by several digits of their social security number or credit card number, but those data items should not be fully exposed to the support person. A developer can define a masking rule to be applied to each query result that masks all but the last four digits of any social security number or credit card number in the result set. As another example, by using the appropriate data mask to protect personally identifiable information (PII), a developer can query production environments for troubleshooting purposes without violating compliance regulations. Dynamic data masking limits the exposure of sensitive data and prevents accidental viewing by engineers who access databases directly for troubleshooting purposes, or by non-privileged application users.
Dynamic data masking does not aim to prevent privileged database users from connecting directly to the database and running exhaustive queries that expose pieces of the sensitive data. Dynamic data masking is complementary to other SQL Server security features (auditing, encryption, row level security...) and it is highly recommended to enable them as well, in order to better protect the sensitive data in the database. Since data is masked just before being returned to the user, changing the data type to an unmasked type will return unmasked data. Dynamic data masking is available in SQL Server 2016 Community Technology Preview 2 (CTP2). However, to enable dynamic data masking, you must use trace flags 209 and 219. For Azure SQL Database, see Get started with SQL Database Dynamic Data Masking (Azure Preview portal).
Dynamic Data Masking: masking rules
- Default
- Custom string
- Email
- Random
(Image extracted from MSDN; masking rules from my blog.)
How does it work? DDM is implemented through native functions that mask table columns according to the stored data type (number, text, address, etc.). A short list:
- Default: lets SQL Server decide how to mask the data according to its type.
- Email: shows the first letter of the address and its suffix; for example, a user who wants to recover an account with an alternative address receives a masked version of that address.
- Custom: exposes the first and the last letters of a given text; the padding character can be customised.
- Random: useful for masking numbers; hides the actual value and shows a random number inside a given range.
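The four masking rules applied in T-SQL, as an added example that is not part of the original slides. The table, the two database users (SupportAgent, SupportManager) and the row values are constructed for illustration.

```sql
-- Added example (not from the slides): one table with all four masking rules,
-- viewed as a low-privilege user. Table, users and row values are constructed.
CREATE TABLE dbo.Customers (
    CustomerId   int IDENTITY PRIMARY KEY,
    FullName     nvarchar(100) MASKED WITH (FUNCTION = 'default()'),  -- string default: XXXX
    Email        nvarchar(100) MASKED WITH (FUNCTION = 'email()'),    -- first letter + XXX@XXXX.com
    CreditCardNo varchar(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)'),
    CreditLimit  money         MASKED WITH (FUNCTION = 'random(1,1000)'),  -- random in range
    BirthDate    date          MASKED WITH (FUNCTION = 'default()')   -- date default: 1900-01-01
);

INSERT INTO dbo.Customers (FullName, Email, CreditCardNo, CreditLimit, BirthDate)
VALUES (N'Jane Doe', N'jane.doe@example.com', '4111-1111-1111-1111', 25000, '1980-05-17');

-- A support user gets SELECT but not UNMASK: masks apply to every result set it
-- receives, while the stored data is untouched.
CREATE USER SupportAgent WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO SupportAgent;

EXECUTE AS USER = 'SupportAgent';
SELECT FullName, Email, CreditCardNo, CreditLimit, BirthDate FROM dbo.Customers;
REVERT;

-- UNMASK is a database-level permission: grant it only to roles that must see real
-- values, and treat it like any other privileged grant in access reviews.
CREATE USER SupportManager WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO SupportManager;
GRANT UNMASK TO SupportManager;

-- Review check: which columns are masked, and how (catalog view added in 2016).
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns;

-- Masks can be changed or dropped by anyone with ALTER on the table; DDM is not
-- encryption and does not stop a privileged user from reading the raw data.
ALTER TABLE dbo.Customers ALTER COLUMN CreditLimit DROP MASKED;
```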
Demo
Row Level Security: allows control over how users access data
- The same query returns different rows
- Simplifies application development
- No additional coding required
- Database-side security logic
- Reduces application complexity
How does it work?
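The mechanism behind "the same query returns different rows", as an added example that is not part of the original slides: a predicate function and a security policy on a constructed Orders table, with the hypothetical database users Alice and Bob.

```sql
-- Added example (not from the slides): row-level security on a constructed Orders
-- table, where each row is owned by a database user. Users and data are made up.
CREATE TABLE dbo.Orders (
    OrderId int IDENTITY PRIMARY KEY,
    Owner   sysname NOT NULL,    -- database user that owns the row
    Amount  money   NOT NULL
);
INSERT INTO dbo.Orders (Owner, Amount) VALUES ('Alice', 100), ('Alice', 250), ('Bob', 75);
CREATE USER Alice WITHOUT LOGIN;
CREATE USER Bob   WITHOUT LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO Alice, Bob;
-- The predicate lives in its own schema so that table users cannot alter it.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_OwnerPredicate(@Owner AS sysname)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @Owner = USER_NAME()          -- caller owns the row
              OR IS_MEMBER('db_owner') = 1;    -- or is a database owner
GO
-- FILTER silently hides rows from SELECT/UPDATE/DELETE. BLOCK rejects writes that
-- would create or leave a row the caller could not see, e.g. re-owning it to someone else.
CREATE SECURITY POLICY Security.OrdersPolicy
    ADD FILTER PREDICATE Security.fn_OwnerPredicate(Owner) ON dbo.Orders,
    ADD BLOCK  PREDICATE Security.fn_OwnerPredicate(Owner) ON dbo.Orders AFTER INSERT,
    ADD BLOCK  PREDICATE Security.fn_OwnerPredicate(Owner) ON dbo.Orders AFTER UPDATE
    WITH (STATE = ON, SCHEMABINDING = ON);
GO
-- The same query, different rows: only rows whose Owner equals the caller pass the filter.
EXECUTE AS USER = 'Alice';
SELECT OrderId, Owner, Amount FROM dbo.Orders;
REVERT;
EXECUTE AS USER = 'Bob';
SELECT OrderId, Owner, Amount FROM dbo.Orders;
UPDATE dbo.Orders SET Owner = 'Alice' WHERE Owner = 'Bob';   -- blocked: Bob could no longer see the row
REVERT;
-- Review check: policies, their state, and which tables/predicates they cover.
SELECT p.name, p.is_enabled, OBJECT_NAME(sp.target_object_id) AS target, sp.predicate_type_desc
FROM sys.security_policies AS p
JOIN sys.security_predicates AS sp ON sp.object_id = p.object_id;
```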
Demo
Always Encrypted: prevents disclosure, allows queries on encrypted data
- Client-side encryption of sensitive data using keys that are never given to the database system.
- Queries on encrypted data: support for equality comparison, including join, group by and distinct operators.
- Application transparency: minimal application changes via server and client library enhancements.
- Prevents data disclosure. According to MSDN: allows customers to securely store sensitive data outside of their trust boundary. Data remains protected from high-privileged, yet unauthorized, users.
Source: us/library/mt163865(v=sql.130).aspx
Always Encrypted: helps protect data at rest and in motion, on-premises and in the cloud
[Diagram: a trusted app issues SELECT Name FROM Patients WHERE @SSN=' '; the enhanced ADO.NET client library encrypts the parameter with the Column Encryption Key (itself protected by the Column Master Key), so SQL Server receives SELECT Name FROM Patients WHERE @SSN=0x7ff654ae6d and matches it against the ciphertext SSN column of dbo.Patients (Jane Doe 1x7fg655se2e, Jim Gray 0x7ff654ae6d, John Smith 0y8fj754ea2c; Country USA); the result set (Jim Gray) is decrypted on the client side.]
Source:
Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national identification numbers (e.g. U.S. social security numbers), stored in SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to SQL Server. As a result, Always Encrypted provides a separation between those who own the data (and can view it) and those who manage the data (but should have no access). By ensuring that on-premises database administrators, cloud database operators, or other high-privileged but unauthorized users cannot access the encrypted data, Always Encrypted enables customers to confidently store sensitive data outside of their direct control. This allows organizations to encrypt data at rest and in use for storage in Azure, to delegate on-premises database administration to third parties, or to reduce security clearance requirements for their own DBA staff. Always Encrypted makes encryption transparent to applications. An Always Encrypted-enabled driver installed on the client computer achieves this by automatically encrypting and decrypting sensitive data in the SQL Server client application.
The driver encrypts the data in sensitive columns before passing the data to SQL Server, and automatically rewrites queries so that the semantics to the application are preserved. Similarly, the driver transparently decrypts data stored in encrypted database columns that is contained in query results.
Types of Encryption: two types of encryption available
Randomized encryption
- Encrypt(' ') = 0x17cfd50a; repeat: Encrypt(' ') = 0x9b1fcf32
- Allows for transparent retrieval of encrypted data but NO operations
- More secure
Deterministic encryption
- Encrypt(' ') = 0x85a55d3f; repeat: Encrypt(' ') = 0x85a55d3f
- Allows for transparent retrieval of encrypted data AND equality comparison, e.g. in WHERE clauses and joins, distinct, group by
Randomized encryption uses a method that encrypts data in a less predictable manner. Deterministic encryption uses a method which always generates the same encrypted value for any given plain text value.
Source: Selecting Deterministic or Randomized Encryption
Always Encrypted supports two types of encryption: randomized encryption and deterministic encryption. Deterministic encryption uses a method which always generates the same encrypted value for any given plain text value. Using deterministic encryption allows grouping, filtering by equality, and joining tables based on encrypted values, but can also allow unauthorized users to guess information about encrypted values by examining patterns in the encrypted column. This weakness is increased when there is a small set of possible encrypted values, such as True/False, or a North/South/East/West region. Deterministic encryption must use a column collation with a binary2 sort order for character columns. Randomized encryption uses a method that encrypts data in a less predictable manner. Randomized encryption is more secure, but prevents equality searches, grouping, indexing, and joining on encrypted columns. Use deterministic encryption for columns that will be used as search or grouping parameters, for example a government ID number. Use randomized encryption for data such as confidential investigation comments, which is not grouped with other records or used to join tables, and which is not used to look up the row that contains the encrypted column of interest.
Key Provisioning
1. Generate CEKs and Master Key
2. Encrypt CEK: the Column Encryption Key (CEK) is encrypted with the Column Master Key (CMK), producing the Encrypted CEK
3. Store Master Key securely (CMK store: Certificate Store, HSM, Azure Key Vault, ...), a task for the Security Officer
4. Upload Encrypted CEK to DB: only the Encrypted CEK is stored in the database
Source: Creating and registering a custom Column Master Key Store Provider
Information the driver receives from SQL Server for query parameters which need to be encrypted, and for query results which need to be decrypted, includes:
- An encrypted value of a column encryption key, which should be used to encrypt or decrypt a parameter or a result.
- The name of a key store provider that encapsulates a key store containing the column master key which was used to encrypt the column encryption key.
- A key path that specifies the location of the column master key in the key store.
- The name of the algorithm that was used to encrypt the column encryption key.
The driver uses the above information to have the key store provider implementation decrypt the retrieved encrypted value of the column encryption key, which is subsequently used either to encrypt a query parameter or to decrypt a query result. The driver comes with an implementation for one system provider, SqlColumnEncryptionCertificateStoreProvider, which can be used to store column master keys in the Windows Certificate Store. You can use a custom key store provider by extending the SqlColumnEncryptionKeyStoreProvider class and registering it using the SqlConnection.RegisterColumnEncryptionKeyStoreProviders() method.
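The server-side half of the key provisioning steps above, together with the deterministic/randomized choice from the previous slide, as one added example that is not part of the original slides or of Microsoft's documentation. The CMK name, CEK name, certificate thumbprint and ENCRYPTED_VALUE are assumed placeholders; the real wrapped key bytes are produced by the client tool that holds the CMK.

```sql
-- Added example (not from the slides or Microsoft's docs): the server-side half of key
-- provisioning plus a table mixing both encryption types. The thumbprint and
-- ENCRYPTED_VALUE are placeholders; real values come from the client tool that holds
-- the CMK (SSMS/PowerShell on a trusted machine), never from SQL Server.
-- Step 3: the CMK stays in the client's certificate store; the server stores only its location.
CREATE COLUMN MASTER KEY CMK_Patients
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<CERT-THUMBPRINT-PLACEHOLDER>'
);
-- Step 4: only the CEK wrapped under the CMK is uploaded; the plaintext CEK never
-- reaches the server.
CREATE COLUMN ENCRYPTION KEY CEK_Patients
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Patients,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00   -- placeholder for the wrapped CEK bytes
);
-- Deterministic: equality/join/group by work, but equal plaintexts give equal
-- ciphertexts and the column needs a BIN2 collation. Randomized: no operations, no patterns.
CREATE TABLE dbo.Patients (
    PatientId int IDENTITY PRIMARY KEY,
    Name      nvarchar(60) NOT NULL,
    Country   nvarchar(60) NULL,
    SSN       char(11) COLLATE Latin1_General_BIN2
              ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                              ENCRYPTION_TYPE = DETERMINISTIC,
                              ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    Notes     nvarchar(max)
              ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                              ENCRYPTION_TYPE = RANDOMIZED,
                              ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256')
);
-- Over a connection with "Column Encryption Setting=Enabled" the enhanced driver
-- encrypts @SSN before the query leaves the client. Sent as a literal, or over a plain
-- connection, the same query fails: the server can only compare ciphertext to ciphertext.
--   SELECT Name FROM dbo.Patients WHERE SSN = @SSN;
-- A DBA querying directly gets varbinary ciphertext for SSN and Notes, nothing more.
SELECT Name, SSN, Notes FROM dbo.Patients;
-- Review check: which columns are encrypted, with which type and which key.
SELECT c.name, c.encryption_type_desc, k.name AS cek_name
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS k
  ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE c.object_id = OBJECT_ID('dbo.Patients');
```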
Demo
What else needs security?
Why history? Because it is necessary to know exactly what the data looked like at a given time in the past.
Why temporal? A new SQL Server 2016 feature that does not allow historic values to be modified. It also serves auditing, and several scenarios such as disaster recovery.
How does it work? No changes in the programming model; new insights; a query is a query. (From my blog.)
1. A SQL statement that modifies data is executed.
2. According to the statement type there are two possible behaviors.
3. The data stored in the history table can be queried with the following clauses.
Advantages
- Security: it is not possible to modify the historical data
- Easy to maintain: additional coding to insert/update/delete data is not required
- Can be used for new tables and for existing tables
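The three steps of "How does it work?" and the advantages above carried through in T-SQL, as an added example that is not part of the original slides. The Salaries table, its history table and the row values are constructed; dbo.Existing in the last step is an assumed pre-existing table with a primary key.

```sql
-- Added example (not from the slides): a system-versioned table, one change, the
-- FOR SYSTEM_TIME queries, and the checks that matter for security. Names and data are
-- constructed; dbo.Existing in the last step is assumed to exist with a primary key.
CREATE TABLE dbo.Salaries (
    EmployeeId int PRIMARY KEY,
    Salary     money NOT NULL,
    ValidFrom  datetime2 GENERATED ALWAYS AS ROW START NOT NULL,
    ValidTo    datetime2 GENERATED ALWAYS AS ROW END   NOT NULL,
    PERIOD FOR SYSTEM_TIME (ValidFrom, ValidTo)
)
WITH (SYSTEM_VERSIONING = ON (HISTORY_TABLE = dbo.SalariesHistory));
INSERT INTO dbo.Salaries (EmployeeId, Salary) VALUES (1, 50000);
DECLARE @before datetime2 = SYSUTCDATETIME();
-- Steps 1 and 2: the UPDATE moves the previous version into dbo.SalariesHistory on its
-- own; no trigger or application code is involved (DELETE behaves the same way).
UPDATE dbo.Salaries SET Salary = 90000 WHERE EmployeeId = 1;
-- Step 3: FOR SYSTEM_TIME reads current and history rows as one logical table.
SELECT Salary FROM dbo.Salaries FOR SYSTEM_TIME AS OF @before;            -- version current at @before
SELECT Salary, ValidFrom, ValidTo FROM dbo.Salaries FOR SYSTEM_TIME ALL;  -- every version
SELECT Salary FROM dbo.Salaries
    FOR SYSTEM_TIME BETWEEN @before AND SYSUTCDATETIME();                 -- versions active in the range
-- "Not possible to modify the historical data": direct writes to the history table
-- are rejected while versioning is ON.
UPDATE dbo.SalariesHistory SET Salary = 1 WHERE EmployeeId = 1;           -- raises an error
-- The guarantee holds only while nobody switches versioning off. Restrict ALTER on the
-- table, audit the statement below, and confirm periodically which tables are versioned.
-- ALTER TABLE dbo.Salaries SET (SYSTEM_VERSIONING = OFF);
SELECT name, temporal_type_desc FROM sys.tables WHERE temporal_type <> 0;
-- Existing table: add the period columns (HIDDEN keeps SELECT * unchanged), then switch on.
ALTER TABLE dbo.Existing ADD
    ValidFrom datetime2 GENERATED ALWAYS AS ROW START HIDDEN NOT NULL
        CONSTRAINT DF_Existing_From DEFAULT SYSUTCDATETIME(),
    ValidTo   datetime2 GENERATED ALWAYS AS ROW END HIDDEN NOT NULL
        CONSTRAINT DF_Existing_To DEFAULT CONVERT(datetime2, '9999-12-31 23:59:59.9999999'),
    PERIOD FOR SYSTEM_TIME (ValidFrom, ValidTo);
ALTER TABLE dbo.Existing SET (SYSTEM_VERSIONING = ON (HISTORY_TABLE = dbo.ExistingHistory));
```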
Demo
Q & A
Security resources
- MSDN documentation: Security Center for SQL Server Database & SQL Database
- SQL Server Security Blog: additional examples, useful tips and tricks
- SQL Server Label Security Toolkit
Your feedback is important! Please let us know what you thought of this session.