Presentation is loading. Please wait.

Presentation is loading. Please wait.

End to End Security and Encryption in SQL Server

Similar presentations


Presentation on theme: "End to End Security and Encryption in SQL Server"— Presentation transcript:

1 End to End Security and Encryption in SQL Server
Steve Jones Editor, SQLServerCentral Evangelist, Redgate Software Protecting data from unauthorized access becomes more important all the time. SQL Server includes a number of features that make data protection and security easier for developers and DBAs with a framework for protecting data. Come learn how Always Encrypted, TDE, Row Level Security, Dynamic Data Masking, and column level encryption can protect your systems. You will learn: About the different encryption and security features in SQL Server Understand the code changes required for encryption mechanisms Gain a basic understanding of RLS and DDM, which do not require code changes to help protect data

2 Agenda Bio SQL Server Security Enhancements Encryption Overview
Always Encrypted Row Level Security (RLS) Column Level Encryption Transparent Data Encryption (TDE) Dynamic Data Masking (DDM) Summary

3 Steve Jones 26 years SQL Server data experience
DBA, developer, manager, writer, speaker in a variety of companies and industries Founder, SQLServerCentral And current editor, with the goal of helping you learn to be a better data professional every day Steve Jones Evangelist, Redgate Software Editor, SQLServerCentral 10 years Microsoft Data Platform MVP steve I am honored to be recognized by Microsoft for the last decade as an MVP /in/way0utwest @way0utwest

4 SQL Server 2017 Security Enhancements
CLR Strict Security implemented by default

5 SQL Server 2016 Security Enhancements
Default endpoint encryption changed (RC4 -> AES) Dynamic Data Masking Always Encrypted Row Level Security Credentials can be added at the database level TDE supports Intel AES-NI

6 Azure SQL Server Security Enhancements
TDE Enabled by default TDE Customer Managed Keys Available Threat Detection available Vulnerability Assessment available

7 What is encryption? encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). - Wikipedia From Wikipedia

8 Encryption works with Functions and Keys
plaintext The quick brown fox jumped over the lazy dog. ciphertext 0x00059E2EC7419F590E79D7F1B774BFE DB80B8AC1B295E367FEAC63C4BD7B8F8FACD0151B57DF97FF2BBA1ED9626B C62387BB8E5D4A17B33C48A554F2A9B28626BB250A153FEEF2BFEBCF92ECF6C421D47C84BF93074E54EF85C85B1C Encryption Function We use functions and keys, here’s an example. Describe The function’s complexity determines the resources required to perform encryption, and usually, the security of the encryption process. 0x0ae783b218d18 encryption key

9 Banks use a two stage protection. They use a very strong outer lock
Banks use a two stage protection. They use a very strong outer lock., the bank vault door.

10 https://safedepositboxinsurance

11 X.509 Certificate Symmetric Key
The quick brown fox jumped over the lazy dog.

12 Always Encrypted

13 Client Server CMK ADO.NET Have AE Query 228ba8e Select name, cc
From Cust Where cc = '12345' CEK CustID Name CC 1 Steve 7de8a76 sjones 2 Andy de527e7a awarren trusted untrusted

14 Client Server Symmetric Key CMK ADO.NET Return Encrypted CEK 228ba8e
Select name, cc From Cust Where cc = '12345' CEK 228ba8e CustID Name CC 1 Steve 7de8a76 sjones 2 Andy de527e7a awarren Symmetric Key trusted untrusted

15 Client Server Symmetric Key CMK ADO.NET Select name, cc From Cust
Where cc = '7de8a76' Name CC Steve 7de8a76 228ba8e Select name, cc From Cust Where cc = '12345' CEK CustID Name CC 1 Steve 7de8a76 sjones 2 Andy de527e7a awarren Name CC Steve trusted untrusted Symmetric Key

16 Demo Always Encrypted

17 Always Encrypted Limitations
Strings require _BIN2 collation Limited datatypes Only equality comparisons (no <, >, like) No statistics on encrypted columns Max two Column Master Keys can be used No Defaults on encrypted columns No replication More

18 Row-Level Security

19 Row Level Security (RLS)
Allow rows of data to be screened based on user characteristics Independent of other SQL Server security. Available in SQL Server and Azure SQL Database The screening is done with a security predicate that examines the “user chracteristics” and returns a 1 for visible rows A security policy links a predicate to a particular table Filter predicates apply to reads Block predicates apply to writes

20 OrderHeader table OrderID OrderAmount SalespersonID 1001 5000.00 1
1002 2 1003 922.13 1004 125.00 1005 3 1006 User Bob (SalespersonID 1) User sally (SalespersonID 2)

21 OrderHeader table OrderID OrderAmount SalespersonID 1001 5000.00 1
1002 2 1003 922.13 1004 125.00 1005 3 1006 User Bob (SalespersonID 1) User sally (SalespersonID 2) Issue query Select * from OrderHeader Results OrderID OrderAmount SalespersonID 1001 1 1004 125.00

22 OrderHeader table OrderID OrderAmount SalespersonID 1001 5000.00 1
1002 2 1003 922.13 1004 125.00 1005 3 1006 User Bob (SalespersonID 1 User sally (SalespersonID 2 Issue query Issue query Select * from OrderHeader Select * from OrderHeader Results Results OrderID OrderAmount SalespersonID 1002 2 1003 922.13 1006 OrderID OrderAmount SalespersonID 1001 1 1004 125.00

23 Demo Row Level Security

24 Row Level Security Limitations
No Filestream No Polybase Data Leakage – From stats , CDC, queries More

25 Column Level Encryption

26 Column Level Encryption
This is available in SQL Server 2005+ Uses symmetric or asymmetric keys to protect data Encryption is really by field, not column. Encryption operations occur in SQL Server Temporary keys may be used

27 Demo Column Level Encryption

28 Column Level Encryption – Limitations
Quite a few algorithms are old Data is not necessarily protected from the DBA (can be. A little) Requires CPU resources on the server. Encrypted data does not compress. (compress, then encrypt) Symmetric keys are deterministic Requires code changes

29 Transparent Data Encryption
Protects data at rest Encrypts data and log files (mdf, ndf, ldf) In SQL Server 2016 support for Intel AES-NI almost eliminates CPU impact Backup files encrypted Tempdb encrypted Enterprise Edition only.

30 Demo Transparent Data Encryption

31 Transparent Data Encryption Limitations
Replication data is not encrypted Filestream data is not encrypted BPE files are not encrypted More Overhead (usually < 5%, workload dependent)

32 Dynamic Data Masking (DDM)
Image:

33 Dynamic Data Masking (DDM)
No changes to data or storage DDM defines how data appears when queried. Does not require changes to application code This is a NOT ENCRYPTION This is an application programming convenience feature NOT SECURITY Image:

34 Demo Dynamic Data Masking

35 Dynamic Data Masking - Limitations
Does not work with Always Encrypted columns UNMASK is by database, not by table or column This is an all or nothing feature - data is masked for all rows, no exceptions The query plan, statistics, etc. do not mask data Attacks against the data are possible with adhoc queries Image:

36 Summary SQL Server includes a variety of encryption (and data protection) functions for server and client TDE protects data at rest Always Encrypted is for cases where the client is trusted, but not the server RLS is independent of other security mechanisms, but not perfect DDM is a security convenience feature Column Level encryption protects the data on the server.

37 The End Thank you for coming Questions?
Ask at @way0utwest /in/way0utwest

38 References DDM Dynamic Data Masking (BOL) - A Very Quick Post on SQL Server 2016 Dynamic Data Masking -

39 References Column Level Encryption Row Level Security Always Encrypted
DecryptbyKey - Row Level Security MSDN - Channel 9 - Always Encrypted BOL - Channel 9 -


Download ppt "End to End Security and Encryption in SQL Server"

Similar presentations


Ads by Google