SQL Server Security Azure Key Vault

Transcription

1 Azure SQL database development SQL Server encryption Bmxbzt Fodszufe SQL Server Security Azure Key Vault Always Encrypted SQL Server database development SQL Server Specialists

2 Caroline Eveleigh SQL Server business analyst Director, Anatec Software Author of Microsoft Official Curriculum (MOC) courses, including: Upgrade your Skills to SQL Server 2016 Always Encrypted Row-Level Security Dynamic Data Masking Anatec software Ltd Microsoft SQL Server & Azure specialists

3 PREMIER SPONSOR GOLD SPONSORS SILVER SPONSORS BRONZE SPONSORS SUPPORTERS

4 SQL Server Security & Azure Key Vault Data protection matters Azure Key Vault What it is Role Based Access Control Creating and configuring Azure Key Vault Using Azure Key Vault SQL Server encryption keys Encryption in SQL Server Encrypting columns with Always Encrypted Rotating Keys Anatec software Ltd Microsoft SQL Server & Azure specialists

5 Data Protection Matters Crime has moved to cyberspace Layered security helps, but it s no guarantee New security vulnerabilities appear all the time Cannot fix and forget If hackers get through outer security layers Data is unprotected Planning for business as usual is only good for business as usual

6 QinetiQ Data breach from 2007 to 2012 Classified documents stolen Similarities to Hatten Garden Safe Deposit Co Layered security breached Data was unprotected Alarm was raised, but insufficient action taken

7 Azure Key Vault Stores cryptographic keys, certificates, and other secrets Primarily for cloud applications Keep access to Azure Key Vault limited and secure Manage with PowerShell or the Azure portal Standard or Premium Use with Azure Active Directory Audit log

8 Azure Key Vault Pricing Standard or Premium 0.022/10,000 operations (Get, Set, etc) 0.112/10,000 advanced operations 2.24/certificate renewal Stored encrypted on HSM Standard Software keys Operations performed in Azure Use for test and development Premium HSM protected Keys never leave HSM 0.75p/month Operations performed on HSM Use for production systems Only actively used HSM protected keys (used in prior 30-day period) are charged; each version of an HSM protected key is counted as a separate key.

9 Cryptographic Keys and Secrets Secret Typically connection strings, certificates, etc. 10 kb max Versioned Cryptographic keys RSA 2048 bit key Create or import Encrypted with system key stored on HSM No access to keys Versioned

10 Azure Active Directory Cloud identity management system Azure subscription 1:1 Azure Active Directory Silently created with the Azure subscription or Office365 and Dynamics Online Resource group belongs to one Azure subscription Each resource belongs to one resource group Users can belong to more than one Azure Active Directory Editions - free, basic, and premium Multi-tenanted Azure Active Directory

11 Role Based Access Control (RBAC) Best practice in large or small orgs Reduces the attack area Use in combination with time limited privileges Three built in roles Owner: full access + give access to others Contributor: create and manage only Reader: view resources Fine-grained control assign at: Subscription level Resource Group level Resource level Users Apps Azure Active Directory User group Azure Subscription Resource group Resource group

12 The Cats App One of the UK s most respected catteries Prize winning cats from all over the world Project to encrypt personal kitty data Pressure from the cats owners More Kitty data than ever before Cattery owners concerned about GDPR Kitty data protection is finally being taken seriously

13 The Cats App Architecture

14 Demo 1: Create an Azure Key Vault Already created Azure Active Directory Resource group Storage account for audit logs Sign in as subscription administrator Create key vault Enable audit logging on the key vault Management plane permissions For the security team For the auditors Data plane permissions For the security team To the key vault

15 Key lifecycle Key Generation Key Establishment Key Backup Key Storage Key Archival Key Usage Key Change Key Destruction

16 Key Lifecycle with Azure Key Vault Key Generation Create or import Set Not Before property Key Establishment Key Storage Create or import Key Change HSM Key Backup Key Usage Backup and download key Set Expires and Enabled = No properties Key Archival Set Enabled = Yes property Delete key Key Destruction

17 Azure Key Vault: Logging Enable logging Azure storage account insights-logs-auditevent container Can be used for multiple key vaults Logs Operations on the key vault - key operations and policies Failed operations and unauthenticated requests Azure Key Vault Analytics

18 Demo 2: Create keys and inspect logs Sara create keys in AKV Generates the keys Alok examines the keys Can list keys Cannot get keys Cannot delete keys Alok examines the key vault logs & backups Text formatted as a JSON blob Backup keys as blobs

19 Azure Key Vault Delete key Key creation Backup key Key activation Key expiration Key usage Enabled = Yes

20 SQL Server Encryption Always Encrypted From SQL Server 2016 Enterprise to Express Use with TDE Transparent Data Encryption (TDE) SQL Server 2008 Enterprise only Column-level encryption SQL Server 2008 AKA cell-level encryption Encrypting backups SQL Server 2014

21 Always Encrypted and TDE Always Encrypted At rest and in motion Encrypts specific columns containing sensitive data Encrypted and decrypted on the client side Keys not on the server Protects against DBAs and mitigates risks with regulations Transparent Data Encryption (TDE) At rest Encrypts the whole database Encrypted and decrypted server side Keys held on the server Protects against hard disk theft

22 SQL Server Always Encrypted with AKV CMK01 Asymmetric for security Key encrypting key AKV Symmetric key for efficiency Data encrypting key Metadata for CMK Data Access Driver ADO.NET or ODBC Column Encryption Key Encrypted Column Encryption Key (CEK) Metadata for CMK Client Server

23 Always Encrypted Key Hierarchy Column Master Key Used to encrypt Column Encryption Key Used to encrypt Encrypted Data With AKV, keys are not stored on the client making it more secure

24 Demo 3: Create encrypted columns Create Column Master Key Create Column Encryption Key Create the cats schema Create the cats.owner table No encrypted columns Create the cats.cat table ParticularName deterministic CreditCard randomized Colour - deterministic

25 Always Encrypted: CMK Key Rotation Column Master Key (CMK) Encrypts Column Encryption Key (CEK) You can only have two CMKs at any one time Create a new CMK CMK2 Decrypt the CEK with CMK1 (current) Encrypt CEK with CMK2 The CEK value does not change Just the CMK encryption key Data is not decrypted and re-encrypted

26 Demo 4: Cats App & key rotation Cat table - sensitive fields are encrypted Deterministic fields the same (ParticularName and colour) The Cats App Key rotation Create a new column master key Create a view to display CEK values Make a new encrypted value for the CEK Alter the CEK and drop the old encrypted value Drop the old column master key CMK01

27 Encrypting Data Data is protected, but Key discovery Lost keys = lost data Disaster recovery riskier Vulnerable if keys not rotated Increased cost of data ownership Performance may be impacted Data management overhead Human factors

28 Key Management Secrecy Vulnerable when moved Keys are encrypted with other keys Key length Longer is better Cryptoperiod The longer the cryptoperiod, the greater the vulnerability Storage Store keys safely

29 AKV: Strengths and Weaknesses Strengths Keys in one place Accessible from anywhere Manage keys through their lifecycle Auditing No direct access to keys or plaintext passwords in configuration files Replaces costly HSMs Soft delete option Weaknesses Internet only Vulnerable to social engineering Monthly cost

30 More Information Azure documentation NIST

31 Tell us what you think SQLRelay.co.uk/feedback Live Now Win a Lego BB8!

32 Connect with me Caroline Eveleigh

33 Azure SQL database development SQL Server security Rvftujpot? Questions? Caroline SQL Server Specialists