SQL Server 2016 New Security Features. Gianluca Sartori


Our Sponsors

Gianluca Sartori
Independent SQL Server consultant
SQL Server MVP, MCTS, MCITP, MCT
Works with SQL Server since version 7
DBA @ Scuderia Ferrari
Blog: spaghettidba.com
Twitter: @spaghettidba

Agenda
- Security Boundaries
- Always Encrypted
- Row Level Security
- Dynamic Data Masking

Why New Security Features?
SQL Server already has plenty of security features:
- TDE: protects database files and backups at rest
- Cell-Level Encryption: encrypts single values in database tables
- SSL: protects data on the network

Security Boundaries (diagrams on three slides: Open, Non Sensitive, Sensitive). Actors shown: Apps, Manager, User, SSMS, Developer, DBA, Software Vendor, Unauthorized Users; the Database and, on the Non Sensitive and Sensitive slides, database Copies.

ALWAYS ENCRYPTED

Always Encrypted - Key Features
- Prevents Data Disclosure: end-to-end encryption of individual columns in a table with keys that are never given to the database system.
- Queries on Encrypted Data: support for equality comparison, incl. join, group by and distinct operators.
- Application Transparency: minimal application changes via server and client library enhancements.

Always Encrypted
- Sensitive data is encrypted at column level
- Data is protected from high-privileged users: DBAs, cloud providers, system admins, third parties, hackers
- Data is stored securely outside security boundaries
- The database never sees unencrypted data

Always Encrypted - How it works (diagram): the application is trusted, SQL Server is untrusted. The app issues SELECT Name FROM Patients WHERE SSN=@SSN with @SSN='198-33-0987'. The enhanced ADO.NET client (.NET 4.6) uses the Column Encryption Key, which is protected by a Column Master Key held only on the client side, to encrypt the parameter, so the server receives @SSN=0x7ff654ae6d. SQL Server compares ciphertext against the encrypted SSN column of dbo.Patients (Name and SSN stored as ciphertext, Country in plaintext) and returns the encrypted row; the client decrypts the result set: Name = Jim Gray.

Encryption Types
- Deterministic Encryption: same plaintext value, same encrypted value. Supports indexing, equality comparison, JOINs, DISTINCT.
- Randomized Encryption: same plaintext value, different encrypted value. Supports retrieval of encrypted data; no SQL operations supported.

Working with Always Encrypted DEMO

TDE vs Always Encrypted
Always Encrypted:
- Column level
- Client encryption
- Server doesn't know encryption keys
- Data in memory is encrypted
- Data travels the network encrypted
TDE:
- Database level
- Server encryption
- Server knows encryption keys
- Data in memory is in plaintext
- Data travels the network in plaintext

Custom encryption vs Always Encrypted
Always Encrypted:
- Slight application changes
- Disallows saving plaintext data
- Allows indexing of ciphertext *
Custom Encryption:
- Needs obtrusive changes
- Plaintext data can be saved by accident
- Allows indexing of ciphertext *
* depending on encryption algorithm

What changes for Applications?
- ConnectionString must include a new key: Column Encryption Setting=enabled;
- Ad-hoc queries are not supported:
  SELECT SomeColumn FROM SomeTable WHERE EncryptedColumn = 'SomeValue';
- Needs correctly parameterized queries:
  SELECT SomeColumn FROM SomeTable WHERE EncryptedColumn = @param;

Always Encrypted for Existing Data
- Existing columns must be encrypted client side
- Easiest way: wizard
- Ad-hoc wizard in SSMS 2016?
- Import / Export

Performance Impact

Space Usage Impact

Always Encrypted - Limitations
- Deterministic encryption needs a _BIN2 collation
- Not all datatypes supported
- Partial support for triggers
- Unsupported features: Full-text search, Replication, Change Data Capture, In-Memory OLTP, Stretch Database
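As an added T-SQL example (not from the slides), the key objects, a table mixing deterministic and randomized columns, and the query shapes that do or do not work; object names are hypothetical and the CEK blob is a placeholder that the SSMS wizard or the client driver normally produces:

```sql
-- Column Master Key: lives in a client-side key store; the server only records where it is.
CREATE COLUMN MASTER KEY CMK_Patients
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<certificate-thumbprint-placeholder>'
);
GO
-- Column Encryption Key: stored on the server only as a blob wrapped by the CMK.
CREATE COLUMN ENCRYPTION KEY CEK_Patients
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Patients,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00   -- placeholder: real value is generated client side (wizard/driver)
);
GO
CREATE TABLE dbo.Patients (
    PatientId int IDENTITY PRIMARY KEY,
    -- Randomized: same plaintext gives different ciphertext; retrievable, no predicates.
    Name nvarchar(100)
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    -- Deterministic: equality, JOIN, GROUP BY, DISTINCT allowed; requires a _BIN2 collation.
    SSN char(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    Country varchar(60) NOT NULL   -- left in plaintext on purpose
);
GO
-- Statement text as sent by an application whose connection string carries
-- "Column Encryption Setting=enabled" and which binds @SSN as a typed parameter;
-- the driver encrypts the parameter, so the server never sees the plaintext SSN.
-- Works: equality on a deterministic column.
SELECT Name FROM dbo.Patients WHERE SSN = @SSN;
-- Fails: a literal in an ad-hoc query cannot be encrypted by the server.
SELECT Name FROM dbo.Patients WHERE SSN = '198-33-0987';
-- Fails: range and pattern operators are not supported on encrypted columns.
SELECT Name FROM dbo.Patients WHERE SSN LIKE '198%';
-- Fails: no predicate at all is allowed on a randomized column.
SELECT SSN FROM dbo.Patients WHERE Name = @Name;
```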

Q&A Questions?

DYNAMIC DATA MASKING

Dynamic Data Masking - Key Features
- Limits Sensitive Data Exposure: sensitive data is masked; administrators designate how much of the sensitive data to reveal.
- Useful for Compliance: helps adhering to privacy standards imposed by regulation authorities.
- Application Transparency: no application changes; existing queries keep working.

Dynamic Data Masking (diagram): dbo.employees holds Name, SSN, Salary with the rows Jane Doe 062-56-4651 2.500; Jim Gray 915-12-9845 2.350; John Smith 354-21-9184 1.500. A privileged user reading SSN gets the unmasked data 062-56-4651; a non-privileged user gets the masked data XXX-XX-XXXX.

Dynamic Data Masking
- Obfuscates data using 4 masking functions:
  Default: depends on data type
  Email: axxx@xxxx.com
  Partial: prefixxxxxxxsuffix
  Random: random number in a range
- Data is stored unmasked
- Masking happens on resultset formation
- GRANT UNMASK to disclose data
- Works in Azure SQL Database

Dynamic Data Masking - Limitations
- Not all datatypes supported
- Not intended as a complete protection feature for sensitive data
- Ad-hoc queries disclose data, e.g. WHERE Salary > 2000
- INSERT ... SELECT does not preserve masking
- Some quirks
- Not suitable for handing out copies of the database to software vendors or third parties
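As an added T-SQL example (not from the slides) covering the four masking functions and the ad-hoc query caveat above; the table, user and rows are constructed for illustration:

```sql
CREATE TABLE dbo.Employees (
    EmpId  int IDENTITY PRIMARY KEY,
    Name   nvarchar(100) NOT NULL,
    Email  varchar(100)  MASKED WITH (FUNCTION = 'email()') NOT NULL,
    -- partial(prefix, padding, suffix): keep 0 leading chars, pad, keep last 4
    SSN    char(11)      MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NOT NULL,
    Salary int           MASKED WITH (FUNCTION = 'random(1,1000)') NOT NULL,
    Notes  nvarchar(200) MASKED WITH (FUNCTION = 'default()') NULL
);
INSERT INTO dbo.Employees (Name, Email, SSN, Salary, Notes) VALUES
    (N'Jane Doe',   'jane@example.com', '062-56-4651', 2500, N'on call'),
    (N'Jim Gray',   'jim@example.com',  '915-12-9845', 2350, NULL),
    (N'John Smith', 'john@example.com', '354-21-9184', 1500, N'part time');
GO
-- A non-privileged principal: SELECT permission, but no UNMASK.
CREATE USER MaskedReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Employees TO MaskedReader;
GO
EXECUTE AS USER = 'MaskedReader';
-- Masks are applied when the result set is formed; the stored data is untouched.
-- Expected view: Email jXXX@XXXX.com, SSN XXX-XX-4651, Salary a random 1..1000, Notes xxxx
SELECT Name, Email, SSN, Salary, Notes FROM dbo.Employees;
-- Caveat from the slide: predicates are evaluated on the real values, so an
-- ad-hoc filter still reveals information about a masked column.
SELECT Name FROM dbo.Employees WHERE Salary > 2000;   -- Jane Doe, Jim Gray
REVERT;
GO
-- Disclosure is a permission, not a table change: UNMASK lifts every mask for the grantee.
GRANT UNMASK TO MaskedReader;
```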

Working with Dynamic Data Masking DEMO

Q&A Questions?

ROW-LEVEL SECURITY

Row Level Security - Key Features
- Fine-grained access control: in multi-tenant databases, limits access by other users who share the same tables.
- Centralized Security Logic: predicate-based access control logic resides inside the database and is schema-bound to the tables it protects.
- Application Transparency: no application changes; existing queries keep working.

Row-Level Security (diagram): dbo.customer holds Name, Area, Budget with the rows Evil Inc. EMEA 2.500; Wealthy Corp. LATAM 2.350; Greedy Corp. APAC 1.500. The table is accessed by a Manager and by EMEA, LATAM and APAC salespersons, each salesperson being limited to the rows of their own area.

Row-Level Security - Concepts
- Predicate function: user-defined inline table-valued function (itvf) implementing the access control logic; can be arbitrarily complicated.
- Security predicate: applies a predicate function to a particular table (APPLY); two types, filter predicates and blocking predicates.
- Security policy: collection of security predicates; manages security across multiple tables.

Row-Level Security - How it works (diagram): dbo.customer holds Name, Area, Budget with the rows Evil Inc. EMEA 2.500; Wealthy Corp. LATAM 2.350; Greedy Corp. APAC 1.500. The DBA runs SELECT * FROM Customer and gets all rows; for the EMEA Salesperson the Security Policy rewrites the same query as SELECT * FROM Customer APPLY itvf_securitypredicate(), so only the EMEA row comes back.

Working with Row-Level Security DEMO

Row-Level Security - Limitations
- SCHEMABINDING: all tables in the predicate function must reside in the database
- Performance impact: queries are rewritten
- When the application authenticates users itself, CONTEXT_INFO() can be used to filter on the real user
- Not really secure if users can run ad-hoc queries
- Don't lock out the DBA!
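As an added T-SQL example (not from the slides) tying together the concepts and limitations above: a schema-bound inline predicate function, a policy with a filter and a block predicate, and a db_owner escape hatch so the DBA is not locked out; schema, table and user names are constructed:

```sql
CREATE SCHEMA Security;
GO
-- Mapping of database users to areas; it must live in this database (SCHEMABINDING).
CREATE TABLE Security.SalesArea (UserName sysname PRIMARY KEY, Area varchar(10) NOT NULL);
INSERT INTO Security.SalesArea VALUES ('EmeaSales', 'EMEA'), ('LatamSales', 'LATAM');
GO
-- Inline table-valued predicate function: a row in the result means "access allowed".
-- If the application authenticates users itself and connects with one login, replace
-- USER_NAME() with a value the app sets per session (CONTEXT_INFO or SESSION_CONTEXT).
CREATE FUNCTION Security.fn_customerPredicate(@Area varchar(10))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_result
       WHERE @Area = (SELECT sa.Area FROM Security.SalesArea AS sa WHERE sa.UserName = USER_NAME())
          OR IS_MEMBER('db_owner') = 1;   -- don't lock out the DBA
GO
CREATE TABLE dbo.Customer (Name nvarchar(100) NOT NULL, Area varchar(10) NOT NULL, Budget int);
INSERT INTO dbo.Customer VALUES
    (N'Evil Inc.', 'EMEA', 2500), (N'Wealthy Corp.', 'LATAM', 2350), (N'Greedy Corp.', 'APAC', 1500);
GO
-- FILTER hides rows from SELECT/UPDATE/DELETE; BLOCK rejects writes that would
-- create rows the caller could not see afterwards. Every query is rewritten to
-- apply the function, which is the performance cost the slide mentions.
CREATE SECURITY POLICY Security.CustomerPolicy
    ADD FILTER PREDICATE Security.fn_customerPredicate(Area) ON dbo.Customer,
    ADD BLOCK  PREDICATE Security.fn_customerPredicate(Area) ON dbo.Customer AFTER INSERT
WITH (STATE = ON, SCHEMABINDING = ON);
GO
CREATE USER EmeaSales WITHOUT LOGIN;
GRANT SELECT, INSERT ON dbo.Customer TO EmeaSales;
GO
EXECUTE AS USER = 'EmeaSales';
SELECT * FROM dbo.Customer;                                   -- only Evil Inc. (EMEA)
INSERT INTO dbo.Customer VALUES (N'Far Ltd.', 'APAC', 900);   -- rejected by the block predicate
REVERT;
SELECT * FROM dbo.Customer;                                   -- dbo (db_owner) sees all rows
```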

Q&A Questions?

Resources
- Always Encrypted on MSDN
- Getting Started With Always Encrypted
- Performance impact of Always Encrypted
- Dynamic Data Masking on MSDN
- Using Dynamic Data Masking
- Row-Level Security on MSDN
- Introduction to Row-Level Security
- Row-Level Security Limitations

How did you like it? Please give us feedback!
- to the event: www.sqlsaturday.com/579/eventeval.aspx
- to me as a speaker: www.sqlsaturday.com/579/sessions/sessionevaluation.aspx

Resources
- SQL Server 2016 in 15 Minuten: https://channel9.msdn.com/series/sqlserver-2016-in-15-minuten
- SQL PASS Austria Homepage: http://austria.sqlpass.org
- SQL PASS Austria Meeting Archive: http://sdrv.ms/zfvdnm

Thank You!