SQL Server 2016 New Security Features Gianluca Sartori
Gianluca Sartori, independent SQL Server consultant. SQL Server MVP, MCTS, MCITP, MCT. Works with SQL Server since version 7. DBA @ Scuderia Ferrari. Blog: spaghettidba.com Twitter: @spaghettidba
Agenda Security Boundaries Always Encrypted Row Level Security Dynamic Data Masking
Why New Security Features? SQL Server already has plenty of security features:
  TDE: protects database files and backups at rest
  Cell-Level Encryption: encrypts single values in database tables
  SSL/TLS: protects data on the network
None of these keeps the data away from a privileged user of the database server itself; that is the boundary the next slides look at.
Security Boundaries (three diagrams; only the recoverable content is kept)
  Open: the Database is reached by Apps, Manager, User, SSMS, Developer, DBA, Software Vendor and Unauthorized Users alike.
  Non Sensitive: Apps, Manager and User work on the Database; the DBA and SSMS work on it too, while Developer and Software Vendor receive Copies of the database; Unauthorized Users sit outside.
  Sensitive: the same actors and the same database Copies, but now the data in every copy is sensitive and must stay protected wherever it goes.
ALWAYS ENCRYPTED
Always Encrypted Key Features Prevents Data Disclosure End-to-end encryption of individual columns in a table with keys that are never given to the database system. Queries on Encrypted Data Support for equality comparison, incl. join, group by and distinct operators. Application Transparency Minimal application changes via server and client library enhancements.
Always Encrypted
  Sensitive data is encrypted at column level
  Data is protected from high-privileged users: DBAs, Cloud providers, System Admins, Third-parties, Hackers
  Data is stored securely outside security boundaries
  The database never sees unencrypted data
Always Encrypted: How it works (diagram)
  Application (trusted): holds the Column Master Key. It issues SELECT Name FROM Patients WHERE SSN=@SSN with @SSN='198-33-0987'.
  Enhanced ADO.NET client (.NET 4.6) or Enhanced SQL Server Native Client: encrypts the parameter with the Column Encryption Key (which is stored in the database only in wrapped form, encrypted by the Column Master Key), so the query that reaches the server carries @SSN=0x7ff654ae6d.
  SQL Server (untrusted): dbo.Patients stores Name and SSN as ciphertext (Name 0x4A616E65204..., 0x4A696D20477..., 0x4A6F686E205...; SSN 1x7fg655se2e, 0x7ff654ae6d, 0y8fj754ea2c) next to plaintext Country (USA). The server matches ciphertext to ciphertext and returns the encrypted Name.
  The client library decrypts the result set: Name = Jim Gray.
Encryption Types
  Deterministic Encryption: same plaintext value, same encrypted value. Supports indexing, equality comparison, JOINs, DISTINCT. Caveat: because equality is preserved, anyone who can read the column (a DBA included) can still see which rows share a value and how often each value occurs, even without the keys.
  Randomized Encryption: same plaintext value, different encrypted value. Supports retrieval of encrypted data; no SQL operations supported on the server side.
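The DDL behind the two encryption types, as an added example that is not part of the slides. Key names, the certificate thumbprint and the ENCRYPTED_VALUE bytes are placeholders: the wrapped CEK is generated client side (SSMS wizard or the SqlServer PowerShell module), never by the engine. The last two queries are the DBA's view and run fine from a connection without Column Encryption Setting=Enabled.

```sql
-- Added example, not from the slides. CMK_Patients, CEK_Patients, dbo.Patients,
-- the thumbprint and the ENCRYPTED_VALUE are placeholders/constructed names.

-- 1. Column Master Key: metadata only, pointing at a key in a client-side store.
CREATE COLUMN MASTER KEY CMK_Patients
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/0000000000000000000000000000000000000000'  -- placeholder thumbprint
);
GO

-- 2. Column Encryption Key: stored in the database, but only as CMK-wrapped ciphertext.
CREATE COLUMN ENCRYPTION KEY CEK_Patients
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Patients,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00  -- placeholder: paste the value produced by the client tool
);
GO

-- 3. SSN is deterministic (searchable), Name is randomized (retrieve-only).
--    Deterministic string columns need a _BIN2 collation; with the default
--    case/accent-insensitive collation "equal" strings would encrypt differently.
CREATE TABLE dbo.Patients (
    PatientID int IDENTITY(1,1) PRIMARY KEY,
    Name nvarchar(100)
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    SSN char(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    Country varchar(50) NOT NULL  -- not sensitive: stays plaintext, fully queryable
);
GO

-- Deterministic ciphertext can be indexed and used for equality, JOIN, GROUP BY, DISTINCT.
CREATE INDEX IX_Patients_SSN ON dbo.Patients (SSN);
GO

-- What the engine knows about the columns: type, algorithm, key name. No key material.
SELECT c.name, c.encryption_type_desc, c.encryption_algorithm_name, k.name AS cek_name
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS k
  ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE c.object_id = OBJECT_ID('dbo.Patients');

-- The deterministic caveat made visible: a DBA without keys cannot read an SSN,
-- but can still count how many rows share one (equality pattern leakage).
SELECT SSN, COUNT(*) AS Occurrences
FROM dbo.Patients
GROUP BY SSN
HAVING COUNT(*) > 1;
```

Inserting rows into dbo.Patients has to go through a client that has Column Encryption Setting=Enabled and access to the CMK; a plain INSERT with literals is rejected, which is the "disallows saving plaintext data" property of the feature.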
Working with Always Encrypted DEMO
TDE vs Always Encrypted
                         Always Encrypted              TDE
  Scope                  Column level                  Database level
  Where encryption runs  Client                        Server
  Encryption keys        Server doesn't know them      Server knows them
  Data in memory         Encrypted                     Plaintext
  Data on the network    Encrypted                     Plaintext (unless SSL/TLS is used)
Custom encryption vs Always Encrypted
                                  Always Encrypted                 Custom Encryption
  Application changes             Slight                           Obtrusive
  Saving plaintext by accident    Disallowed                       Possible
  Indexing of ciphertext          Allowed *                        Allowed *
  * depending on the encryption algorithm (deterministic only)
What changes for Applications?
  The connection string must include a new key: Column Encryption Setting=enabled;
  Ad-hoc queries with literals are not supported: SELECT SomeColumn FROM SomeTable WHERE EncryptedColumn = 'SomeValue';
  Queries need to be correctly parameterized, so the driver can encrypt the parameter value on the client: SELECT SomeColumn FROM SomeTable WHERE EncryptedColumn = @param;
Always Encrypted for Existing Data
  Existing columns must be encrypted client side (the server cannot do it, it has no keys)
  Easiest way: the Always Encrypted wizard in SSMS 2016, or Import / Export through a client with Column Encryption Setting=enabled
Performance Impact
Space Usage Impact
Always Encrypted - Limitations
  Deterministic encryption needs a _BIN2 collation
  Not all datatypes supported
  Partial support for triggers
  Unsupported features: Full-text search, Replication, Change Data Capture, In-Memory OLTP, Stretch Database
Q&A Questions?
DYNAMIC DATA MASKING
Dynamic Data Masking Key Features
  Limits Sensitive Data Exposure: sensitive data is masked; administrators designate how much of it to reveal.
  Useful for Compliance: helps adhere to privacy standards imposed by regulation authorities.
  Application Transparency: no application changes; existing queries keep working.
Dynamic Data Masking (diagram)
  Database dbo.employees
    Name         SSN           Salary
    Jane Doe     062-56-4651   2.500
    Jim Gray     915-12-9845   2.350
    John Smith   354-21-9184   1.500
  Privileged User reads unmasked data: SSN 062-56-4651
  Non-Privileged User reads masked data: SSN XXX-XX-XXXX
Dynamic Data Masking obfuscates data using 4 masking functions:
  Default: full mask, depends on data type
  Email: keeps the first letter and the .com suffix, e.g. aXXX@XXXX.com
  Partial: prefix + padding + suffix, with the number of leading and trailing characters to keep
  Random: a random number in a range (numeric types)
Data is stored unmasked; masking happens when the result set is formed.
GRANT UNMASK to disclose data.
Works in Azure SQL Database.
Dynamic Data Masking - Limitations
  Not all datatypes supported
  Not intended as a complete protection feature for sensitive data
  Ad-hoc queries disclose data, because predicates are evaluated on the real values. Ex: WHERE Salary > 2000
  INSERT ... SELECT and SELECT INTO copy the (masked) values but do not carry the masking rules to the target table
  Some quirks
  Not suitable for handing out copies of the database to software vendors or third-parties (the copy contains the plaintext)
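The four masking functions and the ad-hoc query limitation together, as an added example that is not part of the slides. The table, the Reporting user, the EmployeesCopy table and the rows are constructed for the demo.

```sql
-- Added example, not from the slides. dbo.Employees, dbo.EmployeesCopy, the user
-- Reporting and all rows are constructed.
CREATE TABLE dbo.Employees (
    EmployeeID int IDENTITY(1,1) PRIMARY KEY,
    Name   nvarchar(100) NOT NULL,
    Email  varchar(100)  MASKED WITH (FUNCTION = 'email()'),                -- jXXX@XXXX.com
    SSN    char(11)      MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)'), -- keep last 4 chars
    Salary decimal(9,2)  MASKED WITH (FUNCTION = 'random(1000,9999)'),      -- random in a range
    Phone  varchar(20)   MASKED WITH (FUNCTION = 'default()')               -- xxxx for strings
);
INSERT INTO dbo.Employees (Name, Email, SSN, Salary, Phone) VALUES
    (N'Jane Doe',   'jane@example.com', '062-56-4651', 2500.00, '+1 555 0100'),
    (N'Jim Gray',   'jim@example.com',  '915-12-9845', 2350.00, '+1 555 0101'),
    (N'John Smith', 'john@example.com', '354-21-9184', 1500.00, '+1 555 0102');

-- Target table for the copy test: same columns, no masking rules.
CREATE TABLE dbo.EmployeesCopy (Name nvarchar(100), SSN char(11));
GO

-- A non-privileged reader: SELECT (and INSERT on the copy), no UNMASK.
CREATE USER Reporting WITHOUT LOGIN;
GRANT SELECT ON dbo.Employees TO Reporting;
GRANT INSERT, SELECT ON dbo.EmployeesCopy TO Reporting;
GO

EXECUTE AS USER = 'Reporting';
-- Masked on output: jXXX@XXXX.com, XXX-XX-4651, a random salary, xxxx.
SELECT Name, Email, SSN, Salary, Phone FROM dbo.Employees;

-- The limitation from the slide: the WHERE clause runs on the real values,
-- so the mask becomes an oracle for anyone who can write ad-hoc predicates.
SELECT Name FROM dbo.Employees WHERE Salary > 2000;              -- Jane Doe, Jim Gray
SELECT Name FROM dbo.Employees WHERE SSN LIKE '062-56-%';        -- Jane Doe: prefix confirmed
SELECT Name FROM dbo.Employees WHERE Email = 'jane@example.com'; -- exact-match probe

-- Copying rows stores the masked values in a table that has no mask rule.
INSERT INTO dbo.EmployeesCopy (Name, SSN) SELECT Name, SSN FROM dbo.Employees;
SELECT Name, SSN FROM dbo.EmployeesCopy;   -- XXX-XX-4651 is now the stored value
REVERT;
GO

-- Disclose to one principal without granting it anything else.
GRANT UNMASK TO Reporting;
EXECUTE AS USER = 'Reporting';
SELECT Name, SSN FROM dbo.Employees;       -- 062-56-4651
REVERT;
```

Members of db_owner (and sysadmin) always see unmasked data, so run the masked part of the script impersonating the low-privileged user, as above; running it as the DBA shows nothing.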
Working with Dynamic Data Masking DEMO
ROW-LEVEL SECURITY
Row Level Security Key Features Fine-grained access control In multi-tenant databases, limits access by other users who share the same tables. Centralized Security Logic Predicate-based access control logic resides inside the database and is schema-bound to the tables it protects. Application Transparency No application changes. Existing queries keep working.
Row-Level Security (diagram)
  dbo.customer
    Name            Area    Budget
    Evil Inc.       EMEA    2.500
    Wealthy Corp.   LATAM   2.350
    Greedy Corp.    APAC    1.500
  Manager sees all rows; the EMEA, LATAM and APAC Salespersons each see only the row of their own area.
Row-Level Security - Concepts
  Predicate function: a user-defined inline table-valued function (inline TVF) implementing the access control logic; can be arbitrarily complicated.
  Security predicate: applies a predicate function to a particular table (semantically, an APPLY of the function to every row). Two types: filter predicates, which silently filter the rows read by SELECT, UPDATE and DELETE, and blocking predicates, which explicitly block writes (AFTER INSERT, AFTER UPDATE, BEFORE UPDATE, BEFORE DELETE) that violate the predicate.
  Security policy: a collection of security predicates; manages security across multiple tables.
Row-Level Security: How it works (diagram)
  dbo.customer
    Name            Area    Budget
    Evil Inc.       EMEA    2.500
    Wealthy Corp.   LATAM   2.350
    Greedy Corp.    APAC    1.500
  DBA runs SELECT * FROM Customer and, through the Security Policy, gets all rows.
  EMEA Salesperson runs the same SELECT * FROM Customer; the engine rewrites it as SELECT * FROM Customer APPLY itvf_securitypredicate() and returns only Evil Inc.
Working with Row-Level Security DEMO
Row-Level Security - Limitations
  SCHEMABINDING: all tables referenced by the predicate function must reside in the same database (no cross-database or linked-server lookups).
  Performance impact: queries are rewritten to apply the predicate to every row, so keep the predicate cheap and index the lookup tables it reads.
  When the application authenticates with a shared login, CONTEXT_INFO() (or SESSION_CONTEXT() in SQL Server 2016) can carry the real user for the predicate to filter on; the application must set it, and the user must not be able to overwrite it.
  Not really secure if users can run ad-hoc queries: RLS filters rows, it does not hide the table, and Microsoft's documentation warns that carefully crafted queries (e.g. forcing an error such as a divide by zero on a value) can reveal information about rows the filter hides.
  Don't lock out the DBA!
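A complete policy covering the concepts and the limitations above (filter plus block predicate, SESSION_CONTEXT for a shared application login, db_owner let through), as an added example that is not part of the slides. The users, the dbo.AreaAssignment table, the Security schema and the function/policy names are constructed; the rows are the ones from the dbo.customer diagram.

```sql
-- Added example, not from the slides. EmeaSales, ApacSales, Manager, AppService,
-- dbo.AreaAssignment, Security.fn_CustomerPredicate and Security.CustomerPolicy
-- are constructed names.
CREATE TABLE dbo.Customer (
    CustomerID int IDENTITY(1,1) PRIMARY KEY,
    Name   nvarchar(100) NOT NULL,
    Area   char(5)       NOT NULL,
    Budget decimal(9,2)  NOT NULL
);
INSERT INTO dbo.Customer (Name, Area, Budget) VALUES
    (N'Evil Inc.', 'EMEA', 2500.00), (N'Wealthy Corp.', 'LATAM', 2350.00), (N'Greedy Corp.', 'APAC', 1500.00);

-- Who may see which area. Indexed, because the predicate reads it for every row.
CREATE TABLE dbo.AreaAssignment (UserName sysname NOT NULL, Area char(5) NOT NULL);
CREATE INDEX IX_AreaAssignment ON dbo.AreaAssignment (Area, UserName);
INSERT INTO dbo.AreaAssignment (UserName, Area) VALUES
    ('EmeaSales','EMEA'), ('ApacSales','APAC'),
    ('Manager','EMEA'), ('Manager','LATAM'), ('Manager','APAC');

CREATE USER EmeaSales  WITHOUT LOGIN;
CREATE USER ApacSales  WITHOUT LOGIN;
CREATE USER Manager    WITHOUT LOGIN;
CREATE USER AppService WITHOUT LOGIN;   -- shared login used by an application
GRANT SELECT, INSERT ON dbo.Customer TO EmeaSales, ApacSales, Manager, AppService;
GO

CREATE SCHEMA Security;
GO
-- Predicate function: inline TVF, schema-bound, returns a row when access is allowed.
-- Identity comes from USER_NAME() for direct users, or from SESSION_CONTEXT for an
-- application that authenticates once and sets the real user per session.
-- db_owner is let through explicitly so the DBA is never locked out.
CREATE FUNCTION Security.fn_CustomerPredicate(@Area char(5))
RETURNS TABLE
WITH SCHEMABINDING
AS RETURN
    SELECT 1 AS fn_result
    WHERE IS_MEMBER('db_owner') = 1
       OR EXISTS (SELECT 1
                  FROM dbo.AreaAssignment AS a
                  WHERE a.Area = @Area
                    AND a.UserName IN (USER_NAME(),
                                       CAST(SESSION_CONTEXT(N'AppUser') AS sysname)));
GO

-- Filter predicate hides rows on read; block predicate rejects inserts of rows
-- the writer would not be allowed to see afterwards.
CREATE SECURITY POLICY Security.CustomerPolicy
    ADD FILTER PREDICATE Security.fn_CustomerPredicate(Area) ON dbo.Customer,
    ADD BLOCK  PREDICATE Security.fn_CustomerPredicate(Area) ON dbo.Customer AFTER INSERT
WITH (STATE = ON);
GO

EXECUTE AS USER = 'EmeaSales';
SELECT Name, Area, Budget FROM dbo.Customer;   -- Evil Inc. only
INSERT INTO dbo.Customer (Name, Area, Budget)
VALUES (N'Sneaky Ltd.', 'APAC', 100.00);       -- fails: blocked by the AFTER INSERT predicate
REVERT;

-- Shared application login: the app sets the real user once per session, read-only,
-- so the user cannot change it later in the same session; the same predicate applies.
EXECUTE AS USER = 'AppService';
EXEC sp_set_session_context @key = N'AppUser', @value = N'ApacSales', @read_only = 1;
SELECT Name, Area, Budget FROM dbo.Customer;   -- Greedy Corp. only
REVERT;

-- dbo / db_owner still sees all three rows.
SELECT Name, Area, Budget FROM dbo.Customer;
```

The read-only session context is what makes the shared-login pattern hold up: if the application let the user run ad-hoc SQL, a writable key could simply be reset with sp_set_session_context to another user's name.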
Resources
  Always Encrypted on MSDN
  Getting Started With Always Encrypted
  Performance impact of Always Encrypted
  Dynamic Data Masking on MSDN
  Using Dynamic Data Masking
  Row-Level Security on MSDN
  Introduction to Row-Level Security
  Row-Level Security Limitations
Resources
  SQL Server 2016 in 15 Minuten: https://channel9.msdn.com/series/sqlserver-2016-in-15-minuten
  SQL PASS Austria Homepage: http://austria.sqlpass.org
  SQL PASS Austria Meeting Archive: http://sdrv.ms/zfvdnm
Thank You!