PASS SQL DBA Virtual Chapter


PASS SQL DBA Virtual Chapter, Wed, 7:00 PM - 8:00 PM GMT. Lecture by Ronen Ariely: Implementing new Security Features in SQL Server 2016, Part 2.
SQL Server 2016 provides several new data security features: Always Encrypted, Dynamic Data Masking and Row-Level Security. These features are a 'game changer' for developers, DBAs and, above all, architects who need to design applications and data platforms. They increase security and reduce development time significantly: features that were usually implemented on the application side can now be implemented on the server side, while encryption keys, which are usually stored on the server side, can now be stored on the client side. The lecture is held in two parts. In this second part we explore the implementation of Row-Level Security and Always Encrypted, using the new built-in features in SQL Server 2016 and the options available in older versions. We discuss the benefits, the limitations, and how our data is actually secured by the new features.
Ronen Ariely, Senior Consultant & Architect, http://ariely.info

About Ronen Ariely (Blog, website, Facebook, LinkedIn). Senior consultant and architect in the fields of application development and databases. More than 15 years of experience in a variety of programming languages and technologies, leading and managing development teams, and SQL & BI enterprise-level solutions. Specialized in geophysics and seismic data analysis during Master's degree studies at Tel-Aviv University, Israel. Active in communities in the fields of programming, SQL Server and T-SQL; served several years as moderator at the MSDN Israel communities and at the MSDN global communities (aka pituach). Writes technical blogs and TechNet WIKI articles, founder of the TechNet WIKI Ninjas groups on Facebook, and serves as one of their leaders. Has been awarded Microsoft Most Valuable Professional (MVP).

Agenda: SQL Server 2016 Security Features
1. Who are you - authentication
* Active Directory - central access management
* Contained database authentication
2. What can you see - access control
* Dynamic Data Masking
* Row-level security
* Auditing - tracks access and changes
3. Securing secrets - encryption options
* Transparent Data Encryption
* Encryption at the database level by certificate, key, or password
* Backup encryption
* Always Encrypted
(Slide illustration: the masked view of a credit card column next to the unmasked value)
Id  Credit Card #
1   ******1234
2   ******5678
3   ******9012
Id  Credit Card #
2   123456789

Security - history: Database Security, a brief overview
* SQL Server 2000 and before - no native tools for encryption. Data-at-rest encryption could be done with 3rd-party tools, or by encrypting the entire drive (TrueCrypt, etc.)
* Column Level Encryption (wrong name!) - introduced with SQL Server 2005. Should be named Value Level Encryption.
* Transparent Data Encryption (TDE) - introduced with SQL Server 2008. File-level encryption.
* Certificate-based transport encryption
* Dynamic Data Masking - NEW! introduced with SQL Server 2016
* Row Level Security - NEW! introduced with SQL Server 2016
* Always Encrypted - NEW! introduced with SQL Server 2016. Real column-level encryption...

Dynamic Data Masking was covered in "Implementing (and cracking) new Security Features in SQL Server 2016, Part 1".
Event page: http://dba.sqlpass.org/home.aspx?eventid=6479
Recording link: https://www.youtube.com/watch?v=6yjsl9_sbhg
Download demo code & presentation: https://gallery.technet.microsoft.com/implementing-Dynamic-Data-25903b12


Row Level Security: apply fine-grained access control to table rows based on users' rights.

Row Level Security

(Diagram: filtering data at the application level. The App sits between the users Ronen.Ariely.info and Ariely.info and the database, and applies the row filter itself.)

(Diagram: filtering data at the application level versus at the server level. With SQL Server 2016 Row Level Security the filter moves from the App into the server, for the same users Ronen.Ariely.info and Ariely.info.) Less development resources, and much better security.

Security Policy - Row Level Security
Row Level Security (RLS) allows us to control access to rows in a database table based on a SECURITY POLICY, which is enforced by an inline table-valued function. RLS enables you to store data for many users in a single table while restricting the rows returned based on the user's identity, role, or execution context.
DEMO table:
usercode  Salary  pass
Ronen     1111    a
Ronen     2222    b
Ariely    3333    d
IDNDUG    2222    e
Ariely    1111    g
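As an added worked example (not from the slides or the author's downloadable demo), here is the security policy over the demo table above in T-SQL. The database users Ronen, Ariely and Manager, the Security schema and the function name are assumptions; the script is meant to run as dbo in a test database.

```sql
-- Demo table, populated with the rows shown on the slide (constructed here)
CREATE TABLE dbo.Salaries (
    usercode SYSNAME NOT NULL,
    Salary   INT     NOT NULL,
    pass     CHAR(1) NOT NULL
);
INSERT INTO dbo.Salaries (usercode, Salary, pass) VALUES
    ('Ronen', 1111, 'a'), ('Ronen', 2222, 'b'), ('Ariely', 3333, 'd'),
    ('IDNDUG', 2222, 'e'), ('Ariely', 1111, 'g');
-- The predicate is evaluated per row (like CROSS APPLY), so index the filtered column
CREATE INDEX IX_Salaries_usercode ON dbo.Salaries (usercode);

-- Database users without logins, so the policy can be tested with EXECUTE AS
CREATE USER Ronen   WITHOUT LOGIN;
CREATE USER Ariely  WITHOUT LOGIN;
CREATE USER Manager WITHOUT LOGIN;   -- assumed "sees everything" user
GRANT SELECT, INSERT ON dbo.Salaries TO Ronen, Ariely, Manager;
GO
CREATE SCHEMA Security;              -- keeps the predicate function away from app users
GO
-- Inline table-valued predicate: returns a row when the caller may see/write that row
CREATE FUNCTION Security.fn_SalaryPredicate (@usercode AS SYSNAME)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @usercode = USER_NAME()      -- a user sees only their own rows
              OR USER_NAME() = 'Manager';     -- Manager sees all rows
GO
-- FILTER hides non-matching rows on SELECT/UPDATE/DELETE;
-- BLOCK rejects INSERTs that would create rows the caller could not see afterwards
CREATE SECURITY POLICY Security.SalaryPolicy
    ADD FILTER PREDICATE Security.fn_SalaryPredicate(usercode) ON dbo.Salaries,
    ADD BLOCK  PREDICATE Security.fn_SalaryPredicate(usercode) ON dbo.Salaries AFTER INSERT
    WITH (STATE = ON, SCHEMABINDING = ON);
GO
-- Test as Ronen: the unchanged SELECT now returns only the two 'Ronen' rows
EXECUTE AS USER = 'Ronen';
SELECT usercode, Salary, pass FROM dbo.Salaries;        -- Ronen/1111/a, Ronen/2222/b
INSERT INTO dbo.Salaries VALUES ('Ariely', 9999, 'z');  -- rejected by the BLOCK predicate
REVERT;
-- Test as Manager: all five rows are visible
EXECUTE AS USER = 'Manager';
SELECT COUNT(*) AS visible_rows FROM dbo.Salaries;      -- 5
REVERT;
```

The application code needs no change; the same query returns different rows depending on the execution context, which is what makes the feature transparent.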


Always Encrypted: help protect data at rest and in motion, with the master key residing with the application, and no application changes required.

Protecting your house against break-ins can be achieved with proper security. (04/07/2016)

But maybe your goal is to protect against a break-out from a prison?!? (Image: Springfield, The Simpsons, season 16)

Always Encrypted: protect against whom?

(Diagram: the Always Encrypted security layer. The App Client talks through the Driver to the App Service; the client sees SSN values 1234, 2223 and 9876, while the server side holds only ciphertext 0x4a70f56, 0x4352d07.., 0x432a7f0.)

Always Encrypted - .NET 4.6 and above!
Always Encrypted is a feature designed to protect sensitive data stored in SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to SQL Server. As a result, Always Encrypted provides a separation between those who own the data (and can view it) and those who manage the data (but should have no access). Always Encrypted makes encryption transparent to applications. An Always Encrypted-enabled driver installed on the client computer achieves this by automatically encrypting and decrypting sensitive data in the SQL Server client application. The driver encrypts the data in sensitive columns before passing the data to SQL Server, and automatically rewrites queries so that the semantics to the application are preserved. Similarly, the driver transparently decrypts data stored in encrypted database columns that is contained in query results.
* The above text is from MSDN

Always Encrypted - How it Works
* A Column Master Key (a certificate) is stored on the application side, in the key store. It is used to protect the Column Encryption Key.
* The Column Master Key Definition is stored on the server. It contains information about the location of the Column Master Key, not the key itself.
* The Column Encryption Key is stored on the server, but in encrypted form. This Column Encryption Key is what encrypts and decrypts the data.
* Since SQL Server does not have the Column Master Key, it cannot use the Column Encryption Key and therefore cannot decrypt the data!

Always Encrypted - How it Works
The location of the key store is recorded in the Column Master Key Definition on the server. Using that location information, the driver contacts the key store that holds the Column Master Key, decrypts the encrypted Column Encryption Key value that it fetched from the server, and then uses the plaintext Column Encryption Key to encrypt the query parameter before it leaves the client. DEMO
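As an added example (not part of the slides or the author's demo code), the server-side metadata described in the two "How it Works" slides, written out in T-SQL. The key names, the certificate thumbprint in KEY_PATH and the ENCRYPTED_VALUE bytes are placeholders: the real wrapped key blob is produced on the client by a tool that holds the Column Master Key (for example the SSMS wizard), never by the server.

```sql
-- 1. Column Master Key DEFINITION: the server stores only where the key lives, never the key.
--    (Placeholder thumbprint; the certificate itself exists only in the client's key store.)
CREATE COLUMN MASTER KEY CMK_Demo
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<CERTIFICATE-THUMBPRINT-PLACEHOLDER>'
);
GO
-- 2. Column Encryption Key: stored on the server, but only as a value wrapped (RSA-OAEP)
--    with the CMK. The 0x... literal comes from the client tool; placeholder bytes here.
CREATE COLUMN ENCRYPTION KEY CEK_Demo
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Demo,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0000   -- placeholder for the CMK-wrapped key blob
);
GO
-- 3. A table whose SSN column is encrypted with the CEK. DETERMINISTIC allows equality
--    lookups and requires a BIN2 collation; RANDOMIZED leaks less but supports no lookups.
CREATE TABLE dbo.Customers (
    Id   INT IDENTITY PRIMARY KEY,
    Name NVARCHAR(60) NOT NULL,
    SSN  CHAR(11) COLLATE Latin1_General_BIN2
         ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Demo,
                         ENCRYPTION_TYPE = DETERMINISTIC,
                         ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL
);
GO
-- What a DBA can see: the key location and the wrapped CEK, but no plaintext key
SELECT name, key_store_provider_name, key_path FROM sys.column_master_keys;
SELECT k.name, v.encryption_algorithm_name, v.encrypted_value
FROM sys.column_encryption_keys AS k
JOIN sys.column_encryption_key_values AS v
  ON v.column_encryption_key_id = k.column_encryption_key_id;

-- From a connection WITHOUT "Column Encryption Setting=Enabled" (e.g. a DBA in SSMS),
-- SSN comes back as varbinary ciphertext, and a plaintext literal can be neither written
-- nor compared: the server raises an operand type clash for the encrypted column.
SELECT Id, Name, SSN FROM dbo.Customers;
-- INSERT INTO dbo.Customers (Name, SSN) VALUES (N'Test', '123-45-6789');  -- fails
-- SELECT Id FROM dbo.Customers WHERE SSN = '123-45-6789';                 -- fails

-- Only an enabled client driver (.NET 4.6+) that can reach the CMK unwraps the CEK and
-- encrypts the @ssn parameter on the client, so the server matches ciphertext to ciphertext:
-- SELECT Id, Name FROM dbo.Customers WHERE SSN = @ssn;   -- parameterized, never a literal
```

The "protect against whom" question is answered by the metadata queries: everything the server holds is either a location or a wrapped key, so a DBA with full server access still cannot produce plaintext.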


Row Level Security - Conclusions
* This is a very powerful feature, which gives pretty good security at the database level.
* It is still possible to expose data that violates the predicate rules.
* This feature is very flexible.
* In terms of performance it behaves like CROSS APPLY, so indexes should be designed according to the security function.
* It is best used behind an application, where the user cannot execute free-form queries.
* It is basically transparent to the application.
* It can save development time significantly.
(2017-01-25)

Always Encrypted - Conclusions
* This is my favorite feature among the three security features we mentioned.
* This is a very powerful feature, which gives perfect security against the DBA, which makes it very useful.
* It has very good performance compared to the other options, which involve encrypting the data on the application side.

Wrapping Up (recap of the three slides: Dynamic Data Masking, Security Policy / Row Level Security, and Always Encrypted)
Before SQL 2016 the demo table looked the same to everyone:
usercode  Salary  pass
Ronen     1111    a
Ronen     2222    b
Ariely    3333    d
IDNDUG    2222    e
Ariely    1111    g
With Always Encrypted the client sees SSN 1234, 2223, 9876 while the server holds 0x4a70f56, 0x4352d07.., 0x432a7f0; the cracker and hacker icons stand for the attackers each feature is meant to stop.
>> You can watch the part 1 recording at this link: https://www.youtube.com/watch?v=6yjsl9_sbhg
>> The demo code and the presentation file for part 1 are available to download from this link: https://gallery.technet.microsoft.com/implementing-dynamic-data-25903b12
>> Demo code and the presentation file for this part: https://gallery.technet.microsoft.com/implementing-new-Security-7362f178
