PASS SQL DBA Virtual Chapter
Wed, 7:00 PM - 8:00 PM GMT
Lecture by Ronen Ariely
Implementing new Security Features in SQL Server 2016, Part 2

SQL Server 2016 provides several new data security features, such as Always Encrypted, Dynamic Data Masking and Row-Level Security. These new features are a 'game changer' for developers, DBAs, and above all for architects who need to design applications and data platforms. These features increase security and reduce development time significantly. Features that are usually implemented on the application side can now be implemented on the server side, while encryption keys, which are usually stored on the server side, can be stored on the client side.

The lecture will be held in two parts. In this second part, we will explore the implementation of Row-Level Security and Always Encrypted, using the new built-in features in SQL Server 2016 and in older versions. We will discuss the benefits, the limitations, and how our data is actually secured using the new features.

RONEN ARIELY, SENIOR CONSULTANT & ARCHITECT, HTTP://ARIELY.INFO
About Ronen Ariely (Blog, website, Facebook, LinkedIn)
* Senior consultant and architect in the fields of application development and databases.
* More than 15 years of experience in a variety of programming languages and technologies, leading and managing development teams, and SQL & BI enterprise level solutions.
* Specialized in geophysics and seismic data analysis during Master's degree studies at Tel-Aviv University, Israel.
* Active in communities in the fields of programming, SQL Server and T-SQL.
* Served for several years as moderator at the MSDN Israel communities and at the MSDN Global communities (aka pituach).
* Writes technical blogs and TechNet WIKI articles; founder of the TechNet WIKI Ninjas groups on Facebook, and serves as one of the leaders.
* Has been awarded Microsoft Most Valuable Professional (MVP).
Agenda: SQL Server 2016 Security Features
1. Who are you - authentication
* Active Directory - central access management
* Contained database authentication
2. What can you see - access control
* Dynamic Data Masking
* Row-level security
* Auditing tracks access and changes
3. Securing secrets - encryption options
* Transparent Data Encryption
* Encryption in the database level by certificate, key, or password
* Backup encryption
* Always Encrypted
[Slide figure: a table of Id (1, 2, 3) and Credit Card # showing ******1234, ******5678, ******9012, beside a single row with Id 2 and Credit Card # 123456789]
Security - history
Database Security - a brief overview
* SQL Server 2000 and before - no native tools for encryption. Data-at-rest encryption could be done with 3rd party tools, or by encrypting the entire drive (TrueCrypt, etc.).
* Column Level Encryption (wrong name!) - introduced with SQL Server 2005. Should be named Value Level Encryption.
* Transparent Data Encryption (TDE) - introduced with SQL Server 2008. File level encryption.
* Certificate based transport encryption
* Dynamic Data Masking - NEW! Introduced with SQL Server 2016.
* Row Level Security - NEW! Introduced with SQL Server 2016.
* Always Encrypted - NEW! Introduced with SQL Server 2016. Real Column Level Encryption....
Dynamic Data Masking
Implementing (and cracking) new Security Features in SQL Server 2016, Part 1
Event page: http://dba.sqlpass.org/home.aspx?eventid=6479
Recording link: https://www.youtube.com/watch?v=6yjsl9_sbhg
Download demos code & presentation: https://gallery.technet.microsoft.com/implementing-Dynamic-Data-25903b12
Row Level Security
APPLY FINE-GRAINED ACCESS CONTROL TO TABLE ROWS BASED ON USERS' RIGHTS
Row Level Security: filter data at application level versus filter data at server level
[Slide diagram with the labels: Ronen.Ariely.info, App, Ariely.info, SQL Server 2016, Dynamic Data Masking]
Less development resources and much better security
Row Level Security: Security Policy
Row Level Security (RLS) allows us to control access to rows in a database table, based on a SECURITY POLICY, which is enforced by an inline table-valued function. RLS enables you to store data for many users in a single table, while at the same time restricting the rows based on a user's identity, role, or execution context.

DEMO
usercode  Salary  pass
Ronen     1111    a
Ronen     2222    b
Ariely    3333    d
IDNDUG    2222    e
Ariely    1111    g
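A security policy over the sample table above could be set up as follows. This is an added example, not the demo code from the presentation; the table name dbo.Salaries, the Security schema, the function and policy names, and the loginless test users are assumptions made for illustration.

```sql
-- Added example: object and user names are hypothetical; data is the slide's sample table.
CREATE TABLE dbo.Salaries (
    usercode sysname     NOT NULL,
    Salary   int         NOT NULL,
    pass     varchar(10) NOT NULL
);
INSERT INTO dbo.Salaries (usercode, Salary, pass) VALUES
    ('Ronen', 1111, 'a'), ('Ronen', 2222, 'b'), ('Ariely', 3333, 'd'),
    ('IDNDUG', 2222, 'e'), ('Ariely', 1111, 'g');
-- Index the column the predicate filters on, since the function is applied per row.
CREATE INDEX IX_Salaries_usercode ON dbo.Salaries (usercode);
GO
-- Test principals without logins, used only with EXECUTE AS below.
CREATE USER Ronen  WITHOUT LOGIN;
CREATE USER Ariely WITHOUT LOGIN;
GRANT SELECT, INSERT ON dbo.Salaries TO Ronen, Ariely;
GO
CREATE SCHEMA Security;
GO
-- Inline table-valued function: yields a row only when the table row
-- belongs to the database user running the statement.
CREATE FUNCTION Security.fn_UserPredicate (@usercode AS sysname)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS allowed
       WHERE @usercode = USER_NAME();
GO
-- FILTER hides rows on read; BLOCK ... AFTER INSERT rejects writes of rows
-- the writer would not be allowed to see.
CREATE SECURITY POLICY Security.SalaryPolicy
    ADD FILTER PREDICATE Security.fn_UserPredicate(usercode) ON dbo.Salaries,
    ADD BLOCK PREDICATE  Security.fn_UserPredicate(usercode) ON dbo.Salaries AFTER INSERT
    WITH (STATE = ON);
GO
-- Same query, two execution contexts: the policy decides which rows come back.
EXECUTE AS USER = 'Ronen';
SELECT usercode, Salary, pass FROM dbo.Salaries;
REVERT;
EXECUTE AS USER = 'Ariely';
SELECT usercode, Salary, pass FROM dbo.Salaries;
REVERT;
```

Because the predicate compares against USER_NAME(), the filter also applies to dbo; a policy meant for production needs an explicit rule for whoever administers the table.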
Always Encrypted
HELP PROTECT DATA AT REST AND IN MOTION WITH THE MASTER KEY RESIDING WITH THE APPLICATION & NO APPLICATION CHANGES REQUIRED
Protecting your house against break-ins can be achieved with proper security. 04/07/2016
But maybe your goal is to protect against a break-out from a prison?!?
Location: Springfield, season 16 of The Simpsons
Always Encrypted: Protect against whom?
Always Encrypted: Security Layer
[Slide diagram with the labels: App Service, Driver, App, Client; a plaintext SSN column (1234, 2223, 9876) shown beside an encrypted SSN column (0x4a70f56, 0x4352d07.., 0x432a7f0)]
Always Encrypted
.NET 4.6 and above!

Always Encrypted is a feature designed to protect sensitive data, stored in SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to SQL Server. As a result, Always Encrypted provides a separation between those who own the data (and can view it) and those who manage the data (but should have no access).

Always Encrypted makes encryption transparent to applications. An Always Encrypted-enabled driver installed on the client computer achieves this by automatically encrypting and decrypting sensitive data in the SQL Server client application. The driver encrypts the data in sensitive columns before passing the data to SQL Server, and automatically rewrites queries so that the semantics to the application are preserved. Similarly, the driver transparently decrypts data, stored in encrypted database columns, contained in query results.

* The above text is from MSDN
Always Encrypted: How it Works
* A Column Master Key certificate is stored on the application side, in the key store. It is used to protect the Column Encryption Key.
* The Column Master Key Definition is stored on the server. This element includes information about the location of the Column Master Key.
* The Column Encryption Key is stored on the server, but it is encrypted. This Column Encryption Key is used to encrypt/decrypt the data.
* But since SQL Server does not have the Column Master Key, it cannot use the Column Encryption Key to decrypt the data!
Always Encrypted: How it Works
The location of the key store is stored in the Column Master Key Definition on the server. Using the location information, the driver contacts the key store that contains the Column Master Key, in order to decrypt the encrypted Column Encryption Key value, which is stored on the server. It then uses the plaintext Column Encryption Key to encrypt the parameter.

DEMO
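The server-side half of this arrangement can be inspected through the catalog views. The query below is an added example, not part of the presentation's demo code; it uses only SQL Server 2016 system views and assumes nothing about table or key names.

```sql
-- Added example: inventory of what the server stores for Always Encrypted.
-- Run inside the user database. One row per encrypted column and per
-- stored Column Encryption Key value (a key can have two values while
-- its Column Master Key is being rotated).
SELECT
    SCHEMA_NAME(t.schema_id)         AS schema_name,
    t.name                           AS table_name,
    c.name                           AS column_name,
    c.encryption_type_desc           AS encryption_type,     -- DETERMINISTIC or RANDOMIZED
    c.encryption_algorithm_name      AS column_algorithm,
    cek.name                         AS column_encryption_key,
    cekv.encryption_algorithm_name   AS cek_wrap_algorithm,
    DATALENGTH(cekv.encrypted_value) AS wrapped_cek_bytes,   -- the CEK exists here only in encrypted form
    cmk.name                         AS column_master_key,
    cmk.key_store_provider_name      AS key_store_provider,
    cmk.key_path                     AS key_path             -- a location, not key material
FROM sys.columns AS c
JOIN sys.tables AS t
    ON t.object_id = c.object_id
JOIN sys.column_encryption_keys AS cek
    ON cek.column_encryption_key_id = c.column_encryption_key_id
JOIN sys.column_encryption_key_values AS cekv
    ON cekv.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
    ON cmk.column_master_key_id = cekv.column_master_key_id
WHERE c.encryption_type IS NOT NULL
ORDER BY schema_name, table_name, column_name, column_master_key;
```

The key_store_provider and key_path columns show where the driver will look for the Column Master Key, which makes the output a quick review of whether that key really lives outside the database server.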
Row Level Security: Conclusions
* This is a very powerful feature, which gives pretty good security at the database level.
* It is possible to expose data that violates the predicate rules.
* This feature is very flexible.
* It behaves similarly to CROSS APPLY in terms of performance, and we should use indexes according to the security function.
* It can be used behind an application, where the user cannot execute free queries.
* It's basically transparent to the application.
* It can save development time significantly.
2017-01-25
Always Encrypted: Conclusions
* This is my favorite feature among the three security features that we mentioned.
* This is a very powerful feature, which gives perfect security against the DBA, which makes it very useful.
* It has very good performance compared to other options, which include encrypting the data on the application side.
Wrapping Up
[Slide diagram with the labels: Dynamic Data Masking, Security Policy, Always Encrypted, Before SQL 2016, Client, Hacker, Cracker]
>> You can watch the part 1 recording at this link: https://www.youtube.com/watch?v=6yjsl9_sbhg
>> The demos code and the presentation file for part 1 are available to download from this link: https://gallery.technet.microsoft.com/implementing-dynamic-data-25903b12
Demos code and the presentation file: https://gallery.technet.microsoft.com/implementing-new-Security-7362f178