Kristina Rumpff: Securing Data on your Terms (DAT331)

Transcript of "Securing Data on your Terms" (DAT331) by Kristina Rumpff, Microsoft Ignite 2015, 39 slides.

Page 1

Spark the future.

Page 2

Kristina Rumpff
Securing Data on your Terms
DAT331

Page 3

Encryption

Page 4

Encryption Summary

SQL Server has a number of different options!
- Transparent Data Encryption

Why do we need encryption?
- Control over who can see what
- PII

Cloud computing has increased the need for encryption.

Page 5

Transparent Data Encryption

Page 6

[Diagram: where encryption can be applied, Database Level / Table Level / File Level, illustrated with two sample tables]

dbo.Patients
Name        SSN          Country
Jane Doe    198-33-0987  USA
Jim Gray    200-45-7569  USA
John Smith  374-29-0782  USA

dbo.Payment
Name        CardNumber
Jane Doe    2467-3874-8234-2245
Jim Gray    2467-8739-2834-7342
John Smith  3845-9384-8892-8234

Page 7

What is TDE

TDE encrypts data at rest.
This occurs at the file level.
Data within the database is still handled in plain text: TDE protects the database files on disk, not what a user with access to the database can read.

Page 8

Transparent Database Encryption Architecture

In SQL Server 2016 CTP2, the storage for memory-optimized tables will be encrypted as part of enabling TDE on the database. Simply follow the same steps as you would for a disk-based database.

Key hierarchy, from the operating system down to the user database:

Windows Operating System Level (Data Protection)
  DPAPI encrypts the Service Master Key.

SQL Server Instance Level: Service Master Key
  Created at the time of SQL Server setup.
  The Service Master Key encrypts the Database Master Key for the master database.

master Database Level: Database Master Key
  Statement: CREATE MASTER KEY ...
  The Database Master Key of the master database creates a certificate in the master database.
  Statement: CREATE CERTIFICATE ...

User Database Level: Database Encryption Key
  The certificate encrypts the Database Encryption Key in the user database.
  Statement: CREATE DATABASE ENCRYPTION KEY ...
  The entire user database is secured by the Database Encryption Key (DEK) of the user database by using transparent database encryption.
  Statement: ALTER DATABASE ... SET ENCRYPTION ON

Page 9

Considerations

Key management
- Backup
- History

Always On: you will need the same encryption key across all databases in the group.

TempDB: TempDB will be encrypted if any database on the instance is encrypted.
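The key hierarchy from the architecture slide and the backup point from the Considerations slide, carried through as one T-SQL script. This is an added example, not code from the session; the database name ClinicDB, the certificate name TDECert, the file paths and the passwords are placeholders to replace.

```sql
-- Added example (not from the slides): the TDE key hierarchy as a runnable
-- script, plus the certificate backup the Considerations slide asks for.
-- ClinicDB, TDECert, the paths and the passwords are placeholders.
USE master;
GO

-- 1. Database Master Key in master, protected by the Service Master Key
--    (which DPAPI protects at the operating system level).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO

-- 2. Certificate in master; the user database's DEK is wrapped with it.
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate for ClinicDB';
GO

-- 3. Key management: back up the certificate and its private key right away.
--    Without this backup the encrypted database and every backup taken of it
--    cannot be restored on another instance.
BACKUP CERTIFICATE TDECert
    TO FILE = 'C:\SecureBackup\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\SecureBackup\TDECert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>');
GO

-- 4. Database Encryption Key in the user database, encrypted by the certificate.
USE ClinicDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO

-- 5. Turn encryption on; a background scan encrypts the existing pages.
ALTER DATABASE ClinicDB SET ENCRYPTION ON;
GO

-- Verify: encryption_state 3 = encrypted, 2 = encryption in progress.
-- tempdb shows up here too, because it is encrypted as soon as any database
-- on the instance is (the TempDB consideration on the slide).
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       percent_complete
FROM sys.dm_database_encryption_keys;
```

To restore ClinicDB on another instance (an Always On replica, for example), that instance needs the same certificate first: CREATE CERTIFICATE ... FROM FILE with the backed-up private key, before RESTORE DATABASE will succeed.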

Page 10

Demo

Page 11

Cell Level Encryption

Page 12

What is Cell Level Encryption

A symmetric key is used to encrypt the data as it is inserted, and to decrypt it as it is read.
The end result is that the data is stored encrypted.
The database engine encrypts/decrypts.

Page 13

Considerations

Key management
- Backup
- History

Import/Export

The encrypt/decrypt is part of the SQL statement.
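The two Cell Level Encryption slides above, worked through in T-SQL: a symmetric key under a certificate, the encrypt call inside the INSERT and the decrypt call inside the SELECT. This is an added example, not code from the session; it assumes a fresh database, and the key, certificate and table names and the sample rows are constructed for the example.

```sql
-- Added example (not from the slides): cell-level encryption of an SSN column
-- with a symmetric key. Encrypt/decrypt is part of the SQL statement itself.
-- Key, certificate and table names are placeholders; rows are constructed.
USE ClinicDB;
GO

-- Key hierarchy: a Database Master Key protects a certificate, which protects
-- the symmetric key that actually encrypts the cells.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
CREATE CERTIFICATE PatientCert WITH SUBJECT = 'Protects the SSN symmetric key';
CREATE SYMMETRIC KEY SSNKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PatientCert;
GO

-- The SSN is stored as varbinary: the column holds ciphertext, not text.
CREATE TABLE dbo.Patients (
    PatientId     INT IDENTITY PRIMARY KEY,
    Name          NVARCHAR(100)  NOT NULL,
    SSN_Encrypted VARBINARY(256) NOT NULL,
    Country       CHAR(3)        NOT NULL
);
GO

-- The key must be opened in the session before EncryptByKey/DecryptByKey work.
OPEN SYMMETRIC KEY SSNKey DECRYPTION BY CERTIFICATE PatientCert;

-- Encryption happens inside the INSERT. The authenticator (the row's name)
-- binds the ciphertext to its row, so a ciphertext copied from one row into
-- another no longer decrypts.
INSERT INTO dbo.Patients (Name, SSN_Encrypted, Country)
VALUES (N'Jane Doe', EncryptByKey(Key_GUID('SSNKey'), '198-33-0987', 1, N'Jane Doe'), 'USA'),
       (N'Jim Gray', EncryptByKey(Key_GUID('SSNKey'), '200-45-7569', 1, N'Jim Gray'), 'USA');

-- Decryption happens inside the SELECT. A session that has not opened the key
-- (or lacks permission to open it) gets NULL back for this column.
SELECT Name,
       CONVERT(VARCHAR(11), DecryptByKey(SSN_Encrypted, 1, CONVERT(sysname, Name))) AS SSN,
       Country
FROM dbo.Patients;

-- EncryptByKey uses a random IV, so the same plaintext produces different
-- ciphertext each time. An equality search on the stored bytes therefore
-- cannot work: a lookup by SSN has to decrypt every row and cannot use an index.
SELECT Name
FROM dbo.Patients
WHERE CONVERT(VARCHAR(11), DecryptByKey(SSN_Encrypted, 1, CONVERT(sysname, Name))) = '200-45-7569';

CLOSE SYMMETRIC KEY SSNKey;
GO
```

The Import/Export consideration follows from the last query: exported data is ciphertext unless the export statement decrypts it, and imported rows have to go through EncryptByKey with the same key, so the key (and the certificate protecting it) must be backed up alongside the data.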

Page 14

[Diagram repeated from page 6: dbo.Patients and dbo.Payment sample tables, with Database Level / Table Level / File Level encryption scope]

Page 15

[Diagram: querying an encrypted SSN column. Trusted apps on the client side send ciphertext; SQL Server stores and matches ciphertext only.]

Help protect data at rest and in motion, on-premises & cloud

dbo.Patients (as the trusted application sees it)
Name        SSN          Country
Jane Doe    243-24-9812  USA
Jim Gray    198-33-0987  USA
John Smith  123-82-1095  USA

dbo.Patients (as stored in SQL Server: ciphertext)
Name        SSN           Country
Jane Doe    1x7fg655se2e  USA
Jim Gray    0x7ff654ae6d  USA
John Smith  0y8fj754ea2c  USA

Query sent by the trusted app (client side), with the parameter already encrypted:
  SELECT Name FROM Patients WHERE SSN=@SSN
  @SSN=0x7ff654ae6d

Result Set
Name
Jim Gray

Page 16

Demo

Page 17

Always Encrypted

Page 18

What is Always Encrypted?

A way to encrypt your data with minimal change to the application.
Data is encrypted in transit and at rest.

Page 19

[Diagram repeated from page 6: dbo.Patients and dbo.Payment sample tables, with Database Level / Table Level / File Level encryption scope]

Page 20

[Diagram: Always Encrypted query flow. Trusted apps on the client side hold the Column Master Key; the Enhanced ADO.NET Library encrypts parameters with the Column Encryption Key before they reach SQL Server, which only ever sees ciphertext.]

Help protect data at rest and in motion, on-premises & cloud

dbo.Patients (as the trusted application sees it)
Name        SSN          Country
Jane Doe    243-24-9812  USA
Jim Gray    198-33-0987  USA
John Smith  123-82-1095  USA

dbo.Patients (as stored in SQL Server: ciphertext)
Name        SSN           Country
Jane Doe    1x7fg655se2e  USA
Jim Gray    0x7ff654ae6d  USA
John Smith  0y8fj754ea2c  USA

Client side (Trusted Apps): the query as the application writes it
  SELECT Name FROM Patients WHERE SSN=@SSN
  @SSN='198-33-0987'

Enhanced ADO.NET Library (Column Master Key, Column Encryption Key) encrypts the parameter; the query SQL Server receives
  SELECT Name FROM Patients WHERE SSN=@SSN
  @SSN=0x7ff654ae6d

Result Set (decrypted by the library before the application sees it)
Name
Jim Gray

Page 21

Types of Encryption for Always Encrypted

Two types of encryption are available.

Randomized encryption uses a method that encrypts data in a less predictable manner.
  Encrypt('123-45-6789') = 0x17cfd50a
  Repeat: Encrypt('123-45-6789') = 0x9b1fcf32
  Allows for transparent retrieval of encrypted data but NO operations. More secure.

Deterministic encryption uses a method which always generates the same encrypted value for any given plain text value.
  Encrypt('123-45-6789') = 0x85a55d3f
  Repeat: Encrypt('123-45-6789') = 0x85a55d3f
  Allows for transparent retrieval of encrypted data AND equality comparison, e.g. in WHERE clauses and joins, DISTINCT, GROUP BY.

Page 22

Key Provisioning

Security Officer:
1. Generate CEKs and Master Key
2. Encrypt CEK
3. Store Master Key Securely
4. Upload Encrypted CEK to DB

Keys:
- Column Master Key (CMK): kept in the CMK Store, which is a Certificate Store, an HSM or Azure Key Vault
- Column Encryption Key (CEK): stored in the database only as the Encrypted CEK (encrypted by the CMK)
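The Types of Encryption and Key Provisioning slides as the T-SQL objects they describe: a Column Master Key entry that only records where the client can find the key, a Column Encryption Key uploaded in encrypted form, and a table with one deterministic and one randomized column. This is an added example, not code from the session; the CMK path, the ENCRYPTED_VALUE bytes, the database and table names are placeholders (the Security Officer normally generates and uploads these with SSMS or PowerShell rather than typing ciphertext by hand).

```sql
-- Added example (not from the slides): Always Encrypted key provisioning and
-- column definitions. ClinicDB, PatientCMK, PatientCEK, the key path and the
-- ENCRYPTED_VALUE bytes are placeholders.
USE ClinicDB;
GO

-- Steps 3 and 4 on the slide: the Column Master Key itself never enters the
-- database. The server stores only the provider name and the path the
-- client driver uses to find it.
CREATE COLUMN MASTER KEY PatientCMK
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<certificate thumbprint placeholder>'
);
GO

-- Step 2: the Column Encryption Key is uploaded only in encrypted form,
-- wrapped by the CMK with RSA-OAEP. The server cannot unwrap it and does not
-- validate it. The value below is a placeholder, not a real ciphertext.
CREATE COLUMN ENCRYPTION KEY PatientCEK
WITH VALUES (
    COLUMN_MASTER_KEY = PatientCMK,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00000000  -- placeholder
);
GO

-- Deterministic on SSN: equality lookups, joins, GROUP BY and DISTINCT work on
-- the ciphertext because equal plaintexts encrypt to equal bytes (a BIN2
-- collation is required). Randomized on CardNumber: retrievable, but no
-- server-side operations at all.
CREATE TABLE dbo.Patients (
    PatientId  INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    SSN        CHAR(11) COLLATE Latin1_General_BIN2
               ENCRYPTED WITH (
                   COLUMN_ENCRYPTION_KEY = PatientCEK,
                   ENCRYPTION_TYPE = DETERMINISTIC,
                   ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    CardNumber CHAR(19)
               ENCRYPTED WITH (
                   COLUMN_ENCRYPTION_KEY = PatientCEK,
                   ENCRYPTION_TYPE = RANDOMIZED,
                   ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL,
    Country    CHAR(3) NOT NULL
);
GO

-- What the server can and cannot do. From a plain connection (without
-- "Column Encryption Setting=Enabled") the first query returns ciphertext
-- bytes, and the second fails with an operand type clash: the server cannot
-- compare an encrypted column with a plaintext literal, only with a parameter
-- the enhanced driver has already encrypted (the slide's @SSN=0x7ff654ae6d).
SELECT Name, SSN FROM dbo.Patients;                       -- SSN comes back as varbinary ciphertext
SELECT Name FROM dbo.Patients WHERE SSN = '198-33-0987';  -- error: operand type clash

-- Catalog views confirm the provisioning without exposing any key material.
SELECT cmk.name AS cmk_name, cmk.key_store_provider_name, cmk.key_path,
       cek.name AS cek_name, cekv.encryption_algorithm_name
FROM sys.column_master_keys AS cmk
JOIN sys.column_encryption_key_values AS cekv
    ON cekv.column_master_key_id = cmk.column_master_key_id
JOIN sys.column_encryption_keys AS cek
    ON cek.column_encryption_key_id = cekv.column_encryption_key_id;
```

The catalog query is also the check for the Considerations slide that follows: an Always On replica or a restored copy of the database carries the CMK path and the encrypted CEK with it, but the application clients connecting to it still need access to the CMK at that path.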

Page 23

Example

[Diagram: sequence between the client (trusted) and SQL Server (untrusted) for one parameterized query; encryption metadata flows from the server, key material never leaves the client]

Client (Trusted) | SQL Server (Untrusted)

Application code:
  using (SqlCommand cmd = new SqlCommand("SELECT Name FROM Customers WHERE SSN = @SSN", conn))
  {
      cmd.Parameters.Add(new SqlParameter("@SSN", SqlDbType.VarChar, 11) { Value = "111-22-3333" });
      SqlDataReader reader = cmd.ExecuteReader();
  }

1. The Enhanced ADO.NET driver asks the server how the parameters must be encrypted:
  exec sp_describe_parameter_encryption @params = N'@SSN VARCHAR(11)', @tsql = N'SELECT * FROM Customers WHERE SSN = @SSN'

2. Encryption metadata returned for the parameter:
  Param: @SSN
  Encryption Type / Algorithm: DET / AES 256
  Encrypted CEK Value: (binary, not shown on the slide)
  CMK Store Provider Name: CERTIFICATE_STORE
  CMK Path: Current User/My/f2260…

3. The driver fetches the CMK from the CMK Store, decrypts the CEK into its Plaintext CEK Cache, encrypts the parameter value and sends the query:
  EXEC sp_executesql N'SELECT * FROM Customers WHERE SSN = @SSN', @params = N'@SSN VARCHAR(11)', @SSN=0x7ff654ae6d

4. Result set (ciphertext), with encryption metadata for the returned column:
  Name
  0x19ca706fbd9

  Param: @Name
  Encryption Type / Algorithm: Non-DET / AES 256
  Encrypted CEK Value: (binary, not shown on the slide)
  CMK Store Provider Name: CERTIFICATE_STORE
  CMK Path: Current User/My/f2260…

5. Result set (plaintext), after the driver decrypts the column with the cached CEK:
  Name
  Jim Gray

Page 24

Considerations

Key management
- The keys need to be backed up.
- Always On replicas need the same keys.
- The application client needs access to the key!

Page 25

Demo

Page 26

Row Level Security

Page 27

Benefits of row-level security

Fine-grained access control
Keeping multi-tenant databases secure by limiting access by other users who share the same tables.

Application transparency
RLS works transparently at query time, no app changes needed.
Compatible with RLS in other leading products.

Centralized security logic
Enforcement logic resides inside the database and is schema-bound to the table it protects, providing greater security. Reduced application maintenance and complexity.

Store data intended for many consumers in a single database/table while at the same time restricting row-level read & write access based on users' execution context.

Page 28

RLS Concepts

  CREATE SECURITY POLICY mySecurityPolicy
  ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime)
  ON dbo.patients

Predicate function
User-defined inline table-valued function (iTVF) implementing the security logic. Can be arbitrarily complicated, containing joins with other tables.

Security predicate
Applies a predicate function to a particular table (SEMIJOIN APPLY). Two types: filter predicates and blocking predicates.

Security policy
Collection of security predicates for managing security across multiple tables.

Page 29

Example

Fine-grained access control over rows in a table based on one or more pre-defined filtering criteria, e.g., user's role or clearance level in the organization.

Concepts:
- Predicate function
- Security policy

  -- Predicate function: schema binding requires two-part table names.
  CREATE FUNCTION dbo.fn_securitypredicate(@wing int)
  RETURNS TABLE WITH SCHEMABINDING AS
  RETURN SELECT 1 AS [fn_securitypredicate_result]
      FROM dbo.StaffDuties d INNER JOIN dbo.Employees e
          ON (d.EmpId = e.EmpId)
      WHERE e.UserSID = SUSER_SID()
        AND @wing = d.Wing;
  GO

  -- Security policy: binds the predicate to the Patients table's Wing column.
  CREATE SECURITY POLICY dbo.SecPol
  ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing)
  ON dbo.Patients
  WITH (STATE = ON);
  GO

Page 30

RLS in Three Steps

[Diagram: Database Policy Manager, Application (Nurse) and the Patients table, with the Security Policy and its Filter Predicate (INNER JOIN ...) sitting between the application and the table]

One: the Policy Manager creates the filter predicate and the security policy in T-SQL, binding the predicate to the Patients table (the CREATE FUNCTION dbo.fn_securitypredicate and CREATE SECURITY POLICY dbo.SecPol statements from page 29).

Two: an app user (e.g., a nurse) selects from the Patients table.
  SELECT * FROM Patients

Three: the Security Policy transparently rewrites the query to apply the filter predicate.

  Internal form shown on the slide (SEMIJOIN APPLY is the engine's representation, not user-typeable syntax):
  SELECT * FROM Patients SEMIJOIN APPLY dbo.fn_securitypredicate(patients.Wing);

  Equivalent query the engine evaluates:
  SELECT Patients.* FROM Patients, StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId) WHERE e.UserSID = SUSER_SID() AND Patients.wing = d.Wing;

Page 31

Create Security Policy

Creates a security policy for row level security. The following examples demonstrate the use of the CREATE SECURITY POLICY syntax. For an example of a complete security policy scenario, see Row Level Security.

  -- Create a new schema and predicate function, which will use the application
  -- user ID stored in CONTEXT_INFO to filter rows.
  CREATE SCHEMA rls;
  GO
  CREATE FUNCTION rls.fn_securitypredicate (@AppUserId int)
      RETURNS TABLE
      WITH SCHEMABINDING
  AS
      RETURN (SELECT 1 AS fn_securitypredicate_result
              WHERE DATABASE_PRINCIPAL_ID() = DATABASE_PRINCIPAL_ID('dbo') -- application context
                AND CONTEXT_INFO() = CONVERT(VARBINARY(128), @AppUserId));
  GO

  -- The following syntax creates a security policy with a filter predicate for
  -- the Customer table, and leaves the security policy disabled
  CREATE SECURITY POLICY [FederatedSecurityPolicy]
  ADD FILTER PREDICATE [rls].[fn_securitypredicate]([CustomerId])
  ON [dbo].[Customer];
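The RLS Concepts slide names two predicate types, filter and blocking, but the session's examples only show filter predicates. The following is an added example, not code from the session or from Microsoft's documentation, that combines a filter predicate with block predicates on a multi-tenant table and then checks the result by impersonating an application user. The rls schema, dbo.Customer, AppUser and fn_tenantpredicate are this example's own names, and it carries the tenant id in SESSION_CONTEXT rather than the CONTEXT_INFO the slide uses.

```sql
-- Added example (not from the slides): multi-tenant RLS with a filter
-- predicate (hides other tenants' rows on read) and block predicates (rejects
-- writes that would land in another tenant's rows). Names are placeholders;
-- rows are constructed.
CREATE SCHEMA rls;
GO

CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY PRIMARY KEY,
    TenantId   INT NOT NULL,
    Name       NVARCHAR(100) NOT NULL
);
INSERT INTO dbo.Customer (TenantId, Name)
VALUES (1, N'Jane Doe'), (1, N'Jim Gray'), (2, N'John Smith');
GO

-- Inline table-valued function, schema-bound so the table cannot be changed
-- out from under the policy. dbo (the policy manager) bypasses the check.
CREATE FUNCTION rls.fn_tenantpredicate(@TenantId INT)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_tenantpredicate_result
       WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS INT)
          OR DATABASE_PRINCIPAL_ID() = DATABASE_PRINCIPAL_ID('dbo');
GO

-- One policy, three predicates on the same table. Without the block
-- predicates a tenant could INSERT or UPDATE rows it can never read back.
CREATE SECURITY POLICY rls.TenantPolicy
    ADD FILTER PREDICATE rls.fn_tenantpredicate(TenantId) ON dbo.Customer,
    ADD BLOCK  PREDICATE rls.fn_tenantpredicate(TenantId) ON dbo.Customer AFTER INSERT,
    ADD BLOCK  PREDICATE rls.fn_tenantpredicate(TenantId) ON dbo.Customer AFTER UPDATE
WITH (STATE = ON, SCHEMABINDING = ON);
GO

-- The application user needs DML rights on the table only; it never needs
-- any permission on the predicate function or the policy.
CREATE USER AppUser WITHOUT LOGIN;
GRANT SELECT, INSERT, UPDATE ON dbo.Customer TO AppUser;
GO

-- Check: act as tenant 1 and run the same unfiltered statements the nurse on
-- the RLS in Three Steps slide would run.
EXEC sp_set_session_context @key = N'TenantId', @value = 1;
EXECUTE AS USER = 'AppUser';
    SELECT CustomerId, TenantId, Name FROM dbo.Customer;                         -- tenant 1 rows only: Jane Doe, Jim Gray
    INSERT INTO dbo.Customer (TenantId, Name) VALUES (1, N'New tenant 1 row');   -- allowed
    INSERT INTO dbo.Customer (TenantId, Name) VALUES (2, N'Other tenant row');   -- rejected by the AFTER INSERT block predicate
REVERT;
GO
```

The application sets the session context once per connection, before any query; since SESSION_CONTEXT is per session rather than per principal, it survives the EXECUTE AS impersonation used for the check above.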

Page 32

Demo

Page 33

Dynamic Data Masking

Page 34

Dynamic Data Masking
Prevent the abuse of sensitive data by hiding it from users

Configuration made easy in the new Azure portal
Policy-driven at the table and column level, for a defined set of users
Data masking applied in real-time to query results based on policy
Multiple masking functions available (e.g. full, partial) for various sensitive data categories (e.g. Credit Card Numbers, SSN, etc.)

Available in SQL Database and SQL Server 2016 CTP2

[Diagram: real-time data masking, partial masking applied to Table.CreditCardNo]
Table.CreditCardNo
4465-6571-7868-5796
4468-7746-3848-1978
4484-5434-6858-6550

Page 35

Masking Types

Default: full masking according to the data type of the designated field, e.g. a string will result in "XXXX".

Email: masking will expose the first letter of an email address and will end in ".com", e.g. aXXX@XXXX.com.

Custom String: will expose the first and last letter and add a custom padding string in the middle, e.g. KXXXa.

Random: for use only on numeric types. Will replace the original value with a random value within a specified range.
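The four mask types from the slide above, applied to one constructed table and then viewed first as a masked user and then after UNMASK is granted. This is an added example, not code from the session; the table, column and user names and the sample row are constructed for it, and it assumes a fresh database.

```sql
-- Added example (not from the slides): the four Dynamic Data Masking
-- functions on a constructed table. Names and the sample row are placeholders.
CREATE TABLE dbo.Customer (
    CustomerId   INT IDENTITY PRIMARY KEY,
    Name         NVARCHAR(100) MASKED WITH (FUNCTION = 'default()') NOT NULL,                  -- Default: string becomes XXXX
    Email        NVARCHAR(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,                    -- Email: aXXX@XXXX.com
    CreditCardNo CHAR(19) MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL, -- Custom String: keep the last 4
    CreditLimit  INT MASKED WITH (FUNCTION = 'random(1000, 9999)') NOT NULL                   -- Random: numeric only
);
INSERT INTO dbo.Customer (Name, Email, CreditCardNo, CreditLimit)
VALUES (N'Jane Doe', N'jane.doe@example.com', '4465-6571-7868-5796', 15000);
GO

-- A user with SELECT only sees masked values. The mask is applied to the
-- query result; the stored data is unchanged.
CREATE USER MaskedReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customer TO MaskedReader;
GO

EXECUTE AS USER = 'MaskedReader';
    SELECT Name, Email, CreditCardNo, CreditLimit FROM dbo.Customer;
    -- Name: xxxx   Email: jXXX@XXXX.com   CreditCardNo: XXXX-XXXX-XXXX-5796   CreditLimit: a random value in 1000..9999
REVERT;
GO

-- Caveat: masking is not encryption and not an access boundary. The masked
-- user can still use the real value in a predicate (the row below is returned
-- although CreditLimit is masked), so pair masking with permissions or RLS
-- for data that must not be inferred.
EXECUTE AS USER = 'MaskedReader';
    SELECT Name FROM dbo.Customer WHERE CreditLimit > 10000;
REVERT;
GO

-- Auditing the policy: which columns are masked, and how.
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;

-- Granting UNMASK lets a user see the real values without touching the data;
-- the same SELECT as above now returns the row unmasked.
GRANT UNMASK TO MaskedReader;
GO
```

In SQL Database the same masks are configured from the Azure portal the slide mentions; the MASKED WITH clause is what the portal generates.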

Page 36

Demo

Page 37

Complete your session evaluation on My Ignite for your chance to win one of many daily prizes.

Page 38

Continue your Ignite learning path

Visit Microsoft Virtual Academy for free online training: https://www.microsoftvirtualacademy.com
Visit Channel 9 to access a wide range of Microsoft training and event recordings: https://channel9.msdn.com/
Head to the TechNet Eval Centre to download trials of the latest Microsoft products: http://Microsoft.com/en-us/evalcenter/

Page 39

© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.