Transcript of Kristina Rumpff, "Securing Data on your Terms" (DAT331), a Microsoft Ignite session deck.
Spark the future.
Encryption
Encryption Summary
SQL Server has a number of different options!
- Transparent Data Encryption
Why do we need encryption?
- Control over who can see what
- PII
Cloud Computing has increased the need for encryption.
Transparent Data Encryption
dbo.Patients
Name        SSN          Country
Jane Doe    198-33-0987  USA
Jim Gray    200-45-7569  USA
John Smith  374-29-0782  USA

dbo.Payment
Name        CardNumber
Jane Doe    2467-3874-8234-2245
Jim Gray    2467-8739-2834-7342
John Smith  3845-9384-8892-8234

Encryption can apply at the Database Level, the Table Level or the File Level.
What is TDE
TDE encrypts data at rest. This occurs at the file level. Data within the database is stored in plain text.
In SQL Server 2016 CTP2, the storage for memory-optimized tables will be encrypted as part of enabling TDE on the database. Simply follow the same steps as you would for a disk-based database.
Transparent Database Encryption Architecture
Windows Operating System Level (Data Protection): DPAPI encrypts the Service Master Key.
SQL Server Instance Level: the Service Master Key, created at the time of SQL Server setup, encrypts the Database Master Key for the master database.
master Database Level: the Database Master Key of the master database creates a certificate in the master database.
    Statement: CREATE MASTER KEY…
    Statement: CREATE CERTIFICATE…
User Database Level: the certificate encrypts the Database Encryption Key in the user database. The entire user database is secured by the Database Encryption Key (DEK) of the user database by using transparent database encryption.
    Statement: CREATE DATABASE ENCRYPTION KEY…
    Statement: ALTER DATABASE… SET ENCRYPTION
Considerations
Key management
• Backup
• History
Always On: you will need the same encryption key across all db's in the group.
TempDB: the TempDB will be encrypted if any database on the instance is encrypted.
Demo
Cell Level Encryption
What is Cell Level Encryption
A symmetric key is used to encrypt the data as it is inserted, and to decrypt as it is read.
The end result is that the data is stored encrypted.
The database engine encrypts/decrypts.
Considerations
Key management
• Backup
• History
Import/Export
The encrypt/decrypt is part of the SQL statement.
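Cell level encryption of the SSN column of the deck's dbo.Patients table with a symmetric key, showing that the encrypt and decrypt calls are part of the statement and that the key must be open in the session. This is an added example, not code from the deck; the key, certificate and column names and the password are placeholders.

```sql
-- Key hierarchy inside the user database: DMK -> certificate -> symmetric key
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
CREATE CERTIFICATE SSNCert WITH SUBJECT = 'Protects the SSN symmetric key';
CREATE SYMMETRIC KEY SSNKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE SSNCert;
GO
-- Ciphertext column; the plaintext SSN column is dropped once data is migrated
ALTER TABLE dbo.Patients ADD SSN_Enc VARBINARY(256);
GO
-- The key has to be opened in the session before EncryptByKey/DecryptByKey work
OPEN SYMMETRIC KEY SSNKey DECRYPTION BY CERTIFICATE SSNCert;
UPDATE dbo.Patients SET SSN_Enc = EncryptByKey(Key_GUID('SSNKey'), SSN);
-- Reading back: DecryptByKey returns VARBINARY, so cast to the original type
SELECT Name, CONVERT(VARCHAR(11), DecryptByKey(SSN_Enc)) AS SSN
FROM dbo.Patients;
-- An equality lookup must decrypt every row, so no index on SSN_Enc can help
SELECT Name FROM dbo.Patients
WHERE CONVERT(VARCHAR(11), DecryptByKey(SSN_Enc)) = '198-33-0987';
CLOSE SYMMETRIC KEY SSNKey;
GO
-- Without the key open the decrypt silently yields NULL rather than an error,
-- which is worth checking for in application code
SELECT Name, DecryptByKey(SSN_Enc) AS SSN FROM dbo.Patients;
```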
Figure: Help protect data at rest and in motion, on-premises & cloud.
dbo.Patients as the trusted app sees it (plaintext):
Name        SSN          Country
Jane Doe    243-24-9812  USA
Jim Gray    198-33-0987  USA
John Smith  123-82-1095  USA
dbo.Patients as stored in SQL Server (ciphertext):
Name        SSN           Country
Jane Doe    1x7fg655se2e  USA
Jim Gray    0x7ff654ae6d  USA
John Smith  0y8fj754ea2c  USA
Query from the trusted app: SELECT Name FROM Patients WHERE SSN=@SSN
Parameter encrypted on the client side: @SSN=0x7ff654ae6d
Result set: Name = Jim Gray
Demo
Always Encrypted
What is Always Encrypted
A way to encrypt your data with minimal change to the application.
Data is encrypted in transit and at rest.
Figure: Help protect data at rest and in motion, on-premises & cloud.
The trusted app issues: SELECT Name FROM Patients WHERE SSN=@SSN with @SSN='198-33-0987'
The Enhanced ADO.NET library on the client side, holding the Column Encryption Key (protected by the Column Master Key), sends: SELECT Name FROM Patients WHERE SSN=@SSN with @SSN=0x7ff654ae6d
dbo.Patients as the trusted app sees it (plaintext):
Name        SSN          Country
Jane Doe    243-24-9812  USA
Jim Gray    198-33-0987  USA
John Smith  123-82-1095  USA
dbo.Patients as stored in SQL Server (ciphertext):
Name        SSN           Country
Jane Doe    1x7fg655se2e  USA
Jim Gray    0x7ff654ae6d  USA
John Smith  0y8fj754ea2c  USA
Result set, decrypted by the client library: Name = Jim Gray
Types of Encryption for Always Encrypted
Two types of encryption are available.
Randomized encryption uses a method that encrypts data in a less predictable manner.
    Encrypt('123-45-6789') = 0x17cfd50a
    Repeat: Encrypt('123-45-6789') = 0x9b1fcf32
    Allows for transparent retrieval of encrypted data but NO operations. More secure.
Deterministic encryption uses a method which always generates the same encrypted value for any given plain text value.
    Encrypt('123-45-6789') = 0x85a55d3f
    Repeat: Encrypt('123-45-6789') = 0x85a55d3f
    Allows for transparent retrieval of encrypted data AND equality comparison, e.g. in WHERE clauses and joins, distinct, group by.
Key Provisioning
Security Officer:
1. Generate CEKs and Master Key
2. Encrypt CEK
3. Store Master Key securely
4. Upload Encrypted CEK to DB
The Column Master Key (CMK) lives in a CMK Store: Certificate Store, HSM, Azure Key Vault, …
The Column Encryption Key (CEK) is encrypted by the CMK; only the Encrypted CEK is uploaded to the database.
Example: Client (trusted) and SQL Server (untrusted)
1. Application code, using the Enhanced ADO.NET library, passes the SSN as a plaintext parameter:
    using (SqlCommand cmd = new SqlCommand("SELECT Name FROM Customers WHERE SSN = @SSN", conn))
    {
        cmd.Parameters.Add(new SqlParameter("@SSN", SqlDbType.VarChar, 11) { Value = "111-22-3333" });
        SqlDataReader reader = cmd.ExecuteReader();
    }
2. The driver asks SQL Server for the encryption metadata of the parameters:
    exec sp_describe_parameter_encryption @params = N'@SSN VARCHAR(11)', @tsql = N'SELECT * FROM Customers WHERE SSN = @SSN'
   The database holds, per encrypted column, the encryption type/algorithm, the Encrypted CEK value, the CMK store provider name and the CMK path:
    Param   Encryption Type/Algorithm   Encrypted CEK Value   CMK Store Provider Name   CMK Path
    @SSN    DET / AES 256               …                     CERTIFICATE_STORE         Current User/My/f2260…
    @Name   Non-DET / AES 256           …                     CERTIFICATE_STORE         Current User/My/f2260…
3. The driver fetches the CMK from the CMK Store, decrypts the CEK into its Plaintext CEK Cache, encrypts the parameter and sends only ciphertext:
    EXEC sp_executesql N'SELECT * FROM Customers WHERE SSN = @SSN', @params = N'@SSN VARCHAR(11)', @SSN=0x7ff654ae6d
4. The result set comes back as ciphertext (Name = 0x19ca706fbd9) together with its encryption metadata, and the driver decrypts it to the plaintext result set (Name = Jim Gray).
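The server-side metadata behind key provisioning step 4 and the query flow above: a column master key pointing at the certificate store, a column encryption key holding only the CMK-encrypted value, a table with one DETERMINISTIC and one RANDOMIZED column, and a catalog query showing what the untrusted server actually knows. This is an added example, not code from the deck; key names, the certificate thumbprint and the ENCRYPTED_VALUE bytes are placeholders (in practice SSMS or the client provider computes the encrypted CEK).

```sql
CREATE COLUMN MASTER KEY CMK_Patients
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<certificate-thumbprint-placeholder>'
);
GO
-- The CEK ciphertext is produced on the client by wrapping a random key with the
-- CMK; the server stores it but can never unwrap it.
CREATE COLUMN ENCRYPTION KEY CEK_Patients
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Patients,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0170000001 /* placeholder; a real value is a few hundred bytes */
);
GO
-- DETERMINISTIC on SSN so WHERE SSN = @SSN still works (a _BIN2 collation is
-- required because the server compares ciphertext bytes); RANDOMIZED on the card
-- number, which is only ever read back, never searched or joined.
CREATE TABLE dbo.Patients (
    PatientId  INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    SSN        CHAR(11) COLLATE Latin1_General_BIN2
               ENCRYPTED WITH (ENCRYPTION_TYPE = DETERMINISTIC,
                               ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
                               COLUMN_ENCRYPTION_KEY = CEK_Patients) NOT NULL,
    CardNumber CHAR(19)
               ENCRYPTED WITH (ENCRYPTION_TYPE = RANDOMIZED,
                               ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
                               COLUMN_ENCRYPTION_KEY = CEK_Patients) NULL
);
GO
-- What the server knows: column -> CEK (encrypted value only) -> CMK location
SELECT c.name AS column_name, c.encryption_type_desc, cek.name AS cek,
       cmk.name AS cmk, cmk.key_store_provider_name, cmk.key_path
FROM sys.columns c
JOIN sys.column_encryption_keys cek
     ON c.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_encryption_key_values v
     ON v.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys cmk
     ON v.column_master_key_id = cmk.column_master_key_id
WHERE c.object_id = OBJECT_ID('dbo.Patients');
```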
Considerations
Key management: the keys need to be backed up. Always On replicas need the same keys.
The application client needs access to the key!
Demo
Row Level Security
Benefits of row-level security
Fine-grained access control: keeping multi-tenant databases secure by limiting access by other users who share the same tables.
Application transparency: RLS works transparently at query time, no app changes needed. Compatible with RLS in other leading products.
Centralized security logic: enforcement logic resides inside the database and is schema-bound to the table it protects, providing greater security. Reduced application maintenance and complexity.
Store data intended for many consumers in a single database/table while at the same time restricting row-level read & write access based on users' execution context.
RLS Concepts
Fine-grained access control over rows in a table based on one or more pre-defined filtering criteria, e.g., user's role or clearance level in organization.
Concepts:
Predicate function: user-defined inline table-valued function (iTVF) implementing security logic. Can be arbitrarily complicated, containing joins with other tables.
Security predicate: applies a predicate function to a particular table (SEMIJOIN APPLY). Two types: filter predicates and blocking predicates.
Security policy: collection of security predicates for managing security across multiple tables, e.g.
    CREATE SECURITY POLICY mySecurityPolicy
    ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime) ON dbo.patients
Example:
    -- Schema-bound functions must reference tables by two-part names
    CREATE FUNCTION dbo.fn_securitypredicate(@wing int)
    RETURNS TABLE WITH SCHEMABINDING AS
    RETURN SELECT 1 AS [fn_securitypredicate_result]
    FROM dbo.StaffDuties d INNER JOIN dbo.Employees e ON (d.EmpId = e.EmpId)
    WHERE e.UserSID = SUSER_SID() AND @wing = d.Wing;
    GO
    CREATE SECURITY POLICY dbo.SecPol
    ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON dbo.Patients
    WITH (STATE = ON);
RLS in Three Steps
One: the Database Policy Manager creates the filter predicate and security policy in T-SQL, binding the predicate to the Patients table:
    CREATE FUNCTION dbo.fn_securitypredicate(@wing int) RETURNS TABLE WITH SCHEMABINDING AS
    RETURN SELECT 1 AS [fn_securitypredicate_result] FROM dbo.StaffDuties d INNER JOIN dbo.Employees e ON (d.EmpId = e.EmpId)
    WHERE e.UserSID = SUSER_SID() AND @wing = d.Wing;
    GO
    CREATE SECURITY POLICY dbo.SecPol ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON dbo.Patients WITH (STATE = ON);
Two: an app user (e.g., a nurse) selects from the Patients table:
    SELECT * FROM Patients
Three: the security policy transparently rewrites the query to apply the filter predicate:
    SELECT * FROM Patients SEMIJOIN APPLY dbo.fn_securitypredicate(patients.Wing);
which evaluates as:
    SELECT Patients.* FROM Patients, StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId) WHERE e.UserSID = SUSER_SID() AND Patients.wing = d.Wing;
Create Security Policy
Creates a security policy for row level security. The following examples demonstrate the use of the CREATE SECURITY POLICY syntax. For an example of a complete security policy scenario, see Row Level Security.
    -- Create a new schema and predicate function, which will use the application user ID stored in CONTEXT_INFO to filter rows.
    CREATE SCHEMA rls;
    GO
    CREATE FUNCTION rls.fn_securitypredicate (@AppUserId int)
    RETURNS TABLE WITH SCHEMABINDING
    AS RETURN (SELECT 1 AS fn_securitypredicate_result WHERE
        DATABASE_PRINCIPAL_ID() = DATABASE_PRINCIPAL_ID('dbo') -- application context
        AND CONTEXT_INFO() = CONVERT(VARBINARY(128), @AppUserId));
    GO
    -- The following syntax creates a security policy with a filter predicate for the Customer table, and leaves the security policy disabled
    CREATE SECURITY POLICY [FederatedSecurityPolicy]
    ADD FILTER PREDICATE [rls].[fn_securitypredicate]([CustomerId])
    ON [dbo].[Customer]
    WITH (STATE = OFF);
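The nurse/wing policy from the RLS slides carried through end to end: constructed tables and users, the filter predicate, a BLOCK PREDICATE (the second predicate type the concepts slide names but the slides do not show) so that writes are policed as well as reads, and an EXECUTE AS check. This is an added example, not code from the deck. It keys the predicate on DATABASE_PRINCIPAL_ID() instead of the deck's SUSER_SID() so that it runs with loginless test users; the StaffDuties layout, user names and rows are constructed.

```sql
CREATE TABLE dbo.StaffDuties (PrincipalId INT NOT NULL, Wing INT NOT NULL);
CREATE TABLE dbo.Patients    (Name NVARCHAR(100) NOT NULL, Wing INT NOT NULL);
CREATE USER NurseA WITHOUT LOGIN;   -- constructed test principals
CREATE USER NurseB WITHOUT LOGIN;
GRANT SELECT, INSERT, UPDATE ON dbo.Patients TO NurseA, NurseB;
GO
INSERT dbo.StaffDuties VALUES (DATABASE_PRINCIPAL_ID('NurseA'), 1),
                              (DATABASE_PRINCIPAL_ID('NurseB'), 2);
INSERT dbo.Patients VALUES (N'Jane Doe', 1), (N'Jim Gray', 2), (N'John Smith', 1);
GO
-- Predicate function: schema-bound iTVF, so two-part table names are required
CREATE FUNCTION dbo.fn_securitypredicate(@wing INT)
RETURNS TABLE WITH SCHEMABINDING AS
RETURN SELECT 1 AS fn_securitypredicate_result
       FROM dbo.StaffDuties d
       WHERE d.PrincipalId = DATABASE_PRINCIPAL_ID() AND d.Wing = @wing;
GO
-- The filter predicate hides other wings' rows on read; the block predicates
-- reject an INSERT or UPDATE whose resulting Wing the caller could not see,
-- closing the gap where a user writes rows they would then be unable to read.
CREATE SECURITY POLICY dbo.SecPol
    ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON dbo.Patients,
    ADD BLOCK  PREDICATE dbo.fn_securitypredicate(Wing) ON dbo.Patients AFTER INSERT,
    ADD BLOCK  PREDICATE dbo.fn_securitypredicate(Wing) ON dbo.Patients AFTER UPDATE
WITH (STATE = ON);
GO
-- Check as NurseA: only wing 1 rows come back, and a wing 2 insert is refused
EXECUTE AS USER = 'NurseA';
SELECT Name, Wing FROM dbo.Patients;               -- Jane Doe, John Smith
BEGIN TRY
    INSERT dbo.Patients VALUES (N'Moved Patient', 2); -- fails on the block predicate
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
END CATCH;
REVERT;
GO
```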
Demo
Dynamic Data Masking
Prevent the abuse of sensitive data by hiding it from users.
Configuration made easy in the new Azure portal.
Policy-driven at the table and column level, for a defined set of users.
Data masking applied in real-time to query results based on policy.
Multiple masking functions available (e.g. full, partial) for various sensitive data categories (e.g. Credit Card Numbers, SSN, etc.).
Available in SQL Database and SQL Server 2016 CTP2.
Real-time data masking; partial masking of Table.CreditCardNo:
    4465-6571-7868-5796
    4468-7746-3848-1978
    4484-5434-6858-6550
Masking Types
Default: full masking according to the data type of the designated field, i.e. a string will result in "XXXX".
Email: masking will expose the first letter of an email address and will end in ".com", i.e. aXXX@XXXX.com
Custom String: will expose the first and last letter and adds a custom padding string in the middle, i.e. KXXXa
Random: for use only on numeric. Will replace the original value within a specified range.
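The four masking types applied to the deck's Payment sample data, with a check of what an unprivileged user sees and the catalog view that lists masked columns. This is an added example, not code from the deck; the table layout, the TestUser principal and the sample row are constructed.

```sql
CREATE TABLE dbo.Payment (
    Name         NVARCHAR(100),
    -- Custom string: keep the last 4 digits, pad the rest
    CreditCardNo VARCHAR(19)  MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)'),
    Email        VARCHAR(100) MASKED WITH (FUNCTION = 'email()'),
    SSN          CHAR(11)     MASKED WITH (FUNCTION = 'default()'),
    CreditLimit  INT          MASKED WITH (FUNCTION = 'random(1, 100)')
);
INSERT dbo.Payment VALUES
    (N'Jane Doe', '4465-6571-7868-5796', 'jane.doe@example.com', '198-33-0987', 5000);
GO
-- A mask can be added to an existing column without rewriting any data
ALTER TABLE dbo.Payment ALTER COLUMN Name ADD MASKED WITH (FUNCTION = 'partial(1,"XXXX",1)');
GO
CREATE USER TestUser WITHOUT LOGIN;   -- constructed, has SELECT but not UNMASK
GRANT SELECT ON dbo.Payment TO TestUser;
GO
-- As TestUser the row comes back masked:
--   Name JXXXXe, CreditCardNo XXXX-XXXX-XXXX-5796, Email jXXX@XXXX.com,
--   SSN fully masked, CreditLimit a random number between 1 and 100
EXECUTE AS USER = 'TestUser';
SELECT Name, CreditCardNo, Email, SSN, CreditLimit FROM dbo.Payment;
REVERT;
GO
-- Which columns are masked, and with which function
SELECT name, masking_function
FROM sys.masked_columns
WHERE object_id = OBJECT_ID('dbo.Payment') AND is_masked = 1;
-- UNMASK lifts the mask for a principal. Masking is a presentation control, not
-- encryption: the column is stored in plaintext, and a user who can run ad hoc
-- queries can still filter on the real value, so it complements the encryption
-- options above rather than replacing them.
GRANT UNMASK TO TestUser;
```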
Demo
Complete your session evaluation on My Ignite for your chance to win one of many daily prizes.
Continue your Ignite learning path:
Visit Microsoft Virtual Academy for free online training: https://www.microsoftvirtualacademy.com
Visit Channel 9 to access a wide range of Microsoft training and event recordings: https://channel9.msdn.com/
Head to the TechNet Eval Centre to download trials of the latest Microsoft products: http://Microsoft.com/en-us/evalcenter/
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.