SQL Server 2016 Security - download.microsoft.com · in SQL Database is handled by the service. To...

Data Platform Airlift, 21 October \\ Microsoft Lisbon Experience. SQL Server 2016 Security: 3 wishes were satisfied. Luís Canastreiro, Microsoft. http://blogs.msdn.com/blogdoezequiel

Page 1: Title slide (event, title, speaker and blog as above)

Page 2: Agenda

• Row Level Security (RLS)
• Dynamic Data Masking (DDM)
• Always Encrypted

Azure SQL Database
• Cell Level Encryption
• Auditing
• TDE
• Dynamic Data Masking

Page 3: Security Investments

Encryption: Always Encrypted; TDE for SQL DB; TDE Perf; CLE for SQL DB; Enhancements to Crypto

Auditing: Enhancements to SQL Audit

Row-level Security; Dynamic Data Masking

Page 5: Azure SQL DB vs SQL Server (on prem)

• In Azure, the key hierarchy is no longer rooted in an instance-specific Service Master Key (SMK). Instead, the root is a certificate controlled and managed by the Azure SQL Database service, so key management is reduced to the database-scoped key hierarchy (database master key, certificates and symmetric keys that live inside the database).

Page 8: Row-Level Security: Customer Benefit

Fine-grained Access Control: keeping multi-tenant databases secure by limiting access by other users who share the same tables.

Application Transparency: RLS works transparently at query time, no app changes needed. Compatible with RLS in other leading products.

Centralized Security Logic: enforcement logic resides inside the database and is schema-bound to the table it protects, providing greater security. Reduced application maintenance and complexity.

Store data intended for many consumers in a single database/table while at the same time restricting row-level read & write access based on users' execution context.

Page 9: RLS Concepts

Predicate function
• User-defined inline table-valued function (iTVF) implementing the security logic
• Can be arbitrarily complicated, containing joins with other tables

Security predicate
• Binds a predicate function to a particular table (applied as a SEMIJOIN APPLY)
• Two types: filter predicates (silently filter the rows visible to SELECT, UPDATE and DELETE) and block predicates (raise an error on INSERT, UPDATE or DELETE operations that would violate the predicate)

Security policy
• Collection of security predicates for managing security across multiple tables

CREATE SECURITY POLICY mySecurityPolicy
ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime) ON dbo.patients

Page 10: How It Works

Policy manager (T-SQL; referenced tables must be two-part names because the function is schema-bound):

CREATE FUNCTION dbo.fn_securitypredicate(@wing int)
RETURNS TABLE WITH SCHEMABINDING AS
RETURN SELECT 1 AS [fn_securitypredicate_result]
FROM dbo.StaffDuties d INNER JOIN dbo.Employees e ON (d.EmpId = e.EmpId)
WHERE e.UserSID = SUSER_SID() AND @wing = d.Wing;

CREATE SECURITY POLICY dbo.SecPol
ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON dbo.Patients
WITH (STATE = ON);

1) Policy manager creates the filter predicate and security policy in T-SQL, binding the predicate to the Patients table.

2) App user (e.g., a nurse) selects from the Patients table:

SELECT * FROM Patients;

3) The security policy transparently rewrites the query to apply the filter predicate:

SELECT * FROM Patients
SEMIJOIN APPLY dbo.fn_securitypredicate(Patients.Wing);

which is equivalent to:

SELECT Patients.* FROM Patients,
StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId)
WHERE e.UserSID = SUSER_SID() AND Patients.Wing = d.Wing;
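The Page 10 walkthrough end to end, as an added example that is not part of the original deck. It keeps the deck's Patients / StaffDuties / Employees shape and adds the block predicate Page 9 mentions, but keys the predicate on USER_NAME() instead of SUSER_SID() so the script runs with database users created WITHOUT LOGIN (SUSER_SID('Nurse2') would be NULL for such a user). Sample rows are constructed, and every column other than Wing and EmpId is an assumed name.

```sql
-- Added example, not from the deck. Run in a scratch database on SQL Server 2016+ / Azure SQL DB.
CREATE TABLE dbo.Employees (
    EmpId    int     NOT NULL PRIMARY KEY,
    UserName sysname NOT NULL UNIQUE        -- assumed: database user name, matched by USER_NAME()
);
CREATE TABLE dbo.StaffDuties (
    EmpId int NOT NULL REFERENCES dbo.Employees(EmpId),
    Wing  int NOT NULL
);
CREATE TABLE dbo.Patients (
    PatientId int           NOT NULL PRIMARY KEY,
    Name      nvarchar(100) NOT NULL,       -- assumed column
    Wing      int           NOT NULL
);
GO
-- Users without logins are enough to exercise the policy locally.
CREATE USER Nurse1 WITHOUT LOGIN;
CREATE USER Nurse2 WITHOUT LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Patients TO Nurse1, Nurse2;
GO
-- Constructed sample data: Nurse1 covers wing 1, Nurse2 covers wings 2 and 3.
INSERT dbo.Employees (EmpId, UserName) VALUES (1, N'Nurse1'), (2, N'Nurse2');
INSERT dbo.StaffDuties (EmpId, Wing) VALUES (1, 1), (2, 2), (2, 3);
INSERT dbo.Patients (PatientId, Name, Wing) VALUES
    (100, N'Patient A', 1), (101, N'Patient B', 2), (102, N'Patient C', 3);
GO
-- Predicate function: schema-bound inline TVF, exactly the shape on the slide.
CREATE FUNCTION dbo.fn_securitypredicate(@Wing int)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_securitypredicate_result
       FROM dbo.StaffDuties d
       INNER JOIN dbo.Employees e ON d.EmpId = e.EmpId
       WHERE e.UserName = USER_NAME() AND d.Wing = @Wing;
GO
-- FILTER hides rows from SELECT/UPDATE/DELETE. A filter alone would still let a
-- nurse INSERT a row into a wing she does not cover (she just would not see it
-- afterwards); BLOCK ... AFTER INSERT turns that into an error instead.
CREATE SECURITY POLICY dbo.SecPol
    ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON dbo.Patients,
    ADD BLOCK  PREDICATE dbo.fn_securitypredicate(Wing) ON dbo.Patients AFTER INSERT
WITH (STATE = ON, SCHEMABINDING = ON);
GO
-- Test as Nurse2: only wings 2 and 3 are visible, and the write is rejected.
EXECUTE AS USER = 'Nurse2';
SELECT PatientId, Name, Wing FROM dbo.Patients;                              -- 101 and 102 only
INSERT dbo.Patients (PatientId, Name, Wing) VALUES (103, N'Patient D', 1);  -- error: block predicate conflict
UPDATE dbo.Patients SET Name = N'x' WHERE PatientId = 100;                  -- 0 rows: filtered, not an error
REVERT;
GO
-- The policy is not bypassed by dbo: with no StaffDuties row, the owner sees nothing.
SELECT COUNT(*) AS visible_to_dbo FROM dbo.Patients;                        -- 0
```

Two practitioner checks worth keeping in mind: the policy applies to every principal, including dbo and db_owner members, so an administrator who needs full access must either be mapped in StaffDuties or temporarily set STATE = OFF (an auditable change); and a filter predicate is not an encryption boundary, since a user who can craft arbitrary queries against the table can still probe hidden rows through side channels such as error-raising expressions, so RLS should be combined with parameterized, app-controlled queries rather than ad-hoc SQL access.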

Page 11: Common RLS Use Cases

Traditional RLS workloads

• Custom business logic to determine which rows each user can SELECT, INSERT, UPDATE, DELETE based on their role, department, security level, etc.

• Target sectors: Finance, insurance, healthcare, oil/gas, Federal, etc.

Multi-tenant databases

• Ensuring tenants can only access their own rows of data in a shared database, with enforcement logic in the database rather than in the app tier

• E.g. multi-tenant shards with elastic database tools on Azure SQL Database

Reporting, analytics, data warehousing

• Different users access same database through various reporting tools, and work with different subsets of data based on their identity/role

Page 14: Dynamic Data Masking: Customer Benefit

Regulatory Compliance

Sensitive Data Protection

Agility and Transparency: data is masked on-the-fly, the underlying data in the database remains intact. Transparent to the application and applied according to user privilege.

Limit access to sensitive data by defining policies to obfuscate specific database fields, without affecting the integrity of the database.

Page 15: How It Works

ALTER TABLE [Employee] ALTER COLUMN [SocialSecurityNumber]
ADD MASKED WITH (FUNCTION = 'Partial(0,"XXX-XX-",2)');

ALTER TABLE [Employee] ALTER COLUMN [Email]
ADD MASKED WITH (FUNCTION = 'EMAIL()');

ALTER TABLE [Employee] ALTER COLUMN [Salary]
ADD MASKED WITH (FUNCTION = 'RANDOM(1,20000)');

GRANT UNMASK TO admin1;

1) Security officer defines the dynamic data masking policy in T-SQL over the sensitive columns of the Employee table.

2) App user selects from the Employee table:

SELECT [Name],
[SocialSecurityNumber],
[Email],
[Salary]
FROM [Employee];

3) The dynamic data masking policy obfuscates the sensitive data in the query results: the SSN keeps only its last two digits behind the "XXX-XX-" prefix, the email keeps only its first letter, and the salary is replaced by a random value between 1 and 20000. A principal that holds UNMASK (admin1 above) sees the real values.
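The Page 15 masks as a runnable script, with a reader that only sees masked output and the inference queries that masking does not stop. This is an added example, not from the deck; the table layout, column types and rows are constructed, and the user name Reader is assumed.

```sql
-- Added example, not from the deck. The masks are declared inline here; the
-- ALTER TABLE ... ADD MASKED form on the slide is equivalent.
CREATE TABLE dbo.Employee (
    EmployeeId           int           NOT NULL PRIMARY KEY,
    Name                 nvarchar(100) NOT NULL,
    SocialSecurityNumber char(11)      NOT NULL MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",2)'),
    Email                varchar(100)  NOT NULL MASKED WITH (FUNCTION = 'email()'),
    Salary               money         NOT NULL MASKED WITH (FUNCTION = 'random(1,20000)')
);
-- Constructed sample rows.
INSERT dbo.Employee (EmployeeId, Name, SocialSecurityNumber, Email, Salary) VALUES
    (1, N'Alice', '123-45-6789', 'alice@contoso.com', 95000),
    (2, N'Bob',   '987-65-4321', 'bob@contoso.com',   52000);
GO
CREATE USER Reader WITHOUT LOGIN;
GRANT SELECT ON dbo.Employee TO Reader;
GO
-- Step 2/3 of the slide: a plain reader gets masked projections.
EXECUTE AS USER = 'Reader';
SELECT Name, SocialSecurityNumber, Email, Salary FROM dbo.Employee;
--   Alice  XXX-XX-89  aXXX@XXXX.com  <random 1..20000>
--   Bob    XXX-XX-21  bXXX@XXXX.com  <random 1..20000>
REVERT;
GO
-- Caveat: the mask is applied to the result set, not to predicates. The same
-- reader can still evaluate filters against the true values and bracket them,
-- so DDM limits incidental exposure; it is not a control against a malicious
-- principal who can run arbitrary SELECTs (use Always Encrypted or RLS for that).
EXECUTE AS USER = 'Reader';
SELECT Name FROM dbo.Employee WHERE Salary > 90000;                     -- Alice
SELECT Name FROM dbo.Employee WHERE SocialSecurityNumber LIKE '123%';   -- Alice
SELECT Name FROM dbo.Employee WHERE Email = 'bob@contoso.com';          -- Bob
REVERT;
GO
-- Only UNMASK (database-wide in SQL Server 2016, not per column) reveals real values.
GRANT UNMASK TO Reader;
EXECUTE AS USER = 'Reader';
SELECT Name, SocialSecurityNumber, Email, Salary FROM dbo.Employee;   -- plaintext now
REVERT;
-- Audit who holds it: 
SELECT pr.name FROM sys.database_permissions p
JOIN sys.database_principals pr ON pr.principal_id = p.grantee_principal_id
WHERE p.permission_name = 'UNMASK' AND p.state = 'G';
```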

Page 18: Always Encrypted: Customer Benefit

Prevents Data Disclosure: client-side encryption of sensitive data using keys that are never given to the database system.

Queries on Encrypted Data: support for equality comparison, incl. join, group by and distinct operators.

Application Transparency: minimal application changes via server and client library enhancements.

Allows customers to securely store sensitive data outside of their trust boundary. Data remains protected from high-privileged, yet unauthorized users.

Page 19: How it Works

Client side (ADO.NET): the application issues "SELECT Name FROM Customers WHERE SSN = @SSN" with @SSN = "111-22-3333". The enhanced ADO.NET driver encrypts the parameter before it leaves the client, so SQL Server or SQL Database receives "SELECT Name FROM Customers WHERE SSN = @SSN" with @SSN = 0x7ff654ae6d (ciphertext).

Server side: dbo.Customers holds ciphertext, e.g.

Name            SSN           Country
0x19ca706fbd9a  0x7ff654ae6d  USA

The server compares the encrypted parameter with the encrypted SSN column and returns a result set whose Name is the ciphertext 0x19ca706fbd9a; the driver decrypts it, and the application sees Name = Wayne Jefferson.

Encrypted sensitive data and the corresponding keys are never seen in plaintext inside the SQL Server trust boundary.

Page 20: Types of Encryption

Randomized encryption
• Encrypt('123-45-6789') = 0x17cfd50a
• Repeat: Encrypt('123-45-6789') = 0x9b1fcf32
• Allows for transparent retrieval of encrypted data but NO operations
• More secure

Deterministic encryption
• Encrypt('123-45-6789') = 0x85a55d3f
• Repeat: Encrypt('123-45-6789') = 0x85a55d3f
• Allows for transparent retrieval of encrypted data AND equality comparison
• E.g. in WHERE clauses and joins, distinct, group by
• Less secure: equal plaintexts produce equal ciphertexts, so anyone who can read the table sees which rows share a value; avoid it for low-entropy columns (country, gender, yes/no flags) where frequency analysis recovers the plaintext without the key

Page 21: Key Provisioning

Security officer:
1. Generate CEKs (Column Encryption Keys) and a Master Key (Column Master Key, CMK)
2. Encrypt each CEK with the CMK
3. Store the Master Key securely
4. Upload the encrypted CEK to the database

CMK store:
• Certificate Store
• HSM
• Azure Key Vault
• …

Database: holds only the encrypted CEK (plus metadata describing where the CMK lives), never the CMK itself.
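The Page 21 key hierarchy expressed as the T-SQL metadata that step 4 uploads, together with the dbo.Customers table from Page 19 declared with both encryption types from Page 20. This is an added example, not from the deck. The certificate thumbprint in KEY_PATH and the ENCRYPTED_VALUE blob are placeholders: the real blob is the 32-byte CEK wrapped with the CMK (RSA-OAEP) on the client by SSMS or the SqlServer PowerShell module, and the server stores it opaquely without being able to validate it.

```sql
-- Added example, not from the deck. Key names, thumbprint and CEK blob are placeholders.

-- Steps 3/4: tell the database WHERE the CMK lives. This is metadata only; no key
-- material is uploaded, and the server never needs the certificate's private key.
CREATE COLUMN MASTER KEY CMK_Customers
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/0123456789ABCDEF0123456789ABCDEF01234567'  -- placeholder thumbprint
);
GO

-- Step 4: upload the CEK ciphertext. Placeholder value; a real one is a few hundred
-- bytes of CMK-wrapped key produced client-side.
CREATE COLUMN ENCRYPTION KEY CEK_Customers
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Customers,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x017000000100   -- placeholder, not a real wrapped CEK
);
GO

-- Name is only ever returned to the client, so RANDOMIZED (no leakage of repeats).
-- SSN is used in WHERE SSN = @SSN, so DETERMINISTIC, which for string columns
-- requires a binary (BIN2) collation. Country stays plaintext: low entropy and
-- not sensitive, and a deterministic mask on it would be trivially frequency-analysed.
CREATE TABLE dbo.Customers (
    CustomerId int NOT NULL PRIMARY KEY,
    Name nvarchar(60)
        ENCRYPTED WITH (ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
                        COLUMN_ENCRYPTION_KEY = CEK_Customers) NOT NULL,
    SSN char(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
                        COLUMN_ENCRYPTION_KEY = CEK_Customers) NOT NULL,
    Country varchar(40) NOT NULL
);
GO

-- What the server can and cannot do with these columns:
--   SELECT Name FROM dbo.Customers WHERE SSN = @SSN;
-- works only from a connection with "Column Encryption Setting=Enabled" and a
-- parameterized @SSN (the Page 19 flow): the driver encrypts the parameter and the
-- server compares ciphertext with ciphertext. The same query with an inline literal
-- ('111-22-3333'), or any ORDER BY / LIKE / range / equality on the RANDOMIZED Name
-- column, fails with an operand type clash, because the server holds no key.

-- Inventory of what the database actually stores for the hierarchy.
SELECT cmk.name AS cmk, cmk.key_store_provider_name, cmk.key_path,
       cek.name AS cek, v.encryption_algorithm_name,
       DATALENGTH(v.encrypted_value) AS cek_blob_bytes
FROM sys.column_master_keys AS cmk
JOIN sys.column_encryption_key_values AS v ON v.column_master_key_id = cmk.column_master_key_id
JOIN sys.column_encryption_keys AS cek ON cek.column_encryption_key_id = v.column_encryption_key_id;

-- And which columns are protected, and how.
SELECT OBJECT_NAME(c.object_id) AS [table], c.name AS [column], c.encryption_type_desc
FROM sys.columns AS c
WHERE c.column_encryption_key_id IS NOT NULL;
```

The split of trust is visible in the catalog views: sys.column_master_keys holds a provider name and a path, sys.column_encryption_key_values holds a blob the server cannot open, and a DBA who can read every one of these rows still cannot decrypt a single SSN. Rotating the CMK is done client-side by re-wrapping the CEK and adding a second value to the CEK before dropping the old one, which is why CEK_Customers is declared WITH VALUES (plural).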

Page 29: TDE for Azure SQL Database: General Availability since 14 October 2015

• TDE for Azure SQL Database is based on SQL Server TDE technology, which encrypts the storage of an entire database by using an industry-standard AES-256 symmetric key called the database encryption key (DEK). SQL Database protects this database encryption key with a service-managed certificate. All key management for database copying, geo-replication, and database restores anywhere in SQL Database is handled by the service. To enable it on your database, in the Azure preview portal, click ON, and then click Save.

• Transparent Data Encryption for Azure SQL Database is built on the Transparent Data Encryption feature that has been running reliably in SQL Server since 2008. Updates to this core technology include support for Intel AES-NI hardware acceleration of encryption, which reduces the overhead of turning on Transparent Data Encryption.

Page 31: Enable TDE (SQL Server Management Studio)

-- CREATE DEK based on a SERVER CERTIFICATE (not mandatory on Azure SQL Database,
-- where the service creates the DEK and owns ##MS_TdeCertificate##)
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE ##MS_TdeCertificate##;

-- Check DEK list
SELECT * FROM sys.dm_database_encryption_keys;

-- Enable TDE
ALTER DATABASE AIRLIFT SET ENCRYPTION ON;
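The same procedure on an on-premises SQL Server 2016 instance, where nobody manages the certificate for you, as an added example that is not from the deck. It adds the two steps the Azure-centric snippet on Page 31 can skip: creating the certificate under a master key in master, and backing it up before encryption starts. The database name AIRLIFT is taken from the slide; file paths and passwords are placeholders.

```sql
-- Added example, not from the deck. Placeholders: passwords and C:\keys paths.
USE master;
GO
-- The database master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'placeholder-strong-dmk-password';
GO
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate for AIRLIFT';
GO
-- Back up the certificate AND its private key before encrypting. Without this
-- pair, the database and every backup taken after SET ENCRYPTION ON cannot be
-- restored on any other instance; losing it is a data-loss event, not a lockout.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\keys\TdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\TdeCert.pvk',
                      ENCRYPTION BY PASSWORD = 'placeholder-strong-pvk-password');
GO
USE AIRLIFT;
GO
-- Same statement as the slide, pointing at our own certificate instead of the
-- Azure service certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE AIRLIFT SET ENCRYPTION ON;
GO
-- Progress check. encryption_state: 1 = unencrypted, 2 = encryption in progress,
-- 3 = encrypted, 5 = decryption in progress. tempdb shows up as state 3 too once
-- any user database is encrypted, because it is encrypted automatically.
SELECT DB_NAME(k.database_id) AS db, k.encryption_state, k.percent_complete,
       k.key_algorithm, k.key_length, k.encryptor_thumbprint
FROM sys.dm_database_encryption_keys AS k;
GO
-- Which certificate protects which DEK, for the restore runbook.
SELECT c.name, c.thumbprint, c.expiry_date, c.pvt_key_last_backup_date
FROM master.sys.certificates AS c
WHERE c.thumbprint IN (SELECT encryptor_thumbprint FROM sys.dm_database_encryption_keys);
```

Two caveats a practitioner should attach to this slide: TDE is at-rest protection only (pages and backups are encrypted, but every query sees plaintext, so it does nothing against a compromised login or a DBA), and pvt_key_last_backup_date being NULL on the certificate is the single most common TDE operational failure found in reviews.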

Page 33: Overview of Encryption Technologies

Capability                            Always Encrypted      Transparent Data Encryption   Cell-level Encryption     "Ad-hoc" Client-side Encryption
Level of protection                   End-to-end            At-rest                       At-rest                   End-to-end
Can server see sensitive data?        No                    Yes                           Yes                       No
T-SQL operations on encrypted data    Equality comparison   All (after decryption)        All (after decryption)    Possible with the appropriate encryption algo
App development cost to use feature   Low                   Very low                      High                      Very High
Encryption granularity                Column                Database                      Cell                      Cell

Page 35: Azure Active Directory Authentication

Central ID Management: provides an alternative to SQL authentication, helps stop the proliferation of user identities across database servers, password rotation in a single place.

Simplified Permission Management: customers can manage database permissions using external (AAD) groups.

Can Eliminate Storing Passwords: enables integrated Windows authentication and certificate-based authentication.

Giving customers a single place to manage SQL Database users and their permissions.
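What the "external (AAD) groups" point looks like in T-SQL, as an added example that is not from the deck. It assumes an Azure SQL Database whose logical server already has an Azure AD admin configured, a session opened as that admin (for example with Authentication=Active Directory Password in the ADO.NET connection string), and placeholder identity and group names.

```sql
-- Added example, not from the deck. Identity and group names are placeholders.
-- Contained users mapped to Azure AD principals: no password ever lands in SQL.
CREATE USER [alice@contoso.com] FROM EXTERNAL PROVIDER;   -- an individual
CREATE USER [SQL-Readers]       FROM EXTERNAL PROVIDER;   -- an Azure AD group
GO
-- Grant to the group, not to people: membership changes happen in Azure AD,
-- and nothing needs to be touched in the database when someone joins or leaves.
ALTER ROLE db_datareader ADD MEMBER [SQL-Readers];
ALTER ROLE db_datawriter ADD MEMBER [alice@contoso.com];
GO
-- Verify: type E = external user, X = external group; authentication is EXTERNAL,
-- so sys.database_principals carries no password hash for these rows.
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE type IN ('E', 'X');
GO
-- Offboarding is a single DROP per identity, with no orphaned login on the server.
DROP USER [alice@contoso.com];
```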
