Data Platform Airlift, 21 October, Microsoft Lisbon Experience
SQL Server 2016 Security: 3 wishes were satisfied
Luís Canastreiro, Microsoft
http://blogs.msdn.com/blogdoezequiel
Agenda
• Row Level Security (RLS)
• Dynamic Data Masking (DDM)
• Always Encrypted
• Azure SQL Database
• Cell Level Encryption
• Auditing
• TDE
• Dynamic Data Masking
Security Investments (Encryption and Auditing)
• Always Encrypted
• TDE for SQL DB, TDE Perf
• CLE for SQL DB
• Enhancements to SQL Audit
• Row-level Security
• Dynamic Data Masking
• Enhancements to Crypto
Azure SQL Database: Cell Level Encryption
Azure SQL DB vs SQL Server (on prem)
• In Azure, the key hierarchy is no longer rooted in an instance-specific Service Master Key (SMK); instead, the root is a certificate controlled and managed by the Azure SQL Database service, so key management is reduced to the database-scoped key hierarchy (database master key, certificates, symmetric keys).
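The database-scoped hierarchy the bullet describes, as an added example that is not part of the deck: a database master key protected by a password, a certificate, and an AES symmetric key used for cell-level encryption of one column. It assumes an Azure SQL Database connection; the table, key and certificate names and the password are constructed placeholders.

```sql
-- Added example (not from the deck): database-scoped key hierarchy for
-- cell-level encryption in Azure SQL Database. Names and password are placeholders.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password placeholder>';
GO
CREATE CERTIFICATE CLE_Cert WITH SUBJECT = 'Cell-level encryption certificate';
GO
CREATE SYMMETRIC KEY CLE_Key
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CLE_Cert;
GO
CREATE TABLE dbo.CustomerSecrets (
    CustomerId    INT IDENTITY PRIMARY KEY,
    Name          NVARCHAR(100)  NOT NULL,
    CardNumberEnc VARBINARY(256) NOT NULL   -- ciphertext only, never the plaintext
);
GO
-- Writer: open the key, encrypt the cell, close the key again in the same batch.
OPEN SYMMETRIC KEY CLE_Key DECRYPTION BY CERTIFICATE CLE_Cert;
INSERT INTO dbo.CustomerSecrets (Name, CardNumberEnc)
VALUES (N'Wayne Jefferson',
        ENCRYPTBYKEY(KEY_GUID('CLE_Key'), N'4111-1111-1111-1111'));  -- constructed value
CLOSE SYMMETRIC KEY CLE_Key;
GO
-- Reader: only a principal allowed to open the key gets plaintext back.
-- DECRYPTBYKEY returns NULL when the key is not open or the ciphertext does not match.
OPEN SYMMETRIC KEY CLE_Key DECRYPTION BY CERTIFICATE CLE_Cert;
SELECT CustomerId, Name,
       CONVERT(NVARCHAR(30), DECRYPTBYKEY(CardNumberEnc)) AS CardNumber
FROM dbo.CustomerSecrets;
CLOSE SYMMETRIC KEY CLE_Key;
GO
```

A principal with SELECT on the table but no CONTROL on the certificate sees only the VARBINARY ciphertext, which is the separation of duties CLE provides inside the database.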
DEMO
Row Level Security (RLS)
Customer Benefit
• Fine-grained Access Control: keeping multi-tenant databases secure by limiting access by other users who share the same tables.
• Application Transparency: RLS works transparently at query time, no app changes needed. Compatible with RLS in other leading products.
• Centralized Security Logic: enforcement logic resides inside the database and is schema-bound to the table it protects, providing greater security. Reduced application maintenance and complexity.
Store data intended for many consumers in a single database/table while at the same time restricting row-level read & write access based on users’ execution context.
RLS Concepts
Predicate function
• User-defined inline table-valued function (iTVF) implementing security logic
• Can be arbitrarily complicated, containing joins with other tables
Security predicate
• Applies a predicate function to a particular table (SEMIJOIN APPLY)
• Two types: filter predicates and blocking predicates
Security policy
• Collection of security predicates for managing security across multiple tables
CREATE SECURITY POLICY mySecurityPolicy
ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime) ON dbo.patients
How It Works
Policy manager defines the predicate function and the security policy in T-SQL:
CREATE FUNCTION dbo.fn_securitypredicate(@wing int)
RETURNS TABLE WITH SCHEMABINDING AS
RETURN SELECT 1 AS [fn_securitypredicate_result] FROM
StaffDuties d INNER JOIN Employees e
ON (d.EmpId = e.EmpId)
WHERE e.UserSID = SUSER_SID() AND @wing = d.Wing;
CREATE SECURITY POLICY dbo.SecPol
ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON Patients
WITH (STATE = ON)
Diagram: Policy Manager -> Security Policy (inside the Database) -> Patients table; Application (Nurse) -> Patients table.
1) Policy manager creates filter predicate and security policy in T-SQL, binding the predicate to the Patients table
2) App user (e.g., nurse) selects from Patients table:
SELECT * FROM Patients
3) Security Policy transparently rewrites the query to apply the filter predicate:
SELECT * FROM Patients
SEMIJOIN APPLY dbo.fn_securitypredicate(Patients.Wing);
which is evaluated as:
SELECT Patients.* FROM Patients,
StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId)
WHERE e.UserSID = SUSER_SID() AND Patients.Wing = d.Wing;
Common RLS Use Cases…
Traditional RLS workloads
• Custom business logic to determine which rows each user can SELECT, INSERT, UPDATE, DELETE based on their role, department, security level, etc.
• Target sectors: Finance, insurance, healthcare, oil/gas, Federal, etc.
Multi-tenant databases
• Ensuring tenants can only access their own rows of data in a shared database, with enforcement logic in the database rather than in the app tier
• E.g. multi-tenant shards with elastic database tools on Azure SQL Database
Reporting, analytics, data warehousing
• Different users access same database through various reporting tools, and work with different subsets of data based on their identity/role
DEMO
Dynamic Data Masking (DDM)
Customer Benefit
• Regulatory Compliance
• Sensitive Data Protection
• Agility and Transparency: data is masked on-the-fly, underlying data in the database remains intact. Transparent to the application and applied according to user privilege.
Limit access to sensitive data by defining policies to obfuscate specific database fields, without affecting the integrity of the database.
How It Works
ALTER TABLE [Employee] ALTER COLUMN [SocialSecurityNumber]
ADD MASKED WITH (FUNCTION = 'Partial(0,"XXX-XX-",2)')
ALTER TABLE [Employee] ALTER COLUMN [Email]
ADD MASKED WITH (FUNCTION = 'EMAIL()')
ALTER TABLE [Employee] ALTER COLUMN [Salary]
ADD MASKED WITH (FUNCTION = 'RANDOM(1,20000)')
GRANT UNMASK TO admin1
1) Security officer defines dynamic data masking policy in T-SQL over sensitive data in Employee table
2) App user selects from Employee table:
SELECT [Name], [SocialSecurityNumber], [Email], [Salary] FROM [Employee]
3) Dynamic data masking policy obfuscates the sensitive data in the query results
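The three masks from the slide applied end to end, as an added example that is not part of the deck: the table is created with the masks inline, a user with SELECT but no UNMASK queries it, and a catalog query lists what is masked. The Employee table contents and the HelpDesk user are constructed for this example.

```sql
-- Added example (not from the deck): the slide's masks on a constructed Employee table,
-- checked from a low-privilege user. Names and values are constructed.
CREATE TABLE dbo.Employee (
    EmployeeId           INT IDENTITY PRIMARY KEY,
    Name                 NVARCHAR(100) NOT NULL,
    SocialSecurityNumber CHAR(11)      MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",2)') NOT NULL,
    Email                NVARCHAR(200) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    Salary               MONEY         MASKED WITH (FUNCTION = 'random(1, 20000)') NOT NULL
);
GO
INSERT INTO dbo.Employee (Name, SocialSecurityNumber, Email, Salary)
VALUES (N'Wayne Jefferson', '111-22-3333', N'wayne@contoso.example', 85000);
GO
-- A user holding SELECT but not UNMASK receives the masked representation.
CREATE USER HelpDesk WITHOUT LOGIN;
GRANT SELECT ON dbo.Employee TO HelpDesk;
GO
EXECUTE AS USER = 'HelpDesk';
SELECT Name, SocialSecurityNumber, Email, Salary FROM dbo.Employee;
-- Name is unmasked; SSN -> XXX-XX-33; Email -> wXXX@XXXX.com; Salary -> a random value in 1..20000
REVERT;
GO
-- UNMASK lifts every mask in the database: grant it only to roles that need raw values.
GRANT UNMASK TO HelpDesk;
GO
-- Audit which columns carry a mask and with which function.
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```

DDM only rewrites query results; it does not replace column-level permissions or encryption for principals who can still filter on the masked columns.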
DEMO
Always Encrypted
Customer Benefit
• Prevents Data Disclosure: client-side encryption of sensitive data using keys that are never given to the database system.
• Queries on Encrypted Data: support for equality comparison, incl. join, group by and distinct operators.
• Application Transparency: minimal application changes via server and client library enhancements.
Allows customers to securely store sensitive data outside of their trust boundary.
Data remains protected from high-privileged, yet unauthorized users.
How it Works
Client (ADO .NET):
• The application runs "SELECT Name FROM Customers WHERE SSN = @SSN" with the plaintext parameter "111-22-3333".
• The enhanced client library encrypts the parameter before it leaves the client, so the server receives "SELECT Name FROM Customers WHERE SSN = @SSN" with ciphertext 0x7ff654ae6d.
SQL Server or SQL Database:
• dbo.Customers stores Name and SSN as ciphertext (Name 0x19ca706fbd9a, SSN 0x7ff654ae6d) while Country (USA) remains plaintext.
• The result set is returned with Name still as ciphertext 0x19ca706fbd9a.
Client (ADO .NET):
• The client library decrypts the result set and the application sees Name = Wayne Jefferson.
Encrypted sensitive data and corresponding keys are never seen in plaintext in SQL Server; the trust boundary sits between the client library and the server.
Types of Encryption
Randomized encryption
• Encrypt('123-45-6789') = 0x17cfd50a
• Repeat: Encrypt('123-45-6789') = 0x9b1fcf32
• Allows for transparent retrieval of encrypted data but NO operations
• More secure
Deterministic encryption
• Encrypt('123-45-6789') = 0x85a55d3f
• Repeat: Encrypt('123-45-6789') = 0x85a55d3f
• Allows for transparent retrieval of encrypted data AND equality comparison
• E.g. in WHERE clauses and joins, distinct, group by
Key Provisioning
Actors and objects: Security Officer; Column Encryption Key (CEK); Column Master Key (CMK); Encrypted CEK (the CEK wrapped by the CMK).
1. Generate CEKs and Master Key
2. Encrypt CEK
3. Store Master Key Securely
4. Upload Encrypted CEK to DB
CMK Store:
• Certificate Store
• HSM
• Azure Key Vault
• …
Database: holds only the Encrypted CEK.
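The server-side result of the four provisioning steps and of the two encryption types, as an added example that is not part of the deck: CMK metadata pointing at the certificate store, the CEK uploaded only in wrapped form, and a table with one randomized and one deterministic column. The certificate thumbprint and ENCRYPTED_VALUE are placeholders, since a client tool generates the CEK and wraps it with the CMK outside the server; table and key names are constructed.

```sql
-- Added example (not from the deck): DDL a client tool emits after provisioning keys.
-- The thumbprint and ENCRYPTED_VALUE are placeholders; the server never sees the plaintext CEK.
CREATE COLUMN MASTER KEY CMK_Auto1
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/<certificate thumbprint placeholder>'
);
GO
CREATE COLUMN ENCRYPTION KEY CEK_Auto1
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Auto1,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0123456789ABCDEF   -- placeholder: the CEK wrapped by the CMK
);
GO
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    -- Randomized: strongest option; the server can only store and return the ciphertext.
    Name NVARCHAR(60)
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Auto1,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    -- Deterministic: equal plaintexts give equal ciphertexts, so WHERE SSN = @SSN, joins,
    -- GROUP BY and DISTINCT work; a BIN2 collation is required for string columns.
    SSN CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Auto1,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    Country NVARCHAR(50) NOT NULL   -- stays plaintext
);
GO
-- What a DBA can see: which columns are encrypted, how, and under which keys. No plaintext.
SELECT c.name AS column_name, c.encryption_type_desc, cek.name AS cek_name, cmk.name AS cmk_name
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
  ON c.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_encryption_key_values AS v
  ON v.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
  ON v.column_master_key_id = cmk.column_master_key_id
WHERE c.object_id = OBJECT_ID('dbo.Customers');
```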
DEMO
Azure SQL Database: Auditing
Enable Auditing
Deep analysis of Azure SQL DB Audit log data
DEMO
Azure SQL Database: Transparent Data Encryption (TDE)
General Availability since 14/10/2015
• TDE for Azure SQL Database is based on SQL Server TDE technology, which encrypts the storage of an entire database by using an industry standard AES-256 symmetric key called the database encryption key. SQL Database protects this database encryption key with a service managed certificate. All key management for database copying, geo-replication, and database restores anywhere in SQL Database is handled by the service. To enable it on your database, in the Azure preview portal, click ON, and then click Save.
• Transparent Data Encryption for Azure SQL Database is built on the Transparent Data Encryption feature that has been running reliably on SQL Server since 2008. Updates to this core technology include support for Intel AES-NI hardware acceleration of encryption, which reduces the overhead of turning on Transparent Data Encryption.
Enable TDE (Azure Management Portal)
Enable TDE (SQL Server Management Studio)
-- Create the DEK based on the service-managed server certificate (optional)
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE ##MS_TdeCertificate##;
-- Check DEK list
SELECT * FROM sys.dm_database_encryption_keys;
-- Enable TDE
ALTER DATABASE AIRLIFT SET ENCRYPTION ON;
DEMO
Overview of Encryption Technologies
Capability                          | Always Encrypted    | Transparent Data Encryption | Cell-level Encryption  | "Ad-hoc" Client-side Encryption
Level of protection                 | End-to-end          | At-rest                     | At-rest                | End-to-end
Can server see sensitive data?      | No                  | Yes                         | Yes                    | No
T-SQL operations on encrypted data  | Equality comparison | All (after decryption)      | All (after decryption) | Possible with the appropriate encryption algorithm
App development cost to use feature | Low                 | Very low                    | High                   | Very high
Encryption granularity              | Column              | Database                    | Cell                   | Cell
Azure Active Directory Authentication (SQL Database v12)
• Central ID Management: provides an alternative to SQL authentication, helps stop the proliferation of user identities across database servers, password rotation in a single place.
• Simplified Permission Management: customers can manage database permissions using external (AAD) groups.
• Can Eliminate Storing Passwords: enables integrated Windows authentication and certificate-based authentication.
Giving customers a single place to manage SQL Database users and their permissions.
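The permission-management point above in T-SQL, as an added example that is not part of the deck: contained database users mapped to an Azure AD group and an Azure AD user, so access follows directory group membership and no password lives in the database. It assumes an Azure SQL Database v12 user database and a session running as the server's Azure AD admin; the group and user names are constructed placeholders.

```sql
-- Added example (not from the deck): Azure AD principals as contained database users.
-- Group and user names are constructed placeholders.
CREATE USER [Finance Analysts] FROM EXTERNAL PROVIDER;      -- an Azure AD security group
CREATE USER [alice@contoso.example] FROM EXTERNAL PROVIDER; -- an individual Azure AD user
GO
-- Permissions are granted to the group; membership is managed in Azure AD, not in the database.
ALTER ROLE db_datareader ADD MEMBER [Finance Analysts];
GO
-- Review which database principals are directory-backed (E = external user, X = external group).
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE type IN ('E', 'X');
```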
Questions
Thank you very much!
Microsoft Virtual Academy: SQL Server 2014: Security, Optimizer, and Columnstore Index Enhancements
www.microsoftvirtualacademy.com
Try SQL Server 2016 CTP2: http://aka.ms/trysql2016
Free Azure Trial: http://aka.ms/tryazure
Use Power BI for Free: http://powerbi.microsoft.com