Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Data with SQL Server 2016

Published byMilton Lynch Modified over 6 years ago

Similar presentations

Presentation on theme: "Securing Data with SQL Server 2016"— Presentation transcript:

1 Securing Data with SQL Server 2016
By G.R. Prithiviraj Kulasingham Principal DBA, Pearson Lanka

2 Introduction Data is the new Oil – Information is money
One side is to make use of data Other side is securing the data Over 480 million data records are stolen in 2015 57% of crimes conducted by outsiders It means 43% by insiders Mobile phone is identified as the weakest link

3 What Attackers Do? Intruders try to login using commonly used passwords, defaults They gather related information from Linked-In, Facebook etc. SQL Server uses the machine name and port 1433 on default installation They may look for backup files as they are less secured generally Gather useful information like Passwords, Personal Data, Financial Data etc. Sell to competitors, Impersonate, or publish Disrupt operations by removing logins, altering schema or dropping tables SQL injection Some send “heavy requests” or loads of requests to lead to Denial of Service(DOS)

4 Identify the Attackers
Hackers including Criminals They scan the internet/ open networks Local users Legitimate users but go beyond their limit People Have access for one purpose but use for different purpose Can a windows admin check a database? Can a database Admin check the benefits of the CEO?

5 SQL Server Security Overview
How many have used SQL Server 2000 or before? Initially it allowed blank password for “sa” Following an attack, sp3 prevented it SQL Server added many features in SQL Server 2005 User/Schema separation Passwords to follow security policy, expiration – prevents Intruders Encryption of sensitive data Surface area configuration Granular Permissions

6 SQL Server Security Overview
SQL Server 2008 came with added feature set Policy Based Management Transparent Data Encryption, Protected by Database Master Key & Service Master Key Extended Protection Support Secure Connection Kerberos Authentication

7 SQL Server Security Overview
Database Audit – captures who did what Adding automatic accounts is stopped Encryption algorithms improved

8 Securing from Intruders
Security is not just DBAs job – Can’t rely just on application/Network security What protocol to use? Simple Applications & SQL Server on same machine: Can use shared memory MDAC 2.8 or earlier cannot use shared memory protocol Named pipes work well over LAN Complex applications with queues, or over internet should use TCP/IP Are you using default named pipes or default ports? Keep the SQL Server Browser service disabled Make sure database users have strong password and expiration policy Including application users…

9 Securing from Intruders
Log and Monitor failed logins– Or to admins Monitor long running queries – They not only consume resources and lead to deny many other requests (DOS) but also trying to gather all the information you have Use security best practices during database design too

10 Securing from Internal Users
Use secure connection It has performance issues: Connection takes another roundtrip; Each packet goes through an encryption and decryption process Highly recommended for databases managing credit cards, banking, stocks and other sensitive data Secure connection is made at server level not database level

11 database design security best practices
Limit direct access to sensitive information Either separate sensitive information or define views and access only through views Stored Procedures provide better security than ad-hoc queries Actual code and Tables are hidden to network SQL Injection threat is minimized Application user should run with minimum privileges (Use granular permissions)

12 database design security best practices
Don’t keep sensitive data in unencrypted form EncryptByKey EncryptByPassPhrase EncryptByKey provides better security than EncryptByPassPhrase Both needs code changes Subject to exposure to admins

13 database design security best practices
SQL Server 2016 introduces Always encrypted Data is stored always in encrypted form in the database No need to change the client application except change of driver Driver is responsible for encryption and decryption Either deterministic or randomized algorithm could be used Always Encrypted keeps the data encrypted and protect even from DBAs It allows the Business users to have control over the data

14 How Always Encrypted differ with TDE?
TDE encrypts the data “in rest” Decrypted at Read; Encrypted at Write Travels in the network in unencrypted form unless SSL is used DBAs can read the data by simply accessing It prevents only from illegal copying, or stealing the backups Database level setting Always Encrypted keeps the data encrypted until the client application reads Encryption/Decryption happens at client side Unless the same key/certificate is used, data cannot be decrypted Only selected columns are encrypted

15 Dynamic Data Masking Dynamic Data Masking Allows users to read only part of the data Not for Admins; But for people with lesser access Need UNMASK permission to read the data

16 Row Level Security Now you can grant permission at granular level
Based on a property of data security could be defined. FILTER PREDICATE controls the rows selected BLOCK PREDICATE controls data changes

17 References Row Level Security: Dynamic Data Masking: Always Encrypted: Encrypting connections:

18 Questions “Judge a man by his questions rather than by his answers.”  ― Voltaire “He who knows all the answers has not been asked all the questions.” ― Confucius

19 Sponsors Platinum Sponsors Platinum Raffle Sponsors
Gold Sponsors Gold Raffle Sponsors Silver Raffle Sponsors Bronze Sponsors Bronze Raffle Sponsors Crystal Raffle Sponsors

20 Thank you Please evaluate this session: sqlsaturday.com/535/sessions/SessionEvaluation.aspx Please evaluate the event at the end of SQLSaturday: sqlsaturday.com/535/EventEval.aspx

Download ppt "Securing Data with SQL Server 2016"

Similar presentations

The twenty-four/seven database Oracle Database Security David Yahalom Senior database consultant

The twenty-four/seven database Oracle Database Security David Yahalom Senior database consultant
Oracle Database Security

Oracle Database Security
Understand Database Security Concepts

Understand Database Security Concepts
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
Security in SQL Jon Holmes CIS 407 Fall 2007. Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.

Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.

Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.

Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.
MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.

MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.
Additional Security Tools Lesson 15. Skills Matrix.

Additional Security Tools Lesson 15. Skills Matrix.
Module 4: Managing Security. Overview Implementing an Authentication Mode Assigning Login Accounts to Users and Roles Assigning Permissions to Users and.

Module 4: Managing Security. Overview Implementing an Authentication Mode Assigning Login Accounts to Users and Roles Assigning Permissions to Users and.
G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.

G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.
Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:

Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.

Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
MANAGING RISK. CYBER CRIME The use of the internet and developments in IT bring with it a risk of cyber crime. Credit card details are stolen, hackers.

MANAGING RISK. CYBER CRIME The use of the internet and developments in IT bring with it a risk of cyber crime. Credit card details are stolen, hackers.

Similar presentations

Ads by Google