Presentation is loading. Please wait.

Presentation is loading. Please wait.

Always Encrypted, Data Masking, Row Level Security

Published byBritton Holmes Modified over 5 years ago

Similar presentations

Presentation on theme: "Always Encrypted, Data Masking, Row Level Security"— Presentation transcript:

1 Always Encrypted, Data Masking, Row Level Security
Intro to SQL 2016 Always Encrypted, Data Masking, Row Level Security Trayce Jordan, MCM, MCA, MCITP, MCTS, MCDBA, MCSD, CISSP Senior Premier Field Engineer - SQL Microsoft Corporation @SeelWellDBA

2

3 Always Encrypted Help protect data at rest and in motion, on-premises & cloud
Trusted Apps SELECT Name FROM Patients WHERE @SSN=' ' SQL Server SELECT Name FROM Patients WHERE @SSN=0x7ff654ae6d Client side Query Enhanced ADO.NET Library dbo.Patients Jane Doe Name SSN USA Country Jim Gray John Smith Result Set Jim Gray Name Jane Doe 1x7fg655se2e SSN USA Country 0x7ff654ae6d John Smith 0y8fj754ea2c dbo.Patients Column Master Key Column Encryption Key Result Set Jim Gray Name ciphertext dbo.Patients Jane Doe Name 1x7fg655se2e SSN USA Jim Gray 0x7ff654ae6d John Smith 0y8fj754ea2c Country Mission critical performance

4 RESTRICTIONS - cannot do/use the following
Columns with default constraints Primary Key columns using randomized Columns referenced by check constraints Columns that use CDC Columns that are masked Columns in Table variables Columns using alias type Sparse column set Columns referenced by computed columns Columns that are keys for FTS Filestream columns Columns with ROWGUIDCOL property String columns that do not use bin2 collations No SSMS inserts/updates or filtering No linked servers No Txnl or Merge Repl No FOR XML / FOR JSON PATH

5 Dynamic Data Masking Policy based data obfuscation
Multiple masks possible Privileged users can view unmasked

6 Dynamic data masking walkthrough
1) Security officer defines dynamic data masking policy in T-SQL over sensitive data in Employee table 2) Application user selects from Employee table 3) Dynamic data masking policy obfuscates the sensitive data in the query results ALTER TABLE [Employee] ALTER COLUMN [SocialSecurityNumber] ADD MASKED WITH (FUNCTION = ‘SSN()’) ALTER TABLE [Employee] ALTER COLUMN [ ] ADD MASKED WITH (FUNCTION = ‘ ()’) ALTER TABLE [Employee] ALTER COLUMN [Salary] ADD MASKED WITH (FUNCTION = ‘RANDOM(1,20000)’) GRANT UNMASK to admin1 Security Officer admin1 login other login SELECT [Name], [SocialSecurityNumber], [ ], [Salary] FROM [Employee] Security

7 Four masking functions
XXXX, 0, Default() () random(1,500) Random() (prefix, [pad], suffix) Partial()

8 RESTRICTIONS - cannot use masking with
Column_set Sparse column part of a column set Mask on a computed column Computed columns MAY use masked columns (but the values it uses may be masked) Cannot be key for FTS Always Encrypted columns READTEXT, WRITETEXT, UPDATETEXT only work if you have permission to view unmasked FILESTREAM

9 Row Level Security Security Policy
Security Predicate(s) / BLOCK or FILTER Simpler than past methods

10 RLS in three steps Database Security Policy Application Nurse
Three Security Policy transparently rewrites query to apply filter predicate Two App user (e.g., nurse) selects from Patients table One Policy manager creates a filter predicate and security policy Nurse Database Policy Manager Filter Predicate: INNER JOIN… Security Policy Application Patients CREATE FUNCTION int) RETURNS TABLE WITH SCHEMABINDING AS return SELECT 1 as [fn_securitypredicate_result] FROM StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId) WHERE e.UserSID = SUSER_SID() = d.Wing; CREATE SECURITY POLICY dbo.SecPol ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON Patients WITH (STATE = ON) SELECT * FROM Patients SEMIJOIN APPLY dbo.fn_securitypredicate(patients.Wing); SELECT * FROM Patients SELECT Patients.* FROM Patients, StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId) WHERE e.UserSID = SUSER_SID() AND Patients.wing = d.Wing; Security

11 CAUTIONS for using RLS Memory Optimized Tables
must use WITH NATIVE_COMPILATION CDC & CT can leak information FTS & COLUMN STORE – can suffer performance hits Partitioned Views with FILTER predicates - OK Temporal Table – OK, but must manually add to hist table

12 RESTRICTIONS - RLS does not support
FILESTREAM POLYBASE Indexed Views Partitioned Views (with BLOCK predicates)

13 Demos

14 Thank you! Questions ?

Download ppt "Always Encrypted, Data Masking, Row Level Security"

Similar presentations

Overview and Roadmap for Microsoft SQL Server Security

Overview and Roadmap for Microsoft SQL Server Security
ORACLE DATABASE SECURITY

ORACLE DATABASE SECURITY
Module 11: Programming Across Multiple Servers. Overview Introducing Distributed Queries Setting Up a Linked Server Environment Working with Linked Servers.

Module 11: Programming Across Multiple Servers. Overview Introducing Distributed Queries Setting Up a Linked Server Environment Working with Linked Servers.
Mission critical features in SQL 2016 David Lyth Pat Martin Premier Field Engineers, Microsoft New Zealand.

Mission critical features in SQL 2016 David Lyth Pat Martin Premier Field Engineers, Microsoft New Zealand.
Cloud first Speed Agility Proven Feedback All of this results in a better on-premises SQL Server SQL Server 2016.

Cloud first Speed Agility Proven Feedback All of this results in a better on-premises SQL Server SQL Server 2016.
Kristina Rumpff Securing Data on your Terms DAT33 1.

Kristina Rumpff Securing Data on your Terms DAT33 1.
SQLintersection Session: Tuesday, 12:00-1:00pm NEW SECURITY FEATURES IN SQL SERVER 2016 & AZURE SQL DB Aaron Bertrand

SQLintersection Session: Tuesday, 12:00-1:00pm NEW SECURITY FEATURES IN SQL SERVER 2016 & AZURE SQL DB Aaron Bertrand
Consistent experience is everything End-to-end mobile BI Advanced Analytics Enterprise-grade DW Mission critical OLTP Speed Agility Proven Feedback.

Consistent experience is everything End-to-end mobile BI Advanced Analytics Enterprise-grade DW Mission critical OLTP Speed Agility Proven Feedback.
#SQLSAT454 SQL Server 2016 New Security Features Gianluca

#SQLSAT454 SQL Server 2016 New Security Features Gianluca
SQL SATURDAY #444 – Kansas City, MO. A LOOK AT ALWAYS ENCRYPTED SQL SATURDAY #444 – KANSAS CITY, MO DAVE WALDEN PRINCIPAL SOLUTIONS ARCHITECT DB BEST.

SQL SATURDAY #444 – Kansas City, MO. A LOOK AT ALWAYS ENCRYPTED SQL SATURDAY #444 – KANSAS CITY, MO DAVE WALDEN PRINCIPAL SOLUTIONS ARCHITECT DB BEST.
SQL Server Evolution New innovations Jen Underwood Sr. Program Manager of Business Intelligence & Analytics Microsoft George Walters Sr. Technical Solutions.

SQL Server Evolution New innovations Jen Underwood Sr. Program Manager of Business Intelligence & Analytics Microsoft George Walters Sr. Technical Solutions.
Securing Data on your Terms Kristina Rumpff SQL Saturday #464, Melbourne 20 th February 2016.

Securing Data on your Terms Kristina Rumpff SQL Saturday #464, Melbourne 20 th February 2016.
Warwick Rudd | Principal Consultant – consulting.com.au #456 | Auckland 2015 Mission Critical SQL Server.

Warwick Rudd | Principal Consultant – consulting.com.au #456 | Auckland 2015 Mission Critical SQL Server.
SQL Server 2016 Security Features Marek Chmel Microsoft MVP: Data Platform Microsoft MCT: Regional Lead MCSE: Data Platform Certified Ethical Hacker.

SQL Server 2016 Security Features Marek Chmel Microsoft MVP: Data Platform Microsoft MCT: Regional Lead MCSE: Data Platform Certified Ethical Hacker.
Putting Your Head in the Cloud Working with SQL Azure David Postlethwaite 18/06/2016David Postlethwaite.

Putting Your Head in the Cloud Working with SQL Azure David Postlethwaite 18/06/2016David Postlethwaite.
Session Name Pelin ATICI SQL Premier Field Engineer.

Session Name Pelin ATICI SQL Premier Field Engineer.
SQL 2012 - 2016 Organizational Security & Compliance George Walters Senior Technology Solutions Professional Data Platform

SQL Organizational Security & Compliance George Walters Senior Technology Solutions Professional Data Platform
Comprehensive Flexible Global Storage and Search Responsive Available Secure Manageable Federation Coordination Consolidation Transformation Synchronization.

Comprehensive Flexible Global Storage and Search Responsive Available Secure Manageable Federation Coordination Consolidation Transformation Synchronization.
Sean Werick Principal Consultant

Sean Werick Principal Consultant
Data Security with Power BI, SSAS, SQL Server 2016 and Active Directory June 10, 2017.

Data Security with Power BI, SSAS, SQL Server 2016 and Active Directory June 10, 2017.

Similar presentations

Ads by Google