Published by Wacława Dziedzic. Modified over 6 years ago.
1
What’s new in SQL Server and Azure SQL Database Security
5/9/2019 4:59 AM
Andreas Wolter, Program Manager, SQL Server & Azure SQL Database Security
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2
Content
Advanced Data Security: Data Discovery & Classification; Threat Protection; Vulnerability Assessment
Always Encrypted with Enclaves
Authentication
Roadmap
3
Enterprise Grade Security that is Easy to Use
Customer Data
Data Protection: Encryption-in-flight (Transport Layer Security, TLS); Encryption-at-rest (Transparent Data Encryption, TDE) with service- or user-managed keys and backup encryption; Encryption-in-use (Always Encrypted); Data Masking (dynamic); Data Discovery and Classification
Access Control: SQL Permissions; Row-level security; Column-level security
Authentication: SQL Authentication; Azure Active Directory Authentication (with MFA)
Network Security: Virtual Networks; SQL Firewall (server- and database-level)
Threat Protection: Data Classification; Advanced Threat Protection; Auditing; Vulnerability Assessment

We have received much feedback on our Static Data Masking prototype over the past months and thank everybody for their interest and participation in the preview. Based on this feedback we have decided that our current prototype does not meet our customers’ expectations. We will therefore not carry this forward and instead go back to the drawing board. We will update everybody on our plans if / when we have a replacement candidate.
4
Data Protection & Threat Protection
5
Advanced Data Security
Unified package of intelligent SQL security capabilities: Data Classification; Vulnerability Assessment; Advanced Threat Protection

SQL Advanced Threat Protection (ATP) is a unified package of 3 advanced SQL security capabilities, which include: Data Classification for discovering and classifying sensitive data; Vulnerability Assessment for discovering and addressing your database vulnerabilities; Threat Detection for detecting anomalous activities that could indicate a threat to your database. SQL ATP provides a single dashboard for enabling and managing your SQL security.
6
Public Preview
SQL Data Classification: Discover, classify, protect and track access to sensitive data
Automatic discovery of columns with sensitive data
Add persistent sensitive data labels
Audit and detect access to the sensitive data
Manage labels for your entire Azure tenant using Azure Security Center

SQL Data Classification is a new feature in Public Preview that automatically discovers columns containing potentially sensitive data. It provides a simple way to review and apply the classification recommendations through the Azure portal. The sensitive data labels are persisted in the database (as metadata attributes), and access to the sensitive data is audited and detected. We offer a built-in set of labels and information types; however, customers can choose to define custom labels across the Azure tenant using Azure Security Center. Please note that we also offer data classification for on-premises SQL Server using the latest SQL Server Management Studio. In the near future, we will allow managing policy for all your sensitive data ACROSS Azure, integrated with MIP for a holistic Microsoft data classification story.
7
Data Discovery & Classification
Demo
8
General Availability
SQL Vulnerability Assessment: Discover, track, and remediate security misconfigurations
Identify security misconfigurations
Actionable remediation steps
Security baseline tuned to your environment
Manual/periodic scans
Coherent reports for auditors

SQL Vulnerability Assessment provides visibility into your database security state and allows constant improvement. In short, it runs a set of security checks that identify security misconfigurations. It allows setting a security baseline that customizes VA results to match your environment. It provides a clear report, which is very helpful for security audits. We also support SQL Vulnerability Assessment for on-premises SQL Server using the latest SQL Server Management Studio.
9
Advanced Threat Protection: Detect unusual and harmful attempts to breach your database.
General Availability
Detects potential SQL injection attacks
Detects unusual access & data exfiltration activities
Actionable alerts to investigate & remediate
View alerts for your entire Azure tenant using Azure Security Center
[Diagram: Developer and Apps connect to Azure SQL Database, whose Audit Log feeds Threat Detection; (1) Turn on Threat Detection; (2) Possible threat to access / breach data, from an Attacker or a User; (3) Real-time actionable alerts]

To summarize what you have seen, SQL Threat Detection allows you to respond to unusual and harmful attempts to breach your database. 1) It is super simple to enable and requires no modifications to your application code. 2) It provides you with a set of world-class algorithms that learn, profile and detect potential SQL injections and unusual behavior patterns. 3) It triggers security alerts upon detection, which include a clear description and actionable investigation and remediation steps.
10
Advanced Threat Protection Suite
General Availability
Potential SQL injection attacks:
SQLi attempt - An application generated a faulty SQL statement, which may indicate a potential vulnerability of the application to SQL injection.
SQLi attack - Potential exploitation of an application code vulnerability to SQL injection, which may indicate a SQL injection attack.
Anomalous access patterns:
Someone has logged in from an unusual location - a change in the access pattern from an unusual geographical location.
An unfamiliar principal successfully logged in - a change in the access pattern using an unusual SQL user.
Someone is attempting to brute force SQL credentials - an abnormally high number of failed logins with different credentials.
Someone has logged in from a potentially harmful application.
Anomalous query patterns:
Data exfiltration by volume - someone has extracted anomalous amounts of data in an hour or using a single query.
Data exfiltration by location - someone has backed up a database to an unusual storage location.
Unsecure commands - someone has executed unsecure commands (e.g. xp_cmdshell…).

SQL Threat Detection triggers the following types of security alerts: SQL injections - indicates that someone has attempted or succeeded in attacking your database using SQL injection methods. Access anomalies - indicates a change in the access pattern to the SQL server in the form of brute force, a harmful application, or an unusual location. Query anomalies - indicates a change in the query pattern to the SQL server in the form of unusual data exfiltration or suspicious commands.
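As an added illustration (not code from the presentation or from Microsoft's service), the following Python script applies simplified versions of three of the alert categories above, brute-force logins, unsecure commands and data exfiltration by volume, to a constructed set of audit records. The record shape, the fixed thresholds and the sample values are assumptions; the real service learns its baselines from normal activity rather than using fixed numbers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real Azure SQL audit output), in a
# simplified shape: time, client IP, principal, success flag, statement, rows returned.
SAMPLE_AUDIT = [
    {"t": "2019-05-09T04:00:01", "ip": "203.0.113.7", "user": "admin", "ok": False, "sql": "", "rows": 0},
    {"t": "2019-05-09T04:00:02", "ip": "203.0.113.7", "user": "sa", "ok": False, "sql": "", "rows": 0},
    {"t": "2019-05-09T04:00:03", "ip": "203.0.113.7", "user": "root", "ok": False, "sql": "", "rows": 0},
    {"t": "2019-05-09T04:00:04", "ip": "203.0.113.7", "user": "backup", "ok": False, "sql": "", "rows": 0},
    {"t": "2019-05-09T04:00:05", "ip": "203.0.113.7", "user": "test", "ok": False, "sql": "", "rows": 0},
    {"t": "2019-05-09T04:10:00", "ip": "198.51.100.4", "user": "app", "ok": True, "sql": "SELECT TOP 50 * FROM Orders", "rows": 50},
    {"t": "2019-05-09T04:11:00", "ip": "198.51.100.4", "user": "app", "ok": True, "sql": "EXEC xp_cmdshell 'dir'", "rows": 1},
    {"t": "2019-05-09T04:12:00", "ip": "198.51.100.9", "user": "report", "ok": True, "sql": "SELECT * FROM Customers", "rows": 250000},
    {"t": "2019-05-09T04:50:00", "ip": "198.51.100.4", "user": "app", "ok": True, "sql": "SELECT TOP 50 * FROM Orders", "rows": 50},
]
# The slide names xp_cmdshell as its example of an unsecure command.
UNSECURE_SQL = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)

def _ts(rec):
    return datetime.fromisoformat(rec["t"])

def detect_brute_force(records, window=timedelta(minutes=5), min_distinct_users=5):
    """Brute force: failed logins from one client IP that try at least
    min_distinct_users different principals inside one sliding window.
    Returns {ip: number of distinct principals tried}."""
    failed = defaultdict(list)
    for r in records:
        if not r["ok"]:
            failed[r["ip"]].append(r)
    alerts = {}
    for ip, attempts in failed.items():
        attempts.sort(key=_ts)
        for i, first in enumerate(attempts):
            users = {a["user"] for a in attempts[i:] if _ts(a) - _ts(first) <= window}
            if len(users) >= min_distinct_users:
                alerts[ip] = max(alerts.get(ip, 0), len(users))
    return alerts

def detect_unsecure_commands(records):
    """Unsecure commands: successfully executed statements invoking xp_cmdshell."""
    return [(r["user"], r["sql"]) for r in records if r["ok"] and UNSECURE_SQL.search(r["sql"])]

def detect_exfiltration_by_volume(records, hourly_baseline=10000, single_query_max=100000):
    """Exfiltration by volume: rows returned to one principal exceed a baseline
    within one clock hour, or in a single statement. Thresholds are fixed here;
    the service learns them from normal activity."""
    per_hour, alerts = defaultdict(int), set()
    for r in records:
        if not r["ok"]:
            continue
        if r["rows"] > single_query_max:
            alerts.add((r["user"], "single-query"))
        hour = _ts(r).replace(minute=0, second=0, microsecond=0)
        per_hour[(r["user"], hour)] += r["rows"]
        if per_hour[(r["user"], hour)] > hourly_baseline:
            alerts.add((r["user"], "hourly-volume"))
    return sorted(alerts)

if __name__ == "__main__":
    print("brute force:", detect_brute_force(SAMPLE_AUDIT))
    print("unsecure commands:", detect_unsecure_commands(SAMPLE_AUDIT))
    print("exfiltration by volume:", detect_exfiltration_by_volume(SAMPLE_AUDIT))
```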
11
SQL Auditing in Log Analytics and Event Hubs: Gain insight into the database audit log
Configurable via audit policy
SQL audit logs can reside in: Azure Storage account; Azure Log Analytics; Azure Event Hubs
Rich set of tools for investigating security alerts and tracking access to sensitive data
[Diagram: Developer, Azure SQL Database, Audit Log; (1) Turn on SQL Auditing; (2) Analyze audit log]

SQL Auditing logs can now be written directly to Azure Log Analytics or Azure Event Hubs. You can simply configure this from the Azure portal and centrally manage all audit logs in one place. In addition, it provides a rich set of tools for analyzing database audit logs: Log Analytics, Power BI and custom dashboards. It is super helpful for investigating security alerts or for tracking access to your sensitive data.
12
Advanced Data Security
Demo
13
Gain security insights via Log Analytics and Power BI dashboards
14
SQL ADS Roadmap
Centralized Management: Azure Security Center manages ADS across the entire tenant; central policy management + central dashboard
Full Hybrid support: Support of all ADS capabilities (incl. Threat Detection) on SQL anywhere – PaaS, IaaS, on-premises
Compliance Scenarios: Support specific mapping to compliance regulations, dedicated reports
Additional Data Services: ADS for Storage, Cosmos DB in addition to Managed Instance, PostgreSQL, MySQL
15
Current GA version in SQL Server 2016/17 and Azure SQL DB
Always Encrypted: Protects sensitive data in use from high-privileged yet unauthorized SQL users, both on-premises and in the cloud
[Diagram: Enhanced Client Driver handles plaintext; only ciphertext flows to SQL]
Client-side Encryption: Client-side encryption of sensitive data using keys that are never given to the database system
Encryption Transparency: Client driver transparently encrypts query parameters and decrypts encrypted results
Queries on Encrypted Data: Support for equality comparison, including join, group by and distinct operators, via deterministic encryption
16
Always Encrypted - Challenges
Reduced functionality of queries on encrypted columns: encrypted columns only allow equality comparisons
Data needs to be moved out of the database for initial encryption and key rotation: this process can be time-consuming and prone to network errors
17
Always Encrypted using Secure Enclaves
CTP
Protects sensitive data in use while enabling rich computations and in-place encryption
Confidential computing brings secure enclaves: trusted execution environments protecting data in use
SQL Server Engine delegates operations on encrypted data to the enclave, where the data can be safely decrypted and processed. Rich computations on encrypted data!
In-place encryption and key management, without moving data out of the database
[Diagram: Enhanced Client Driver handles plaintext; ciphertext flows to SQL, where the enclave works on plaintext]

Always Encrypted is about to get a very significant boost with the introduction of Secure Enclaves. Ask – how many are using Always Encrypted today? How many know what it is? The goal of Always Encrypted using enclaves is to keep the same level of security guarantees as the current GA version, while addressing its top limitations: limited functionality of SQL queries and the operational challenges associated with moving data out of the database for encryption/key rotation. With Always Encrypted using enclaves, customers can protect their data in use without making painful compromises.

Background: Always Encrypted was introduced in 2016 – for SQL Server 2016 and Azure SQL DB. It’s an industry-first technology – it encrypts sensitive data in use, ensuring that high-privileged but unauthorized users (like DBAs, machine admins, or malware running in the environment hosting your database) do not have access to that sensitive data in plaintext. How does it work? Client-side encryption. A client driver, in your client application, transparently encrypts data before sending it to the database and decrypts the results coming from encrypted columns. As a result, sensitive data never appears on the DB system in plaintext; it is encrypted even in the memory of the SQL Server process. Really strong security! However, there is a common problem with client-side encryption: the data is encrypted on the server side, so the server can’t do much with it. Most computations are impossible.
But we do support some operations via deterministic encryption, which allows equality comparisons on encrypted data, e.g. simple point lookup queries. Other types of queries, e.g. queries involving pattern matching or sorting, were not supported. Now comes a big step to bring Always Encrypted to a new level, using a concept called secure enclaves. Microsoft has just announced the Azure confidential computing initiative, which introduces secure enclaves (aka Trusted Execution Environments, or TEEs) to the Azure cloud. Confidential computing makes it possible to protect sensitive data in use. It aims at providing assurance that the customer’s sensitive data always remains under customer control. When data is “in the clear,” which is often required to analyze, interpret, or process the data, the data is protected inside a secure enclave. What is this secure enclave? Think of it as a protected region in memory inside a containing process – a tamper-proof, trusted execution environment. Data can be safely decrypted and processed in the enclave, but to the external world it appears as a black box: there is no way to view the data or the operations inside the enclave from the outside, even with a debugger. If you want to learn more about the technical details of these enclaves and the Azure confidential computing initiative, check out Mark Russinovich’s blog post… How does this relate to SQL and Always Encrypted? The component that processes the predicates of SQL queries is put inside the Secure Enclave. The remaining part of SQL Server remains untrusted. So when processing a query, it delegates computations on encrypted sensitive data to that enclave. There, the data can be safely decrypted and processed. This opens up a broad range of new possibilities: now we can support rich computations on data that is encrypted in the database and protected in use.
One additional benefit: we are leveraging enclaves to support in-place encryption, so that you don’t need to move the data out of the database to initially encrypt it! Status: currently in testing, but open in the Early Access Technology preview; you can sign up here.
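To make the deterministic-versus-randomized distinction and the enclave delegation described above concrete, here is an added Python model (not code from the presentation or from SQL Server). A toy client-side cipher derives the IV from the plaintext in deterministic mode, so the key-less engine can match ciphertext bytes for equality, while randomized mode denies the engine even that; a stand-in Enclave object holds the key server-side and evaluates a range predicate after decrypting. The cipher (an HMAC-SHA256 keystream), the key, the rows and the column names are constructed assumptions, not the real Always Encrypted algorithm.

```python
import hashlib
import hmac
import os

# Toy column encryption illustrating the deterministic/randomized split and the
# enclave idea. An HMAC-SHA256 keystream stands in for the real AES-based
# algorithm; constructed for illustration, not SQL Server's cipher.
KEY = hashlib.sha256(b"placeholder column encryption key").digest()  # stays on the client

def _keystream(key, iv, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, value, deterministic):
    """Client-driver side. Deterministic: IV derived from the plaintext, so equal
    values give equal ciphertexts (equality works, but equality also leaks).
    Randomized: fresh random IV, so the engine learns nothing, not even equality."""
    pt = str(value).encode()
    iv = hmac.new(key, b"iv" + pt, hashlib.sha256).digest()[:16] if deterministic else os.urandom(16)
    body = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    tag = hmac.new(key, iv + body, hashlib.sha256).digest()[:16]  # integrity check
    return tag + iv + body

def decrypt(key, ct):
    tag, iv, body = ct[:16], ct[16:32], ct[32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + body, hashlib.sha256).digest()[:16]):
        raise ValueError("ciphertext tampered")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body)))).decode()

# Constructed rows: SSN in a deterministic column, salary in a randomized column.
EMPLOYEES = [("alice", "111-22-3333", 50000), ("bob", "444-55-6666", 72000), ("carol", "777-88-9999", 72000)]

def build_table(key=KEY):
    """The driver encrypts each sensitive value before it reaches the engine."""
    return [{"name": n, "ssn": encrypt(key, s, True), "salary": encrypt(key, sal, False)}
            for n, s, sal in EMPLOYEES]

def engine_equality_lookup(table, column, param_ct):
    """What the untrusted engine can do without any key: compare ciphertext bytes.
    The driver sends the query parameter already encrypted."""
    return [r["name"] for r in table if r[column] == param_ct]

class Enclave:
    """Stand-in for the secure enclave: the one server-side place holding the key
    (in the real system the key arrives over the attested secure tunnel)."""
    def __init__(self, key):
        self._key = key
    def range_filter(self, table, column, lo, hi):
        return [r["name"] for r in table if lo <= int(decrypt(self._key, r[column])) <= hi]

def lookup_ssn(table, ssn, key=KEY):
    return engine_equality_lookup(table, "ssn", encrypt(key, ssn, True))  # works: deterministic

def lookup_salary_no_enclave(table, salary, key=KEY):
    return engine_equality_lookup(table, "salary", encrypt(key, salary, False))  # always empty: randomized

if __name__ == "__main__":
    t = build_table()
    print(lookup_ssn(t, "444-55-6666"))                          # ['bob']
    print(lookup_salary_no_enclave(t, 72000))                     # []
    print(Enclave(KEY).range_filter(t, "salary", 60000, 80000))  # ['bob', 'carol']
```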
18
Confidential Computing using Enclaves
Enclave – an isolated region of memory
Provides a trusted execution environment
Data stored inside the enclave cannot be accessed outside of the enclave
Code running inside the enclave must be signed and cannot be modified
Secure isolation powered by hardware, e.g. Intel Software Guard Extensions (SGX), or by a hypervisor, e.g. Virtualization Based Security in Windows Server 2019 and Windows 10, v. 1809
[Diagram: stack of Hardware, Hypervisor, Operating System and Apps; the enclave holds Code and Data]
19
Enclave Attestation and Secure Tunnel
How do you know the SQL enclave is trustworthy? Answer: enclave attestation
How does the enclave get the keys to encrypt/decrypt data? Answer: secure tunnel
[Diagram: Attestation Service; secure tunnel between the Enhanced Client Driver (plaintext) and the SQL Enclave (plaintext), with only ciphertext stored in SQL]
20
Always Encrypted with Enclaves in Screenshots
21
Always Encrypted with Secure Enclaves
Public Preview (SQL Server 2019)
Protects sensitive data in use while preserving rich queries and providing in-place encryption
[Diagram: Enhanced Client Driver handles plaintext; ciphertext flows to SQL, where the Enclave works on plaintext]
Secure computations inside an enclave: SQL Server Engine delegates operations on encrypted data to a secure enclave, where the data can be safely decrypted and processed
Rich Queries: Supports pattern matching (LIKE), range queries (<, >, etc.), and indexing on encrypted columns
In-place Encryption: The secure enclave supports initial data encryption and key rotation in-place - without moving the data out of the database
22
Next Steps: Try it now in SQL Server 2019 Preview!
Documentation:
Tutorial: Getting started with Always Encrypted with secure enclaves using SSMS
Blog:
23
Access Management

This brings us to the next layer, Access Management. You need to control the access to your DB and data as a fundamental part of security. This starts with the basic authentication mechanisms and permissions model… but here too as we get more advanced we are introducing more sophisticated security capabilities.
24
Azure Active Directory Authentication - Interactive: Support for Multi-Factor Authentication (MFA)
All the benefits of Azure Active Directory Authentication plus:
Interactive Authentication: New INTERACTIVE mode without hard-coded passwords, supporting MFA; MSA & non-MSA accounts (Hotmail, Outlook, Live… Google); Certificate-based authentication; Managed Service Identity (MSI)
Flexible Configuration: Conditional Access for configuring domain accounts for MFA; can impose MFA without asking the domain administrator to make a global change
Supported in many Tools and Drivers: SSMS (since 17.2+); DacFx SQL Package (Import/Export); SQLCMD, BCP; SSDT (with latest VS 17 release); Drivers: .NET and higher, ODBC 17.2 (recent release), JDBC

INTERACTIVE mode was originally called universal auth. Really only starting with SSMS (GA). Non-MSA accounts = guest users. Certificate-based authentication for AKV access or any other. For Azure SQL DB, Managed Service Identity (MSI): register the VM with AAD, rendering the VM as a user in a database. Conditional Access in AAD (Premium): set of users, groups, devices. MFA supported by default.
25
VNET Service Endpoints
Generally Available
Restrict access to your SQL Server from a given VNET/subnet
Extends VNET to SQL PaaS: an app layer firewall, no messing with IPs
Logical SQL Servers are restricted to be accessed from specific VNET(s)/Subnet(s)

Focusing on Azure SQL for a moment: one of the most critical features in managing/restricting access is the SQL DB firewall, which restricts access based on client IPs. However, one of the biggest requests in this space we've heard from customers is the need for VNET support. So we are glad to announce this additional capability, the first major step in the path to VNETs: VNET service endpoints. Recently public previewed. It allows you to restrict access to the DB to VMs only in a certain subnet, restricting inbound access to a set of Azure VNETs where the DB resources are in those VNETs. This helps with separation of roles between network and DB admins, keeps data on the Azure network, and simplifies management of IPs and firewall rules on a DB server.
26
Private Link – Connectivity scenarios
PUBLIC PREVIEW beginning H2 19
SQL DB accessible via private IP
No need to open the customer network more than necessary
Today: shared Gateway for ALL customers
New scenarios enabled: accessing SQL DB through VPN or Express Route; Power BI Service via On-Premise Data Gateway
[Diagram of numbered connectivity scenarios (1–7): an on-prem app via Express Route / VPN Gateway in a gateway subnet; IaaS hosted apps, including one in a peered network reached over a peering channel; App Service Environments; a “VNET Integrated” web app; all reaching the PaaS Services through a Private Link subnet]
27
Outlook on Roadmap
28
Roadmap
Always Encrypted with secure enclaves: SQL Server 2019 RTM; working on enabling it in SQL Azure DB
Networking & Connectivity: Private Link (public preview); Audit logging to firewall-protected storage (public preview); SQL MI network requirements reduction
Active Directory Authentication: Logins for Azure Server Principals - Azure AD logins (GA); Seamless Windows user migration (public preview)

This roadmap is for now – June 2019. Global service endpoint network requirements reduction: H1 access to internet; H2 force to use tunneling (i.e. for security inspection).
29
Under Consideration
Separation of Duties: More built-in roles coming
RBAC Integration: Integration of Azure RBAC with the SQL data plane to enable seamless permission control from the Portal
Advanced Data Security: Looking for your input: aka.ms/ADSSurvey19
30
We'd love your feedback! aka.ms/SQLBits19
Andreas Wolter
LinkedIn
31
Resources & References
Overview of Azure SQL DB Security –
SQL Advanced Data Security –
SQL Information Protection –
SQL Vulnerability Assessment –
SQL Threat Detection –
32
Azure - The Trusted Cloud
More certifications than any other cloud provider
GLOBAL: ISO 27001, ISO 27018, ISO 27017, ISO 22301, SOC 1 Type 2, SOC 2 Type 2, SOC 3, CSA STAR Self-Assessment, CSA STAR Certification, CSA STAR Attestation
US GOV: Moderate JAB P-ATO, High JAB P-ATO, DoD DISA SRG Level 2, DoD DISA SRG Level 4, DoD DISA SRG Level 5, FIPS 140-2, Section 508 VPAT, ITAR, CJIS, SP, IRS 1075
INDUSTRY: CDSA, HIPAA / HITECH Act, PCI DSS Level 1, FACT UK, MARS-E, FERPA, GLBA, MPAA, Shared Assessments, FISC Japan, HITRUST, GxP 21 CFR Part 11, IG Toolkit UK, FFIEC
REGIONAL: China DJCP, EU Model Clauses, UK G-Cloud, China GB 18030, China TRUCS, New Zealand GCIO, Japan My Number Act, ENISA IAF, Japan CS Mark Gold, Spain ENS, Spain DPA, Privacy Shield, Argentina PDPA, Singapore MTCS, Australia IRAP/CCSL, Germany IT Grundschutz workbook, India MeitY, Canada Privacy Laws