Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview and Roadmap for Microsoft SQL Server Security

Published byEunice Beasley Modified over 9 years ago

Similar presentations

Presentation on theme: "Overview and Roadmap for Microsoft SQL Server Security"— Presentation transcript:

1

2 Overview and Roadmap for Microsoft SQL Server Security
BRK2570 Overview and Roadmap for Microsoft SQL Server Security Joachim Hammer & Jakub Szymaszek Security Team Database Systems Group

3 Enhancements to Crypto Enhancements to SQL Audit
Security Investments Always Encrypted Enhancements to Crypto TDE for SQL DB, TDE Perf CLE for SQL DB Encryption Secure App Development Auditing Row-level Security Enhancements to SQL Audit Dynamic Data Masking

4 Always Encrypted SQL Server 2016 SQL Database

5 Customer Benefit Prevents Data Disclosure Queries on Encrypted Data
4/16/2017 Customer Benefit Prevents Data Disclosure Client-side encryption of sensitive data using keys that are never given to the database system. Queries on Encrypted Data Support for equality comparison, incl. join, group by and distinct operators. Application Transparency Minimal application changes via server and client library enhancements. Allows customers to securely store sensitive data outside of their trust boundary. Data remains protected from high-privileged, yet unauthorized users. © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

6 SQL Server or SQL Database
How it Works Encrypted sensitive data and corresponding keys are never seen in plaintext in SQL Server SQL Server or SQL Database trust boundary Client "SELECT Name FROM Customers WHERE SSN " " "SELECT Name FROM Customers WHERE SSN 0x7ff654ae6d ciphertext ADO .NET Result Set Result Set Name Wayne Jefferson Name 0x19ca706fbd9a dbo.Customers Name SSN Country 0x19ca706fbd9a 0x7ff654ae6d USA ciphertext

7 Types of Encryption in v1
Randomized encryption Encrypt(' ') = 0x17cfd50a Repeat: Encrypt(' ') = 0x9b1fcf32 Allows for transparent retrieval of encrypted data but NO operations More secure Deterministic encryption Encrypt(' ') = 0x85a55d3f Repeat: Encrypt(' ') = 0x85a55d3f Allows for transparent retrieval of encrypted data AND equality comparison E.g. in WHERE clauses and joins, distinct, group by

8 Key Provisioning 1. Generate CEKs and Master Key 2. Encrypt CEK
Column Encryption Key (CEK) Column Master Key (CMK) 2. Encrypt CEK Encrypted CEK CMK Store: Certificate Store HSM Azure Key Vault CMK 3. Store Master Key Securely Security Officer 4. Upload Encrypted CEK to DB Encrypted CEK Database

9 Demo Always Encrypted

10 Row-Level Security SQL Server 2016 SQL Database

11 Customer Benefit Fine-grained Access Control Application Transparency
4/16/2017 Customer Benefit Fine-grained Access Control Keeping multi-tenant databases secure by limiting access by other users who share the same tables. Application Transparency RLS works transparently at query time, no app changes needed. Compatible with RLS in other leading products. Centralized Security Logic Enforcement logic resides inside database and is schema-bound to the table it protects providing greater security. Reduced application maintenance and complexity. Store data intended for many consumers in a single database/table while at the same time restricting row-level read & write access based on users’ execution context. © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

12 RLS Concepts Predicate function Security predicate Security policy
User-defined inline table-valued function (iTVF) implementing security logic Can be arbitrarily complicated, containing joins with other tables Security predicate Applies a predicate function to a particular table (SEMIJOIN APPLY) Two types: filter predicates and blocking predicates Security policy Collection of security predicates for managing security across multiple tables CREATE SECURITY POLICY mySecurityPolicy ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime) ON dbo.patients

13 Demo RLS

14 Transparent Data Encryption New for Azure SQL Database v12

15 SQL DB Management Service
How It Works On by choice Protects database and all of its backups, transaction logs and tempdb “2-click” User Experience Alternatively: 2 T-SQL statements Azure SQL DB manages your keys (aka service managed TDE) Improved Encryption Performance Using INTEL’s AES-NI Hardware Acceleration Available on v12 servers, all SQL DB’s editions Customer A Customer B Customer B Customer A SQL DB Management Service

16 Demo TDE

17 Dynamic Data Masking SQL Server 2016 SQL Database

18 Dynamic Data Masking Regulatory Compliance Sensitive Data Protection
4/16/2017 Dynamic Data Masking Regulatory Compliance A strong demand for applications to meet privacy standards recommended by regulating authorities. Sensitive Data Protection Protects against unauthorized access to sensitive data in the application. © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

19 Demo Dynamic Data Masking Microsoft Ignite 2015 4/16/2017 4:27 PM
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

20 Power BI Content Packs for SQL DB Audit soon available for SQL Database
Microsoft Ignite 2015 4/16/2017 4:27 PM © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

21 Resources MSDN Documentation
Security Center for SQL Server Database & SQL Database SQL Server Security Blog Additional examples, useful tips and tricks SQL Server Label Security Toolkit Updated version to take advantage of RLS coming later in CY15

22 Please evaluate this session
4/16/2017 4:27 PM Please evaluate this session Your feedback is important to us! Visit Myignite at or download and use the Ignite Mobile App with the QR code above. © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23 4/16/2017 4:27 PM © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Download ppt "Overview and Roadmap for Microsoft SQL Server Security"

Similar presentations

The twenty-four/seven database Oracle Database Security David Yahalom Senior database consultant

The twenty-four/seven database Oracle Database Security David Yahalom Senior database consultant
Vormetric Data Security

Vormetric Data Security
1Key – Report Creation with DB2. DB2 Databases Create Domain for DB2 Test Demo.

1Key – Report Creation with DB2. DB2 Databases Create Domain for DB2 Test Demo.
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.

Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
CryptDB: A Practical Encrypted Relational DBMS Raluca Ada Popa, Nickolai Zeldovich, and Hari Balakrishnan MIT CSAIL New England Database Summit 2011.

CryptDB: A Practical Encrypted Relational DBMS Raluca Ada Popa, Nickolai Zeldovich, and Hari Balakrishnan MIT CSAIL New England Database Summit 2011.
Toolbox Mirror -Overview Effective Distributed Learning.

Toolbox Mirror -Overview Effective Distributed Learning.
یا ذالامن و الامان. Virtual Private Database Mohammad Amin Sabbaghian.

یا ذالامن و الامان. Virtual Private Database Mohammad Amin Sabbaghian.
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
15 Copyright © 2006, Oracle. All rights reserved. Database Security.

15 Copyright © 2006, Oracle. All rights reserved. Database Security.
Oracle Database 12c Data Protection and Multitenancy on Oracle Solaris 11 Xiaosong Zhu Senior Software Engineer Copyright © 2014, Oracle and/or its affiliates.

Oracle Database 12c Data Protection and Multitenancy on Oracle Solaris 11 Xiaosong Zhu Senior Software Engineer Copyright © 2014, Oracle and/or its affiliates.
ORACLE DATABASE SECURITY

ORACLE DATABASE SECURITY
Subtitle color From Windows Azure From Outside Microsoft Datacenter From Windows Azure & Outside Microsoft Datacenter Application / Browser Windows.

Subtitle color From Windows Azure From Outside Microsoft Datacenter From Windows Azure & Outside Microsoft Datacenter Application / Browser Windows.
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
Cao Tiến Đức. Outline What is TDE How TDE works Basic TDE operations Tablespace encryption HSM Reference.

Cao Tiến Đức. Outline What is TDE How TDE works Basic TDE operations Tablespace encryption HSM Reference.
Roy Ernest Database Administrator Pinnacle Sports Worldwide SQL Server 2008 Transparent Data Encryption.

Roy Ernest Database Administrator Pinnacle Sports Worldwide SQL Server 2008 Transparent Data Encryption.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 6 Virtual Private Databases.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 6 Virtual Private Databases.
CSIS 4310 – Advanced Databases Virtual Private Databases.

CSIS 4310 – Advanced Databases Virtual Private Databases.
Additional Security Tools Lesson 15. Skills Matrix.

Additional Security Tools Lesson 15. Skills Matrix.
Chapter No 4 Query optimization and Data Integrity & Security.

Chapter No 4 Query optimization and Data Integrity & Security.
VM Azure Storage Backup to Azure Storage On Premise Data Files in Azure Storage Optionally Managed Microsoft Azure Secondary Primary AlwaysOn.

VM Azure Storage Backup to Azure Storage On Premise Data Files in Azure Storage Optionally Managed Microsoft Azure Secondary Primary AlwaysOn.

Similar presentations

Ads by Google