Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kristina Rumpff Securing Data on your Terms DAT33 1.

Published byAntonia Martin Modified over 8 years ago

Similar presentations

Presentation on theme: "Kristina Rumpff Securing Data on your Terms DAT33 1."— Presentation transcript:

1

2 Kristina Rumpff Securing Data on your Terms DAT33 1

3

4 Encryption Summary

5

6 Jane Doe Name 198-33-0987 SSN USA Country Jim Gray200-45-7569USA John Smith374-29-0782USA dbo.Patients Jane Doe Name 2467-3874-8234-2245 CardNumber Jim Gray2467-8739-2834-7342 John Smith3845-9384-8892-8234 dbo.Payment Database LevelTable LevelFile Level

7 What is TDE TDE Encrypts data at rest This Occurs at the File level Data within the database is stored in plain text

8 In SQL Server 2016 CTP2, the storage for memory-optimized tables will be encrypted as part of enabling TDE on the database Simply follow the same steps as you would for a disk-based database Windows Operating System Level Data Protection SQL Server Instance Level User Database Level Database Encryption Key Service Master Key DPAPI encrypts the Service Master Key Master Database Level Database Encryption Key Service Master Key Encrypts the Database master Key for the master Database Database Master Key of the master Database creates a certificate in the master database The certificate encrypts the database Encryption Key in the user database The entire user database is secured by the Datbase Encryption Key (DEK) of the user database by using transparent database encryption Created at a time of SQL Server setup Statement: CREAT MASTER KEY… Statement: CREATE CERTIFICATE… Statement: CREATE DATABASE ENCRYPTION KEY… Statement: ALTER DATABSE… SET ENCRYPTION

9 Considerations Key management Backup History Always On You will need the same encryption key across all db’s in the group TempDB The TempDB will be encrypted if any database on the instance is encrypted.

10

11 Demo will include SQL Server 2016 -Creating encryption hierarchy -Encrypt Database SQL Server Azure Show how to turn on TDE

12

13 What is Cell Level Encryption A symmetric key is used to encrypt the data as it is inserted, and to decrypt as it is read. The end result is that the data is stored encrypted. The database engine encrypts/decrypts.

14 Considerations Key management Backup History Import/Export The encrypt/decrypt is part of the sql statement

15 Jane Doe Name 198-33-0987 SSN USA Country Jim Gray200-45-7569USA John Smith374-29-0782USA dbo.Patients Jane Doe Name 2467-3874-8234-2245 CardNumber Jim Gray2467-8739-2834-7342 John Smith3845-9384-8892-8234 dbo.Payment Database LevelTable LevelFile Level

16 dbo.Patients Jane Doe Name 243-24-9812 SSN USA Country Jim Gray198-33-0987USA John Smith123-82-1095USA dbo.Patients Jane Doe Name 1x7fg655se2e SSN USA Jim Gray0x7ff654ae6dUSA John Smith0y8fj754ea2cUSA Country Result Set Jim Gray Name Jane Doe Name 1x7fg655se2e SSN USA Country Jim Gray0x7ff654ae6dUSA John Smith0y8fj754ea2cUSA dbo.Patients SQL Server ciphertext Query Help protect data at rest and in motion, on-premises & cloud Trusted Apps SELECT Name FROM Patients WHERE SSN=@SSN Result Set Jim Gray Name SELECT Name FROM Patients WHERE SSN=@SSN @SSN=0x7ff654ae6d Client side @SSN=0x7ff654ae6d

17

18 Demo will include Show how to create encryption keys Show plain text column Show encrypted column Show how the application will need to be changed.

19

20 What is Always Encryption A way to encrypt your data with minimal change the application. Data is encrypted in transit and at rest.

21 Jane Doe Name 198-33-0987 SSN USA Country Jim Gray200-45-7569USA John Smith374-29-0782USA dbo.Patients Jane Doe Name 2467-3874-8234-2245 CardNumber Jim Gray2467-8739-2834-7342 John Smith3845-9384-8892-8234 dbo.Payment Database LevelTable LevelFile Level

22 dbo.Patients Jane Doe Name 243-24-9812 SSN USA Country Jim Gray198-33-0987USA John Smith123-82-1095USA dbo.Patients Jane Doe Name 1x7fg655se2e SSN USA Jim Gray0x7ff654ae6dUSA John Smith0y8fj754ea2cUSA Country Result Set Jim Gray Name Jane Doe Name 1x7fg655se2e SSN USA Country Jim Gray0x7ff654ae6dUSA John Smith0y8fj754ea2cUSA dbo.Patients SQL Server ciphertext Query Help protect data at rest and in motion, on-premises & cloud Trusted Apps SELECT Name FROM Patients WHERE SSN=@SSN @SSN='198-33-0987' Result Set Jim Gray Name SELECT Name FROM Patients WHERE SSN=@SSN @SSN=0x7ff654ae6d Column Encryption Key Enhanced ADO.NET Library Column Master Key Client side

23 Randomized encryption Encrypt('123-45-6789') = 0x17cfd50a Repeat: Encrypt('123-45-6789') = 0x9b1fcf32 Allows for transparent retrieval of encrypted data but NO operations More secure Deterministic encryption Encrypt('123-45-6789') = 0x85a55d3f Repeat: Encrypt('123-45-6789') = 0x85a55d3f Allows for transparent retrieval of encrypted data AND equality comparison E.g. in WHERE clauses and joins, distinct, group by Two types of encryption available Randomized encryption uses a method that encrypts data in a less predictable manner Deterministic encryption uses a method which always generates the same encrypted value for any given plain text value Types of Encryption for Always Encrypted

24 Security Officer 1. Generate CEKs and Master Key 2. Encrypt CEK 3. Store Master Key Securely 4. Upload Encrypted CEK to DB CMK Store: Certificate Store HSM Azure Key Vault … Encrypted CEK Column Encryption Key (CEK) Column Master Key (CMK) Key Provisioning CMK Database Encrypted CEK

25 Param Encryption Type/ Algorithm Encrypted CEK Value CMK Store Provider NameCMK Path @NameNon-DET/ AES 256 CERTIFICATE_ STORE Current User/ My/f2260… EXEC sp_execute_sql N'SELECT * FROM Customers WHERE SSN = @SSN', @params = N'@SSN VARCHAR(11)', @SSN=0x7ff654ae6d Param Encryption Type/ Algorithm Encrypted CEK Value CMK Store Provider NameCMK Path @SSNDET/ AES 256 CERTIFICATE_ STORE Current User/ My/f2260… Enhanced ADO.NET Plaintext CEK Cache exec sp_describe_parameter_encryption @params = N'@SSN VARCHAR(11)', @tsql = N'SELECT * FROM Customers WHERE SSN = @SSN' Result set (ciphertext) Name Jim Gray Result set (plaintext) using (SqlCommand cmd = new SqlCommand( "SELECT Name FROM Customers WHERE SSN = @SSN“, conn)) { cmd.Parameters.Add(new SqlParameter( "@SSN", SqlDbType.VarChar, 11).Value = "111-22-3333"); SqlDataReader reader = cmd.ExecuteReader(); Client - TrustedSQL Server - Untrusted Encryption metadata Name 0x19ca706fbd9 Encryption metadata CMK Store Example

26 Considerations Key management The keys need to be backed up Always on replica’s need the same keys The application client needs access to the key!

27

28

29 Fine-grained access control Keeping multi-tenant databases secure by limiting access by other users who share the same tables. Application transparency RLS works transparently at query time, no app changes needed. Compatible with RLS in other leading products. Centralized security logic Enforcement logic resides inside database and is schema-bound to the table it protects providing greater security. Reduced application maintenance and complexity. Store data intended for many consumers in a single database/table while at the same time restricting row-level read & write access based on users’ execution context. Benefits of row-level security

30 CREATE SECURITY POLICY mySecurityPolicy ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime) ON dbo.patients Predicate function User-defined inline table-valued function (iTVF) implementing security logic Can be arbitrarily complicated, containing joins with other tables Security predicate Applies a predicate function to a particular table (SEMIJOIN APPLY) Two types: filter predicates and blocking predicates Security policy Collection of security predicates for managing security across multiple tables RLS Concepts

31 CREATE FUNCTION dbo.fn_securitypredicate(@wing int) RETURNS TABLE WITH SCHEMABINDING AS return SELECT 1 as [fn_securitypredicate_result] FROM StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId) WHERE e.UserSID = SUSER_SID() AND @wing = d.Wing; CREATE SECURITY POLICY dbo.SecPol ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON Patients WITH (STATE = ON) Fine-grained access control over rows in a table based on one or more pre-defined filtering criteria, e.g., user’s role or clearance level in organization. Concepts: Predicate function Security policy Example

32 Two App user (e.g., nurse) selects from Patients table Three Security Policy transparently rewrites query to apply filter predicate Database Policy Manager CREATE FUNCTION dbo.fn_securitypredicate(@wing int) RETURNS TABLE WITH SCHEMABINDING AS return SELECT 1 as [fn_securitypredicate_result] FROM StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId) WHERE e.UserSID = SUSER_SID() AND @wing = d.Wing; CREATE SECURITY POLICY dbo.SecPol ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON Patients WITH (STATE = ON) Filter Predicate: INNER JOIN… Security Policy Applicatio n Patients One Policy manager creates filter predicate and security policy in T-SQL, binding the predicate to the Patients table Nurse SELECT * FROM Patients SEMIJOIN APPLY dbo.fn_securitypredicate(patients.Wing); SELECT Patients.* FROM Patients, StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId) WHERE e.UserSID = SUSER_SID() AND Patients.wing = d.Wing; RLS in Three Steps

33 Create Security Policy

34

35

36 Configuration made easy in the new Azure portal Policy-driven at the table and column level, for a defined set of users Data masking applied in real-time to query results based on policy Multiple masking functions available (e.g. full, partial) for various sensitive data categories (e.g. Credit Card Numbers, SSN, etc.) SQL Database SQL Server 2016 CTP2 Table.CreditCardNo 4465-6571-7868-5796 4468-7746-3848-1978 4484-5434-6858-6550 Real-time data masking; partial masking Dynamic Data Masking Prevent the abuse of sensitive data by hiding it from users

37 DefaultFull masking according to the data types of the designated field: i.e. String will result in “XXXX” EmailMasking will expose the first letter of an email address and will end in “.com” i.e. aXXX@XXXX.comaXXX@XXXX.com Custom StringWill expose the firsta nd last letter and adds a custom padding string in the middle. i.e KXXXa RandomFor use only on numeric. Will replace the original value within a specified range.

38

39 Complete your session evaluation on My Ignite for your chance to win one of many daily prizes.

40 Continue your Ignite learning path Visit Microsoft Virtual Academy for free online training visit https://www.microsoftvirtualacademy.com Visit Channel 9 to access a wide range of Microsoft training and event recordings https://channel9.msdn.com/ Head to the TechNet Eval Centre to download trials of the latest Microsoft products http://Microsoft.com/en-us/evalcenter/

41

Download ppt "Kristina Rumpff Securing Data on your Terms DAT33 1."

Similar presentations

Overview and Roadmap for Microsoft SQL Server Security

Overview and Roadmap for Microsoft SQL Server Security
15 Copyright © 2006, Oracle. All rights reserved. Database Security.

15 Copyright © 2006, Oracle. All rights reserved. Database Security.
ORACLE DATABASE SECURITY

ORACLE DATABASE SECURITY
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
Roy Ernest Database Administrator Pinnacle Sports Worldwide SQL Server 2008 Transparent Data Encryption.

Roy Ernest Database Administrator Pinnacle Sports Worldwide SQL Server 2008 Transparent Data Encryption.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 6 Virtual Private Databases.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 6 Virtual Private Databases.
CSIS 4310 – Advanced Databases Virtual Private Databases.

CSIS 4310 – Advanced Databases Virtual Private Databases.
Database Systems Design, Implementation, and Management Coronel | Morris 11e ©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or.

Database Systems Design, Implementation, and Management Coronel | Morris 11e ©2015 Cengage Learning. All Rights Reserved. May not be scanned, copied or.
Mission critical features in SQL 2016 David Lyth Pat Martin Premier Field Engineers, Microsoft New Zealand.

Mission critical features in SQL 2016 David Lyth Pat Martin Premier Field Engineers, Microsoft New Zealand.
Cloud first Speed Agility Proven Feedback All of this results in a better on-premises SQL Server SQL Server 2016.

Cloud first Speed Agility Proven Feedback All of this results in a better on-premises SQL Server SQL Server 2016.
Pierre Sleep tight knowing you’re prepared for outages Protect your environment with Azure ARC32 4.

Pierre Sleep tight knowing you’re prepared for outages Protect your environment with Azure ARC32 4.
Andrew Hennessy Automating Server Application migrations to the Cloud – Goodbye Server 2003. INF21 3.

Andrew Hennessy Automating Server Application migrations to the Cloud – Goodbye Server INF21 3.
James Lewis and Simon Waight Office 365 security: everywhere you need it to be PRD33 1.

James Lewis and Simon Waight Office 365 security: everywhere you need it to be PRD33 1.
Martin Cairney Hybrid data platform – making the most of Azure plus your on- prem kit DAT341 B.

Martin Cairney Hybrid data platform – making the most of Azure plus your on- prem kit DAT341 B.
Jeff Alexander & Andrew McMurray Runtime Provisioning in Windows 10 WIN327.

Jeff Alexander & Andrew McMurray Runtime Provisioning in Windows 10 WIN327.
Michael Niehaus Using the Windows Store for Business: New Capabilities for Managing Apps in the Enterprise WIN335.

Michael Niehaus Using the Windows Store for Business: New Capabilities for Managing Apps in the Enterprise WIN335.
Jessica Payne Microsoft Global Incident Response and Recovery

Jessica Payne Microsoft Global Incident Response and Recovery
Chapter 6 Virtual Private Databases

Chapter 6 Virtual Private Databases
Dr Greg Low Working with SQL Server Spatial Data DAT33 3.

Dr Greg Low Working with SQL Server Spatial Data DAT33 3.
Matt Lavery & Joanna Podgoetsky Being a DBA is cool again with SQL 2016 DAT335 A.

Matt Lavery & Joanna Podgoetsky Being a DBA is cool again with SQL 2016 DAT335 A.

Similar presentations

Ads by Google