The event, held on 21st April 2018, was part of the Global Azure Bootcamp and covered Microsoft's GDPR & SQL whitepaper and the following new features:
- SQL Information Protection
- Vulnerability Assessment on SSMS & SQL Azure
- Data Classification on SSMS & SQL Azure
- Azure SQL Database Auditing
- Azure SQL Threat Detection
https://techspark.mt/global-azure-bootcamp-21st-april-2018/
2. Ralph: Who am I?
• A Solutions Architect
• at a gaming company
• focus on Data Platforms
• A Microsoft Certified Trainer
• deliver MTA, MCSA, MCSE locally
• covering Windows, SQL Server, C#
• I’m here to describe how Microsoft SQL Platform can help you become
compliant with the upcoming EU General Data Protection Regulation
(GDPR) by introducing SQL Information Protection (SQL IP) as a means
to discover, classify, monitor, and audit potentially sensitive data.
3. Ralph: But…
…not a lawyer
…not GDPR certified
_________________________________________________________________
Get legal advice!
4. Live poll!
How prepared is your organisation to comply with the GDPR?
https://kahoot.it
5. Poll results from Tech-Spark audience
Q1. How prepared is your organisation to comply with the GDPR?
  "Ready to comply": 8   "Making preparations": 10   "Won't be ready": 2   "What is GDPR?": 4
Q2. When is GDPR due to take effect?
  "25 Apr 2018": 0   "15 May 2018": 6   "25 May 2018": 13   "15 Jun 2018": 5
8. We have a responsibility to protect information
9. GDPR to the rescue
• Over 190 known data breaches have taken place since 2010 [1]
• The EU’s General Data Protection Regulation (GDPR)
• sets a new bar for privacy rights, security, and compliance.
• is due to take effect on May 25, 2018.
• "Guide to enhancing privacy and addressing GDPR requirements with the Microsoft SQL platform" whitepaper, published on 24th May 2017 [2]
[1] https://en.wikipedia.org/wiki/List_of_data_breaches
[2] https://aka.ms/gdprsqlwhitepaper
10. GDPR to the rescue
• Article 25 – Data protection by design and default
  • Control who is accessing data and how
  • Minimize data being processed in terms of amount of data collected, extent of processing, storage period, and accessibility
• Article 30 – Records of processing activities
  • Maintain an audit record of processing activities on personal data
• Article 32 – Security of processing
  • Employ pseudonymization and encryption
  • Monitor access to processing systems
  • Restore availability and access in the event of an incident
  • Provide a process for regularly testing and assessing effectiveness of security measures
• Article 33 – Notification of a personal data breach to the supervisory authority
  • Detect breaches
  • Assess impact on and identification of personal data records concerned
  • Describe measures to address breach
• Article 35 – Data protection impact assessment
  • Describe processing operations, including their necessity and proportionality
  • Assess risks associated with processing
  • Include safeguards for control management integrated into processing
  • Apply measures to address risks and protect personal data, and demonstrate compliance with the GDPR
12. Discovering and classifying personal data and its access vectors
• Query metadata to identify column names which potentially contain
personal data such as Name, Birthdate, ID number, etc.
• System catalog views: sys.columns
• System stored procedures: sp_columns
• Information Schemas: INFORMATION_SCHEMA.COLUMNS
• Advanced discovery capabilities
• Use Full-Text Search in Microsoft SQL to search for keywords located within
freeform text
• Tag sensitive data using Extended Properties to add sensitivity labels to
relevant columns
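The metadata query and the Extended Properties tagging described on this slide, as an added T-SQL example that is not part of the talk. It assumes a constructed dbo.Customers table and that the two extended-property names are the ones SSMS 17.5 Data Discovery & Classification writes.

```sql
-- Added example (not from the talk): find columns whose names suggest
-- personal data, then tag one with the extended properties that SSMS
-- Data Discovery & Classification reads. dbo.Customers is constructed here.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    FullName   nvarchar(100),
    BirthDate  date,
    Email      nvarchar(254),
    CardNumber char(16)
);

-- 1. Discovery: match column names against a small keyword list.
--    INFORMATION_SCHEMA.COLUMNS is used; sys.columns works the same way.
DECLARE @patterns TABLE (pattern sysname, info_type sysname);
INSERT INTO @patterns (pattern, info_type) VALUES
    (N'%name%',  N'Name'),
    (N'%birth%', N'Date Of Birth'),
    (N'%email%', N'Contact Info'),
    (N'%phone%', N'Contact Info'),
    (N'%card%',  N'Credit Card');

SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.DATA_TYPE,
       p.info_type AS suggested_information_type
FROM INFORMATION_SCHEMA.COLUMNS AS c
JOIN @patterns AS p ON c.COLUMN_NAME LIKE p.pattern
ORDER BY c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME;

-- 2. Tag one column. The property names are the ones SSMS 17.5 writes
--    (assumption: your build uses the same), so the manual tag shows up
--    in its classification report.
EXEC sys.sp_addextendedproperty
    @name = N'sys_information_type_name', @value = N'Contact Info',
    @level0type = N'SCHEMA', @level0name = N'dbo',
    @level1type = N'TABLE',  @level1name = N'Customers',
    @level2type = N'COLUMN', @level2name = N'Email';
EXEC sys.sp_addextendedproperty
    @name = N'sys_sensitivity_label_name', @value = N'Confidential - GDPR',
    @level0type = N'SCHEMA', @level0name = N'dbo',
    @level1type = N'TABLE',  @level1name = N'Customers',
    @level2type = N'COLUMN', @level2name = N'Email';

-- 3. Report every tagged column with its label and information type.
SELECT SCHEMA_NAME(t.schema_id) AS [schema], t.name AS [table], c.name AS [column],
       ep.name AS property, CAST(ep.value AS nvarchar(128)) AS [value]
FROM sys.extended_properties AS ep
JOIN sys.columns AS c ON c.object_id = ep.major_id AND c.column_id = ep.minor_id
JOIN sys.tables  AS t ON t.object_id = c.object_id
WHERE ep.class = 1
  AND ep.name IN (N'sys_information_type_name', N'sys_sensitivity_label_name');
```

Name matching only finds what the keyword list anticipates; freeform text columns (Notes, Comments) still need the Full-Text Search pass the slide mentions.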
13. Managing access and controlling how data is used and accessed
• Authentication – only users with valid credentials can access the database
• Windows Authentication (via Active Directory)
• Azure AD
• Authorisation – principle of least privilege
• object-level permissions
• role-based security
• Azure SQL Database Firewall – built-in firewall enabled by default on the cloud
• Data-protection principles
• Dynamic Data Masking (DDM) [3] – only view parts of the data, e.g. masked credit card details
• Row-Level Security (RLS) [3] – only view intended rows
[3] http://tech-spark.com/2017/04/22/global-azure-bootcamp-22nd-april-2017/
14. Protecting personal data against security threats
• Encryption
• Transport Layer Security (TLS) – encrypt data in transit to and from the database
• Transparent Data Encryption (TDE) – encrypt data at rest
• Always Encrypted – allows customers to encrypt sensitive data inside client
applications and never reveal the encryption keys to the database engine
• Auditing
• Auditing for Azure SQL Database – track database activities
• SQL Database Threat Detection – detect anomalous activities
• SQL Server Audit – track activities on an on-premises database
15. Business continuity
• SQL Server Always On
• Always On Availability Groups [4]
• Always On Failover Cluster Instances [4]
• Azure SQL technologies
• Point-in-Time Restore
• Long-term retention
• Active Geo-Replication
[4] http://tech-spark.com/2017/03/12/high-availability-10th-march-2017/
16. Reporting on data protection policies and reviewing regularly
• SQL Server Audit
• Temporal Tables [3]
[3] http://tech-spark.com/2017/04/22/global-azure-bootcamp-22nd-april-2017/
18. Introducing SQL Information Protection
• In public preview, SQL Information Protection (SQL IP) introduces
advanced capabilities for discovering, classifying, labeling, and
protecting the sensitive data in your databases.
• This is built into Azure SQL Database and similar capabilities are also
being introduced for on-premises SQL Server via SQL Server
Management Studio (SSMS).
• Additional features are being worked on and will be rolled-out over
the coming months.
19. What is SQL Information Protection?
• This new information protection paradigm in SQL is aimed at protecting the data, not just the database:
• Discovery and recommendations – The classification engine scans your database and identifies columns containing potentially
sensitive data. It then provides you an easy way to review and apply the appropriate classification recommendations.
• Labeling – Sensitivity classification labels can be persistently tagged on columns.
• Azure SQL DB stores this in new classification metadata attributes introduced into the SQL engine. This metadata can then be utilized for
advanced sensitivity-based auditing and protection scenarios.
• SQL Server stores this using extended properties on columns.
• Monitoring/Auditing – Sensitivity of the query result set is calculated in real time and used for auditing access to sensitive data
(currently in Azure SQL DB only).
• Visibility – The database classification state can be viewed:
• Azure SQL DB in a detailed dashboard in the portal. Additionally, you can download a report, in Excel format, to be used for compliance and
auditing purposes, as well as other needs.
• SSMS in a detailed report that can be printed/exported to be used for compliance & auditing purposes, as well as other needs.
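Added example, not from the slides: on Azure SQL Database the labels live in engine metadata (the ADD SENSITIVITY CLASSIFICATION statement and the sys.sensitivity_classifications view, also present in SQL Server 2019 and later), and a short gap report turns that metadata into a reviewer's to-do list. The dbo.Customers table is constructed; the label and information-type strings are the SSMS defaults.

```sql
-- Added example (not from the talk): Azure SQL Database keeps classification
-- as engine metadata rather than extended properties. dbo.Customers is
-- constructed so the script runs in an empty database.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    FullName   nvarchar(100),
    Email      nvarchar(254),
    Notes      nvarchar(max)
);

-- 1. Apply labels. These persist in the database and are what the portal
--    dashboard, the Excel export and sensitivity-based auditing read.
ADD SENSITIVITY CLASSIFICATION TO dbo.Customers.FullName
WITH (LABEL = 'Confidential - GDPR', INFORMATION_TYPE = 'Name');
ADD SENSITIVITY CLASSIFICATION TO dbo.Customers.Email
WITH (LABEL = 'Confidential - GDPR', INFORMATION_TYPE = 'Contact Info');

-- 2. Gap report: for every table that already has at least one classified
--    column, list the columns that still carry no label, so a reviewer can
--    confirm they were left unclassified on purpose (here: CustomerId, Notes).
SELECT SCHEMA_NAME(t.schema_id) AS [schema], t.name AS [table], c.name AS [column],
       sc.label, sc.information_type,
       CASE WHEN sc.label IS NULL THEN 'review' ELSE 'classified' END AS [status]
FROM sys.tables AS t
JOIN sys.columns AS c ON c.object_id = t.object_id
LEFT JOIN sys.sensitivity_classifications AS sc
       ON sc.class = 1 AND sc.major_id = c.object_id AND sc.minor_id = c.column_id
WHERE EXISTS (SELECT 1 FROM sys.sensitivity_classifications AS x
              WHERE x.class = 1 AND x.major_id = t.object_id)
ORDER BY [schema], [table], c.column_id;

-- 3. Remove a label that was applied by mistake.
DROP SENSITIVITY CLASSIFICATION FROM dbo.Customers.Email;
```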
20. SQL Server Management Studio
• SSMS 17.4: Vulnerability Assessment.
• SSMS 17.5: SQL Data Discovery and Classification.
33. Azure SQL Threat Detection: SQL injection
• This is triggered when an active exploit is currently happening against an identified vulnerability.
• Usually a random series of SQL statements, sent to see whether data can be returned.
• Subsequent attacks are built on the information returned by earlier ones.
• The ultimate goal is to obtain sensitive information, hold it to ransom (e.g. data encryption), or even cause disruption (e.g. data deletion).
34. Azure SQL Threat Detection: SQL injection vulnerability
• Your application is vulnerable to a SQL injection attack:
• A defect that generates faulty SQL statements
• Un-sanitised user input
• Building dynamic SQL without using parameters
• Not using stored procedures
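The "dynamic SQL without parameters" defect from this slide beside two safe forms, as an added T-SQL example that is not part of the talk. It assumes a constructed dbo.Customers table; a legitimate e-mail address containing an apostrophe is enough to show the vulnerable version generating a faulty statement.

```sql
-- Added example (not from the talk): the "dynamic SQL without parameters"
-- defect from the slide, beside two safe versions. dbo.Customers is constructed.
CREATE TABLE dbo.Customers (CustomerId int PRIMARY KEY, Email nvarchar(254));
INSERT INTO dbo.Customers (CustomerId, Email)
VALUES (1, N'alice@example.com'), (2, N'o''brien@example.com');
GO

-- VULNERABLE: the input is spliced into the statement text, so it can change
-- the statement's structure. Even an honest value with an apostrophe breaks it.
CREATE PROCEDURE dbo.FindCustomer_Vulnerable @Email nvarchar(254) AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Email FROM dbo.Customers WHERE Email = '''
        + @Email + N''';';
    EXEC (@sql);
END;
GO

-- SAFE (preferred): no dynamic SQL at all; the value is only ever a parameter.
CREATE PROCEDURE dbo.FindCustomer_Static @Email nvarchar(254) AS
BEGIN
    SELECT CustomerId, Email FROM dbo.Customers WHERE Email = @Email;
END;
GO

-- SAFE (when the SQL must be built at runtime): the statement text is a
-- constant and the value travels as a typed parameter via sp_executesql.
CREATE PROCEDURE dbo.FindCustomer_Parameterised @Email nvarchar(254) AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Email FROM dbo.Customers WHERE Email = @Email;';
    EXEC sys.sp_executesql @sql, N'@Email nvarchar(254)', @Email = @Email;
END;
GO

-- The same legitimate input: the safe procedures return customer 2; the
-- vulnerable one raises a syntax error (the "faulty SQL statement" on the slide).
EXEC dbo.FindCustomer_Static        @Email = N'o''brien@example.com';
EXEC dbo.FindCustomer_Parameterised @Email = N'o''brien@example.com';
EXEC dbo.FindCustomer_Vulnerable    @Email = N'o''brien@example.com';
```

Those syntax errors from a production procedure are themselves a detection signal: they are the pattern Threat Detection's "SQL injection vulnerability" alert looks for.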
35. Azure SQL Threat Detection: Anomalous client login
• This is based upon behavioural analytics and anomaly detection:
• Login from an unusual location
• A new user has logged in for the first time
• Credentials brute force such as a high number of failed logins
• Potentially harmful client application
41. Azure backend for a Mobile+ app
8th May 2018
Oliver Gomersall; Mobile Innovation Specialist (Azure) @ Microsoft
Sergio Viana; Microsoft Solutions Lead @ Xpand IT