Introduction to SQL Server Secure Enclaves concepts
SQL Server 2008 Security Enhancements
1. Ing. Eduardo Castro, PhD
ecastro@mswindowscr.org
http://comunidadwindows.org
http://ecastrom.blogspot.com
2. Transparent Data Encryption
External Key Management
Data Auditing
Pluggable CPU
Transparent Client Redirect for Database Mirroring
Database Mirroring Enhancements
DBM: Auto Page Repair
Declarative Management Framework
Server Group Management
Streamlined Installation
Enterprise System Management
Performance Data Collection
System Analysis
Partitioned Table Parallelism
Data Compression
Query Optimization Modes
Resource Governor
Visual Entity Designer
Entity Aware Adapters
SQL Server Change Tracking
Synchronized Programming Model
Visual Studio Support
SQL Server Conflict Detection
FILESTREAM data type
Integrated Full-Text Search
Sparse Columns
Large User-Defined Types
Date / Time Data Types
LOCATION data type
SPATIAL data type
Virtual Earth Integration
Entity Data Model
LINQ
Backup Compression
MERGE SQL Statement
Data Profiling
Star Join
Enterprise Reporting Engine
Internet Report Deployment
Block Computations
Scale-out Analysis
BI Platform Management
Export to Word and Excel
Author reports in Word, Excel
Report Builder Enhancements
Query Optimizations
TABLIX
Persistent Lookups
Rich Formatted Data
Personalized Perspectives
Change Data Capture
… and many more
3. Transparent data encryption – encrypt an entire database
Backup encryption – compresses and secures the backup file
Auditing – now monitors data access and modifications
Policy-based Framework from Windows Server 2008 automates administrative tasks
4. Enterprise Data Platform
Protect your information
− Transparent Data Encryption: encrypt your data without requiring an application re-write
− External Key Management: consolidate security keys within the data center
− Data Auditing: integrated auditing support
Increase the reliability of your applications
− Pluggable CPU: add system resources without affecting your users
− Enhanced Database Mirroring: leverage database mirroring to increase reliability
5. In SQL Server 2000, 3rd-party support required
Since SQL Server 2005
− Built-in support for data encryption
− Support for key management
Encryption additions in SQL Server 2008
− Transparent Data Encryption
− Extensible Key Management
6. Support for full SSL encryption since SQL Server 2000
− Clients: MDAC 2.6 or later
− Force encryption from client or server
Login packet encryption
− Used regardless of encryption settings
− Supported since 2000
− Self-generated certificates available since 2005
7. SQL Server 2005
− Built-in encryption functions
− Key management in SQL Server
− Encrypted File System (EFS)
− Bit-Locker
SQL Server 2008
− Extensible Key Management (EKM)
− Transparent Data Encryption (TDE)
8. Follow the principle of least privilege!
Avoid using sysadmin/sa and db_owner/dbo
− Grant required perms to normal login
Never use the dbo schema
− User-schema separation
Applications should have own schema
− Consider multiple schemas
Leverage Flexible Database Roles
− Facilitates role separation
Consider Auditing user activity
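The slide's four rules (no sa/dbo, user-schema separation, an application schema, flexible database roles) as one T-SQL script. This is an added example, not code from the original deck; the login, database, schema and role names (app_login, SalesDB, sales, sales_reader, sales_writer) are constructed for illustration, and the password is a placeholder.

```sql
-- Added example (not from the original deck): least-privilege setup for an
-- application on SQL Server 2008. All object names are constructed.

USE master;
GO
-- One dedicated login for the application; never the sa login.
CREATE LOGIN app_login WITH PASSWORD = '<use-a-strong-password>', CHECK_POLICY = ON;
GO

USE SalesDB;
GO
-- Map the login to a database user that is NOT dbo and is not in db_owner.
CREATE USER app_user FOR LOGIN app_login;
GO
-- User-schema separation: the application gets its own schema, owned by dbo,
-- so its objects never land in the dbo schema.
CREATE SCHEMA sales AUTHORIZATION dbo;
GO
ALTER USER app_user WITH DEFAULT_SCHEMA = sales;
GO
-- Flexible database roles carry exactly the permissions each duty needs.
CREATE ROLE sales_reader;
CREATE ROLE sales_writer;
GO
-- Grant on the schema, so tables added to it later inherit the permission
-- without further GRANT statements.
GRANT SELECT ON SCHEMA::sales TO sales_reader;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::sales TO sales_writer;
GO
-- SQL Server 2008 adds members with sp_addrolemember
-- (ALTER ROLE ... ADD MEMBER only exists from SQL Server 2012 on).
EXEC sp_addrolemember 'sales_reader', 'app_user';
GO
-- Check 1: what was actually granted, and on which schema.
SELECT dp.name AS grantee, p.permission_name, p.state_desc, p.class_desc,
       SCHEMA_NAME(CASE WHEN p.class = 3 THEN p.major_id END) AS schema_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp ON p.grantee_principal_id = dp.principal_id
WHERE dp.name IN ('app_user', 'sales_reader', 'sales_writer');
GO
-- Check 2: role membership; db_owner must not appear for app_user.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals AS m ON rm.member_principal_id = m.principal_id
WHERE m.name = 'app_user';
GO
```

Running both checks after deployment is the cheapest way to catch the common regression where someone "fixes" a permissions error by adding the application user to db_owner.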
9. [Diagram: EKM architecture] HSM module: key storage, management and encryption are done by the HSM module. SQL EKM Key (HSM key proxy): the SQL EKM key is a proxy to the HSM key. SQL EKM Provider DLL: implements the SQLEKM interface and calls into the HSM module. Other components shown: SQL Server, Data.
10. Security
− Data and keys are physically separated (keys are stored in HSM modules)
− Centralized key management and storage for the enterprise
− Additional authentication layer
− Separation of duties between db_owner and data owner
Performance
− Pluggable hardware encryption boards
11. [Diagram: EKM key types] The HSM holds a symmetric key and an asymmetric key; SQL Server references them as an EKM symmetric key and an EKM asymmetric key, each protecting data. Native TDE uses a symmetric DEK key.
12. [Diagram: TDE] Encryption/decryption in SQL Server 2008 at database level, transparent to the client application: each data page is encrypted with the DEK. The DEK is encrypted with:
− Certificate
− Key residing in a Hardware Security Module (HSM)
Certificate required to attach database files or restore a backup
13. [Diagram: TDE key hierarchy]
Operating System Level: Data Protection API (DPAPI) encrypts the Service Master Key
SQL Server 2008 Instance Level: Service Master Key encrypts the Database Master Key
SQL Server 2008 Master Database: Database Master Key (also protected by a password) encrypts the Certificate in the master database
SQL Server 2008 Master Database: Certificate encrypts the Database Encryption Key
SQL Server 2008 User Database: Database Encryption Key
14. [Diagram: TDE with EKM] Asymmetric Key resides on the EKM device (Hardware Security Module, HSM); the Asymmetric Key encrypts the Database Encryption Key in the SQL Server 2008 user database
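The key hierarchy from the two preceding slides, built top-down in T-SQL, with the certificate backup that the "certificate required to attach or restore" point depends on. This is an added example, not code from the original deck; the database name SalesDB, the certificate name TDE_Cert, the file paths and the passwords are placeholders, and the DMV used for monitoring is SQL Server's sys.dm_database_encryption_keys.

```sql
-- Added example (not from the original deck): creating the TDE key hierarchy.
-- SalesDB, TDE_Cert, file paths and passwords are placeholders.

USE master;
GO
-- 1. Database Master Key in master. It is protected by the password given
--    here and, automatically, by the Service Master Key (which DPAPI protects
--    at the operating-system level).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-dmk-password>';
GO
-- 2. Certificate in master, protected by the DMK. This is the object that
--    encrypts the DEK, so a mirror partner or restore target must hold it too.
CREATE CERTIFICATE TDE_Cert WITH SUBJECT = 'TDE certificate for SalesDB';
GO
-- 3. Back up the certificate and private key now. Without this backup the
--    database files cannot be attached or restored on any other instance.
BACKUP CERTIFICATE TDE_Cert
    TO FILE = 'D:\keybackup\TDE_Cert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keybackup\TDE_Cert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong-pvk-password>');
GO
-- 4. Database Encryption Key inside the user database, encrypted by the
--    certificate (the alternative is ENCRYPTION BY SERVER ASYMMETRIC KEY for
--    an EKM/HSM-resident key, as on the slide above).
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDE_Cert;
GO
-- 5. Switch encryption on. A background task now encrypts every page, and
--    tempdb becomes encrypted as well; the application is not changed.
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- 6. Monitor progress: encryption_state 2 = encryption in progress,
--    3 = encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state, percent_complete, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO
-- 7. On the mirror or restore server, recreate the certificate in master
--    from the backup BEFORE restoring or attaching the database:
-- CREATE CERTIFICATE TDE_Cert
--     FROM FILE = 'D:\keybackup\TDE_Cert.cer'
--     WITH PRIVATE KEY (FILE = 'D:\keybackup\TDE_Cert.pvk',
--                       DECRYPTION BY PASSWORD = '<strong-pvk-password>');
```

Step 3 is the one most often skipped; the certificate backup and its password belong in the same controlled store as the HSM credentials, not on the database server itself.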
15. Compatible with Database Compression
Not recommended with Backup Compression
Database Mirroring
− Copy certificate from primary to mirror
Log files are not retroactively encrypted
− Encryption begins at next VLF boundary
Tempdb is encrypted as soon as one database in the instance uses TDE
Enterprise only
16. Operational Impact
Storage replication at hardware level
− Background task encrypts all pages
− At HW level, all pages get changed, i.e. all pages need to be replicated
− Need to test whether your hardware replication can handle this throughput
When using Database Mirroring or Log Shipping
− Ensure that the mirror server has the master key and certificate as well
− Bottleneck isn't throughput of pages: the transaction log has 1 entry per 4 extents (32 pages) noting that the extents are encrypted
− But the secondary server's restore of the transaction log uses fewer threads than the principal/primary server, i.e. a backlog in restore activity
Possible Failover Issues
− Synchronous mirroring backlog may result in not being able to fail over, since restoring the received transaction log records could take a few hours
− For log shipping, restoration of the backups will fall behind; manual failover cannot take place before the restore finally catches up
− May want to consider disabling HA and performing a resynchronization of your HA configuration
17. SQL Server 2005
SQL Trace
DDL/DML Triggers
Third-party tools to read transaction logs
No management tools support
SQL Server 2008
SQL Server Audit
18. [Diagram: SQL Server Audit object model]
Audit: writes to a File, the Security Event Log or the Application Event Log
Server audit specification: 0..1 per Audit object; contains Server Audit Actions
Database audit specification: 0..1 per Audit object per database; contains Database Audit Actions
CREATE SERVER AUDIT SPECIFICATION SvrAC
FOR SERVER AUDIT PCI_Audit
ADD (FAILED_LOGIN_GROUP);
CREATE DATABASE AUDIT SPECIFICATION AuditAC
FOR SERVER AUDIT PCI_Audit
ADD (SELECT ON Customers BY public);
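The complete chain behind the two specification fragments on the slide: the Audit object that owns the target, the two specifications, enabling them, and reading the records back. This is an added example, not code from the original deck; the names PCI_Audit, SvrAC and AuditAC come from the slide, while SalesDB, dbo.Customers and the file path are placeholders. sys.fn_get_audit_file is SQL Server's own function for reading audit files.

```sql
-- Added example (not from the original deck): end-to-end SQL Server 2008 Audit.
-- SalesDB, dbo.Customers and D:\AuditLogs\ are placeholders.

USE master;
GO
-- 1. The Audit object decides where records go: a file here, or
--    APPLICATION_LOG / SECURITY_LOG instead of the FILE clause.
--    ON_FAILURE = CONTINUE keeps the instance running if the target is
--    unavailable; SHUTDOWN is the strict alternative.
CREATE SERVER AUDIT PCI_Audit
    TO FILE (FILEPATH = 'D:\AuditLogs\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- Audit objects and specifications are created disabled; enable explicitly.
ALTER SERVER AUDIT PCI_Audit WITH (STATE = ON);
GO
-- 2. Server audit specification (at most one per Audit object):
--    instance-wide action groups, here failed logins.
CREATE SERVER AUDIT SPECIFICATION SvrAC
    FOR SERVER AUDIT PCI_Audit
    ADD (FAILED_LOGIN_GROUP)
    WITH (STATE = ON);
GO
-- 3. Database audit specification (at most one per Audit object per
--    database): every SELECT against the customer table, by anyone.
USE SalesDB;
GO
CREATE DATABASE AUDIT SPECIFICATION AuditAC
    FOR SERVER AUDIT PCI_Audit
    ADD (SELECT ON OBJECT::dbo.Customers BY public)
    WITH (STATE = ON);
GO
-- 4. Read the file back. Arguments: file pattern, initial file, record
--    offset; DEFAULT for the last two returns all records. This is the
--    data an SSIS package would pull into a central reporting database.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('D:\AuditLogs\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
-- 5. Confirm everything is enabled before relying on it.
SELECT name, is_state_enabled FROM sys.server_audits;
SELECT name, is_state_enabled FROM sys.server_audit_specifications;
SELECT name, is_state_enabled FROM sys.database_audit_specifications;
GO
```

The verification queries in step 5 matter because a specification left at STATE = OFF produces no records and no error; an audit that silently records nothing is the usual finding when the file is first opened months later.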
19. Leverages high performance eventing infrastructure to generate audits
Runs within the engine rather than as a side/separate app
Parity with SQL 2005 Audit Generation
Faster than SQL Trace
Records changes to Audit configuration
Configuration and management in SSMS
(Note: Enterprise Edition only)
20. Centralizing audit logs and reporting
[Diagram: flow] DB Servers (SQL Audit) → Transfer Logs → File Server → SSIS: Process Audit Information (use SSIS to process SQL 2008 audit log data and store it in its own SQL database) → SQL 2008 DB Server → Generate Reports → SSRS 2008 Compliance Reports
21. Enterprise Data Platform
Spend less time on ongoing operations
− Declarative Management Framework: manage via policies instead of scripts; define enterprise-wide data management policies
− Server Group Management: automated monitoring and enforcement of policies
Simplify your installation and configuration
− Streamlined Installation
Integrated with your enterprise system management
− Enterprise System Management: define policies that are compliant with the System Definition Model; manage your data and system infrastructure with Microsoft System Center
23. Compliance
• Provide auditors with assurance that SQL Server complies with all security and business guidelines
• All actions audited
Consistency
• Ensure peak performance
• High levels of security & reliability
Costs
• Drive strategic management initiative to control costs
• More efficient and proactive management
24. Policy: defines the evaluation mode, target filters, and schedule of the conditions
Condition: specifies a set of allowed states of a managed target with regard to a facet
Facet: set of related logical properties
25. [Diagram: policy components] Server Restriction, Category, Policy, Target, Evaluation Mode
26. Evaluation modes
On Demand
• Evaluate a policy when specified by user
• Available through SSMS or Windows PowerShell™
• Option to force certain conditions to comply with policy
• Supports down-level evaluation (depends on properties exposed)
On Schedule
• SQL Server 2008 only
• SQL Server Agent job periodically evaluates a policy
On Change: Prevent
• SQL Server 2008 only
• DDL triggers prevent policy violations
On Change: Log Only
• SQL Server 2008 only
• Event notification evaluates a policy when a relevant change is made
27. Windows PowerShell™ is a framework and runtime for executing management commands
Cmdlets are instances of .NET classes that process input objects from the pipeline
SQL Server Provider for Windows PowerShell™ encompasses SMO
Invoke-PolicyEvaluation -Policy DatabaseStatus.xml, Trustworthy.xml -TargetServerName inst1
Invoke-Sqlcmd -Query "SELECT name FROM sys.databases;" -ServerInstance "MyServerInstance"
28. Bringing It All Together
[Diagram: repeated policy → results pairs, one per managed instance]
29. Bringing It All Together
[Diagram: continued; policy → results pairs per instance]
30. Logically group instances based on business function(s)
Centrally publish policies to groups of SQL Server 2008 instances
Evaluate policies on-demand against a group of servers
Filter by logical groups in Windows PowerShell™ scripts
31. Add Intelligence to Policies
Place each policy in a category
Define server restrictions for versions and editions where appropriate
32. Create Custom Server Groups in the CMS
Run specific policies against a list of servers
Examples: Production, Development, PCI
Define Concurrent Jobs
Define multiple concurrent executions based on Policy Category and/or logical Central Management Server group
33. Real-Time Enforcement and Reporting
Monitor the event log through Alerting integration
Advanced functionality and integration with SSMS
Dependency, health states, subscriptions, history
Scale
Security
Access to other rich features in SQL Server 2008
35. Dynamic Development
Access your data from anywhere
− SQL Server Change Tracking: store your data locally while disconnected from the server
− Synchronized Programming Model: synchronize incremental changes between client and server
− SQL Server Conflict Detection: detect conflicts during synchronization, including deletes
− Visual Studio Support: add disconnected scenarios without re-writing existing applications
36. Enterprise Policy Management Framework
http://www.codeplex.com/EPMFramework
Policy Based Management Blog
http://blogs.msdn.com/sqlpbm/default.aspx
37. To learn more about the Windows PowerShell™ scripting language
http://www.microsoft.com/downloads/details.aspx?FamilyID=b4720b00-9a66-430f-bd56-ec48bfca154f&DisplayLang=en
Windows PowerShell™ Blog
http://blogs.msdn.com/powershell/
SQL Server PowerShell Overview
http://msdn.microsoft.com/en-us/library/cc281954.aspx