Security in SQL Server 2016 and 2017
1. Security in SQL Server 2014 / 2016 and 2017
Maximiliano Accotto | Data Platform MVP since 2005
Owner, TriggerDB Consulting | www.triggerdb.com
2. Maximiliano Accotto
Data Platform specialist with more than 15 years of experience in tuning, security, migrations, development, BI, high availability, big data and machine learning.
Owner, TriggerDB Consulting SRL | www.triggerdb.com
Microsoft Data Platform MVP since 2005.
https://twitter.com/maxiaccotto
https://www.linkedin.com/in/maxiaccotto/
4. Benefits of row-level security (RLS)
Store data intended for many consumers in a single database/table while at the same time restricting row-level read and write access based on the user's execution context.
Fine-grained access control: keeps multitenant databases secure by limiting access by other users who share the same tables.
Application transparency: RLS works transparently at query time, no app changes needed. Compatible with RLS in other leading products.
Centralized security logic: the enforcement logic resides inside the database and is schema-bound to the table it protects, providing greater security. Reduced application maintenance and complexity.
5. Row-level security: example
Fine-grained access control over rows in a table based on one or more pre-defined filtering criteria, such as the user's role or clearance level in the organization.
Concepts: predicate function, security policy.

-- Predicate function: an inline table-valued function, schema-bound as RLS requires,
-- that returns a row only when the calling login is on duty in the given wing.
CREATE FUNCTION dbo.fn_securitypredicate(@wing int)
RETURNS TABLE WITH SCHEMABINDING AS
    RETURN SELECT 1 AS [fn_securitypredicate_result]
    FROM dbo.StaffDuties d INNER JOIN dbo.Employees e
        ON (d.EmpId = e.EmpId)
    WHERE e.UserSID = SUSER_SID()
      AND @wing = d.Wing;
GO
-- Security policy: applies the predicate to Patients.Wing as a filter on reads.
CREATE SECURITY POLICY dbo.SecPol
    ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing)
    ON dbo.Patients
    WITH (STATE = ON);
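The deck's example shows a filter predicate only. The following added example (not the deck's code; it assumes a constructed dbo.Orders table and two SQL users without a login standing in for tenants) adds block predicates so that writes, not only reads, are confined to the caller's tenant, then verifies the behaviour by impersonation.

```sql
-- Constructed demo schema (not from the deck): each row carries the tenant
-- user name that owns it; two SQL users without a login stand in for tenants.
CREATE USER TenantA WITHOUT LOGIN;
CREATE USER TenantB WITHOUT LOGIN;
GO
CREATE SCHEMA Security;
GO
CREATE TABLE dbo.Orders (
    OrderId    int IDENTITY PRIMARY KEY,
    TenantName sysname NOT NULL,
    Amount     money NOT NULL
);
INSERT INTO dbo.Orders (TenantName, Amount)
VALUES ('TenantA', 10), ('TenantA', 20), ('TenantB', 30);
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO TenantA, TenantB;
GO
-- Predicate function: inline TVF with SCHEMABINDING (required by RLS).
-- A row qualifies when its TenantName equals the current database user.
CREATE FUNCTION Security.fn_tenantPredicate(@TenantName sysname)
    RETURNS TABLE
WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
    WHERE @TenantName = USER_NAME();
GO
-- FILTER hides other tenants' rows from SELECT, UPDATE and DELETE.
-- BLOCK predicates reject writes a filter alone would allow: inserting a row
-- for another tenant, or updating a row so that it leaves the caller's tenant.
CREATE SECURITY POLICY Security.TenantPolicy
    ADD FILTER PREDICATE Security.fn_tenantPredicate(TenantName) ON dbo.Orders,
    ADD BLOCK PREDICATE  Security.fn_tenantPredicate(TenantName) ON dbo.Orders AFTER INSERT,
    ADD BLOCK PREDICATE  Security.fn_tenantPredicate(TenantName) ON dbo.Orders AFTER UPDATE
WITH (STATE = ON);
GO
-- Verification: impersonate each tenant and observe the filter and the block.
EXECUTE AS USER = 'TenantA';
SELECT OrderId, TenantName, Amount FROM dbo.Orders;                  -- TenantA's rows only
INSERT INTO dbo.Orders (TenantName, Amount) VALUES ('TenantB', 99);  -- rejected by block predicate
UPDATE dbo.Orders SET TenantName = 'TenantB' WHERE OrderId = 1;      -- rejected by block predicate
REVERT;
EXECUTE AS USER = 'TenantB';
SELECT OrderId, TenantName, Amount FROM dbo.Orders;                  -- TenantB's row only
REVERT;
-- Audit: list every policy and the predicates it enforces.
SELECT p.name, sp.predicate_type_desc, sp.operation_desc, sp.predicate_definition
FROM sys.security_policies AS p
JOIN sys.security_predicates AS sp ON sp.object_id = p.object_id;
```

The catalog query at the end is what a reviewer should run after deployment: a table that has a filter predicate but no block predicates still accepts cross-tenant inserts.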
7. Benefits of dynamic data masking
Limit access to sensitive data by defining policies to obfuscate specific database fields, without affecting the integrity of the database.
Regulatory compliance.
Sensitive data protection.
Agility and transparency: data is masked on the fly, with the underlying data in the database remaining intact. Transparent to the application and applied according to user privilege.
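An added example of the masking policies described above (constructed table and user, not the deck's code): each built-in masking function on a column, a reporting user that sees masked output, the UNMASK permission that lifts it, and a catalog query to inventory masked columns.

```sql
-- Constructed demo table (not from the deck) using the four masking functions.
CREATE TABLE dbo.Customers (
    CustomerId  int IDENTITY PRIMARY KEY,
    FullName    nvarchar(100) MASKED WITH (FUNCTION = 'partial(1,"XXXXX",0)') NOT NULL,
    Email       nvarchar(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    Phone       varchar(20)   MASKED WITH (FUNCTION = 'default()') NULL,
    CreditLimit money         MASKED WITH (FUNCTION = 'random(1, 100)') NULL
);
INSERT INTO dbo.Customers (FullName, Email, Phone, CreditLimit)
VALUES (N'Ana Perez',  N'ana@example.com',  '555-0100', 12000),
       (N'Luis Gomez', N'luis@example.com', '555-0101', 500);
GO
-- A reporting user that may read the table but holds no UNMASK permission.
CREATE USER ReportUser WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO ReportUser;
GO
-- Masked result: partial() keeps the first character and pads with XXXXX,
-- email() keeps the first letter and shows XXX@XXXX.com, default() replaces
-- strings with x characters, random() substitutes a value in the given range.
EXECUTE AS USER = 'ReportUser';
SELECT FullName, Email, Phone, CreditLimit FROM dbo.Customers;
REVERT;
-- Caveat: masking is a presentation control, not encryption. The stored values
-- are clear text and predicates still evaluate against them, so combine DDM
-- with least-privilege SELECT grants rather than treating it as a boundary.
GRANT UNMASK TO ReportUser;    -- privileged readers see clear text
REVOKE UNMASK FROM ReportUser; -- take it back when the review is done
-- Inventory masked columns for audit and change control.
SELECT OBJECT_NAME(mc.object_id) AS table_name, mc.name, mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;
```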
9. The need for Always Encrypted
Allows customers to securely store sensitive data outside of their trust boundary. Data remains protected from high-privileged, yet unauthorized users.
Prevents data disclosure: client-side encryption of sensitive data using keys that are never given to the database system.
Queries on encrypted data: support for equality comparison, including join, group by, and distinct operators.
Application transparency: minimal application changes via server and client library enhancements.
10. Key provisioning
Security officer:
1. Generate CEKs and master key
2. Encrypt CEK
3. Store master key securely
4. Upload encrypted CEK to DB
CMK store: certificate store, HSM, Azure Key Vault, ...
Diagram: the column master key (CMK) lives in the CMK store; the column encryption key (CEK) is encrypted with the CMK, and only the encrypted CEK is stored in the database.
11. Summary: Always Encrypted
Protect data at rest and in motion, on-premises and in the cloud.
Capability: the ADO.NET client library provides transparent client-side encryption, while SQL Server executes T-SQL queries on encrypted data.
Benefits: data remains encrypted during query; no app changes.
Diagram: TCE-enabled apps, ADO.NET library (master key), encrypted query, SQL Server (columnar key).
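The server-side half of the provisioning steps above, as an added T-SQL example (not the deck's code). It assumes the CMK is a certificate in the Windows certificate store; the thumbprint and the CEK ciphertext are placeholders, because both are produced on the client (steps 1 to 3) and the server only ever receives the CMK location and the encrypted CEK (step 4).

```sql
-- Step 4 metadata: where the CMK lives (the server cannot read it) ...
CREATE COLUMN MASTER KEY CMK_Patients
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<CERTIFICATE_THUMBPRINT_PLACEHOLDER>'
);
GO
-- ... and the CEK as encrypted under that CMK. ENCRYPTED_VALUE is a placeholder;
-- the real ciphertext comes from the client-side key generation tooling.
CREATE COLUMN ENCRYPTION KEY CEK_Patients
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Patients,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00 /* placeholder: CEK encrypted with CMK_Patients */
);
GO
-- DETERMINISTIC permits the equality operations the deck lists (WHERE, JOIN,
-- GROUP BY, DISTINCT) and requires a BIN2 collation; RANDOMIZED leaks less
-- (equal plaintexts get different ciphertexts) but supports no operations.
CREATE TABLE dbo.Patients (
    PatientId int IDENTITY PRIMARY KEY,
    SSN       char(11) COLLATE Latin1_General_BIN2
              ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                              ENCRYPTION_TYPE = DETERMINISTIC,
                              ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    Diagnosis nvarchar(400)
              ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Patients,
                              ENCRYPTION_TYPE = RANDOMIZED,
                              ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL,
    Wing      int NOT NULL
);
GO
-- Check: the server holds only ciphertext plus key metadata. Each encrypted
-- column resolves to a CEK, and each CEK value to the CMK path that protects it.
SELECT c.name, c.encryption_type_desc, cek.name AS cek_name,
       cmk.key_store_provider_name, cmk.key_path
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = c.column_encryption_key_id
JOIN sys.column_encryption_key_values AS v
  ON v.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
  ON cmk.column_master_key_id = v.column_master_key_id
WHERE c.object_id = OBJECT_ID('dbo.Patients');
```

A session that connects without the client library's column encryption setting enabled reads these columns as varbinary ciphertext; only a client that can reach the CMK in its key store decrypts them.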
13. Backup encryption
• Increases the security of backups stored separately from the instance (another environment such as the cloud)
• Encryption keys can be stored on-prem while the backup files are in the cloud
• Supports non-encrypted databases (no need to turn on Transparent Data Encryption)
• Different policies for databases and their backups
14. Backup encryption

BACKUP DATABASE <dbname> TO <device> = <path to device>
WITH
    ENCRYPTION
    (
        ALGORITHM = <Algorithm_name>,
        { SERVER CERTIFICATE = <Encryptor_Name> | SERVER ASYMMETRIC KEY = <Encryptor_Name> }
    );

No changes to RESTORE
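A complete run of the syntax above as an added example (not the deck's code): the one-time certificate setup in master, exporting the certificate so the backup can be restored elsewhere, an encrypted backup of a database that does not use TDE, and two checks. Database name, file paths and passwords are placeholders.

```sql
USE master;
GO
-- One-time setup: a database master key protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password placeholder>';
GO
CREATE CERTIFICATE BackupCert WITH SUBJECT = 'Backup encryption certificate';
GO
-- The certificate and its private key are the only way to restore the backup.
-- Export them and keep the export apart from the backup media (the deck's
-- on-prem keys / cloud backups split); without them the .bak is unreadable.
BACKUP CERTIFICATE BackupCert
    TO FILE = 'C:\keys\BackupCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\keys\BackupCert.pvk',
        ENCRYPTION BY PASSWORD = '<private key password placeholder>');
GO
-- Encrypted backup of a database that is not TDE-enabled. CHECKSUM lets the
-- media be validated later; COMPRESSION is applied before encryption.
BACKUP DATABASE Sales
    TO DISK = 'C:\backups\Sales_enc.bak'
    WITH ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert),
         COMPRESSION, CHECKSUM, STATS = 10;
GO
-- Check 1: the backup header records the algorithm and encryptor thumbprint.
RESTORE HEADERONLY FROM DISK = 'C:\backups\Sales_enc.bak';
-- Check 2: msdb history exposes any recent backup of this database that was
-- written unencrypted (key_algorithm is NULL for those).
SELECT database_name, backup_finish_date, key_algorithm, encryptor_type, encryptor_thumbprint
FROM msdb.dbo.backupset
WHERE database_name = 'Sales'
ORDER BY backup_finish_date DESC;
-- RESTORE syntax is unchanged; it succeeds only on an instance that holds the
-- certificate. VERIFYONLY proves both media integrity and key availability.
RESTORE VERIFYONLY FROM DISK = 'C:\backups\Sales_enc.bak' WITH CHECKSUM;
```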
Source: https://msdn.microsoft.com/en-us/library/bb510411(v=sql.130).aspx#RLS
Row level security introduces predicate based access control. It features a flexible, centralized, predicate-based evaluation that can take into consideration metadata (such as labels) or any other criteria the administrator determines as appropriate. The predicate is used as a criterion to determine whether or not the user has the appropriate access to the data based on user attributes. Label based access control can be implemented by using predicate based access control. For more information, see Row-Level Security.
Source: https://msdn.microsoft.com/en-us/library/mt147923(v=sql.130).aspx
Creating and registering a custom Column Master Key Store Provider
Information the driver receives from SQL Server for query parameters which need to be encrypted, and for query results which need to be decrypted, includes:
An encrypted value of a column encryption key, which should be used to encrypt or decrypt a parameter or a result.
The name of a key store provider that encapsulates a key store containing the column master key which was used to encrypt the column encryption key.
A key path that specifies the location of the column master key in the key store.
The name of the algorithm that was used to encrypt the column encryption key.
The driver passes this information to the key store provider implementation, which decrypts the retrieved encrypted value of the column encryption key; the decrypted key is then used to encrypt a query parameter or to decrypt a query result.
The driver ships with an implementation of one system provider, SqlColumnEncryptionCertificateStoreProvider, which can be used to store column master keys in the Windows Certificate Store.
You can use a custom key store provider by extending the SqlColumnEncryptionKeyStoreProvider class and registering it using the SqlConnection.RegisterColumnEncryptionKeyStoreProviders() method.
Source: https://msdn.microsoft.com/en-us/library/mt163865(v=sql.130).aspx
When it comes to mission-critical security, we are introducing a unique encryption technology that protects data at rest and in motion and can be fully queried while encrypted. The new ADO.NET library provides transparent client-side encryption, while SQL Server executes T-SQL queries on encrypted data. The master keys stay with the application and not with SQL Server. This works on-premises or with SQL Server in an Azure VM. So think about the hybrid scenarios where you wanted to take advantage of Azure cloud computing but, for certain data, could not take advantage of cloud scale because of data security requirements. This technology ensures your data is always encrypted. Best of all, no application changes are required.