Spark the future.

May 4 – 8, 2015Chicago, IL

Overview and Roadmap for Microsoft SQL Server Security Joachim Hammer & Jakub Szymaszek

Security TeamDatabase Systems Group

BRK2570

Security InvestmentsAlways

EncryptedTDE for SQL

DB, TDE Perf

CLE for SQL DB

Enhancements to SQL

Audit

Row-level SecurityDynamic

Data Masking

Enhancements to Crypto

Encryption

AuditingSecure AppDevelopment

Always Encrypted

SQL Server 2016SQL Database

Customer Benefit

Prevents Data DisclosureClient-side encryption of sensitive data using keys that are never given to the database system.

Queries on Encrypted Data

Support for equality comparison, incl. join, group by and distinct operators.

Application TransparencyMinimal application changes via server and client library enhancements.

Allows customers to securely store sensitive data outside of their trust boundary.Data remains protected from high-privileged, yet unauthorized users.

How it Works

SQL Server or SQL Database

ADO .NET

Name

Wayne Jefferson

Name

0x19ca706fbd9a

Result SetResult Set

Client

Name SSN Country

0x19ca706fbd9a 0x7ff654ae6d USA

dbo.Customers

ciphertext

"SELECT Name FROM Customers WHERE SSN = @SSN", 0x7ff654ae6d

ciphertext

"SELECT Name FROM Customers WHERE SSN = @SSN","111-22-3333"

Encrypted sensitive data and corresponding keys are never seen in plaintext in SQL Server

trust boundary

Types of Encryption in v1

Randomized encryption Encrypt('123-45-6789') = 0x17cfd50a Repeat: Encrypt('123-45-6789') = 0x9b1fcf32 Allows for transparent retrieval of encrypted data but NO operations More secure

Deterministic encryption Encrypt('123-45-6789') = 0x85a55d3f Repeat: Encrypt('123-45-6789') = 0x85a55d3f Allows for transparent retrieval of encrypted data AND equality

comparison E.g. in WHERE clauses and joins, distinct, group by

Key Provisioning

Security Officer

Column Encryption

Key(CEK)

ColumnMaster Key

(CMK)

EncryptedCEK

CMK

1. Generate CEKs and Master Key

2. Encrypt CEK

3. Store Master Key Securely

4. Upload Encrypted CEK to DB

CMK Store:• Certificate Store• HSM• Azure Key Vault• …

Database

EncryptedCEK

DemoAlways Encrypted

Row-Level Security

SQL Server 2016SQL Database

Customer Benefit

Fine-grained Access Control Keeping multi-tenant databases secure by limiting access by other users who share the same tables.

Application TransparencyRLS works transparently at query time, no app changes needed.Compatible with RLS in other leading products.

Centralized Security LogicEnforcement logic resides inside database and is schema-bound to the table it protects providing greater security. Reduced application maintenance and complexity.Store data intended for many consumers in a single database/table while

at the same time restricting row-level read & write access based on users’ execution context.

RLS Concepts

Predicate function User-defined inline table-valued function (iTVF) implementing security logic Can be arbitrarily complicated, containing joins with other tables

Security predicate Applies a predicate function to a particular table (SEMIJOIN APPLY) Two types: filter predicates and blocking predicates

Security policy Collection of security predicates for managing security across multiple

tables

CREATE SECURITY POLICY mySecurityPolicyADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime,

endTime) ON dbo.patients

DemoRLS

Transparent Data Encryption

New for Azure SQL Database v12

How It WorksOn by choice

Protects database and all of its backups, transaction logs and tempdb

“2-click” User ExperienceAlternatively: 2 T-SQL statements

Azure SQL DB manages your keys (aka service managed TDE)

Improved Encryption Performance

Using INTEL’s AES-NI Hardware Acceleration

Available on v12 servers, all SQL DB’s editions

Customer A Customer B

Customer A

Customer B

SQL DB Management Service

DemoTDE

Dynamic Data Masking

SQL Server 2016SQL Database

Dynamic Data Masking

Regulatory Compliance A strong demand for applications to meet privacy standards recommended by regulating authorities.

Sensitive Data ProtectionProtects against unauthorized access to sensitive data in the application.

DemoDynamic Data Masking

Power BI Content Packsfor SQL DB Audit

soon available forSQL Database

Resources MSDN Documentation

https://msdn.microsoft.com/en-us/library/dn765131.aspx

Security Center for SQL Server Database & SQL Database https://msdn.microsoft.com/en-us/bb510589.aspx

SQL Server Security Blog Additional examples, useful tips and tricks http://blogs.msdn.com/b/sqlsecurity/

SQL Server Label Security Toolkit Updated version to take advantage of RLS coming later in CY15 http://sqlserverlst.codeplex.com/

Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.

Please evaluate this sessionYour feedback is important to us!

© 2015 Microsoft Corporation. All rights reserved.