Overview of Security Investments in SQL Server 2016 and Azure SQL Database Jamey Johnston 1 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Agenda Who am I? What’s new in security for SQL Database V12 and SQL Server 2016 SQL Threat Detection (SQL Database V12) Dynamic Data Masking Always Encrypted Azure Active Directory Authentication (SQL Database V12) Row-level Security Questions 2 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Jamey Johnston Data Scientist for an O&G Company 20+ years DBA Experience TAMU MS in Analytics (2016) http://analytics.stat.tamu.edu Professional Photographer http://jamey.photography @STATCowboy http://blog.jameyjohnston.com 3 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database SQL Database Threat Detection Detect anomalous database activities indicating a potential security threat to the database Configurable threat detection policy via Azure portal Multiple database threat detectors Identify and alert upon anomalous database activities Audit log viewer in Azure portal and Excel template 4 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database SQL Database Threat Detection 5 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database SQL Threat Detection: Learn More Getting started with SQL Database Threat Detection http://go.microsoft.com/fwlink/?LinkId=691678 Channel 9 Videos: https://channel9.msdn.com/Shows/Data-Exposed/Azure-SQL-Database-Threat-Detection 6 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Dynamic Data Masking Limit sensitive data exposure by obfuscating it to non-privileged users Limit exposure of sensitive data to app users Avoid exposure of sensitive data to Engineers (e.g., Troubleshooting) IT, BI users 7 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Dynamic Data Masking: Learn More Getting Started (Azure SQL DB) MSDN (SQL Server) https://msdn.microsoft.com/library/mt130841.aspx Blogs https://azure.microsoft.com/documentation/articles/sql-database-dynamic-data-masking-get-started/ http://blogs.msdn.com/b/sqlsecurity/archive/2015/10/22/dynamic-data-masking-highlighting-the-latestimprovements.aspx https://azure.microsoft.com/blog/limit-the-exposure-of-sensitive-data-in-azure-sql-database-using-dynamicdata-masking/ Channel 9 Videos: https://channel9.msdn.com/Shows/Data-Exposed/Dynamic-Data-Masking-Updates https://channel9.msdn.com/Shows/Data-Exposed/Dynamic-Data-Masking-in-Azure-SQL-Database 8 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Always Encrypted 9 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Always Encrypted – How It Works 10 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Always Encrypted: Learn More Books Online https://msdn.microsoft.com/en-us/library/mt163865.aspx SQL Security Blog (keyword Always Encrypted) http://blogs.msdn.com/b/sqlsecurity/archive/tags/always+encrypted/ Channel 9 Videos https://channel9.msdn.com/Shows/Data-Exposed/SQL-Server2016-Always-Encrypted https://channel9.msdn.com/Shows/Data-Exposed/Getting-Startedwith-Always-Encrypted-with-SSMS 11 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Azure Active Directory Authentication 12 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Azure AD Authentication: Learn More MSDN https://azure.microsoft.com/en-us/documentation/articles/sql-databaseaad-authentication/ SQL Security Blog (keyword Azure AD auth) http://blogs.msdn.com/b/sqlsecurity/ Channel 9 Videos: https://channel9.msdn.com/Shows/Data-Exposed/Azure-ActiveDirectory-Authentication-for-SQL-Database-V12 13 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Row Level Security RLS allows for controlled access to rows in tables based on attributes of the user executing the query 2 Methods or RLS in SQL Server: Filter Based (2005+) SQL Server Security Label Toolkit http://sqlserverlst.codeplex.com/ Use views on tables with “labels” to limit access Problem is you have to change the application code and add views (i.e. upgrades are a pain, unsupported applications) Predicate Based (2016 and Azure) Uses functions and policies to apply predicates to the SQL No application code changes and base database schema left intact (i.e. upgrades not impacted very much by RLS) 14 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Row Level Security: Basic Steps 1. Define Table(s) for RLS 2. Create a new Schema, RLS, for Security Objects 3. Create Table Value Function to define “how” to enforce security on Table 4. Create a Security Policy on the table using the TVF 15 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Table Value Functions User defined function that returns a data table Powerful alternative to View Expand beyond SELECT and use more powerful T-SQL RLS uses them to return a 1 for row matches CREATE FUNCTION RLS.fn_RLSpredicate(@Region AS sysname) RETURNS TABLE WITH SCHEMABINDING AS RETURN SELECT 1 AS fn_RLSpredicate_result WHERE USER_NAME() = 'VP_US' or @Region = USER_NAME(); GO 16 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Security Policy Policy that is created to apply the Security Predicate CREATE SECURITY POLICY Well_HeaderFilter ADD FILTER PREDICATE RLS.fn_RLSpredicate(Region) ON dbo.Well_Header ADD BLOCK PREDICATE RLS.fn_RLSpredicate(Region) ON dbo.Well_Header AFTER INSERT GO 17 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Recursive Queries with CTE Use them to query tables with Hierarchical Data https://technet.microsoft.com/en-us/library/ms186243(v=sql.105).aspx 18 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Why Predicate Based RLS for Business? • No application code changes and Base database schema left Intact (i.e. upgrades not impacted very much by RLS) • With ISV applications it is not advisable to change the Schema • Increased ventures with Internal Partners require row-level granular access to the applications • RLS allows for the row-level security and eliminates the need for federated/”broken-out” databases/applications 19 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Demos Simple RLS Demo Advanced RLS Demo with Hierarchies 20 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database RLS with Parent/Child Hierarchies Demo will show how an organizational hierarchy and asset hierarchy can be leveraged together to provide RLS on tables using the new predicate based RLS feature in SQL Server 2016 and Azure Important Concepts: Organization Unit Hierarchy Based Security Represents a position in the company (not employee) Security is assigned to the Organization Unit and propagated to the User ID Allows for inheritance of permissions via the Organization and Asset Hierarchy Do NOT need to assign security to every node in the hierarchy. Child nodes can inherit from Parent Nodes Parent/Child Hierarchy Employee ID / Manager ID - Unary Relationship 21 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Asset Hierarchy Snapshot of the Asset Hierarchy 22 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Organizational Hierarchy Snapshot of the Org Hierarchy 23 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Hierarchies and RLS insert into [SEC_ASSET_MAP] values (100001, 'ALL', 'ALL'); Inherits from CEO Inherits from SVP who Inherits from CEO insert into [SEC_ASSET_MAP] values (100010, 'REGION', 'NORTHERN US'); insert into [SEC_ASSET_MAP] values (100028, 'ASSET_GROUP', 'PRB'); Inherits from Manger Security Record for Every Employee is NOT Required! 24 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database RLS with HierarchyID Datatype Demonstrates how the HierarchyID Datatype can be used for RLS SEC_ORG_USER_BASE_HID Same as SEC_ORG_USER_BASE but includes HierarchyID column to demonstrate RLS with HierarchyID data types https://msdn.microsoft.com/en-us/library/bb677290.aspx 25 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Parent/Child vs HierarchyID Data Type Parent/Child Most familiar and most likely to be supported by ISV Easier to implement security across multiple hierarchies (Org and Asset) More flexible to support access across multiple node levels (i.e. User has access to multiple nodes in the Hierarchy) HierarchyID Datatype Does not work easily across multiple hierarchies and with multiple node level access Very fast when working with one hierarchy Still researching as it is fast and would like to use! 26 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Demo ERD 27 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Row-level Security: Learn More Books Online https://msdn.microsoft.com/en-us/library/dn765131.aspx SQL Security Blog (keyword RLS) http://blogs.msdn.com/b/sqlsecurity/archive/tags/rls/ Channel 9 Videos https://channel9.msdn.com/Shows/Data-Exposed/Row-Level-Security-Updates https:// channel9.msdn.com/Shows/Data-Exposed/Row-Level-Security-in-Azure-SQLDatabase https://channel9.msdn.com/Shows/Data-Exposed/SQL-Server-2016-Row-LevelSecurity Code Samples https://rlssamples.codeplex.com/ 28 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Questions? Thank you for attending! @STATCowboy http://blog.jameyjohnston.com Download Demos SQL Server Security Blog http://blogs.msdn.com/b/sqlsecurity 29 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database Thank You Sponsors! Visit the Sponsor tables to enter their end of day raffles. Turn in your completed Event Evaluation form at the end of the day in the Registration area to be entered in additional drawings. 30 | 1/30/2016 Security Investments in SQL Server 2016 and Azure SQL Database
© Copyright 2025 Paperzz