Your SlideShare is downloading. ×
0
Security Enhancements in SQL Server 2008<br />Dr Greg Low <br />greg@greglow.com<br />SolidQ Australia Pty Ltd<br />DAT371...
Who is Greg?<br />Managing Director SolidQ Australia<br />Host of SQL Down Under Podcast<br />Microsoft Regional Director<...
Agenda<br />Short SQL Server 2005 Security Recap<br />Security in SQL Server 2008<br />Extensible Key Management<br />Tran...
SQL Server 2005 Security Recap<br />
Column LevelEncryption<br />demo<br />
Agenda<br />Short SQL Server 2005 Security Recap<br />Security in SQL Server 2008<br />Extensible Key Management<br />Tran...
Data Encryption<br />SQL Server 2005<br />Built-in encryption functions<br />Key management in SQL Server<br />Encrypted F...
Extensible Key Management (EKM)<br />Key storage, management and encryption done by HSM module<br />SQL EKM key is a proxy...
Advantages of Using EKM<br />Security<br />Data and keys are physically separated (keys are stored in HSM modules)<br />Ce...
Cryptographic Providers and Keys<br />EKM providers are server objects<br />EKM keys are very similar to native keys<br />...
EKM Key Hierarchy in SQL 2008<br />Symmetric key<br />Asymmetric key<br />EKM Symmetric key<br />EKM Asymmetric key<br />S...
Agenda<br />Short SQL Server 2005 Security Recap<br />Security in SQL Server 2008<br />Extensible Key Management<br />Tran...
Transparent Data Encryption (TDE)<br />Encryption/decryption at database level<br />DEK is encrypted with<br />Certificate...
TDE – Key Hierarchy<br />DPAPI encrypts Service Master Key<br />Service Master Key encrypts Database Master Key<br />Datab...
TDE – Key Hierarchy with EKM<br />Asymmetric Key resides on the EKM device<br />Asymmetric Key encrypts Database Encryptio...
Reasons to Use TDE<br />Protects data-at-rest<br />Entire database is protected<br />Applications do not need to explicitl...
TDE Scenarios<br />Without the required key or HSM to decrypt the DEK, the database cannot be opened.<br />
TDE Considerations<br />Compatible with Database Compression<br />Not recommended with Backup Compression<br />Database Mi...
Transparent Data Encryption<br />demo<br />
Agenda<br />Short SQL Server 2005 Security Recap<br />Security in SQL Server 2008<br />Extensible Key Management<br />Tran...
Authentication Enhancement<br />SQL Server 2005<br />Kerberos possible with TCP/IP connections only<br />SPN must be regis...
Agenda<br />Short SQL Server 2005 Security Recap<br />Security in SQL Server 2008<br />Extensible Key Management<br />Tran...
Auditing Database Activity<br />SQL Server 2005<br />SQL Trace<br />DDL/DML Triggers<br />Third-party tools to read transa...
SQL Server Audit<br />Audit now a 1st Class Server Object<br />Native DDL for Audit configuration and management<br />Secu...
Audit Specifications<br />Server and database audit specifications for<br />Pre-defined action groups<br />Individual acti...
Audit Specifications<br />File system<br />File<br />Audit<br />Security Event Log<br />Application Event Log<br />0..1<br...
Reasons to Use SQL Audit<br />Leverages high performance eventing infrastructure to generate audits<br />Runs within engin...
SQL Server Audit<br />demo<br />
Session Summary<br />Enable TDE to protect sensitive data in case of loss or theft<br />Use SQL Server EKM solution to lev...
Q & A<br />
Thanks!<br />greg@greglow.com<br />www.sqldownunder.com<br />sqlblog.com/blogs/greg_low<br />www.solidq.com.au<br />
Resources<br />www.microsoft.com/teched<br />Tech·TalksTech·Ed Bloggers<br />Live Simulcasts	Virtual Labs<br />http://micr...
Please complete an<br />evaluation<br />
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be...
Upcoming SlideShare
Loading in...5
×

Slide 1

601

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
601
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
10
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "Slide 1"

  1. 1.
  2. 2. Security Enhancements in SQL Server 2008<br />Dr Greg Low <br />greg@greglow.com<br />SolidQ Australia Pty Ltd<br />DAT371<br />
  3. 3. Who is Greg?<br />Managing Director SolidQ Australia<br />Host of SQL Down Under Podcast<br />Microsoft Regional Director<br />Microsoft MVP for SQL Server<br />Organizer for SDU Code Camp<br />Co-organizer for CodeCampOz<br />PASS Board Member<br />
  4. 4. Agenda<br />Short SQL Server 2005 Security Recap<br />Security in SQL Server 2008<br />Extensible Key Management<br />Transparent Data Encryption<br />Integrated Authentication Enhancements<br />SQL Audit<br />
  5. 5. SQL Server 2005 Security Recap<br />
  6. 6. Column LevelEncryption<br />demo<br />
  7. 7. Agenda<br />Short SQL Server 2005 Security Recap<br />Security in SQL Server 2008<br />Extensible Key Management<br />Transparent Data Encryption<br />Integrated Authentication Enhancements<br />SQL Audit<br />
  8. 8. Data Encryption<br />SQL Server 2005<br />Built-in encryption functions<br />Key management in SQL Server<br />Encrypted File System (EFS)<br />Bit-Locker<br />SQL Server 2008<br />Extensible Key Management (EKM)<br />Transparent Data Encryption (TDE)<br />
  9. 9. Extensible Key Management (EKM)<br />Key storage, management and encryption done by HSM module<br />SQL EKM key is a proxy to HSM key<br />SQL EKM Provider DLL implements SQLEKM interface, calls into HSM module<br />SQL EKM Provider DLL<br />SQL EKM Key<br />(HSM key proxy)<br />Data<br />SQL Server<br />
  10. 10. Advantages of Using EKM<br />Security<br />Data and keys are physically separated (keys are stored in HSM modules)<br />Centralized key management and storage for enterprise<br />Additional authentication layer<br />Separation of duties between db_owner and data owner<br />Performance<br />Pluggable hardware encryption boards<br />
  11. 11. Cryptographic Providers and Keys<br />EKM providers are server objects<br />EKM keys are very similar to native keys<br />Managed using the same TSQL<br />Visible in the same catalogs<br />Data encryption with standard built-ins<br />Used to encrypt SQL native keys<br />CREATE CRYPTOGRAPHIC PROVIDER DataSafeProvider<br />FROM FILE = ‘DataSafeProvider .dll’<br />CREATE SYMMETRIC KEY SymmKeyEkm<br />FROM Provider DataSafeProvider WITH ALGORITHM AES_256 …<br />
  12. 12. EKM Key Hierarchy in SQL 2008<br />Symmetric key<br />Asymmetric key<br />EKM Symmetric key<br />EKM Asymmetric key<br />SQL Server<br />Data<br />Data<br />Native Symmetric key<br />TDE DEK key<br />
  13. 13. Agenda<br />Short SQL Server 2005 Security Recap<br />Security in SQL Server 2008<br />Extensible Key Management<br />Transparent Data Encryption<br />Integrated Authentication Enhancements<br />SQL Audit<br />
  14. 14. Transparent Data Encryption (TDE)<br />Encryption/decryption at database level<br />DEK is encrypted with<br />Certificate<br />Key residing in a Hardware Security Module (HSM)<br />Certificate required to attach database files or restore a backup<br />SQL Server 2008<br />DEK<br />Encrypted data page<br />Client Application<br />
  15. 15. TDE – Key Hierarchy<br />DPAPI encrypts Service Master Key<br />Service Master Key encrypts Database Master Key<br />Database Master Key encrypts Certificate In Master Database<br />Certificate encrypts Database Encryption Key<br />
  16. 16. TDE – Key Hierarchy with EKM<br />Asymmetric Key resides on the EKM device<br />Asymmetric Key encrypts Database Encryption Key<br />
  17. 17. Reasons to Use TDE<br />Protects data-at-rest<br />Entire database is protected<br />Applications do not need to explicitly encrypt/decrypt data!<br />No restrictions with indexes or data types (except Filestream)<br />Performance cost is small<br />Backups are unusable without key<br />
  18. 18. TDE Scenarios<br />Without the required key or HSM to decrypt the DEK, the database cannot be opened.<br />
  19. 19. TDE Considerations<br />Compatible with Database Compression<br />Not recommended with Backup Compression<br />Database Mirroring<br />Copy certificate from primary to mirror<br />Log files are not retroactively encrypted<br />Encryption begins at next VLF boundary<br />Tempdb is encrypted when 1 db in instance uses TDE<br />Enterprise only<br />
  20. 20. Transparent Data Encryption<br />demo<br />
  21. 21. Agenda<br />Short SQL Server 2005 Security Recap<br />Security in SQL Server 2008<br />Extensible Key Management<br />Transparent Data Encryption<br />Integrated Authentication Enhancements<br />SQL Audit<br />
  22. 22. Authentication Enhancement<br />SQL Server 2005<br />Kerberos possible with TCP/IP connections only<br />SPN must be registered with AD<br />SQL Server 2008<br />Kerberos available with ALL protocols<br />SPN may be specified in connection string (OLEDB/ODBC)<br />Kerberos possible without SPN registered in AD<br />
  23. 23. Agenda<br />Short SQL Server 2005 Security Recap<br />Security in SQL Server 2008<br />Extensible Key Management<br />Transparent Data Encryption<br />Integrated Authentication Enhancements<br />SQL Audit<br />
  24. 24. Auditing Database Activity<br />SQL Server 2005<br />SQL Trace<br />DDL/DML Triggers<br />Third-party tools to read transaction logs<br />No management tools support<br />SQL Server 2008<br />SQL Server Audit<br />
  25. 25. SQL Server Audit<br />Audit now a 1st Class Server Object<br />Native DDL for Audit configuration and management<br />Security support<br />Create an Audit object to automatically log actions to<br />File<br />Windows Application Log<br />Windows Security Log<br />Ability to define granular Audit Actions of Users or Roles on DB objects<br />
  26. 26. Audit Specifications<br />Server and database audit specifications for<br />Pre-defined action groups<br />Individual action filters<br />Server action groups<br />Server config changes, login/logoff, role membership change, etc.<br />Database action groups<br />Schema object access, database role membership change, database object access, database config change<br />
  27. 27. Audit Specifications<br />File system<br />File<br />Audit<br />Security Event Log<br />Application Event Log<br />0..1<br />DB audit specification<br />per database <br />per Audit object<br />0..1<br />Server audit specification per Audit object<br />Server Audit Specification<br />Database Audit Components<br />Database Audit Components<br />Database Audit Components<br />Database Audit Specification<br />Server Audit Action<br />Server Audit Action<br />Server Audit Action<br />ServerAuditAction<br />Database Audit Action<br />Server Audit Action<br />Database Audit Action<br />Database Audit Action<br />Database Audit Action<br />Database Audit Action<br />CREATE DATABASE AUDIT SPECIFICATION AuditAC<br />TO SERVER AUDIT PCI_Audit<br />    ADD (SELECT ON Customers BY public)<br />CREATE SERVER AUDIT SPECIFICATION SvrAC<br />TO SERVER AUDIT PCI_Audit<br />    ADD (FAILED_LOGIN_GROUP);<br />
  28. 28. Reasons to Use SQL Audit<br />Leverages high performance eventing infrastructure to generate audits<br />Runs within engine rather than as a side/separate app<br />Parity with SQL 2005 Audit Generation<br />Faster than SQL Trace<br />Records changes to Audit configuration<br />Configuration and management in SSMS<br />(Note: Enterprise Edition only)<br />
  29. 29. SQL Server Audit<br />demo<br />
  30. 30. Session Summary<br />Enable TDE to protect sensitive data in case of loss or theft<br />Use SQL Server EKM solution to leverage advantages of an HSM<br />Use Kerberos auth for all connections when possible<br />Turn on the Audit to keep an eye on activity on your db and comply with regulations<br />
  31. 31. Q & A<br />
  32. 32. Thanks!<br />greg@greglow.com<br />www.sqldownunder.com<br />sqlblog.com/blogs/greg_low<br />www.solidq.com.au<br />
  33. 33. Resources<br />www.microsoft.com/teched<br />Tech·TalksTech·Ed Bloggers<br />Live Simulcasts Virtual Labs<br />http://microsoft.com/technet<br />Evaluation licenses, pre-released products, and MORE!<br />http://microsoft.com/msdn<br />Developer’s Kit, Licenses, and MORE!<br />
  34. 34. Please complete an<br />evaluation<br />
  35. 35. © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.<br />The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.<br />
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×