SQL Server 2016 Always Encrypted

A walkthrough of implementing Always Encrypted encryption on sensitive information to reduce your attack surface area and develop an active data security posture.

Published in: Data & Analytics
  1. 1. SQL SERVER 2016 ALWAYS ENCRYPTED
     MIDLANDS UK SQL SERVER USER GROUP, NOVEMBER 2016
     Duncan Greaves MSc, CISSP, MCSE
     PhD Researcher, Centre for Business in Society (CBiS)
  2. 2. WHY ENCRYPT?
     • Increase in Data Breaches (Frequency & Size).
     • The database is a single store with millions of rows.
     • SQL Server is secure, but all databases are vulnerable to information loss and leakage.
     • Changes in Business Computing
     • Adoption of cloud computing, IoT, and Services
     • Collaboration with external enterprises.
     • Internal Risk is lower
     • Enforces Separation of Duties
     • Prevents unauthorised browsing using privileges and data visibility.
     • Audit Changes / Policy / DLP
     • Take an Active Security Posture
     • Assume a breach has happened.
     • Decrease attack surface area.
  3. 3. ENCRYPTION OPTIONS USING SQL SERVER
     Target | SQL Server Feature | Usage Scenario
     Drive | BitLocker | Laptop / USB Security
     Directory Folder | NTFS Encryption |
     Connection | SSL/TLS | Encryption by Certificate
     Database Backup | Backup Encryption | Backup file encryption
     Database Files | Transparent Data Encryption (TDE) | Database and Backup file encryption
     Data (Column/Cell) | Encryption by Certificate, Symmetric key, Asymmetric key or Passphrase | Sensitive data encryption
     Data (Table/Column/Cell) | Always Encrypted | End to End encryption.
     Also Consider:
     Row Level Security | Department Data
     HashBytes function | Credit Card CVV
     Data Masking | Credit Card Number
  4. 4. SQL SERVER ALWAYS ENCRYPTED
     • Data is ‘Always Encrypted’, stored as encrypted cipher text in the database.
     • Allows client software to handle sensitive data without ever revealing the Master key to SQL Server.
     • Field Encryption and Decryption is performed by a security layer on the client.
     • Client receives information from SQL Server with encrypted results to allow it to decrypt: Column encryption key, Key Store Location, Key Path, Encryption used.
     • Encryption keys can be held in the Windows Certificate Store, External Security module or the Azure Key Vault.
  5. 5. SQL SERVER ALWAYS ENCRYPTED CLIENT DATA ACCESS
  6. 6. SQL SERVER ALWAYS ENCRYPTED
     • SQL Server Always Encrypted uses Symmetric key encryption.
     • Involves configuring encryption on the server and performing encryption or decryption on the client to protect the ‘data objects’.
     • Data Inserts MUST use a client application using ADO.NET parameterised queries.
     • (Cannot use SSMS to insert or update)
     • SQL client code must use version .NET 4.6 onwards.
     • SSMS CAN be used to select encrypted fields using the Connection Option: Column Encryption Setting=Enabled
  7. 7. COLUMN KEYS AND ENCRYPTION MODES
     Types of Key:
     • Column Master Key: the key-protecting key, used to protect the column encryption keys.
     • Column Encryption Key(s): the keys used to encrypt column data.
     Types of Encryption Mode:
     Deterministic
     • Same plain text always gives the same cipher text
     • Allows Equality / Exact search
     • Allows Grouping
     • Where data ranges are large and randomly distributed.
     • Data Type restrictions apply
     Randomised
     • Each value is assigned a different cipher text.
     • No operations are carried out on the data, select only.
     • Does not support Indexes
  8. 8. COMPONENTS AT DESIGN & RUNTIME
     [Diagram. Components: SQL Server, Certificate Store, Client Application. Labels: Create Master key; Encrypt Columns; Select Encrypted Data; Decrypt and Display Data; Returns CEK and Key Store Details; Request Column Master Key; Return Column Master key; Return Key Path & Details; Request Encrypted Data]
  9. 9. CLIENT DEVELOPMENT
     • Ensure that the client has access to a key store containing the Column Master Key.
     • Certificate is stored in the /CurrentUser or /Machine store, or accessed via the Azure key store or Hardware Security Module.
     • Azure key store access can be granted using PowerShell scripts.
     • The Key store provider name must match the name registered with the client application.
     • Modify connection strings to add Column Encryption Setting=enabled;
     • Parameters that use encrypted columns must always use the SqlParameter class, not free text.
  10. 10. IMPLEMENTATION CONSIDERATIONS
     • Only certain data types are suitable for encryption.
     • Keys, Indexes and statistics on encrypted Deterministic fields.
     • Cannot use indexes or optimisation on Randomised Fields.
     • Increase in storage volume required.
     • Decrease in IO due to the Encryption/Decryption round trip overhead.
     • Implement a Key Rotation and Cleansing Policy.
     • Use different keys for Development, Test and Production.
  11. 11. STRETCH DATABASE
     • Always Encrypted works with Stretch Database without modification.
     • The key used for encryption is the same in both databases.
  12. 12. OTHER SQL TOOLS
     • Always Encrypted can be utilised by any client written using the .NET 4.6 library.
     • ODBC Clients now available
     • SQL Server Reporting Services
     • Master Key must be installed on Report Server machine
     • SQL Server Integration Services
     • Set Connection property Column Encryption Setting = Enabled
     • Use parameterised insert using ADO.NET connection type
     • Can be used to move data between tables
     • Always Encrypted is NOT currently supported in Power BI
  13. 13. KEY MANAGEMENT
     • Cycle Keys on a frequent basis as part of security policy.
     • Rotation creates a second encryption key and uses this to encrypt data into a second column.
     • The keys used by the client application are retired / replaced with the new encryption key.
     • When all clients are using the new key the old encryption column is removed.
     • SSMS Wizard assists in key rotation.
  14. 14. CONCLUSION
     • Sensitive data leakage continues to present significant and growing business challenges.
     • Encryption is a major tool in countering this threat when used as part of a defence in depth approach to information security:
     • SQL Always Encrypted protects data in transit, at rest and in memory by holding data values as cipher text (non readable).
     • The ADO.NET 4.6 library works with SQL Server to manage the complexity of implementing the protection of data in use and in transit.
     • Can be used in SSIS packages.
     • SSMS is already implemented as an Always Encrypted enabled client, aiding the protection of data from administrators.
     • Existing client apps require minor code changes to enable this functionality.
  15. 15. FURTHER READING & CONTACT DETAILS
     • https://msdn.microsoft.com/en-us/library/mt163865.aspx (Database engine)
     • https://msdn.microsoft.com/library/mt147923.aspx (Client Development)
     • https://blogs.msdn.microsoft.com/sqlsecurity/tag/always-encrypted/ (Microsoft Security Blog)
     • greavesd@uni.coventry.ac.uk
     • @duncan_greaves
     • InformationWithInsight.com
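
The client-side steps from slides 6 and 9 (the connection-string setting plus SqlParameter for every value that touches an encrypted column), as an added C# example that is not part of the original deck. The database ClinicDemo, the table dbo.Patients and its columns are hypothetical, and the Column Master Key certificate is assumed to be in a key store this client can read.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // Always Encrypted support requires .NET 4.6 or later

static class AlwaysEncryptedClientDemo
{
    // Assumed (hypothetical) schema, both columns encrypted with Always Encrypted:
    //   dbo.Patients(NationalId CHAR(11)      -- Deterministic, so equality search works
    //                Notes      NVARCHAR(200) -- Randomised, select only)
    const string ConnectionString =
        "Data Source=localhost;Initial Catalog=ClinicDemo;Integrated Security=true;" +
        "Column Encryption Setting=Enabled";   // without this the driver returns cipher text

    static void Insert(SqlConnection conn, string nationalId, string notes)
    {
        using (var cmd = new SqlCommand(
            "INSERT INTO dbo.Patients (NationalId, Notes) VALUES (@id, @notes)", conn))
        {
            // The driver encrypts parameter values before they leave the client.
            // Declare type and size to match the column definition exactly; a value
            // placed in the SQL text instead would be sent as plain text and rejected.
            cmd.Parameters.Add("@id", SqlDbType.Char, 11).Value = nationalId;
            cmd.Parameters.Add("@notes", SqlDbType.NVarChar, 200).Value = notes;
            cmd.ExecuteNonQuery();
        }
    }

    static string FindNotes(SqlConnection conn, string nationalId)
    {
        // Equality on the Deterministic column: the server compares cipher text only.
        using (var cmd = new SqlCommand(
            "SELECT Notes FROM dbo.Patients WHERE NationalId = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Char, 11).Value = nationalId;
            return cmd.ExecuteScalar() as string;   // decrypted on the client
        }
    }

    static void Main()
    {
        using (var conn = new SqlConnection(ConnectionString))
        {
            conn.Open();
            Insert(conn, "795-03-1234", "constructed sample value");
            Console.WriteLine(FindNotes(conn, "795-03-1234"));
        }
    }
}
```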