SQL Server includes multiple features that focus on data security, privacy, and developer productivity. In this session, we will review the best features from a database designer’s and developer’s point of view.
– Always Encrypted
– Dynamic Data Masking
– Row Level Security
– Data Classification
– Assessments
– Defender for SQL Server
– Ledger Tables
…and more
We’ll look at new and older features, why you should consider them, where they work, where they don’t, who needs to be involved in using them, and what changes, if any, need to be made to applications or tools that you use with SQL Server.
You will learn:
– The pros and cons of implementing each feature
– How implementing these new features may impact existing applications
– 10 tips for enhancing SQL Server security and privacy protections
A Designer's Favourite Security and Privacy Features in SQL Server and Azure SQL DB
1. A DATABASE DESIGNER’S FAVOURITE SECURITY AND PRIVACY FEATURES IN SQL SERVER
WITH SOME AZURE STUFF, TOO
KAREN LOPEZ
@DATACHICK
2. KAREN LOPEZ
Karen has 20+ years of data and information architecture experience on large, multi-project programs.
She is a frequent speaker on data modeling, data-driven methodologies and pattern data models.
She wants you to love your data.
6. 10 TOP WEB SECURITY RISKS
https://owasp.org/www-project-top-ten/
7. Azure Data Catalog - https://azure.microsoft.com/en-ca/products/data-catalog
Azure Purview - https://azure.microsoft.com/en-in/products/purview/
WHAT’S HAPPENING WITH DATA GOVERNANCE
CATALOGS AND COCKTAILS?
8. PRIVACY AND DATA PROTECTION LEGISLATION
NOT JUST ABOUT BACKUPS OR ENCRYPTION
Require Data Governance Programs
Require Chief Data Officer like roles
Require Data Inventories
Require Data Lineage from data source to data use
9. GOVERNANCE
Security at the data level
Models capture security & privacy requirements
Management reports of reviews
Measurement
In other words, Governance
10. DATA MODELS
• Karen’s Preference
• Track all kinds of metadata
• Live
• Advanced Compare features
• Support DevOps and Iterative development
• Support Conceptual, Logical and Physical design
22. WHY WOULD A DB DESIGNER LOVE IT?
Always Encrypted, yeah.
Allows designers to not only specify which columns need to be protected, but how.
Parameters are encrypted as well
Built in to the engine, easier for Devs
26. SECURITY – DYNAMIC DATA MASKING
CREATE TABLE Membership(
    MemberID  int IDENTITY PRIMARY KEY,
    FirstName varchar(100) MASKED WITH (FUNCTION = 'partial(1,"XXXXXXX",0)') NULL,
    LastName  varchar(100) NOT NULL,
    Phone#    varchar(12)  MASKED WITH (FUNCTION = 'default()') NULL,
    Email     varchar(100) MASKED WITH (FUNCTION = 'email()') NULL);
27. DYNAMIC DATA MASKING
Done at column level (NOT ENCRYPTION!)
Data in the database, at rest, has no protection.
Meant to complement other methods
Performed at the end of a database query right before data returned
Performance impact small
29. DDM FUNCTIONS
Function | Mask | Example
Default | Based on datatype: String – XXX; Numbers – 000000; Date & Times – 01.01.2000 00:00:00.0000000; Binary – Single Byte 0 | XXXX; 0; 01.01.2000 00:00:00.0000000; 0
Email | First character of email, then Xs, then .com (always .com) | Kxxx@xxxx.com
Custom | First and last values, with Xs in the middle | kxxxn
Random | For numeric types, with a range | 12
30. DYNAMIC DATA MASKING
01 Data in database is not changed
02 Ad-hoc queries *can* expose data
03 Does not aim to prevent users from exposing pieces of sensitive data
31. DYNAMIC DATA MASKING
Cannot mask an encrypted column (AE)
Cannot be configured on computed column
But if computed column depends on a mask, then mask is returned
Using SELECT INTO or INSERT INTO results in masked data being inserted into target (also for import/export)
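Added example, not from the original slides: a T-SQL walk-through of how the masks on the Membership table from slide 26 depend on the caller's permissions, followed by two review queries for masked columns and UNMASK holders. MaskedReader and the inserted row are constructed for illustration.

```sql
-- Added example: assumes the Membership table from slide 26 already exists.
-- MaskedReader is a hypothetical user; the inserted row is constructed sample data.
INSERT INTO Membership (FirstName, LastName, [Phone#], Email)
VALUES ('Roberto', 'Tamburello', '555.123.4567', 'rtamburello@example.com');

CREATE USER MaskedReader WITHOUT LOGIN;
GRANT SELECT ON Membership TO MaskedReader;
GO

-- Without UNMASK, the masking functions are applied to the result set.
EXECUTE AS USER = 'MaskedReader';
SELECT MemberID, FirstName, LastName, [Phone#], Email FROM Membership;
REVERT;
GO

-- UNMASK is a database permission: once granted, the same query
-- returns the stored values, because the data itself was never changed.
GRANT UNMASK TO MaskedReader;
EXECUTE AS USER = 'MaskedReader';
SELECT MemberID, FirstName, LastName, [Phone#], Email FROM Membership;
REVERT;
REVOKE UNMASK FROM MaskedReader;
GO

-- Review: which columns are masked, and with which function.
SELECT t.name AS table_name, c.name AS column_name, c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables AS t ON c.object_id = t.object_id
WHERE c.is_masked = 1;

-- Review: which principals hold UNMASK and therefore see unmasked data.
SELECT pr.name AS principal_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.permission_name = 'UNMASK';
```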
33. WHY WOULD A DB DESIGNER LOVE IT?
Allows central, reusable design for standard masking
Offers more reliable masking and more usable masking
Removes whining about “we can do that later”
35. ROW LEVEL SECURITY
Filtering result sets (predicate based access)
Predicates applied when reading data
Can be used to block write access
User defined policies tied to inline table functions
36. ROW LEVEL SECURITY
No indication that results have been filtered
If all rows are filtered, then a NULL set is returned
For block predicates, an error is returned
Works even if you are dbo or db_owner role
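Added example, not from the original slides: a filter predicate and a block predicate bound to one inline table function, showing the silent filtering, the blocked write, and the effect on dbo described above. The Orders table, the Security schema, and the users Rep1, Rep2 and SalesManager are constructed names.

```sql
-- Added example with constructed objects and sample rows.
CREATE TABLE dbo.Orders (
    OrderID  int IDENTITY PRIMARY KEY,
    SalesRep sysname NOT NULL,
    Amount   decimal(10,2) NOT NULL);
-- Rows are loaded before the policy exists; afterwards dbo is restricted too.
INSERT INTO dbo.Orders (SalesRep, Amount)
VALUES ('Rep1', 100.00), ('Rep2', 250.00);
CREATE USER Rep1 WITHOUT LOGIN;
GRANT SELECT, INSERT ON dbo.Orders TO Rep1;
GO
CREATE SCHEMA Security;
GO
-- Inline table function: a row is accessible when the function returns a row.
CREATE FUNCTION Security.fn_OrderAccess (@SalesRep AS sysname)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_result
       WHERE @SalesRep = USER_NAME() OR USER_NAME() = 'SalesManager';
GO
CREATE SECURITY POLICY Security.OrderPolicy
    ADD FILTER PREDICATE Security.fn_OrderAccess(SalesRep) ON dbo.Orders,
    ADD BLOCK PREDICATE Security.fn_OrderAccess(SalesRep) ON dbo.Orders AFTER INSERT
    WITH (STATE = ON);
GO
EXECUTE AS USER = 'Rep1';
-- Filter predicate: rows owned by other reps are dropped without any message.
SELECT OrderID, SalesRep, Amount FROM dbo.Orders;
-- Block predicate: writing a row for another rep raises an error.
BEGIN TRY
    INSERT INTO dbo.Orders (SalesRep, Amount) VALUES ('Rep2', 75.00);
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE() AS blocked_insert;
END CATCH;
REVERT;
GO
-- The policy is evaluated for dbo as well, so this query is filtered
-- by the same predicate while the policy state is ON.
SELECT OrderID, SalesRep, Amount FROM dbo.Orders;
```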
37. WHY WOULD A DB DESIGNER LOVE IT?
Allows a designer to do this sort of data protection IN THE DATABASE, not just rely on code.
Many, many pieces of code.
43. AZURE SQL DB LEDGER TABLE – APPEND ONLY
CREATE SCHEMA [AccessControl];
GO
CREATE TABLE [AccessControl].[KeyCardEvents]
(
    [EmployeeID] INT NOT NULL,
    [AccessOperationDescription] NVARCHAR (MAX) NOT NULL,
    [Timestamp] Datetime2 NOT NULL
)
WITH (LEDGER = ON (APPEND_ONLY = ON));
44. LEDGER TABLES IN AZURE SQL DB AND SQL SERVER
https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-overview
45. AZURE SQL DB LEDGER TABLE – UPDATABLE
-- Requires the [Account] schema to exist before this statement runs.
CREATE TABLE [Account].[Balance]
(
    [CustomerID] INT NOT NULL PRIMARY KEY CLUSTERED,
    [LastName] VARCHAR (50) NOT NULL,
    [FirstName] VARCHAR (50) NOT NULL,
    [Balance] DECIMAL (10,2) NOT NULL
)
WITH (SYSTEM_VERSIONING = ON, LEDGER = ON);
46. KEY FEATURES AZURE LEDGER TABLES
Ledger Databases
Database Digests
Ledger Tables
• Updatable
• Append only
Immutable storage for transaction recording
Ledger Verification
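Added example, not from the original slides: reading the history of the updatable ledger table from slide 45 through its generated ledger view, the append-only behaviour of the table from slide 43, and generating a database digest. It assumes both tables exist with default ledger view naming; the rows are constructed sample data.

```sql
-- Added example: assumes [Account].[Balance] and [AccessControl].[KeyCardEvents]
-- from the slides exist. All inserted values are constructed.
INSERT INTO [Account].[Balance] (CustomerID, LastName, FirstName, Balance)
VALUES (1, 'Jones', 'Nick', 50.00);
UPDATE [Account].[Balance] SET Balance = 100.00 WHERE CustomerID = 1;
GO

-- The generated ledger view (<table>_Ledger by default) exposes every row
-- version with the operation that produced it. Joining to
-- sys.database_ledger_transactions adds who committed the change and when.
SELECT t.commit_time,
       t.principal_name,
       l.CustomerID,
       l.Balance,
       l.ledger_operation_type_desc
FROM [Account].[Balance_Ledger] AS l
JOIN sys.database_ledger_transactions AS t
  ON t.transaction_id = l.ledger_transaction_id
ORDER BY t.commit_time, l.ledger_sequence_number;
GO

-- Append-only ledger tables accept INSERT only.
INSERT INTO [AccessControl].[KeyCardEvents]
    (EmployeeID, AccessOperationDescription, [Timestamp])
VALUES (43869, 'Building42', '2020-05-02T19:58:47.1234567');
GO
-- This statement is rejected with an error because the table is append-only.
UPDATE [AccessControl].[KeyCardEvents] SET EmployeeID = 34184;
GO

-- Generate the current database digest. Store digests outside the database;
-- saved digests are the input to sys.sp_verify_database_ledger, which
-- recomputes the hashes and reports tampering.
EXECUTE sp_generate_database_ledger_digest;
```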
53. WHY WOULD ONE USE A LEDGER TABLE?
More trustworthy
More protection from DBA/SysAdmin tampering
Don’t need or want full blockchain functionality
54. ARC ENABLED SQL SERVER
Single point of control for SQL Servers (On-prem, in Azure, or in other clouds)
• Dashboards
• Best Practices Assessments
• AAD authentication
• Microsoft Defender
• Microsoft Purview
• PAYG for SQL Server
https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/overview
57. SUPPORTED VERSIONS
Windows Server 2012 and later versions
Ubuntu 20.04 (x64)
Red Hat Enterprise Linux (RHEL) 8 (x64)
SUSE Linux Enterprise Server (SLES) 15 (x64)
SQL Server running in containers.
SQL Server Failover Cluster Instances (FCI).
SQL Server roles other than the Database Engine (such as SSAS, SSRS, or SSIS)
SQL Server editions: Business Intelligence.
SQL Server 2008 (10.0.x), SQL Server 2008 R2 (10.50.x), and older versions.
SQL Server in Azure Virtual Machines.
SQL Server Azure VMware Solution
VMs in other Clouds
71. AZURE MONITOR
• Most resources include Monitor-collected data in the Overview page of Azure Portal
• Portal option to see Monitor for all services
• Can monitor Azure and on-premises resources
73. Microsoft Defender for Cloud—Databases Protection
Protect SQL workloads through security posture management and allow timely responses to threats
• SQL security misconfigurations
• SQL injection attacks
• Brute-force attacks
• Unusual data exfiltration
• Suspicious access or queries
1. Cloud native security: 1-click enablement to protect different types of SQL workloads (IaaS or PaaS)
2. Security posture management: Discover, track, and remediate SQL workload security misconfigurations
3. Advanced threat protection: Detect and respond to unusual and harmful attempts to breach SQL workloads
Centralized and integrated: Centralize security across all data assets managed by Azure, with built-in integration with Sentinel and Purview
https://github.com/microsoft/sqlworkshops-sql2022workshop/blob/main/sql2022workshop/slides/The%20SQL%20Server%202022%20Workshop.pptx