
Tech-Spark: Microsoft SQL Platform & GDPR



The event, held on 21st April 2018, was part of the Global Azure Bootcamp and covered Microsoft's GDPR & SQL whitepaper and the following new features:

- SQL Information Protection
- Vulnerability Assessment on SSMS & SQL Azure
- Data Classification on SSMS & SQL Azure
- Azure SQL Database Auditing
- Azure SQL Threat Detection


  1. 1. Microsoft SQL Platform & GDPR
  2. 2. Ralph: Who am I? • A Solutions Architect • at a gaming company • focus on Data Platforms • A Microsoft Certified Trainer • deliver MTA, MCSA, MCSE locally • covering Windows, SQL Server, C# • I’m here to describe how Microsoft SQL Platform can help you become compliant with the upcoming EU General Data Protection Regulation (GDPR) by introducing SQL Information Protection (SQL IP) as a means to discover, classify, monitor, and audit potentially sensitive data.
  3. 3. Ralph: But… …not a lawyer …not GDPR certified _________________________________________________________________ Get legal advice!
  4. 4. Live poll! How prepared is your organisation to comply with the GDPR? AppStore Google Play
  5. 5. Poll results from Tech-Spark audience • Q1. How prepared is your organisation to comply with the GDPR? Options: "Ready to comply", "Making preparations", "Won't be ready", "What is GDPR?"; chart values: 8, 10, 2, 4 • Q2. When is GDPR due to take effect? Options: "25 Apr 2018", "15 May 2018", "25 May 2018", "15 Jun 2018"; chart values: 0, 6, 13, 5
  6. 6. DataWorks Summit 2018 Berlin: Audience Live Poll
  7. 7. Introduction GDPR & implications
  8. 8. We have a responsibility to protect information
  9. 9. GDPR to the rescue • Over 190 known data breaches took place since 2010 [1] • The EU’s General Data Protection Regulation (GDPR) • sets a new bar for privacy rights, security, and compliance. • is due to take effect on May 25, 2018. • Guide to enhancing privacy and addressing GDPR requirements with the Microsoft SQL platform whitepaper published on 24th May 2017 [2]
  10. 10. GDPR to the rescue • Article 25, Data protection by design and default: Control who is accessing data and how; Minimize data being processed in terms of amount of data collected, extent of processing, storage period, and accessibility; Include safeguards for control management integrated into processing • Article 30, Records of processing activities: Maintain an audit record of processing activities on personal data; Monitor access to processing systems • Article 32, Security of processing: Employ pseudonymization and encryption; Restore availability and access in the event of an incident; Provide a process for regularly testing and assessing effectiveness of security measures • Article 33, Notification of a personal data breach to the supervisory authority: Detect breaches; Assess impact on and identification of personal data records concerned; Describe measures to address breach • Article 35, Data protection impact assessment: Describe processing operations, including their necessity and proportionality; Assess risks associated with processing; Apply measures to address risks and protect personal data, and demonstrate compliance with the GDPR
  11. 11. Existing technological capabilities Microsoft SQL as a hub of private data and sensitive information
  12. 12. Discovering and classifying personal data and its access vectors • Query metadata to identify column names which potentially contain personal data such as Name, Birthdate, ID number, etc. • System catalog views: sys.columns • System stored procedures: sp_columns • Information Schemas: INFORMATION_SCHEMA.COLUMNS • Advanced discovery capabilities • Use Full-Text Search in Microsoft SQL to search for keywords located within freeform text • Tag sensitive data using Extended Properties to add sensitivity labels to relevant columns
  13. 13. Managing access and controlling how data is used and accessed • Authentication – only users with valid credentials can access the database • Windows Authentication (via Active Directory) • Azure AD • Authorisation – principle of least privilege • object-level permissions • role-based security • Azure SQL Database Firewall – built-in firewall enabled by default on the cloud • Data-protection principles • Dynamic Data Masking (DDM) [3] – only view parts of the data, e.g. masked credit card details • Row-Level Security (RLS) [3] – only view intended rows
  14. 14. Protecting personal data against security threats • Encryption • Transport Layer Security (TLS) – encrypt data in transit to and from the database • Transparent Data Encryption (TDE) – encrypt data at rest • Always Encrypted – allows customers to encrypt sensitive data inside client applications and never reveal the encryption keys to the database engine • Auditing • Auditing for Azure SQL Database – track database activities • SQL Database Threat Detection – detect anomalous activities • SQL Server Audit – track activities on an on-premises database
  15. 15. Business continuity • SQL Server Always On • Always On Availability Groups [4] • Always On Failover Cluster Instances [4] • Azure SQL technologies • Point-in-Time Restore • Long-term retention • Active Geo-Replication
  16. 16. Reporting on data protection policies and reviewing regularly • SQL Server Audit • Temporal Tables1 3
  17. 17. New technological capabilities SQL Information Protection (SQLIP)
  18. 18. Introducing SQL Information Protection • In public preview, SQL Information Protection (SQL IP) introduces advanced capabilities for discovering, classifying, labeling, and protecting the sensitive data in your databases. • This is built into Azure SQL Database and similar capabilities are also being introduced for on-premises SQL Server via SQL Server Management Studio (SSMS). • Additional features are being worked on and will be rolled-out over the coming months.
  19. 19. What is SQL Information Protection? • This new information protection paradigm in SQL is aimed at protecting the data, not just the database: • Discovery and recommendations – The classification engine scans your database and identifies columns containing potentially sensitive data. It then provides you an easy way to review and apply the appropriate classification recommendations. • Labeling – Sensitivity classification labels can be persistently tagged on columns. • Azure SQL DB stores this in new classification metadata attributes introduced into the SQL engine. This metadata can then be utilized for advanced sensitivity-based auditing and protection scenarios. • SQL Server stores this using extended properties on columns. • Monitoring/Auditing – Sensitivity of the query result set is calculated in real time and used for auditing access to sensitive data (currently in Azure SQL DB only). • Visibility - The database classification state can be viewed: • Azure SQL DB in a detailed dashboard in the portal. Additionally, you can download a report, in Excel format, to be used for compliance and auditing purposes, as well as other needs. • SSMS in a detailed report that can be printed/exported to be used for compliance & auditing purposes, as well as other needs.
  20. 20. SQL Server Management Studio • SSMS 17.4: Vulnerability Assessment. • SSMS 17.5: SQL Data Discovery and Classification.
  21. 21. SSMS: SQL Vulnerability Assessment
  22. 22. SSMS: Classification Recommendations
  23. 23. SSMS: Classification Addition
  24. 24. SSMS: Extended Properties
  25. 25. SSMS: Classification Overview
  26. 26. SSMS
  27. 27. Azure SQL: Vulnerability Assessment
  28. 28. Azure SQL: Classification Recommendations
  29. 29. Azure SQL: Classification Addition
  30. 30. Azure SQL: Classification Overview
  31. 31. Azure SQL Database Auditing • sys.fn_get_audit_file upgraded to display data sensitivity SELECT * FROM sys.fn_get_audit_file ('https://<Storage><Server>/<Database>/<Audit>/<CreationDate>/<File>.xel',default,default) WHERE data_sensitivity_information != ''
  32. 32. Azure SQL Threat Detection • Requires SQL Database Auditing • Supports 3 types of threats: • SQL injection • SQL injection vulnerability • Anomalous client login • Sends email alerts • Integrates with Security Center
  33. 33. Azure SQL Threat Detection: SQL injection • This is triggered when an active exploit is currently happening against an identified vulnerability. • Usually a random series of SQL statements to see whether data can be returned. • Subsequent attacks are built on previously returned information. • The ultimate goal is to obtain sensitive information, ransom (e.g. data encryption), or even disruption (e.g. data deletion).
  34. 34. Azure SQL Threat Detection: SQL injection vulnerability • Your application is vulnerable to a SQL injection attack: • A defect that generates faulty SQL statements • Un-sanitised user input • Building dynamic SQL without using parameters • Not using stored procedures
  35. 35. Azure SQL Threat Detection: Anomalous client login • This is based upon behavioural analytics and anomaly detection: • Login from an unusual location • A new user has logged in for the first time • Credentials brute force such as a high number of failed logins • Potentially harmful client application
  36. 36. Azure SQL Threat Detection: Email Alerts
  37. 37. Azure SQL Threat Detection: Audit Logs
  38. 38. Azure SQL Threat Detection: Security Alerts
  39. 39. Azure SQL Threat Detection: Potential SQL Injection
  40. 40. Azure SQL
  41. 41. Azure backend for a Mobile+ app 8th May 2018 Oliver Gomersall; Mobile Innovation Specialist (Azure) @ Microsoft Sergio Viana; Microsoft Solutions Lead @ Xpand IT
  42. 42. Contact Us Ralph Attard Tech Spark
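
Slide 34 lists dynamic SQL built without parameters among the causes of a SQL injection vulnerability. The T-SQL below is an added example, not taken from the slides, showing the concatenated form beside the parameterised one; the procedures and the `dbo.Customers` table are hypothetical, and `CREATE OR ALTER` assumes Azure SQL Database or SQL Server 2016 SP1 or later.

```sql
-- Vulnerable: the input becomes part of the statement text, so its content
-- can change the structure of the query. Wrapping this in a stored
-- procedure does not help.
CREATE OR ALTER PROCEDURE dbo.FindCustomer_Unsafe
    @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = '''
        + @LastName + N'''';
    EXEC (@sql);
END;
GO

-- Hardened: the statement text is constant and the input is bound as a
-- typed parameter, so it is only ever treated as a value.
CREATE OR ALTER PROCEDURE dbo.FindCustomer_Safe
    @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName FROM dbo.Customers '
      + N'WHERE LastName = @p_LastName';

    EXEC sys.sp_executesql
         @sql,
         N'@p_LastName nvarchar(100)',
         @p_LastName = @LastName;
END;
GO
```

The same rule applies in application code: send the statement with bound parameters rather than formatting user input into the SQL string.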