The document outlines significant security incidents from 2019 involving major organizations, highlighting the importance of data protection. It details various features and improvements in SQL Server 2016 to 2019, including Always Encrypted, row-level security, and dynamic data masking that enhance data security while maintaining performance. Additionally, it emphasizes SQL Server's advanced encryption methods, auditing capabilities, and the integration of certificate management to streamline security tasks.

1. Microsoft SQL Server 2012 – 2017
(with 2019 CTP 2.3 Preview)
Organizational Security
& Compliance
George Walters
Senior Partner Technical Strategist for ISV Partners
george.walters@microsoft.com
@geo_walters on twitter
https://www.linkedin.com/in/georgewalters/

3. Why is security important?
4
https://www.identityforce.com/blog/2019-data-breaches
UConn Health
February 22, 2019: In another major data breach of a university health facility, patients of UConn Health have had their personal
information exposed after a third party accessed employee email accounts. About 326,000 people were affected in the breach, which
compromised names, dates of birth, addresses, Social Security numbers, and limited medical information.
Dow Jones
March 1, 2019: A database containing 2,418,862 identity records on government officials and politicians from every country in the
world was leaked online from a Dow Jones watchlist. The watchlist is compiled from publicly available information on prominent
individuals who have the ability to embezzle money, accept bribes, or launder funds.
Rush University Medical Center
March 4, 2019: About 45,000 patients of Chicago-based Rush health system were exposed in a data breach. Names, addresses,
birthdays, Social Security numbers, and health insurance information were compromised after an employee disclosed billing
documents to an unauthorized third party.
Health Alliance Plan
March 6, 2019: The protected medical information of 120,000 patients has been exposed in a Health Alliance Plan data breach. The
names, addresses, dates of birth, member ID numbers, healthcare provider names, patient ID numbers, and claim information were
compromised after a ransomware attack infiltrated Wolverine Solutions Group, a third-party vendor who manages the network’s
mailing services.
https://www.zdnet.com/article/citrix-discloses-security-breach-of-internal-network/
CITRIX
March 8, 2019: “hackers accessed and downloaded business documents, but Citrix wasn't able to identify what specific documents had
been stolen at the time of his announcement today.”

4. Progress on SQL Engine security
… A Journey through time
5

6. ASE256 for backup keys
SHA512 for password hashes
Built-in cryptography hierarchy
Transparent data encryption
Extensible key management
Sign code modules
Encrypted connection on-premises and in
Azure SQL database
Audit, TDE, Always Encrypted in Azure SQL database or
Azure SQL Managed Instance
Beginning with SQL Server 2016, all algorithms other than AES128, AES192, and
AES256 are deprecated. To use older algorithms (not recommended) you must
set the database to database compatibility level 120 or lower.

8. USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD =
'<UseStrongPasswordHere>';
Go
CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'My DEK Certificate';
go
USE AdventureWorks2012;
GO
-- RED ALERT: BACKUP THE CERTIFICATE !!!
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE MyServerCert;
GO
ALTER DATABASE AdventureWorks2016
SET ENCRYPTION ON;
GO

9. allow flexible database access for
better separation of duties

11. Performance Security Availability Scalability
Operational analytics
Insights on operational data;
Works with in-memory OLTP and
disk-based OLTP
In-memory OLTP
enhancements
Greater T-SQL surface area,
terabytes of memory supported,
and greater number of parallel
CPUs
Query data store
Monitor and optimize query plans
Native JSON
Expanded support for JSON data
Temporal database support
Query data as points in time
Always encrypted
Sensitive data remains encrypted at
all times with ability to query
Row-level security
Apply fine-grained access control
to table rows
Dynamic data masking
Real-time obfuscation of data to
prevent unauthorized access
Other enhancements
Audit success/failure of database
operations
TDE support for storage of in-
memory OLTP tables
Enhanced auditing for OLTP with
ability to track history of record
changes
Enhanced AlwaysOn
Three synchronous replicas for auto
failover across domains
Round robin load balancing of
replicas
Automatic failover based on
database health
DTC for transactional integrity
across database instances with
AlwaysOn
Support for SSIS with AlwaysOn
Enhanced database caching
Cache data with automatic, multiple
TempDB files per instance in multi-
core environments
Mission-critical performance

12. Always Encrypted
SQL Server 2016+
Azure SQL Database
Azure SQL Managed Instance

13. Prevents Data
Disclosure
Client-side encryption of
sensitive data using keys that
are never given to the
database system.
Queries on
Encrypted Data
Support for equality
comparison, incl. join, group
by and distinct operators.
Application
Transparency
Minimal application changes
via server and client library
enhancements.
Allows customers to securely store sensitive data outside
of their trust boundary.
Data remains protected from high-privileged, yet
unauthorized users.
Benefits of Always Encrypted

14. dbo.Patients
Jane Doe
Name
243-24-9812
SSN
USA
Country
Jim Gray 198-33-0987 USA
John Smith 123-82-1095 USA
dbo.Patients
Jane Doe
Name
1x7fg655se2e
SSN
USA
Jim Gray 0x7ff654ae6d USA
John Smith 0y8fj754ea2c USA
Country
Result Set
Jim Gray
Name
Jane Doe
Name
1x7fg655se2e
SSN
USA
Country
Jim Gray 0x7ff654ae6d USA
John Smith 0y8fj754ea2c USA
dbo.Patients
SQL Server
Query
TrustedApps
SELECT Name FROM
Patients WHERE SSN=@SSN
@SSN='198-33-0987'
Result Set
Jim Gray
Name
SELECT Name FROM
Patients WHERE SSN=@SSN
@SSN=0x7ff654ae6d
Column
Encryption
Key
Enhanced
ADO.NET
Library
Column
Master
Key
Client side
Always Encrypted
Help protect data at rest and in motion, on-premises & cloud
ciphertext

15. Randomized encryption
Encrypt('123-45-6789') = 0x17cfd50a
Repeat: Encrypt('123-45-6789') = 0x9b1fcf32
Allows for transparent retrieval of encrypted
data but NO operations
More secure
Deterministic encryption
Encrypt('123-45-6789') = 0x85a55d3f
Repeat: Encrypt('123-45-6789') = 0x85a55d3f
Allows for transparent retrieval of encrypted
data AND equality comparison
E.g. in WHERE clauses and joins, distinct,
group by
Two types of
encryption available
Randomized encryption uses a
method that encrypts data in a less
predictable manner
Deterministic encryption uses a
method which always generates the
same encrypted value for any given
plain text value
Types of Encryption for Always Encrypted

16. Security
Officer
1. Generate CEKs and Master Key
2. Encrypt CEK
3. Store Master Key Securely
4. Upload Encrypted CEK to DB
CMK Store:
Certificate Store
HSM
Azure Key Vault
…
Encrypted
CEK
Column
Encryption Key
(CEK)
Column
Master Key
(CMK)
Key Provisioning
CMK
Database
Encrypted CEK

17. Param
Encryption
Type/
Algorithm
Encrypted
CEK Value
CMK Store
Provider
Name CMK Path
@Name Non-DET/
AES 256
CERTIFICATE
_STORE
Current User/
My/f2260…
EXEC sp_execute_sql
N'SELECT * FROM Customers WHERE SSN = @SSN'
, @params = N'@SSN VARCHAR(11)', @SSN=0x7ff654ae6d
Param
Encryption
Type/
Algorithm
Encrypted
CEK Value
CMK Store
Provider
Name CMK Path
@SSN DET/ AES
256
CERTIFICATE
_STORE
Current User/
My/f2260…
Enhanced
ADO.NET
Plaintext
CEK
Cache
exec sp_describe_parameter_encryption
@params = N'@SSN VARCHAR(11)'
, @tsql = N'SELECT * FROM Customers WHERE SSN = @SSN'
Result set (ciphertext)
Name
Jim Gray
Result set (plaintext)
using (SqlCommand cmd = new
SqlCommand(
"SELECT Name FROM Customers WHERE SSN
= @SSN“
, conn))
{
cmd.Parameters.Add(new SqlParameter(
"@SSN", SqlDbType.VarChar, 11).Value
=
"111-22-3333");
SqlDataReader reader =
cmd.ExecuteReader();
Client - Trusted SQL Server - Untrusted
Encryptionmetadata
Name
0x19ca706fbd9
Encryptionmetadata
CMK Store
Example

18. Select columns to
be encrypted
Analyze schema
and application
queries to detect
conflicts (build
time)Set up the keys:
master & CEK
Static schema
analysis tool
(SSDT only)
UI for selecting columns (no
automated data classification)
Key setup tool to automate
selecting CMK, generating and
encrypting CEK and uploading
key metadata to the database
Setup (SSMS or SSDT)
User Experience: SSMS or SSDT (Visual Studio)

19. Existing App – Setup
User Experience: SSMS or SSDT (Visual Studio)
UI for selecting columns
(no automated data
classification)
Select candidate
columns to be
encrypted
Analyze schema and
application queries to
detect conflicts and
identify optimal
encryption settings
Set up the keys
Encrypt selected
columns while
migrating the
database to a target
server (e.g. in Azure
SQL Database
Key Setup tool to
streamline selecting CMK,
generating and encrypting
CEK and uploading key
metadata to the database
Encryption tool creating
new (encrypted) columns,
copying data from old
(plain text) columns,
swapping columns and re-
creating dependencies
Select desired
encryption settings
for selected columns
UI for configuring
encryption settings on
selected columns
(accepting/editing
recommendations from
the analysis tool)
Schema/workload analysis
tool analyzing the schema
and profiler logs

20. Data remains encrypted
during query
Summary: Always encrypted
Protect data at rest and in motion, on-premises & cloud
Capability
ADO.Net client library provides
transparent client-side encryption, while
SQL Server executes T-SQL queries on
encrypted data
Benefits
Apps TCE-enabled
ADO .NET library
SQL ServerEncrypted
query
Columnar
key
No app
changes
Master
key

21. Row-Level Security
SQL Server 2016
Azure SQL Database

22. Fine-grained access control over specific
rows in a database table
Help prevent unauthorized access when
multiple users share the same tables, or to
implement connection filtering in
multitenant applications
Administer via SQL Server Management
Studio or SQL Server Data Tools
Enforcement logic inside the database and
schema bound to the table.
Protect data privacy by ensuring the right access across rows
SQL Database
Customer 1
Customer 2
Customer 3
Row-level security

23. Fine-grained
access control
Keeping multi-tenant
databases secure by limiting
access by other users who
share the same tables.
Application
transparency
RLS works transparently at
query time, no app changes
needed.
Compatible with RLS in other
leading products.
Centralized
security logic
Enforcement logic resides
inside database and is
schema-bound to the table it
protects providing greater
security. Reduced application
maintenance and complexity.
Store data intended for many consumers in a single database/table while at the same time restricting
row-level read & write access based on users’ execution context.
Benefits of row-level security

24. CREATE SECURITY POLICY mySecurityPolicy
ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime,
endTime)
ON dbo.patients
Predicate function
User-defined inline table-valued function (iTVF) implementing security logic
Can be arbitrarily complicated, containing joins with other tables
Security predicate
Applies a predicate function to a particular table (SEMIJOIN APPLY)
Two types: filter predicates and blocking predicates
Security policy
Collection of security predicates for managing security across multiple tables
Row Level Security Concepts

25. CREATE FUNCTION dbo.fn_securitypredicate(@wing int)
RETURNS TABLE WITH SCHEMABINDING AS
return SELECT 1 as [fn_securitypredicate_result]
FROM
StaffDuties d INNER JOIN Employees e
ON (d.EmpId = e.EmpId)
WHERE e.UserSID = SUSER_SID()
AND @wing = d.Wing;
CREATE SECURITY POLICY dbo.SecPol
ADD FILTER PREDICATE
dbo.fn_securitypredicate(Wing)
ON Patients
WITH (STATE = ON)
Fine-grained access
control over rows in a
table based on one or
more pre-defined filtering
criteria, e.g., user’s role or
clearance level in
organization.
Concepts:
Predicate function
Security policy
Example

26. Two
App user (e.g., nurse) selects from Patients table
Three
Security Policy transparently rewrites query to apply filter predicate
Database
Policy Manager
CREATE FUNCTION dbo.fn_securitypredicate(@wing int)
RETURNS TABLE WITH SCHEMABINDING AS
return SELECT 1 as [fn_securitypredicate_result] FROM
StaffDuties d INNER JOIN Employees e
ON (d.EmpId = e.EmpId)
WHERE e.UserSID = SUSER_SID() AND @wing = d.Wing;
CREATE SECURITY POLICY dbo.SecPol
ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON
Patients
WITH (STATE = ON)
Filter
Predicate:
INNER
JOIN…
Security
Policy
Application
Patients
One
Policy manager creates filter predicate and security policy in T-SQL, binding the
predicate to the Patients table
Nurse
SELECT * FROM Patients
SELECT * FROM Patients
SEMIJOIN APPLY dbo.fn_securitypredicate(patients.Wing);
SELECT Patients.* FROM Patients,
StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId)
WHERE e.UserSID = SUSER_SID() AND Patients.wing = d.Wing;
RLS in Three Steps

27. Creates a security policy for row
level security.
The following examples
demonstrate the use of the
CREATE SECURITY POLICY
syntax.
For an example of a complete
security policy scenario, see Row
Level Security.
Create Security Policy
-- The following syntax creates a security policy with a filter
predicate for the Customer table, and leaves the security
policy disabled
CREATE SECURITY POLICY [FederatedSecurityPolicy]
ADD FILTER PREDICATE
[rls].[fn_securitypredicate]([CustomerId])
ON [dbo].[Customer];
-- Create a new schema and predicate function, which will use
the application user ID stored in CONTEXT_INFO to filter rows.
CREATE FUNCTION rls.fn_securitypredicate (@AppUserId
int)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN (
SELECT 1 AS fn_securitypredicate_result
WHERE
DATABASE_PRINCIPAL_ID() =
DATABASE_PRINCIPAL_ID('dbo')
-- application context
AND CONTEXT_INFO() = CONVERT(VARBINARY(128),
@AppUserId);
GO

28. Dynamic Data Masking
SQL Server 2016
Azure SQL Database

29. Configuration made easy in the new
Azure portal
Policy-driven at the table and column
level, for a defined set of users
Data masking applied in real-time to
query results based on policy
Multiple masking functions available
(e.g. full, partial) for various sensitive
data categories (e.g. Credit Card
Numbers, SSN, etc.)
Azure SQL Database
SQL Server 2016
CTP2+
Table.CreditCardNo
4465-6571-7868-5796
4468-7746-3848-1978
4484-5434-6858-6550
Real-time data masking;
partial masking
Dynamic Data Masking
Prevent the abuse of sensitive data by hiding it from users

30. Audit success/failure
of database
operations
Enhanced auditing
for OLTP with ability
to track history of
record changes
Transparent Data
Encryption support
for storage of In-
memory OLTP
Tables
Backup encryption
now supported with
compression
Other security enhancements

31. gMSA support
Group Managed Service Accounts (gMSA)
Automatically set domain scope for Managed Service Accounts
Automatic password rotation
Much more secure than regular domain accounts
Enables cross-system security context
Why would I want a gMSA?
No need to manually change passwords on all AlwaysOn instances
How does it work?
Passwords are managed by domain
What versions will it be supported in?
Supported in SQL Server 2014 and SQL Server 2016

32. Domain-independent Availability Groups
Environments supported:
Cross domains (with trust)
Cross domains (no trust)
No domain at all
Cluster management via PowerShell only
SQL management as normal
Use of certificate-secured endpoints like DBM
What versions will it be supported in?
SQL Server 2016
SQL 2017: Cross-Windows-and-Linux Availability Groups

33. SQL 2017 new Security Features
.NET CLR (common language runtime)
CLR uses Code Access Security (CAS) in the .NET Framework, which is no longer
supported as a security boundary. (Safe might no longer be safe!)
sp_configure option called clr strict security is introduced to enhance the
security of CLR assemblies.
New Permissions
DATABASE SCOPED CREDENTIAL is now a class of securable, supporting
CONTROL, ALTER, REFERENCES, TAKE OWNERSHIP, and VIEW DEFINITION
permissions.
ADMINISTER DATABASE BULK OPERATIONS, which is restricted to SQL
Database, is now visible in sys.fn_builtin_permissions.

34. SQL 2019 CTP 2.3 new Security Features
Certificate management is now integrated into the
SQL Server Configuration Manager, simplifying
common tasks such as:
• Viewing and validating certificates installed in a SQL Server
instance.
• Viewing certificates close to expiration.
• Deploy certificates across machines participating in Always
On Availability Groups (from the node holding the primary
replica).
• Deploy certificates across machines participating in a failover
cluster instance (from the active node).

35. SQL Server Security Center
https://docs.microsoft.com/en-us/sql/relational-databases/security/security-
center-for-sql-server-database-engine-and-azure-sql-database
SQL Server Security Documentation (2016) (Change
number for version)
https://docs.microsoft.com/en-us/sql/database-engine/whats-new-in-sql-server-
2016#Security
SQL Server 2017 New Features
https://docs.microsoft.com/en-us/sql/database-engine/whats-new-in-sql-server-
2017
SQL Injection Resources
https://docs.microsoft.com/en-us/sql/relational-databases/security/sql-
injection
Security resources

36. End-to-end mobile
BI
on any device
Choice of platform
and language
Most secure
over the last 7 years
0
20
40
60
80
100
120
140
160
180
200
1 2 3 4 5 6
Vulnerabilities(2010-2016)
A fraction of the cost
Self-serviceBIperuser
Only commercial DB
with AI built-in
Microsoft Tableau Oracle
$120
$480
$2,230
Industry-leading
performance
1/10
Most consistent data platform
#1 TPC-H
performance
1TB, 10TB, 30TB
#1 TPC-E performance
#1 price/performance
T-SQL
Java
C/C++
C#/VB.NET
PHP
Node.js
Python
Ruby
R
R and Python +
in-memory at massive scale
Native T-SQL scoring
SQL SERVER 2017
INDUSTRY-LEADING PERFORMANCE AND
SECURIT Y NOW ON LINUX AND DOCKER
Private cloud Public cloud
In-memory across all workloads
1/10th the cost of Oracle

37. Thank you!
george.walters@microsoft.com
@geo_walters on twitter
Blog: https://georgewalters.wordpress.com/
Resources:
SQL Server Blog: https://cloudblogs.microsoft.com/sqlserver/
Microsoft Documentation (Pretty good nowadays!) https://docs.microsoft.com/en-us/
Learning via docs: https://docs.microsoft.com/en-us/learn/
Hands-on labs: https://www.microsoft.com/handsonlabs
In-Person events: https://events.microsoft.com/
SQL Saturday (Centered around Microsoft data platform): http://www.sqlsaturday.com
Microsoft virtual academy: https://mva.microsoft.com/
EdX has tons of material: https://www.edx.org/course?search_query=microsoft