SQL Server 2016 Security Why To Upgrade - Microsoft

Transcription

Welcomes you!

The TalkTalk breach, step by step:
- DDoS attack on the TalkTalk Web site
- SQL injection to retrieve data from the database
- Customer data breached
- Received calls demanding ransom

"[2014] was the year when so many high-profile organizations met with the nigh inevitability of 'the breach' that 'cyber' was front and center at the boardroom level."
Verizon Data Breach Investigation Report 2015

Tools and SQL users: lack of knowledge, lack of time, lack of budget, lack of methods for SQL security.
SQL data: apps, personal data, financial data, intellectual property.
SQL threats: malicious insider, SQL injection, credential theft, password cracking.

Security overview

Protect Data
- Encryption in motion: Transport Layer Security (TLS)
- Encryption at rest: Transparent Data Encryption (TDE)
- Encryption in use (client side): Always Encrypted (AE)
Control Access
- Database access: Azure Active Directory Authentication (AAD)
- Application access: Dynamic Data Masking (DDM) & Row-Level Security (RLS)
Proactive Monitoring
- Tracking & detecting: Auditing & Threat Detection
Compliance: FedRAMP (government), ISO, HIPAA (medical), PCI (payment), EU Model Clauses (personal data), UK G-Cloud (public sector)

Protect Data

Transparent Data Encryption (TDE)
Protect data on SQL Database physical storage from unauthorized access.
- Server-side encryption of the data on physical disk
- Simple to use, zero application changes
- Support for all database operations (e.g. joins) on the data
- SQL Database service manages your keys
- AES-NI hardware acceleration (2-3% performance impact)
(Diagram: Customer1, Customer2, Customer3 databases on SQL Database)
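The slide lists the properties of TDE but not how it is turned on, or what it does not cover. The T-SQL below is an added example (not from the deck) for a SQL Server 2016 instance; on Azure SQL Database the service owns the key hierarchy, so only the final `ALTER DATABASE ... SET ENCRYPTION ON` (or the portal toggle) applies. Database name, certificate name, file paths and passwords are placeholders. The caveat worth keeping in mind: TDE decrypts transparently for anyone who can query the database, so a privileged SQL user or a SQL injection payload still reads plaintext; it protects stolen disks and backup files, not data in use.

```sql
-- Added example, not from the slides. Names, paths and passwords are placeholders.
USE master;
GO
-- 1. A database master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password kept in a vault>';
GO
-- 2. The certificate that will protect each database encryption key (DEK).
CREATE CERTIFICATE TdeServerCert WITH SUBJECT = 'TDE certificate for SalesDb';
GO
-- 3. Back the certificate up immediately. Without it, the database and its
--    (encrypted) backups cannot be restored on any other server.
BACKUP CERTIFICATE TdeServerCert
    TO FILE = 'C:\secure\TdeServerCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\secure\TdeServerCert.pvk',
                      ENCRYPTION BY PASSWORD = '<another strong password>');
GO
-- 4. Per-database DEK, protected by the server certificate, then switch TDE on.
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeServerCert;
GO
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- 5. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
--    tempdb is encrypted automatically once any database on the instance uses TDE.
SELECT DB_NAME(database_id) AS db_name, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
```

Step 3 is the one teams skip: the DEK is useless without the certificate, and the certificate's private key is useless without the password chosen in step 3, so both belong in the same key-management process as any other secret.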

Always Encrypted (AE)
Protects highly sensitive data in use from high-privilege SQL users.
- Client-side encryption: sensitive data is encrypted on the client using keys that are never given to the database system.
- Queries on encrypted data: support for equality comparison, including join, group by and distinct operators.
- Application transparency: minimal application changes via server and client library enhancements.
Status: Preview

Always Encrypted: encrypted sensitive data and the corresponding keys are never seen in plaintext in SQL Server.
(Diagram: the trust boundary runs between the client application and SQL Server or SQL Database.)
- The client (ADO.NET) issues: "SELECT Name FROM Customers WHERE SSN = @SSN", @SSN = "111-22-3333"
- The driver encrypts the parameter, so SQL Server receives: "SELECT Name FROM Customers WHERE SSN = @SSN", @SSN = 0x7ff654ae6d
- dbo.Customers stores the SSN as ciphertext (e.g. 0x19ca706fbd9a) and the result set leaves the server as ciphertext
- The driver decrypts the result set; the client sees Name = Wayne Jefferson
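The two Always Encrypted slides describe the flow but not the schema that makes it possible. The T-SQL below is an added example (not from the deck) for SQL Server 2016 / Azure SQL Database; the key names, certificate thumbprint and key blob are placeholders, and the encrypted CEK value in practice comes from the client tooling (the SSMS "New Column Encryption Key" dialog or the .NET provider), never from a value typed by hand. The point it makes beyond the slide: the choice between DETERMINISTIC and RANDOMIZED decides which queries the server can run, and deterministic encryption leaks equality (two equal SSNs produce the same ciphertext).

```sql
-- Added example, not from the slides. Names, thumbprint and key blob are placeholders.

-- 1. Column master key (CMK): the database stores only metadata. The key
--    itself lives in the client's certificate store, which is what keeps
--    it away from DBAs and from anyone who compromises the server.
CREATE COLUMN MASTER KEY CMK_Customers
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/0000000000000000000000000000000000000000'  -- placeholder thumbprint
);

-- 2. Column encryption key (CEK): stored encrypted under the CMK with RSA-OAEP.
--    ENCRYPTED_VALUE below is a placeholder; use the blob generated by the
--    client tooling (SSMS wizard / SqlColumnEncryptionCertificateStoreProvider).
CREATE COLUMN ENCRYPTION KEY CEK_Customers
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Customers,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00  -- placeholder, not a real encrypted key
);

-- 3. The table from the slide. Character columns under DETERMINISTIC
--    encryption must use a BIN2 collation so equality is byte equality.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    -- DETERMINISTIC: the client can send WHERE SSN = @SSN, JOIN, GROUP BY,
    -- DISTINCT. Cost: equal plaintexts give equal ciphertexts, so the
    -- distribution of values is visible to the DBA.
    SSN CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            ENCRYPTION_TYPE = DETERMINISTIC,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
            COLUMN_ENCRYPTION_KEY = CEK_Customers) NOT NULL,
    -- RANDOMIZED: stronger, but the column can only be read back, never
    -- searched, joined or grouped on the server.
    SupportNotes NVARCHAR(400)
        ENCRYPTED WITH (
            ENCRYPTION_TYPE = RANDOMIZED,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
            COLUMN_ENCRYPTION_KEY = CEK_Customers) NULL
);

-- 4. What each side sees. A DBA querying directly gets varbinary ciphertext:
SELECT CustomerId, Name, SSN FROM dbo.Customers;
-- The application connects with "Column Encryption Setting=Enabled" in its
-- ADO.NET 4.6 connection string and passes the SSN as a *parameter*; the
-- driver encrypts @SSN before the statement leaves the client:
--   SELECT Name FROM dbo.Customers WHERE SSN = @SSN;
-- A literal ('111-22-3333') or a LIKE predicate cannot be encrypted by the
-- driver and fails, which is the intended behaviour.
```

Because the server never has the CMK, it cannot help with range queries, LIKE, or computations on the encrypted columns; those have to happen client side after decryption.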

Control Access

Azure Active Directory Authentication (AAD)
- A central place to manage users across services
- Alternative to SQL Server authentication
- Simplifies database permission management using external Azure Active Directory groups
- Allows password rotation in a single place
Multiple authentication methods:
- Username/password for Azure AD managed accounts
- Single Sign-On using Integrated Windows authentication, for federated domains authenticated via Azure AD
- Certificate-based authentication, when the certificate is registered with Azure Active Directory
Status: Preview
Client components: ADALSQL, ADO.NET 4.6
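The slide says Azure AD groups simplify permission management; what that looks like in the database is contained users created FROM EXTERNAL PROVIDER, so membership changes in Azure AD without any DDL on the server. The T-SQL below is an added example (not from the deck); the group, user and role names are placeholders, and it runs in the user database on Azure SQL Database, not in master.

```sql
-- Added example, not from the slides. Group and user names are placeholders.

-- Group-backed user: add or remove people in Azure AD, nothing changes here.
CREATE USER [sales-app-readers] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [sales-app-readers];

-- Individual Azure AD account (managed or federated), same mechanism.
CREATE USER [alice@contoso.com] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datawriter ADD MEMBER [alice@contoso.com];

-- Check: which principals in this database are Azure AD backed?
-- type E = external user, X = external group.
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE type IN ('E', 'X');

-- Client side (ADO.NET 4.6 with ADALSQL installed), for reference:
--   Server=tcp:<server>.database.windows.net,1433;Database=SalesDb;
--   Authentication=Active Directory Password;User ID=alice@contoso.com;
--   Encrypt=True;TrustServerCertificate=False;
-- Encrypt=True with TrustServerCertificate=False is the TLS setting the
-- "encryption in motion" bullet relies on; leaving TrustServerCertificate=True
-- accepts any certificate and defeats it.
```

Prefer the group form for applications and teams; an individual user mapped to db_datawriter is shown only to contrast the two.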

Dynamic Data Masking (DDM)
Limit the exposure of sensitive data by obfuscating query results for app users and engineers.
- Limit access to sensitive data: protects against unauthorized access to sensitive data in the application, using built-in or custom masking rules. Privileged users can still see unmasked data.
- Application transparency: data is masked on the fly; the underlying data in the database remains intact. Transparent to the application and applied according to user privilege.
(Diagram: app users and dev users querying the application)

Dynamic Data Masking: limit the exposure of sensitive data by hiding it from users.
- Auto-discovery of potentially sensitive data to mask
- Configurable masking policy from the Azure Portal or via DDL in the server
- On-the-fly obfuscation of data in query results
- Flexibility to define a set of privileged SQL users for unmasked data access

On-the-fly masking of sensitive data in query results (SQL Database):
Table.PhoneNo (stored)    PhoneNum (returned to a non-privileged user)
1-313-555-5796            XXX-XXX-5796
972-4-777-1978            XXX-XXX-1978
1-248-666-6550
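The masking shown in the table above is one `partial()` rule. The T-SQL below is an added example (not from the deck) that defines that rule, shows what a non-privileged user gets back, and demonstrates the limitation a practitioner should know before relying on DDM: masking is applied to result sets, not to predicates, so a user who can write ad-hoc WHERE clauses can test guesses against the stored value. Table, user and data values are constructed placeholders.

```sql
-- Added example, not from the slides. Table, users and rows are constructed.
CREATE TABLE dbo.Contacts (
    ContactId INT IDENTITY PRIMARY KEY,
    Name      NVARCHAR(100) NOT NULL,
    Email     NVARCHAR(200) MASKED WITH (FUNCTION = 'email()') NULL,
    PhoneNo   VARCHAR(20) NULL
);

-- The rule behind the slide: no prefix, fixed padding, keep the last 4 characters.
-- 1-313-555-5796 -> XXX-XXX-5796
ALTER TABLE dbo.Contacts
    ALTER COLUMN PhoneNo ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)');

INSERT INTO dbo.Contacts (Name, Email, PhoneNo) VALUES
    ('Wayne Jefferson', 'wayne@example.com', '1-313-555-5796'),
    ('Dana Cohen',      'dana@example.com',  '972-4-777-1978');

-- An application reader without UNMASK. No change to the query is needed.
CREATE USER AppReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Contacts TO AppReader;

EXECUTE AS USER = 'AppReader';
SELECT Name, Email, PhoneNo FROM dbo.Contacts;
-- Email  -> wXXX@XXXX.com style, PhoneNo -> XXX-XXX-5796, XXX-XXX-1978

-- Caveat: the predicate is evaluated against the real value, so a guess can
-- be confirmed even though the column is masked in the output.
SELECT Name FROM dbo.Contacts WHERE PhoneNo = '1-313-555-5796';  -- returns Wayne Jefferson
REVERT;

-- Privileged access: UNMASK is database-wide, so grant it to a role, sparingly.
-- Members of db_owner see unmasked data without an explicit grant.
CREATE USER SupportLead WITHOUT LOGIN;
GRANT UNMASK TO SupportLead;
```

DDM is therefore a presentation control for application and support users, as the slide says, and not a substitute for Always Encrypted or for denying ad-hoc query rights to those users.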

Row-Level Security (RLS)
Centralize your row access logic within the database.
- Fine-grained access control: control both read and write access to specific rows of data in a shared database. Flexible access criteria (user identity, role/group memberships, connection data, time of day, etc.).
- Application transparency: RLS works transparently at query time, no app changes needed. Reduces application maintenance and code complexity.
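The slide mentions both read and write control and "connection data" as an access criterion. The T-SQL below is an added example (not from the deck) that puts those together for a multi-tenant table: a filter predicate for reads, block predicates so a tenant cannot write rows belonging to another tenant, and SESSION_CONTEXT as the connection-level carrier of the tenant id. Table, schema and tenant values are constructed placeholders. Caveat a practitioner wants: RLS filters rows, it does not encrypt them, so a user with ad-hoc query rights can still probe for filtered rows through side channels such as error messages in crafted predicates; pair it with least privilege on the connection.

```sql
-- Added example, not from the slides. Names and data are constructed.
CREATE TABLE dbo.Orders (
    OrderId  INT IDENTITY PRIMARY KEY,
    TenantId INT NOT NULL,
    Amount   DECIMAL(10,2) NOT NULL
);
INSERT INTO dbo.Orders (TenantId, Amount) VALUES (1, 10.00), (1, 20.00), (2, 99.00);
GO

-- Predicate functions live in their own schema so application users cannot
-- alter them; SCHEMABINDING is required by the security policy.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_tenantPredicate(@TenantId AS INT)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS INT)
              OR IS_MEMBER('db_owner') = 1;   -- explicit, auditable admin bypass
GO

CREATE SECURITY POLICY Security.OrdersTenantPolicy
    -- Reads: rows of other tenants simply do not exist for this session.
    ADD FILTER PREDICATE Security.fn_tenantPredicate(TenantId) ON dbo.Orders,
    -- Writes: without these, a tenant could INSERT or UPDATE rows into
    -- another tenant (it would just not see them afterwards).
    ADD BLOCK PREDICATE Security.fn_tenantPredicate(TenantId) ON dbo.Orders AFTER INSERT,
    ADD BLOCK PREDICATE Security.fn_tenantPredicate(TenantId) ON dbo.Orders AFTER UPDATE
    WITH (STATE = ON, SCHEMABINDING = ON);
GO

-- The application sets the tenant once per connection. @read_only = 1 means
-- later code on the same connection cannot switch tenants.
EXEC sp_set_session_context @key = N'TenantId', @value = 1, @read_only = 1;

SELECT OrderId, TenantId, Amount FROM dbo.Orders;
-- as a non-db_owner user: only the two TenantId = 1 rows

INSERT INTO dbo.Orders (TenantId, Amount) VALUES (2, 5.00);
-- fails: the AFTER INSERT block predicate rejects a row tagged for tenant 2
```

Connection pooling resets session context when a connection is reused, so the application must set it at the start of every pooled session, not once at startup.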

Proactive Monitoring

Threat Detection
Detect suspicious database activities, gain insight into database events and streamline compliance-related tasks. Investigate and mitigate.
- A strong demand for cloud applications to meet security standards recommended by regulating authorities.
- Proprietary algorithms work around the clock to develop a behavioral profile of your database, identifying anomalous activities and potential threats.
- React and respond to threats in real time, via email alerts and the Azure portal.

Azure SQL Database Auditing
Gain insight into database events and streamline compliance-related tasks.
- Configurable audit policy via the Azure portal and standard API
- Audit logs reside in your Azure Storage account
- Azure portal viewer and Excel templates for analysis of the audit log
(Diagram: Azure DB -> audit log -> Azure Storage)
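The slide covers the portal-configured audit on Azure SQL Database. For the SQL Server 2016 side of the title, and for anyone who wants to query the log rather than open it in Excel, the T-SQL below is an added example (not from the deck): a server audit that fails closed, a server specification for failed logins and principal changes, a database specification for DML against a sensitive table, and the query that reads the log back. Paths, names and the table are placeholders; on Azure SQL Database the same `sys.fn_get_audit_file` call is pointed at the blob container the portal writes to.

```sql
-- Added example, not from the slides. Paths, names and table are placeholders.
USE master;
GO
CREATE SERVER AUDIT SensitiveDataAudit
    TO FILE (FILEPATH = 'D:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    -- ON_FAILURE = SHUTDOWN: if the audit cannot write, stop the instance
    -- rather than run unaudited (the service account needs SHUTDOWN permission).
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = SHUTDOWN);
GO
CREATE SERVER AUDIT SPECIFICATION LoginAndPrincipalSpec
    FOR SERVER AUDIT SensitiveDataAudit
    ADD (FAILED_LOGIN_GROUP),              -- password cracking shows up here
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)    -- new/altered logins (credential theft follow-up)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT SensitiveDataAudit WITH (STATE = ON);
GO

USE SalesDb;
GO
CREATE DATABASE AUDIT SPECIFICATION CustomersAccessSpec
    FOR SERVER AUDIT SensitiveDataAudit
    -- Every read and write of the sensitive table by anyone (public).
    ADD (SELECT, INSERT, UPDATE, DELETE ON dbo.Customers BY public)
    WITH (STATE = ON);
GO

-- Read the log back, most recent first. action_id values:
-- LGIF = login failed, SL = SELECT, IN = INSERT, UP = UPDATE, DL = DELETE.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('D:\Audit\SensitiveDataAudit*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id IN ('LGIF', 'SL', 'IN', 'UP', 'DL')
ORDER BY event_time DESC;

-- Typical triage: many LGIF rows for one principal in a short window is the
-- "password cracking" threat from the opening slide; a SELECT on
-- dbo.Customers from an unfamiliar principal is the "malicious insider" one.
```

Audit files under `D:\Audit\` need the same access control as the data they describe: the `statement` column records the query text, including any literals the application sent.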

Demo
(Diagram: tools, apps and an external attacker against SQL Database, with a malicious insider on the inside)

Azure SQL Database Security: securing your data is easier than ever
- Protect Data: encrypt the data in transit, at rest and in use (Transport Layer Security, Transparent Data Encryption, Always Encrypted)
- Control Access: limit application and database access to sensitive data (Dynamic Data Masking, Row-Level Security, Azure AD Authentication)
- Proactive Monitoring: monitor and track the ongoing database activities (Auditing, Threat Detection)

Thank you!
