Professional Documents
Culture Documents
Protecting Data With Encryption and Auditing
Protecting Data With Encryption and Auditing
• Limitations:
• Performance impact (DML triggers)
• Sufficiently powerful users can disable triggers
• Lack of SELECT triggers
• Trigger firing order must be managed
Custom Audit Events
• SQL Trace
• Event-driven monitoring tool
• Configured through system stored procedures
• Can be configured to capture user activity
• Server-level audit
• All editions of SQL Server
• Database-level audit
• Enterprise, Developer, and Evaluation editions
• Terminology:
• Server Audit
• Server Audit Specification
• Database Audit Specification
• Actions
• Action Groups
• Target
Defining a Server Audit
• Specify:
• Target
• Queue delay
• Action on failure
• Action Groups
• Server level
• Database level
• Audit level
• Actions
• Database level
• Specify:
• Audit
• Action groups to be included
• State
• Specify:
• Audit
• Action Groups
• Actions on specific securable objects
• May be filtered by specific database principals
• State
CREATE DATABASE AUDIT SPECIFICATION DBSecurity
FOR SERVER AUDIT SecurityAudit
ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
ADD (SELECT ON SCHEMA::HumanResources BY db_datareader)
WITH (STATE = ON);
Audit-Related Dynamic Management Views and
System Views
• DMVs
• sys.dm_audit_actions
• sys.dm_audit_class_type_map
• sys.dm_server_audit_status
• System Views
• sys.server_audits
• sys.server_file_audits
• sys.server_audit_specifications
• sys.server_audit_specifications_details
• sys.database_ audit_specifications
• sys.audit_database_specification_details
Auditing in Azure SQL Database
SELECT *
FROM sys.fn_get_audit_file('X:\AuditFiles\*',default,default);
Working with the Audit Record Structure
• Server Certificate
• Created in master database; encrypted by DMK
• Encryption Types
• Deterministic
• Randomized
• Restrictions
Dynamic Data Masking
• Mask formats:
• Default
• Email
• Custom String
• Random
• Viewing masked data:
• SELECT permission will see masked data
• UNMASK permission will see unmasked data
• Restrictions
• Always Encrypted
• FILESTREAM
• COLUMN_SET
• Calculated columns
Dynamic Data Masking
SELECT [Name],
[SocialSecurityNumber],
[Email],
[Salary]
FROM [Employee]
Encryption with Azure SQL Database
• TDE
• Supported
• EKM
• Not supported
• Always Encrypted
• Supported
Logon Information
Virtual machine: 20764B-MIA-SQL
User name: ADVENTUREWORKS\Student
Password: Pa$$w0rd
• Review Question(s)
Best Practice