
SQL Server 2016

Better Security
Concepts
Backup Encryption

Row-Level Security
Dynamic Data Masking

Always Encrypted
TLS 1.2
AES Encryption
Database Level Credentials
TDE Offload
Security Features in SQL Server 2016

Always Encrypted
Row-Level Security
Transparent Data Encryption
Dynamic Data Masking
Always Encrypted
Client libraries encrypt inbound data when it is used by SQL Server
Requires .NET 4.6--other libraries available soon
Encrypted data can be queried and indexed
Always Encrypted—SQL Architecture

Column Master Keys--protecting keys used to encrypt column encryption keys
Column Encryption Keys--protecting keys used to encrypt column encryption keys
Creating a Table with Always Encrypted Columns
Indexing and Always Encrypted
DETERMINISTIC columns may be indexed
RANDOMIZED or DETERMINISTIC may be used in include statements
These are treated like regular indexes
More I/O and network bandwidth will be consumed by these indexes
Always Encrypted—SQL Server
Deterministic
• Can perform equality operations
• Can perform grouping operations
• Allows indexing on encrypted columns
• Should be used for data with large domain of distinct values
• Should not be used for data with limited domain of distinct values (e.g. birthdays)
• May leak statistical information
Randomized
• Most secure
• Does not allow grouping
• Does not allow equality operations on encrypted columns
• Good for columns with small domain of distinct values
Transparent Data Encryption

Performs encryption at rest only
Encrypts backups and data files
Export files are not encrypted so be careful
TDE—SQL Server 2016
Support for In-Memory OLTP
Stretch Database Support
Support for Intel AES-NI hardware acceleration
• This reduces CPU resources for TDE
Cell Level Encryption
Used for sensitive data stored in the database
Configure with symmetric key and certificates
Long term replacement is Always Encrypted
Row Level Security
Allows configuration to only allow users to see rows that they are granted access to
Silently filters rows—users have no insight
Uses filter and block predicates for security
Row Level Security
RLS Predicates are functionally equivalent to a WHERE clause in a query
Controls access to rows based on the user executing the query
Row Level Security—Practical Implementation
Create inline table function
Bind security policy to that function
Row Level Security--Sample Code
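The two steps above (create an inline table function, then bind a security policy to it), written out as an added T-SQL example; it is not the code from the original slide. The dbo.Orders table, the Security schema, the function and policy names and the three users are constructed for illustration.

```sql
-- Constructed sample objects (not from the slides): dbo.Orders, schema Security, users below.
CREATE USER Manager   WITHOUT LOGIN;
CREATE USER SalesRep1 WITHOUT LOGIN;
CREATE USER SalesRep2 WITHOUT LOGIN;
GO
CREATE TABLE dbo.Orders (
    OrderID  int IDENTITY PRIMARY KEY,
    SalesRep sysname NOT NULL,
    Amount   money   NOT NULL
);
INSERT INTO dbo.Orders (SalesRep, Amount)
VALUES (N'SalesRep1', 100), (N'SalesRep1', 250), (N'SalesRep2', 75);
GRANT SELECT, INSERT ON dbo.Orders TO Manager, SalesRep1, SalesRep2;
GO
CREATE SCHEMA Security;
GO
-- Step 1: inline table-valued function. A row passes when the function returns a row for it,
-- so the predicate behaves like a WHERE clause evaluated for the calling user.
CREATE FUNCTION Security.fn_OrderAccess (@SalesRep AS sysname)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS AccessGranted
       WHERE @SalesRep = USER_NAME() OR USER_NAME() = N'Manager';
GO
-- Step 2: bind the function to the table. FILTER hides rows on read;
-- BLOCK ... AFTER INSERT rejects new rows that do not satisfy the predicate.
CREATE SECURITY POLICY Security.OrdersPolicy
    ADD FILTER PREDICATE Security.fn_OrderAccess(SalesRep) ON dbo.Orders,
    ADD BLOCK PREDICATE  Security.fn_OrderAccess(SalesRep) ON dbo.Orders AFTER INSERT
    WITH (STATE = ON);
GO
-- Check the policy from each user's point of view.
EXECUTE AS USER = 'SalesRep1';
SELECT OrderID, SalesRep, Amount FROM dbo.Orders;   -- filter predicate applied silently
REVERT;
EXECUTE AS USER = 'Manager';
SELECT OrderID, SalesRep, Amount FROM dbo.Orders;   -- Manager is exempted by the function
REVERT;
EXECUTE AS USER = 'SalesRep2';
BEGIN TRY
    -- Writing a row on behalf of another rep violates the block predicate.
    INSERT INTO dbo.Orders (SalesRep, Amount) VALUES (N'SalesRep1', 999);
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS ErrorNumber, ERROR_MESSAGE() AS ErrorMessage;
END CATCH;
REVERT;
```

The filter applies to every principal the function does not exempt, dbo included, so an administrator querying dbo.Orders under this policy sees no rows.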
Dynamic Data Masking
Allows you to show a limited image of sensitive data
Call center where reps need to verify last 4 of SSN
Allow developers to query production environments without seeing personally identifiable information
Dynamic Data Masking Policies

Admin Users Excluded
Policies set which users are subject to masking
Masking Rules—Which fields are masked and which pattern
Masking functions—Method for which data to expose
Dynamic Masking Functions
Default: Full masking based on data types of the field (no data exposed)
Credit Card: Shows the last four digits of a credit card number
Social Security Number: Method shows the last 4 digits XXX-XX-1234
Random Number: Generates random numbers according to the boundaries
Custom Text: Exposes first and last characters and adds custom string in the middle
Dynamic Data Masking – Azure SQL DB
This feature was first introduced in SQL DB
In SQL DB there is a recommendation engine to recommend DDM fields
Adding Masking to a New Table
Other Security Enhancements

The default encryption for endpoints changes from RC4 to AES
Credentials can now be scoped at the database level
