SQLintersectionThursday, June 13th 2019

11:15am - 12:30pm

SQL Server 2017+ and Azure SQL DB: Security Smackdown

David Pless

David.Pless@Microsoft.com

© SQLintersection. All rights reserved.http://www.SQLintersection.com

▪ SQL Server Security Features Overview Row Level Security

Dynamic Data Masking

Transparent Data Encryption

Always Encrypted

Advanced Threat Detection

▪ SQL Server Management Studio Improvements

Data Classification / Vulnerability Assessments

▪ The Rising Threats:

Ransomware

Spectre / Meltdown

Security Topics

Why SQL Security Intelligence?

Common threats • SQL injection• Brute force access• Password cracking • Credential theft/leak• Privilege abuse

Secure your database

1. Discover sensitive data

2. Identify & remediate SQL vulnerabilities

3. Detect & remediate suspicious database activities

4. Meet security regulations requirements

Common regulations• GDPR (Personal) • PCI (Payment)• HIPPA (Health)• FedRAMP (Government)

• No organization is immune to data breaches and security incidents • 75% perpetrated by outsiders, while 25% involved internal actors

Security Landscape

Available• TLS (link)

• TDE

• Dynamic Data Masking

• Always Encrypted

• Secure Enclaves

Available• Data Discovery &

Classification

• Vulnerability Assessment

• Advanced Threat Detection

• SQL Database Auditing with Power BI

• Azure Activity Log to Event Hubs

Available• Row-level Security

• Firewall

• Users & Permissions

• SQL Authentication

• Azure Active Directory Authentication

Limiting

Access

Tracking

Activities / Assessment

Protecting

Data

Compliance:• Microsoft Azure Trust Center

Monitoring:• Azure Security Center

• Azure Advisor and Monitor

Row Level Security• Azure SQL Database

• Azure SQL Managed Instance

• SQL Server 2016 / 2017 / 2019

• Fine-grained access control over specific rows

in a database table

• Help prevent unauthorized access when

multiple users share the same tables, or to

implement connection filtering in multitenant

applications

• Administer via SSMS, Azure Data Studio

or SQL Server Data Tools

• Enforcement logic inside the database

and schema is bound to the table

Protect data privacy by ensuring the right access across rows

SQL Database

The Need for Row Level Security (RLS)

Client App

Customer 1

Customer 2

Customer 3

CREATE SECURITY POLICY mySecurityPolicyADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime) ON dbo.patients

Predicate functionUser-defined inline table-valued function (iTVF) implementing security logic

Can be arbitrarily complicated, containing joins with other tables

Security predicateBinds a predicate function to a particular table, applying it for all queries

Two types: filter predicates and blocking predicates

Security policyCollection of security predicates for managing security across multiple tables

Row Level Security Concepts

Security

What about performance?Inline functions get optimized to

provide comparable performance to

views—as if the logic were directly

embedded in the original query

statement.

Security Predicates

RLS supports two types of security predicates

• Filter Predicates silently filter rows available to read operations

(SELECT, UPDATE, and DELETE)

• Block Predicates explicitly block write operations

(AFTER INSERT, AFTER UPDATE, BEFORE UPDATE, BEFORE DELETE) that violate

predicate*

Access to row-level data in table is restricted by security predicate defined as inline

table-valued function, which is invoked and enforced by security policy

• For filter predicates, no indication to application that rows have been filtered from

result set; if all rows are filtered, a null set will be returned

• For block predicates, any operations that violate predicate will fail with error

--Create a new schema and predicate function, which will use the --application user ID stored in SESSION_CONTEXT to filter rows.CREATE SCHEMA Security; GOCREATE FUNCTION Security.fn_securitypredicate(@AppUserId int) RETURNS TABLE WITH SCHEMABINDING AS RETURN SELECT 1 AS fn_securitypredicate_resultWHERE DATABASE_PRINCIPAL_ID() = DATABASE_PRINCIPAL_ID('AppUser') AND CAST(SESSION_CONTEXT(N'UserId') AS int) = @AppUserId; GO

--Create a security policy that adds this function as a filter --predicate and a block predicate on Sales.CREATE SECURITY POLICY Security.SalesFilterADD FILTER PREDICATE Security.fn_securitypredicate(AppUserId) ON dbo.Sales,

ADD BLOCK PREDICATE Security.fn_securitypredicate(AppUserId) ON dbo.Sales AFTER INSERT

WITH (STATE = ON);

Creates a security policy for row-level security

The following examples demonstrate the use of the CREATE SECURITY POLICY syntax

For an example of a complete security policy scenario, see Row-Level Security

Row Level Security – Application Scenario

Configure Row Level Security (End to End Example)

1. Create user accounts to test Row-Level Security

GRANT SELECT ON Sales.SalesOrderHeader TO Manager; GRANT SELECT ON Sales.SalesOrderHeader TO SalesPerson280;

2. Grant read access to users on a required table

CREATE SCHEMA Security; GO CREATE FUNCTION Security.fn_securitypredicate(@SalesPersonID AS int)

RETURNS TABLE WITH SCHEMABINDING AS

RETURN SELECT 1 AS fn_securitypredicate_result WHERE ('SalesPerson' + CAST(@SalesPersonId as VARCHAR(16)) = USER_NAME()) OR (USER_NAME() = 'Manager');

3. Create a new schema and inline table-valued function

USE AdventureWorks2014; GO CREATE USER Manager WITHOUT LOGIN; CREATE USER SalesPerson280 WITHOUT LOGIN;

CREATE SECURITY POLICY SalesFilterADD FILTER PREDICATE Security.fn_securitypredicate(SalesPersonID) ON Sales.SalesOrderHeader,

ADD BLOCK PREDICATE Security.fn_securitypredicate(SalesPersonID) ON Sales.SalesOrderHeader

WITH (STATE = ON);

4. Create a security policy, adding the function as both a filter and block predicate on the table

5. Execute the query to the required table so that each user sees the result (can also alter the security policy to disable)

Database

How Row Level Security Works

Policy Manager

CREATE FUNCTION dbo.fn_securitypredicate(@wing int)

RETURNS TABLE WITH SCHEMABINDING AS

return SELECT 1 as [fn_securitypredicate_result] FROM

StaffDuties d INNER JOIN Employees e

ON (d.EmpId = e.EmpId)

WHERE e.UserSID = SUSER_SID() AND @wing = d.Wing;

CREATE SECURITY POLICY dbo.SecPol

ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON Patients,

ADD BLOCK PREDICATE dbo.fn_securitypredicate(Wing) ON Patients

WITH (STATE = ON)

Security

Policy

Application

Patients

1) Policy manager creates filter predicate and security policy in T-SQL, binding the predicate to the Patients table2) Nurse, using an app selects from Patients table3) Security Policy transparently rewrites query to apply filter predicate

SELECT FROM

SEMIJOIN APPLY dbo.fn_securitypredicate(patients.Wing);

SELECT Patients.Name FROM Patients,

StaffDuties d INNER JOIN Employees e ON (d.EmpId = e.EmpId)

WHERE e.UserSID = SUSER_SID() AND Patients.wing = d.Wing;

Nurse (Employee ID=100986)

SELECT Name FROM

Patients

Database

How Row Level Security Works

Policy Manager

Security

Policy

Application

Patients

4) Filtered rows are returned and nurse sees only the patients on her wing

Nurse (Employee ID=100986)

EmployeeId Wing

100986 a1

206985 a2

345906 a3

331225 b1

Name

Jones, Walker

Rickmann, Earnst

Polka, Dorothy

Wing PatientId Name

a1 100-207 Jones, Walker

b1 201-677 Smith, Weston

b2 898-045 Jarvis, Anne

a1 009-451 Rickmann, Earnst

b2 922-769 Gray, Jim

a1 801-345 Polka, Dorothy

Dynamic Data Masking• Azure SQL Database

• Azure SQL Managed Instance

• SQL Server 2016 / 2017 / 2019

+

• On-the-fly obfuscation of data in query results

• Policy-driven on the table and column

• Multiple masking functions available for various

sensitive data categories

• Flexibility to define a set of privileged logins for

un-masked data access

• By default, database owner is unmaskedhttps://msdn.microsoft.com/en-us/library/mt130841.aspx

SQL Database

SQL Server 2016+

Table.CreditCardNo

4465-6571-7868-5796

4468-7746-3848-1978

4484-5434-6858-6550

Real-time data masking;

partial masking

How Dynamic Data Masking Works

Limit sensitive data exposure by

obfuscating data to non-privileged users

How Dynamic Data Masking Works

Security

Officer

ALTER TABLE [Employee] ALTER COLUMN [SocialSecurityNumber]

ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",2)’)

ALTER TABLE [Employee] ALTER COLUMN [Email]ADD MASKED WITH (FUNCTION = ‘EMAIL()’)

ALTER TABLE [Employee] ALTER COLUMN [Salary] ADD MASKED WITH (FUNCTION = ‘RANDOM(1,20000)’)

GRANT UNMASK to hrsupervisor

1) Security officer defines dynamic data masking policy in T-SQL over sensitive data in Employee table2) App user selects from Employee table3) Dynamic Data Masking policy obfuscates the sensitive data in the query results

SELECT [Name],

[SocialSecurityNumber],

[Email],

[Salary]

FROM [Employee]

hrsupervisor loginnon-privileged login

Combine with Row Level Security!

Security

Officer

ALTER TABLE [Employee] ALTER COLUMN [SocialSecurityNumber]

ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",2)’)

ALTER TABLE [Employee] ALTER COLUMN [Email]ADD MASKED WITH (FUNCTION = ‘EMAIL()’)

ALTER TABLE [Employee] ALTER COLUMN [Salary] ADD MASKED WITH (FUNCTION = ‘RANDOM(1,20000)’)

GRANT UNMASK to hrsupervisor

4) Data masking obscures columns, row level security filters rows

SELECT [Name],

[SocialSecurityNumber],

[Email],

[Salary]

FROM [Employee]

hrsupervisor loginnon-privileged login

© SQLintersection. All rights reserved.http://www.SQLintersection.com

Leveraging Row Level Security and Dynamic Data Masking

SQL Server 2016 / 2017+ (T-SQL)

Azure SQL Database Portal

Application Example

Demonstration

Transparent Data Encryption (TDE)• Azure SQL Database

• Azure SQL Managed Instance

• SQL Server 2008+ Enterprise Edition

Protects the user database and all of its backups, Transaction Logs and TempDB

Alternatively: 2 T-SQL statements

Azure SQL DB manages your keys (Service managed TDE)

BYOK support

Using INTEL’s AES-NI Hardware Acceleration

Transparent Data Encryption - How It Works

Customer A Customer B

Customer A

Customer B

SQL DB Management

Service

Best Practice: Enable Transparent Data Encryption on all databases

On Premise vs. Azure: Implementing TDE

Always Encrypted• Azure SQL Database

• Azure SQL Managed Instance

• SQL Server 2016 / 2017 / 2019

Always Encrypted - Protect your Data at Rest and In-Motionwithout impacting database performance

Always Encrypted

Query

TrustedApps

SELECT Name FROM

Patients WHERE SSN=@SSN

@SSN='198-33-0987'

Result Set

SELECT Name FROM

Patients WHERE SSN=@SSN

@SSN=0x7ff654ae6d

Column Encryption

Key

Enhanced

ADO.NET

Library

ColumnMasterKey

Client side

ciphertext

Name

243-24-9812

SSN Country

Denny Usher 198-33-0987 USA

Alicia Hodge 123-82-1095 USA

Philip Wegner USA

dbo.Patients

SQL Server

dbo.Patients

Philip Wegner

Name SSN

USA

Denny Usher 0x7ff654ae6d USA

Alicia Hodge 0y8fj754ea2c USA

1x7fg655se2e

Country

Philip Wegner

Name

1x7fg655se2e

SSN

USA

Country

Denny Usher 0x7ff654ae6d USA

Alicia Hodge 0y8fj754ea2c USA

dbo.Patients

Result Set

Denny Usher

Name

0x7ff654ae6d

SSN

USA

Country

198-33-0987

1x7fg655se2e

0x7ff654ae6d

0y8fj754ea2c

5se20x7fy8fjk

&#^&#%!!

> SELECT SSN FROMdbo.Patients

Randomized EncryptionEncrypt('123-45-6789') = 0x17cfd50aRepeat: Encrypt('123-45-6789') = 0x9b1fcf32Allows for transparent retrieval of encrypted data but NO operationsMore secure

Deterministic EncryptionEncrypt('123-45-6789') = 0x85a55d3fRepeat: Encrypt('123-45-6789') = 0x85a55d3fAllows for transparent retrieval of encrypted data AND equality comparison (i.e. in WHERE clauses and Joins, DISTINCT, GROUP BY)

Two Types of

Encryption:

Randomized Encryption

uses a method that encrypts

data in a less predictable

manner

Deterministic Encryption

uses a method which always

generates the same encrypted

value for any given plaintext

value

Types of Encryption for Always Encrypted

Security

Security

Officer

1. Generate CEKs and master key

2. Encrypt CEK

3. Store master key securely

4. Upload encrypted CEK to DB

CMK store:

Certificate store

HSM

Azure Key Vault

…

Encrypted

CEK

Column

encryption key

(CEK)

Column

master key

(CMK)

Key Provisioning

CMK

Database

Encrypted CEK

Security

Always Encrypted T-SQL Example

CREATE COLUMN MASTER KEY MyCMKWITH ( KEY_STORE_PROVIDER_NAME = ‘MSSQL_CERTIFICATE_STORE’,KEY_PATH = ‘Current User / Personal / f2260f28909d21c642a3d8e0b45a830e79a12420’ );

CREATE COLUMN ENCRYPTION KEY MyCEKWITH VALUES ( COLUMN_MASTER_KEY = MyCMK, ALGORITHM = ‘RSA_OAEP’,ENCRYPTED_VALUE = ‘0x017000_64003);

CREATE TABLE Customers (Customers nvarchar(60) COLLATE Latin1_General_BIN2 ENCRYPTEDWITH (COLUMN_ENCRYPTED_KEY = MyCEK,ENCRYPTION_TYPE = RANDOMIZED, ALGORITHM = ‘AEAD_AES_256_CBC_HMAC_SHA_256’),

SSN varchar(11) COLLATE Latin1_General_BIN2 ENCRYPTEDWITH (COLUMN_ENCRYPTED_KEY = MyCEK,ENCRYPTION_TYPE = DETERMINISTIC, ALGORITHM = ‘AEAD_AES_256_CBC_HMAC_SHA_256’), Age int NULL );

© SQLintersection. All rights reserved.http://www.SQLintersection.com

Leveraging Always Encrypted

Encrypting Data In Place and In Motion

Demonstration

Always Encrypted with Secure Enclaves

Enhanced Client Driver

plaintext ciphertext

secure enclave

plaintext

Protects sensitive data in use while enabling rich computations and in-place encryption

Processing sensitive data inside SQL Enclave

SQL Server Engine delegates operations on encrypted data to the an enclave, where the data can be safely decrypted and processed

Rich Computations

Initially, supports pattern matching (LIKE) and range queries (<, >, etc.).More operations to be supported later: sorting, type conversions, intrinsic functions, and more

In-place Encryption

SQL Enclave can perform initial data encryption and key rotation, without moving the data out of the database

Advanced Threat Detection• SQL injection

• Unusual database access patterns

• Potential risks / vulnerabilities

“SQL Injection is a code injectiontechnique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).”

– Wikipedia - Example Trend

Advanced Threat DetectionDetects Suspicious Database Activities

✓ Just turn it ON

✓ Detects potential vulnerabilities and SQL injection attacks

✓ Detects unusual behavior activities

✓ Actionable alerts which recommend how to investigate & remediate

Azure SQL DatabaseApps

Audit Log Threat Detection (1) Turn on Threat Detection

(3) Real-time actionable alerts

*It costs $15/server/month , first 60 days for free.

(2) Possible threat to

access / breach data

© SQLintersection. All rights reserved.http://www.SQLintersection.com

Azure Advanced Threat Detection

SQL Server Injection Attacks

Alerts and Monitoring

Demonstration

SQL Server Management Studio

• New Features in SSMS 17.4+

• Azure SQL DB and Azure SQL DB Managed Instance

• Azure Security Center

SQL Server Vulnerability Assessment (17.4+)A One-Stop-Shop to Track and Improve your SQL Security State

Azure SQL Database

Vulnerability Assessment

Identifies , tracks , resolves SQL security vulnerabilities

▪ Just run a scan

▪ Discover sensitive data that is not protected

▪ Identify and remediate security misconfigurations

▪ Coherent report that helps meet compliance requirements

▪ SQL Server 2017 andAzure SQL Database

SQL Server On-Prem

Azure SQL Database

SQL Data Discovery and Classification (17.5+)▪ New tool built into SQL Server

Management Studio (SSMS)

▪ For discovering, classifying, labeling and reporting the sensitive data (Financial, healthcare, PII, etc.)

▪ Helping meet data privacy standards and regulatory compliance requirements, such as GDPR

▪ Controlling access to and hardening the security of databases/columns containing highly sensitive data

▪ Data Discovery & Classification is supported for SQL Server 2008 and later

sys.sensitivity_classifications

SQL Data Discovery and Classification

ADD SENSITIVITY CLASSIFICATION TOdbo.sales.price, dbo.sales.discountWITH (LABEL='Highly Confidential', INFORMATION_TYPE='Financial')

© SQLintersection. All rights reserved.http://www.SQLintersection.com

SQL Server Management Studio Improvements (17.5+)

SQL Server Vulnerability Assessment

SQL Data Discovery and Classification

Demonstration

What’s the Best Bet? (Cover your bases)

▪ TLS/SSL - uses encryption to protect the transfer of application data

▪ Use TDE to protect data at rest and tempdb

▪ Use Row Level Security and DDM to limit and protect data specifics

▪ Always Encrypted (with enclaves) to protect data in motion

If you cannot use Always Encrypted, leverage DDM

▪ Audit sensitive columns – If you care enough to DDM/Encrypt..

Consider 3rd party solutions for auditing large environments with alerting

▪ Use static data masking on any non-production purposed copy of your data being aware of the data risk levels

▪ Use vulnerability assessments to regularly implement a security health check

Implement regular independent audits

Addressing Recent Security Vulnerabilities and Risks• Spectre and Meltdown

Ransomware

WannaCry

Spectre

Meltdown

Threats on the Rise

To take advantage of available protections, follow these steps to get the latest updates for both software and hardware:

1. Make sure your antivirus software is up to date

Keep your device up to date by turning on automatic updates

3. Check that you’ve installed the latest Windows operating system security update from Microsoft. If automatic updates are turned on, the updates should be automatic, but you should still confirm

4. Install any firmware updates from your device manufacturer

Microsoft Guidance with Spectre and Meltdown

Note: Customers who only install the latest security updates will not be fully protected. You will need to update both your hardware and your software to fix this vulnerability.

Note: Firmware updates should be available on your device manufacturer's website

<IMPORTANT> Protect SQL Server from attacks on Spectre and Meltdown side-channel vulnerabilitieshttps://support.microsoft.com/en-us/help/4073225/guidance-protect-sql-server-against-spectre-meltdown

Microsoft Guidance with Spectre and Meltdown

Note: Customers who only install the latest security updates will not be fully protected. You will need to update both your hardware and your software to fix this vulnerability.

© SQLintersection. All rights reserved.http://www.SQLintersection.com

▪ SQL Server Security Features Overview Transparent Data Encryption

Row Level Security

Static and Dynamic Data Masking

Always Encrypted / Always Encrypted with Enclaves

Advanced Threat Detection

▪ SQL Server Management Studio Improvements

▪ Ransomware

▪ Spectre / Meltdown

Security Overview

© SQLintersection. All rights reserved.http://www.SQLintersection.com

References▪ Spectre Attacks: Exploiting Speculative Execution

https://spectreattack.com/spectre.pdf

▪ Meltdownhttps://meltdownattack.com/meltdown.pdf

▪ Protect SQL Server from attacks on Spectre and Meltdown side-channel vulnerabilitieshttps://support.microsoft.com/en-us/help/4073225/guidance-protect-sql-server-against-spectre-meltdown

▪ PowerShell Script to patch Meltdown/Spectre Exploits for Windows Serverhttps://gallery.technet.microsoft.com/scriptcenter/Meltdown-Spectre-Script-3cd11f26

▪ Cloud Cybersecurity in Healthcare: Thoughts on Spectre & Meltdown https://enterprise.microsoft.com/en-us/articles/industries/health/cloud-cybersecurity-in-healthcare-thoughts-on-spectre-meltdown/

▪ SQL Whitepaper guiding customers (SQL and GDPR Guide)https://aka.ms/gdprsqlwhitepaper

▪ SQL Server Security Bloghttp://blogs.msdn.microsoft.com/sqlsecurity/

▪ SQL Server Security | Microsoft Docshttps://www.microsoft.com/GDPR/https://www.gdprbenchmark.com/

Don’t forget to complete an online evaluation!

SQL Server 2017 and Azure SQL DB: Security Smackdown

Your evaluation helps organizers build better conferences and helps speakers improve their sessions.

Questions?

Thank you!

Save the DateWeek of November 18, 2019

We’re back in Vegas baby!

www.SQLintersection.com