Security Talk: Protecting Your Data Using Encryption in SQL Server. Il-Sung Lee Senior Program Manager Microsoft Corporation

Similar documents
SQL Server Encryption Overview. September 2, 2015

Securing Data on Microsoft SQL Server 2012

Database Security SQL Server 2012

MS-55096: Securing Data on Microsoft SQL Server 2012

PrivateServer HSM EKM Provider for Microsoft SQL Server

Microsoft SQL Server Integration Guide

Securing Your Sensitive Data with EKM & TDE. on SQL Server 2008/2012

Alliance Key Manager Cloud HSM Frequently Asked Questions

risk advisory TAX Finance & Accounting Dave Elliott, CIPP/G/C, CISSP, CISA Chip Zodrow Paul Rozek, CGEIT

Microsoft SQL Server Security Best Practices

SQL Server 2012 Security Best Practices - Operational and Administrative Tasks

Managed Encryption Service

Exam Number/Code : Exam Name: Name: PRO:MS SQL Serv. 08,Design,Optimize, and Maintain DB Admin Solu. Version : Demo.

Supporting HIPAA Compliance with Microsoft SQL Server 2008

MySQL Security: Best Practices

SafeNet MSSQL EKM Provider User Guide

Transparent Data Encryption: New Technologies and Best Practices for Database Encryption

Microsoft SQL Server Security and Auditing Clay Risenhoover ISACA North Texas April 14,

Securing Information in LiveBackup

Alliance Key Manager Solution Brief

SQL Server 2008 Designing, Optimizing, and Maintaining a Database Session 1

Key & Data Storage on Mobile Devices

Critical Steps to Encryption & Key Management in the Microsoft Azure Cloud

ClockWork Enterprise 5

ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT

Thales Database Security Option Pack. for Microsoft SQL Server Integration Guide.

Designing Database Solutions for Microsoft SQL Server 2012 MOC 20465

Applying Cryptography as a Service to Mobile Applications

Encryption Key Management for Microsoft SQL Server 2008/2014

All Things Oracle Database Encryption

Preface. Microsoft Office Sharepoint Server 2007 Integration Guide SafeNet, Inc. All rights reserved. Part Number: (Rev A, 06/2009)

Course Outline: Course 6317: Upgrading Your SQL Server 2000 Database Administration (DBA) Skills to SQL Server 2008 DBA Skills

SafeNet DataSecure vs. Native Oracle Encryption

SharePoint Operational Governance. al 1

1 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Public Information

Oracle Database 11g: Security Release 2

EMC Data Protection Search

PrivateServer HSM Integration with Microsoft IIS

CP003 Azure SQL Database V12 updates and comparison with SQL Server

Network Security Protocols

MS SQL Server Backup - User Guide

StrongKey. The industry's first open-source SKMS. Arshad Noor CTO, StrongAuth, Inc. NIST Key Management Workshop 2009

6231A - Maintaining a Microsoft SQL Server 2008 Database

ipad in Business Security

Oracle Database 11g: Security Release 2. Course Topics. Introduction to Database Security. Choosing Security Solutions

Integration Guide. Microsoft Active Directory Rights Management Services (AD RMS) Microsoft Windows Server 2008

Administering Microsoft SQL Server Databases MOC 20462

Denodo Data Virtualization Security Architecture & Protocols

D50323GC20 Oracle Database 11g: Security Release 2

Microsoft SQL Database Administrator Certification

SQL Server 2012 Gives You More Advanced Features (Out-Of-The-Box)

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

Security Policy Revision Date: 23 April 2009

Designing Database Solutions for Microsoft SQL Server 2012

MS Administering Microsoft SQL Server Databases

Upgrading Your SQL Server 2000 Database Administration (DBA) Skills to SQL Server 2008 DBA Skills Course 6317A: Three days; Instructor-Led

SQL Server Training Course Content

SQL Server for Database Administrators Course Syllabus

Online Transaction Processing in SQL Server 2008

Cornerstones of Security

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

PrivyLink Internet Application Security Environment *

Administering Microsoft SQL Server 2012 Databases

White Paper How Noah Mobile uses Microsoft Azure Core Services

SQL Best Practices for SharePoint admins, the reluctant DBA. ITP324 Todd Klindt

Pulse Secure, LLC. January 9, 2015

SQL Server 2014

Administering Microsoft SQL Server Databases

Administering Microsoft SQL Server Databases

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Encrypting Data at Rest

WHITE PAPER ENTRUST ENTELLIGENCE SECURITY PROVIDER 7.0 FOR WINDOWS PRODUCT OVERVIEW. Entrust All rights reserved.

LEARNING SOLUTIONS website milner.com/learning phone

Manual for Android 1.5

Implementing a Microsoft SQL Server 2005 Database

LBSEC.

CA SiteMinder. Upgrade Guide. r12.0 SP2

Oracle 1Z0-528 Exam Questions & Answers

Securing Data in Oracle Database 12c

Data Protection: From PKI to Virtualization & Cloud

Basic knowledge of the Microsoft Windows operating system and its core functionality Working knowledge of Transact-SQL and relational databases

MOC Administering Microsoft SQL Server 2014 Databases

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

<Insert Picture Here> Oracle Database Security Overview

Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010 Service Pack B; 5 days, Instructor-led

Using etoken for SSL Web Authentication. SSL V3.0 Overview

SQL Server 2012 administration

Complying with PCI Data Security

Microsoft SQL Server Integration Guide

Zmanda Cloud Backup Frequently Asked Questions

Microsoft SQL Server 2008 R2 Enterprise Edition and Microsoft SharePoint Server 2010

MOC 20462C: Administering Microsoft SQL Server Databases

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Securing Oracle E-Business Suite in the Cloud

SQL Server 2012/2014 AlwaysOn Availability Group

Server Software Installation Guide

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Owner of the content within this article is Written by Marc Grote

Transcription:

Security Talk: Protecting Your Data Using Encryption in SQL Server Il-Sung Lee Senior Program Manager Microsoft Corporation ilsung@microsoft.com

What We Will Cover Cell-Level Encryption Transparent Data Encryption Extensible Key Management (EKM) Channel Encryption

Data Encryption Why consider encryption? Additional layer of security Required by some regulatory compliance laws In Microsoft SQL Server 2000 Channel Encryption only Since Microsoft SQL Server 2005 Built-in support for data encryption Support for key management Encryption additions in Microsoft SQL Server 2008 Transparent Data Encryption Extensible Key Management

Cell-Level Encryption

Cell-Level Encryption Encryption/Decryption built-ins Symmetric and asymmetric keys, certificates Creation data definition language (DDL) Symmetric keys and private keys stored encrypted Keys secured by: User passwords Automatically (SQL Server key management) Choice of algorithms DES, TRIPLE_DES, RC2, RC4, RC4_128, AES (128, 192, or 256)

Key Hierarchy Password Operating System Level Data Protection API (DPAPI) SQL Server 2005 Instance Level SQL Server 2005 Database Level Service Master Key Database Master Key DPAPI encrypts Service Master Key Service Master Key encrypts Database Master Key Password Password Password Certificates Asymmetric Keys Password Symmetric Keys Value

demonstration Clinic Encryption

Don t Forget Module Signing ALTER LOGIN Bob ENABLE Alice (non-privileged login) Need ALTER ANY LOGIN server permission to ALTER LOGIN Need to GRANT ALTER ANY LOGIN TO Alice? No!

Don t Forget Module Signing SP_ENABLE_LOGIN Alice (non-privileged login) ALTER LOGIN Bob ENABLE ALTER ANY LOGIN Alice has permission to call SP SP run under Alice s context but with elevated privilege SP protected against tampering Cert_login

Best Practices Make signing modules a habit Do not encrypt all of your data Use symmetric encryption Plan carefully Key management is very important Understand changes to existing code needed Consider key size and algorithm on CPU

Transparent Data Encryption

Transparent Data Encryption (TDE) SQL Server 2008 DEK Encrypted data page Client Application Encryption/decryption at database level Database encryption key (DEK) is encrypted with: Service Master Key Key residing in a Hardware Security Module (HSM) DEK must be decrypted to attach database files or restore a backup

TDE Key Hierarchy Operating System Level Data Protection API (DPAPI) SQL Server 2008 Instance Level SQL Server 2008 Master Database Service Master Key Database Master Key DPAPI encrypts Service Master Key Service Master Key encrypts Database Master Key Password Certificate SQL Server 2008 Master Database Database Master Key encrypts Certificate in Master Database Certificate encrypts Database Encryption Key Database Encryption Key SQL Server 2008 User Database

Reasons to Use TDE Protects data at rest Data files, log files, backup Entire database is protected No application changes! No restrictions with indexes or data types (except Filestream) Performance cost is small Storage space size unchanged

TDE Considerations Compatible with Database Compression Not recommended with Backup Compression Database Mirroring Copy certificate from primary to mirror Log files are not retroactively encrypted Encryption begins at next virtual log file (VLF) boundary Tempdb is encrypted when 1 db in instance uses TDE Enterprise only

demonstration Enabling Transparent Data Encryption

Extensible Key Management

Extensible Key Management SQL EKM Provider DLL SQL EKM Key (HSM key proxy) Data SQL Server HSM Key storage, management, and encryption done by HSM module EKM key appears same as normal key to app SQL EKM Provider dynamic-link library (DLL) provided by HSM vendor

Advantages of Using EKM Security Data and keys are physically separated Centralized key management for enterprise Separation of duties between database owner and data owner Performance Pluggable hardware encryption boards

Cryptographic Providers and Keys EKM providers are server objects EKM keys are very similar to native keys Managed using the same TSQL Visible in the same catalogs Data encryption with standard built-ins Used to encrypt SQL native keys

EKM Key Hierarchy in SQL Server 2008 H S M Symmetric key Asymmetric key SQL Server EKM Symmetric key EKM Asymmetric key Data Data Native Symmetric key TDE DEK key

EKM Vendor Support And others coming soon

Channel Encryption

Channel Encryption LOGIN Userid Password... SSL Full Secure-Sockets Layer (SSL) encryption Login credentials always encrypted Self-signed certificates

Protecting Your Data Encrypt data to provide additional layer of security Use TDE to protect data at rest Protect your keys! Leverage EKM to consolidate key management and separate data from keys Protect data in transit

For More Information Visit TechNet at www.microsoft.com/technet For additional information on books, courses, and other community resources that support this session visit SQL Server Encryption http://technet.microsoft.com/en-us/library/bb510663.aspx Database Encryption in SQL Server 2008 Enterprise Edition http://msdn.microsoft.com/en-us/library/cc278098.aspx SQL Server Security home page www.microsoft.com/sqlserver/2008/en/us/security.aspx

Questions and Answers Submit text questions using the Ask button Don t forget to fill out the survey For upcoming and previously live webcasts: www.microsoft.com/webcast Got webcast content ideas? Contact us at: http://go.microsoft.com/fwlink/?linkid=41781

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information