Professional Documents
Culture Documents
Protecting Data With Encryption and Auditing
Protecting Data With Encryption and Auditing
• Limitations:
• Performance impact (DML triggers)
• Sufficiently powerful users can disable triggers
• Lack of SELECT triggers
• Trigger firing order must be managed
Auditing with Temporal Tables
• Server-level audit
• All editions of SQL Server
• Database-level audit
• Enterprise, Developer, and Evaluation editions
• Terminology:
• Server Audit – Where does the data go?
• Server Audit Specification – Server-level action groups raised by EE
• Database Audit Specification – DB-level actions raised by EE
• Actions – Raise events to be added to an audit
• Action Groups – Logical groups of actions
• Target – Stores the results of the audit
Defining a Server Audit
• Specify:
• Target
• Queue delay (time in ms that SQL buffers before sending to target)
• Action on failure
• Set STATE = ON to enable
CREATE SERVER AUDIT SecurityAudit
TO FILE (FILEPATH = '\\MIA-SQL\AuditFiles\’ ,
MAXSIZE = 0 MB ,
MAX_ROLLOVER_FILES = 2147483647 ,
RESERVE_DISK_SPACE = OFF)
WITH (QUEUE_DELAY = 1000 ,
ON_FAILURE = FAIL_OPERATION);
GO
• Action Groups
• Server level
• Database level
• Audit level
• Actions
• Database level
• Specify:
• Audit
• Action groups to be included
• State
• Specify:
• Audit
• Action Groups
• Actions on specific securable objects
• May be filtered by specific database principals
• State
CREATE DATABASE AUDIT SPECIFICATION DBSecurity
FOR SERVER AUDIT SecurityAudit
ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
ADD (SELECT ON SCHEMA::HumanResources BY db_datareader)
WITH (STATE = ON);
Audit-Related Dynamic Management Views and
System Views
• Keys:
• Service master key
• Created at installation of SQL Server
• Encrypts and protects the Database Master Key
• Database master key
• Used to generate a certificate in the master database
• Server certificate
• Generated in the master database
• Encrypts a key in each TDE-enabled database
• Database encryption key
• Used to encrypt the entire database
Transparent Data Encryption
• To enable TDE:
1. Create a Database Master Key
2. Create a server certificate
3. Create a Database Encryption Key
4. Encrypt the database
Moving Encrypted Databases
• Encryption Types
• Deterministic (like a hash from known text)
• Randomized (“hash” unpredictable)
• Mask formats:
• Default (Fully Masked)
• Email (first letter exposed, remainder marked xxxxx, end in .com)
• Custom String (String data only, such as address)
• Random (Numbers only, like a phone number)
• Viewing masked data:
• SELECT permission will see masked data
• UNMASK permission will see unmasked data
• Restrictions (you cannot mask the following):
• Always Encrypted
• Calculated columns
Encryption with Azure SQL Database
• Always Encrypted
• Supported
Logon Information
Virtual machine: 20764C-MIA-SQL
User name: ADVENTUREWORKS\Student
Password: Pa55w.rd
• Review Question(s)
• Best Practice