Microsoft Database security and compliance capabilities, under General Data Protection Regulation (GDPR) perspective
A NEW STANDARD TO PROTECT PERSONAL DATA
The General Data Protection Regulation provides European Union citizens, wherever they reside, and lawful residents greater control of their data by requiring organizations to maintain appropriate security of personal data.
GDPR includes:
Enhanced personal privacy rights
Increased duty for protecting data
Mandatory breach reporting
Significant penalties for non-compliance
SOLUTIONS TO HELP YOU PREPARE FOR THE GDPR
DATA PROTECTION WITH SQL-BASED TECHNOLOGIES
Discover: Identify and track personal data
Discover and classify specific data
Tag data with sensitivity labels
Track personal data access across resources
Manage: Control access
Help securely authenticate access to your database and apply granular authorization
Restrict access to users with easy-to-use tools
Protect: Safeguard data
Help secure data whether at rest, in transit or in client applications
Track unusual or suspicious activity to identify threats
Report: Keep records
Track and report on all database activities
Maintain an updated assessment of data security posture
The SQL platform ensures secure processing and storage of personal data
SQL-BASED TECHNOLOGIES SUPPORT YOUR SECURITY NEEDS, INCLUDING GDPR
Discover: Easily query databases to uncover personal data; tag data with sensitivity labels using Extended Properties. Technologies: SQL Query Language, Data Discovery & Classification.
Manage: Securely authenticate to your database and apply granular authorization policies; restrict access to users using Dynamic Data Masking and Row-Level Security. Technologies: Dynamic Data Masking (DDM), Row-Level Security (RLS), Windows authentication / AAD authentication.
Protect: Encrypt data whether at rest, in transit or in client applications; use continuously learning algorithms to identify unusual or suspicious activity. Technologies: Transparent Data Encryption, Always Encrypted, Transport-Layer Security, SQL Database Threat Detection.
Report: Track and report on all database activities with granularly configurable auditing. Technologies: Auditing for SQL Database and SQL Server audit, Temporal tables, Vulnerability Assessment.
Key features (since SQL Server 2016 SP1):
Track personal data
Separation of duties
Encryption everywhere
Consistent programmability experience: developers and application partners can build to a single programming surface; scale across SQL editions and the cloud
Audit capabilities
STEP 1: DISCOVER AND CLASSIFY PERSONAL DATA
Process | Technology
Inventory personal data in database systems | Data Discovery and Classification
Review access model, understand the attack surface area | Vulnerability Assessment
Data Discovery & Classification forms a new SQL Information Protection paradigm to protect data
The Discovery & Classification recommendations engine scans the database and identifies columns containing potentially sensitive data
Sensitivity classification labels can be tagged on columns for advanced auditing and protection
Query result set sensitivity is calculated in real time for auditing
The database classification state can be viewed in a detailed dashboard or an Excel report
Discover
UNCOVER AND MANAGE DATA WITH SPECIFIC TOOLS
Easily query databases with the SQL query language to identify and uncover personal data
Create classified tables with Extended Properties and attribute-based label metadata
Use Full-Text Search in Microsoft SQL to search for keywords located within freeform text
Search and identify personal data using metadata queries
Discover
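As an added example (not from the deck), this T-SQL tags a column with a sensitivity label stored as an Extended Property and then uses catalog metadata queries to find unlabelled candidate columns and to inventory the labelled ones. The table, its columns and the property name GDPR_Sensitivity are assumptions chosen for illustration; full-text search is left out because it needs a full-text catalog.

```sql
-- Added example, not from the original deck. Table, column and the property
-- name 'GDPR_Sensitivity' are assumptions chosen for illustration.
CREATE TABLE dbo.Customer (
    CustomerId   INT IDENTITY PRIMARY KEY,
    FullName     NVARCHAR(100),
    Email        NVARCHAR(256),
    CreditCardNo CHAR(19),
    Notes        NVARCHAR(MAX)
);
GO

-- Tag one column with a sensitivity label held as column-level metadata.
EXEC sys.sp_addextendedproperty
    @name = N'GDPR_Sensitivity', @value = N'Confidential - personal data',
    @level0type = N'SCHEMA', @level0name = N'dbo',
    @level1type = N'TABLE',  @level1name = N'Customer',
    @level2type = N'COLUMN', @level2name = N'CreditCardNo';
GO

-- Metadata query 1: columns whose names suggest personal data but carry no label yet.
SELECT s.name AS schema_name, t.name AS table_name, c.name AS column_name
FROM sys.columns AS c
JOIN sys.tables  AS t ON t.object_id = c.object_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE (c.name LIKE '%name%' OR c.name LIKE '%email%' OR c.name LIKE '%card%')
  AND NOT EXISTS (SELECT 1 FROM sys.extended_properties AS ep
                  WHERE ep.class = 1 AND ep.major_id = c.object_id
                    AND ep.minor_id = c.column_id
                    AND ep.name = N'GDPR_Sensitivity');

-- Metadata query 2: inventory of every labelled column, e.g. as input for a DPIA.
SELECT OBJECT_SCHEMA_NAME(ep.major_id) AS schema_name,
       OBJECT_NAME(ep.major_id)        AS table_name,
       c.name                          AS column_name,
       CAST(ep.value AS NVARCHAR(128)) AS sensitivity_label
FROM sys.extended_properties AS ep
JOIN sys.columns AS c ON c.object_id = ep.major_id AND c.column_id = ep.minor_id
WHERE ep.class = 1 AND ep.name = N'GDPR_Sensitivity';
```

The first query is a name-based heuristic only; columns holding personal data under unrelated names still need the recommendations engine or a manual review.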
STEP 2
Process | Technology
Manage authentication and authorization mechanisms | Azure Active Directory authentication, role-based security, Windows authentication
Properly configure database firewall | Azure SQL Firewall
Limit application access according to authorization principles | Dynamic Data Masking, Row-Level Security
MANAGE DATA ACCESS WITH ROW-LEVEL SECURITY
Fine-grained access control over specific rows in a database
Prevent unauthorized access when filtering in multitenant applications
Enforcement logic inside the database and schema bound to the table
Centralize row-level access logic within the database
Provide better support services by preventing your representative from getting access to customers' sensitive data
Manage
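As an added example (not from the deck), the multitenant case above implemented with Row-Level Security: a schema-bound predicate function keyed on a tenant id that the application places in SESSION_CONTEXT, attached to the table as both a filter and a block predicate. The Orders table, Security schema, function and policy names are assumptions.

```sql
-- Added example, not from the original deck. Table, schema, function and policy
-- names are assumptions; the rows are constructed sample data.
CREATE TABLE dbo.Orders (
    OrderId  INT IDENTITY PRIMARY KEY,
    TenantId INT NOT NULL,
    Customer NVARCHAR(100),
    Amount   DECIMAL(10,2)
);
INSERT INTO dbo.Orders (TenantId, Customer, Amount)
VALUES (1, N'Tim Irish', 120.00), (2, N'Alicia Hodge', 480.00);
GO
CREATE SCHEMA Security;
GO
-- Predicate: a row is visible only when its TenantId equals the session's tenant.
-- SCHEMABINDING is required; an unset session context yields NULL and hides all rows.
CREATE FUNCTION Security.fn_TenantPredicate(@TenantId AS INT)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_result
       WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS INT);
GO
-- FILTER hides other tenants' rows from SELECT/UPDATE/DELETE; BLOCK AFTER INSERT
-- rejects rows written under a different TenantId. Logic lives in the database,
-- so every application path through this table is covered.
CREATE SECURITY POLICY Security.OrdersTenantPolicy
    ADD FILTER PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Orders,
    ADD BLOCK PREDICATE  Security.fn_TenantPredicate(TenantId) ON dbo.Orders AFTER INSERT
WITH (STATE = ON);
GO

-- Application connection for tenant 1. @read_only = 1 stops later code in the same
-- session from switching tenant.
EXEC sys.sp_set_session_context @key = N'TenantId', @value = 1, @read_only = 1;
SELECT OrderId, Customer, Amount FROM dbo.Orders;       -- only tenant 1's rows
-- Writing a row for tenant 2 from this session is rejected by the block predicate.
INSERT INTO dbo.Orders (TenantId, Customer, Amount) VALUES (2, N'Denny Usher', 50.00);
```

Members of db_owner and the table owner bypass nothing here, but they can disable the policy, so changes to security policies belong in the audit specification.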
CONTROL SENSITIVE DATA ACCESS WITH DYNAMIC DATA MASKING
Non-privileged users cannot see sensitive data
Apply data masking in real time to query results based on security policy
Available in the Azure portal and also via T-SQL
Stored value (Table.CreditCardNo) | Masked result (CreditCardNo)
4465-6571-7868-5796 | XXXX-XXXX-XXXX-5796
4468-7746-3848-1978 | XXXX-XXXX-XXXX-1978
4484-5434-6858-6550 | XXXX-XXXX-XXXX-6550
Manage
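As an added example (not from the deck), the masking shown in the table above expressed in T-SQL: a partial() mask that keeps only the last four digits, plus an email() mask, checked from a low-privileged user. The Payment table, the SupportAgent user and the sample rows are assumptions.

```sql
-- Added example, not from the original deck. Table, user and sample values are
-- assumptions; the card numbers are constructed test data.
CREATE TABLE dbo.Payment (
    PaymentId    INT IDENTITY PRIMARY KEY,
    Customer     NVARCHAR(100),
    -- partial(<prefix chars kept>, <padding string>, <suffix chars kept>)
    CreditCardNo CHAR(19) MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL,
    Email        NVARCHAR(256) MASKED WITH (FUNCTION = 'email()')
);
INSERT INTO dbo.Payment (Customer, CreditCardNo, Email) VALUES
    (N'Tim Irish',   '4465-6571-7868-5796', N'tim@example.com'),
    (N'Denny Usher', '4468-7746-3848-1978', N'denny@example.com');
GO

-- A support user with SELECT only: every result set it receives is masked.
CREATE USER SupportAgent WITHOUT LOGIN;
GRANT SELECT ON dbo.Payment TO SupportAgent;
GO
EXECUTE AS USER = 'SupportAgent';
SELECT Customer, CreditCardNo, Email FROM dbo.Payment;   -- masked as in the table above
REVERT;
GO

-- UNMASK is the permission that separates privileged from non-privileged users;
-- grant it only to roles that need the clear value, and audit those roles.
-- GRANT UNMASK TO SupportAgent;

-- Caveat: masking changes what is returned, not what may be queried. A user with
-- SELECT can still filter or join on the column, so DDM complements permissions,
-- Row-Level Security and Always Encrypted rather than replacing them.
```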
STEP 3
Process | Technology
Encryption of data at rest, in motion, in use | Transparent Data Encryption, Always Encrypted
Maintain records and audits of all database activities | Auditing
Detect data breach and respond accordingly | Threat Detection
Ensure business continuity | Always On, Active Geo-Replication
ENCRYPT DATA IN USE WITH ALWAYS ENCRYPTED
Protect data in use from highly privileged yet unauthorized users with Always Encrypted
Configure Always Encrypted for individual database columns containing sensitive data
Leverage column encryption keys and column master keys to protect data
Figure: Always Encrypted data flow. The client-side enhanced SQL Server library holds the column master key and column encryption key, so the application works with plaintext (Customer, Credit card #, Exp.: Tim Irish, 4839-2939-1919-3987, 7/19; Denny Usher, 4949-8003-8473-1930, 5/17; Alicia Hodge, 9000-4899-1600-1324, 4/18) while SQL Server stores and returns only ciphertext for the credit card column (e.g. 0x7ff654ae6d).
Protect
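As an added example (not from the deck), the T-SQL metadata behind the figure above: a column master key held in the client's certificate store, a column encryption key wrapped by it, and a table whose card column is encrypted. Key and table names are assumptions; the certificate thumbprint and the wrapped key value are placeholders, because the real wrapped value is produced by client tooling (SSMS or PowerShell) and the server never holds the master key.

```sql
-- Added example, not from the original deck. Key and table names are assumptions;
-- the thumbprint and ENCRYPTED_VALUE are placeholders for values produced on the
-- client side (the server only stores the wrapped key and the key-store path).
CREATE COLUMN MASTER KEY CMK_CardData
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/<certificate-thumbprint-placeholder>'
);
GO
-- The CEK is stored here only in wrapped form (RSA-OAEP under the CMK).
CREATE COLUMN ENCRYPTION KEY CEK_CardData
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_CardData,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00   -- placeholder: generated by SSMS/PowerShell, not by hand
);
GO
CREATE TABLE dbo.Customer (
    CustomerId   INT IDENTITY PRIMARY KEY,
    Customer     NVARCHAR(100),
    -- DETERMINISTIC allows equality lookups and joins on the column but requires a
    -- BIN2 collation, and equal plaintexts produce equal ciphertexts.
    CreditCardNo CHAR(19) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
                        COLUMN_ENCRYPTION_KEY = CEK_CardData),
    -- RANDOMIZED reveals less but supports no predicates on the column.
    Expiry       CHAR(5)
        ENCRYPTED WITH (ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
                        COLUMN_ENCRYPTION_KEY = CEK_CardData)
);
GO
-- A DBA, or any client without the CMK, querying directly gets VARBINARY ciphertext:
SELECT Customer, CreditCardNo FROM dbo.Customer;
-- The application connects with "Column Encryption Setting=Enabled" in its
-- connection string; the driver fetches the wrapped CEK, unwraps it with the CMK
-- from the local certificate store and decrypts results on the client.
```

Separation of duties follows from where the keys live: the DBA manages the database and the wrapped CEK, while only the role that controls the certificate store can read the data.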
MAXIMIZE AVAILABILITY ON ANY PLATFORM
Always On cross-platform capabilities with HA and DR for Linux and Windows
Support for clusterless Availability Groups
Ultimate HA with OS-level redundancy and low-downtime migration
Load balancing of readable secondaries
Protect
DETECT UNUSUAL AND POTENTIALLY HARMFUL ACTIVITY
Azure SQL Threat Detection discovers and identifies anomalous activities
Users receive alerts upon suspicious database activities, potential vulnerabilities, and SQL injection attacks
Recommended actions on how to investigate and mitigate threats
Protect
STEP 4
Process | Technology
Maintain audit records of database activities | Auditing, Temporal tables
Continuously assess and analyze security measures | Vulnerability Assessment
TRACK AND LOG EVENTS WITH SQL SERVER AUDIT
Enable, store, and view audits on various server and database objects with dedicated tools
Define multiple server or database audits to run simultaneously
Track and log user-defined database-level audits with the help of predefined templates
Report
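As an added example (not from the deck), a SQL Server Audit set up for the table holding personal data: one server audit writing to files, a server-level specification that records changes to the auditing itself, a database-level specification for reads and writes of the table, and the query that reads the trail back. The audit, file path, database and table names are assumptions.

```sql
-- Added example, not from the original deck. Audit, path, database and table
-- names are assumptions.
USE master;
GO
-- The server audit defines the target. ON_FAILURE = FAIL_OPERATION makes an
-- audited action fail rather than run unrecorded when the log cannot be written.
CREATE SERVER AUDIT GDPR_Audit
TO FILE (FILEPATH = N'C:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = FAIL_OPERATION);
ALTER SERVER AUDIT GDPR_Audit WITH (STATE = ON);
GO
-- Server-level specification: tampering with auditing and failed logins.
CREATE SERVER AUDIT SPECIFICATION GDPR_ServerSpec
FOR SERVER AUDIT GDPR_Audit
    ADD (AUDIT_CHANGE_GROUP),
    ADD (FAILED_LOGIN_GROUP)
WITH (STATE = ON);
GO
USE SalesDb;
GO
-- Database-level specification: every read or change of the personal-data table
-- by anyone, plus schema and permission changes in this database.
CREATE DATABASE AUDIT SPECIFICATION GDPR_CustomerSpec
FOR SERVER AUDIT GDPR_Audit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Customer BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP)
WITH (STATE = ON);
GO
-- Reading the trail: who touched dbo.Customer, with which statement, and whether
-- the action succeeded.
SELECT event_time, action_id, server_principal_name, object_name, statement, succeeded
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE database_name = N'SalesDb' AND object_name = N'Customer'
ORDER BY event_time DESC;
```

Auditing SELECT on a busy table produces a large volume of records, so size MAXSIZE and the rollover count for the retention period the DPIA requires and ship the files to storage the DBA role cannot alter.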
KNOW YOUR SECURITY STATE WITH SQL VULNERABILITY ASSESSMENT
Meet compliance requirements that require database scan reports
Meet security standards of GDPR
Monitor a dynamic database environment where changes are difficult to track
Drill down on assessment results to understand the impact of findings and use actionable remediation information to resolve issues
Report
Discover (data identification, tracking):
Data Discovery & Classification: Scan, identify, and label columns containing potentially sensitive data in your database
Metadata queries, SQL queries and statements: Helps you search and identify personal data using queries
Full text queries: Using full-text queries against character-based data in SQL Server tables
Azure Data Catalog: Unlock tribal knowledge by sharing information about data usage and intent throughout the organization
Manage (access control, granular authorization):
Access control: Administrators can manage and govern access to personal data with Windows authentication and Azure Active Directory authentication
Role-based access control: Apply role-based access control to help manage authorization policies in the database, and to implement the separation of duties principle
Row-level security: Prevent access to rows in a table (such as those that may contain sensitive information) based on characteristics of the user trying to access the data
Dynamic Data Masking: Control access to sensitive data by enabling how much data to reveal with minimal impacts to app layers
Protect (data security):
Transparent Data Encryption: Help secure personal data through encryption at the physical storage layer using encryption-at-rest
Always Encrypted: Prevent unauthorized, high-privileged users from accessing data in transit, at rest, and while in use
Always On Availability Groups: Maximize the availability of a group of user databases for an enterprise
SQL Database Threat Detection: Get help detecting anomalous database activities indicating potential security threats to the database
Report (documentation, assessment of security):
SQL Server Audit: Verify changes to data that occur in a SQL Server table
SQL Server Audit: Understand ongoing database activities, and analyze and investigate historical activity to identify potential threats or suspected abuse and security violations
SQL Server Audit: Maintain audit trails and gain useful input for performing a Data Protection Impact Assessment (DPIA)
Master data services: Keep personal data complete and ensure that requests to edit, delete, or discontinue the processing of data are propagated throughout the system
Vulnerability assessment: Reports that can serve as a security assessment for your database. These reports can also be used as part of a Data Protection Impact Assessment (DPIA)
DATA SECURITY SOLUTIONS WITH SQL-BASED TECHNOLOGIES
MODERNIZE YOUR DATA PLATFORM TODAY
Upgrade scenarios
On-premises: Complete data platform with mission critical performance and real time reporting
Private Cloud: Dedicated business resources inside the enterprise
IaaS: Keep management while reducing TCO with Azure VMs
SaaS: No application code change, while taking advantage of scalable and highly available DBaaS
PaaS: Fully managed solution with high availability and scalability
Figure: deployment options on a spectrum from shared infrastructure / lower cost / lower administration to dedicated infrastructure / higher cost / higher administration (Hybrid Cloud).
Physical: SQL Server on a physical machine (raw iron)
Virtual: SQL Server Private Cloud on a virtualized machine + appliance
IaaS: SQL Server in Azure VM, virtualized machines
PaaS & SaaS: Azure SQL Database, virtualized database
END OF SUPPORT MEANS END OF COMPLIANCE
Businesses using unsupported SQL Server versions may not meet GDPR standards
End of support means no more critical security updates, leading to greater threats and increased maintenance costs
SQL Server end of support schedule:
Version | Current support level | End mainstream | End extended
SQL Server 2014 | Currently supporting all versions | July 9, 2019 | July 9, 2024
SQL Server 2012 | SQL Server 2012 SP2+ is in mainstream support until CY 2017 | July 11, 2017 | July 12, 2022
SQL Server 2008 and SQL Server 2008 R2 | SQL Server 2008 and 2008 R2 are in extended support, which includes security updates, paid support, and requires purchasing non-security hotfix support | July 8, 2014 | July 9, 2019
SQL Server 2005 | SQL Server 2005 support ended on April 12, 2016 | April 12, 2011 | April 12, 2016
SQL SERVER 2017: Strengthen data security on a leading data platform
End-to-end mobile BI on any device
Choice of platform and language: T-SQL, Java, C/C++, C#/VB.NET, PHP, Node.js, Python, Ruby, R; private cloud and public cloud
Most secure over the last 8 years (6) [figure: bar chart of vulnerabilities (2010-2017), y-axis 0 to 200; source: National Institute of Standards and Technology Comprehensive Vulnerability Database]
A fraction of the cost: self-service BI per user, Microsoft $120, Tableau $480, Oracle $2,230
Only commercial DB with AI built-in: R and Python + in-memory at massive scale; native T-SQL scoring
Industry-leading performance: #1 OLTP performance (1); #1 DW performance on 1TB (2), 10TB (3), and 30TB (4); #1 OLTP price/performance (5); #1 DW price/performance on 1TB (2), 10TB (3), and 30TB (4)
Most consistent data platform: in-memory across all workloads