9. What are the three A’s?
• Authentication: proving who you are
• Authorization: determining what rights/permissions
you have
• Accounting / Auditing: tracking what you do
12. What to Look for in Data Security
• Permissions are important, so start there
• Should be tied to data classification
• Encompasses data encryption and obfuscation
• Data handling as well
15. Data Encryption
• Sensitivity of the data (data classification)
• Impact to the organization should information be stolen / lost
• Regulations, compliance requirements, laws, industry standards
• Algorithms for encryption and how they’re implemented
16. SQL Server Encryption Options
• Built-in Encryption Objects and Functions - cell-level encryption with keys and certificates stored in the database
• Always Encrypted - keys held by the client driver, so the engine and DBAs never see plaintext
• Transparent Data Encryption - whole data and log files encrypted at rest; transparent to every login with access
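The built-in objects and functions are the most hands-on of the three options, so here is the full key hierarchy worked through end to end. This is an added T-SQL example, not code from the original slides; the database name `SalesDB`, the key and certificate names, and the `dbo.Payments` table are assumptions for illustration.

```sql
USE SalesDB;   -- assumed database name
GO
-- Key hierarchy: service master key -> database master key -> certificate -> symmetric key.
-- The password below is a placeholder; use a long random passphrase in practice.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Use-A-Long-Random-Passphrase-Here!';
GO
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects the card-number symmetric key';
GO
CREATE SYMMETRIC KEY CardKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO
-- Only ciphertext is stored; there is no plaintext column to leak.
CREATE TABLE dbo.Payments (
    PaymentID     int IDENTITY(1,1) PRIMARY KEY,
    CustomerID    int NOT NULL,
    CardNumberEnc varbinary(256) NOT NULL
);
GO
-- Encrypt. The key must be opened in the session (needs permission on the key and the certificate).
-- The authenticator (hash of CustomerID) binds the ciphertext to its row, so an attacker with
-- UPDATE rights cannot copy one customer's encrypted card number onto another customer's row.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
INSERT dbo.Payments (CustomerID, CardNumberEnc)
VALUES (42, ENCRYPTBYKEY(KEY_GUID('CardKey'), N'4111111111111111', 1,
                         HASHBYTES('SHA2_256', CONVERT(varbinary, 42))));
CLOSE SYMMETRIC KEY CardKey;
GO
-- Decrypt with the same key and the same authenticator. A wrong key or authenticator
-- yields NULL rather than an error, so check for NULL in application code.
OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
SELECT PaymentID, CustomerID,
       CONVERT(nvarchar(32),
               DECRYPTBYKEY(CardNumberEnc, 1,
                            HASHBYTES('SHA2_256', CONVERT(varbinary, CustomerID)))) AS CardNumber
FROM dbo.Payments;
CLOSE SYMMETRIC KEY CardKey;
GO
-- A login with SELECT on the table but no rights on CardKey/CardCert sees only the varbinary blob.
SELECT PaymentID, CustomerID, CardNumberEnc FROM dbo.Payments;
```

Note that because the plaintext is produced inside the engine, it exists in memory on the server and travels to the client in the clear unless the connection itself is encrypted; that is the gap Always Encrypted closes.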
17. Data Encryption – Operations
• Key Escrow must be specified, tested, and have approved controls
• Performance impact
• Situations where the data exists in plaintext (in memory, etc.)
18. Data Obfuscation
• Data at rest is typically stored unprotected (in plaintext).
• Even where encryption is in use, data may still be stored or returned in a non-encrypted form.
• For less than fully privileged access, the data is masked in some way.
• Some include encryption as part of data obfuscation.
19. Data Obfuscation in SQL Server
• Dynamic Data Masking - Introduced in SQL Server 2016 (available in Azure SQL Database earlier)
• Built into the table definition - Uses a masking function you choose per column (default, email, random, partial, custom string)
• Privileged users still see unmasked data - anyone with the UNMASK permission, db_owner or sysadmin
• Seamless to the application / reporting layer - masking is applied in the result set, the stored data is unchanged
• Not a security boundary - a user who can run ad-hoc queries can infer masked values through WHERE predicates, casts and joins, so pair it with restrictive permissions
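An added T-SQL example (not from the original slides) showing the masking functions on a table definition, what an unprivileged reader sees, the UNMASK grant, and the inference weakness that makes masking a usability feature rather than a security control. The `SalesDB` database, the `dbo.Customers` table and the `ReportReader` user are assumptions for illustration, and the one row inserted is constructed sample data.

```sql
USE SalesDB;   -- assumed database name
GO
CREATE TABLE dbo.Customers (
    CustomerID  int IDENTITY(1,1) PRIMARY KEY,
    FullName    nvarchar(100) NOT NULL,
    Email       nvarchar(200) MASKED WITH (FUNCTION = 'email()') NOT NULL,          -- aXXX@XXXX.com
    Phone       varchar(20)   MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)') NULL, -- XXX-XXX-4567
    CreditLimit money         MASKED WITH (FUNCTION = 'random(1, 1000)') NOT NULL,  -- random 1..1000
    SSN         char(11)      MASKED WITH (FUNCTION = 'default()') NULL             -- xxxx
);
GO
-- Constructed sample row
INSERT dbo.Customers (FullName, Email, Phone, CreditLimit, SSN)
VALUES (N'Ada Lovelace', N'ada@example.com', '555-123-4567', 25000, '123-45-6789');
GO
-- A mask can be added to an existing column without touching the data
ALTER TABLE dbo.Customers
    ALTER COLUMN FullName ADD MASKED WITH (FUNCTION = 'partial(1,"****",0)');   -- A****
GO
-- Unprivileged reader: plain SELECT permission, no UNMASK
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO ReportReader;
GO
EXECUTE AS USER = 'ReportReader';
SELECT * FROM dbo.Customers;              -- every masked column comes back obfuscated

-- Inference: predicates are evaluated against the REAL values, so a reader who can
-- write ad-hoc queries can confirm or brute-force a masked value row by row.
SELECT CustomerID FROM dbo.Customers WHERE SSN = '123-45-6789';   -- returns 1: SSN confirmed
SELECT CustomerID FROM dbo.Customers WHERE CreditLimit > 20000;   -- narrows the real limit
REVERT;
GO
-- Privileged reader: UNMASK returns plaintext for every masked column in the database.
GRANT UNMASK TO ReportReader;
EXECUTE AS USER = 'ReportReader';
SELECT * FROM dbo.Customers;              -- now unmasked
REVERT;
REVOKE UNMASK FROM ReportReader;
GO
-- Which columns are masked, for audit purposes
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns;
```

The two predicate queries are the caveat in the slide made concrete: masking changes what is displayed, not what the query engine can test, so a reader who only needs reports should get a view or a reporting copy, not ad-hoc query rights on the masked table.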
21. What do I care about?
• Changes to Security Principals
• Changes to Security Permissions on Objects
• Changes to Objects Themselves
• Creation of New Databases
• Creation of New Objects
22. Out-of-the-box Options
• Extended Events are your friend.
• Other Options:
– Audit object (built on Extended Events)
– DDL triggers
– Default Trace (SQL Trace is deprecated and captures only a fixed set of events)
– Transaction Log (maybe - DDL is logged, but reading it is not a supported audit path)
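The five things worth caring about above map almost one to one onto SQL Server Audit action groups, and since Audit is built on Extended Events it is the quickest way to get a tamper-evident record of them. The following added T-SQL example (not from the original slides) creates a file-based server audit with a server-level specification for instance-wide changes and a database-level specification for an assumed `SalesDB`, then reads the log back. The audit names and the `D:\SQLAudit\` path are placeholders.

```sql
USE master;
GO
-- The audit object: where events go and what happens if writing fails.
-- ON_FAILURE = SHUTDOWN is the strict choice for regulated systems; CONTINUE is used here.
CREATE SERVER AUDIT Audit_SecurityChanges
    TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT Audit_SecurityChanges WITH (STATE = ON);
GO
-- Instance-wide concerns: new databases, logins, server roles, server permissions
CREATE SERVER AUDIT SPECIFICATION AuditSpec_Server
    FOR SERVER AUDIT Audit_SecurityChanges
    ADD (DATABASE_CHANGE_GROUP),              -- Creation of New Databases (and ALTER/DROP)
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),      -- Changes to Security Principals (logins)
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),    -- sysadmin & friends membership
    ADD (SERVER_PERMISSION_CHANGE_GROUP)      -- Changes to Security Permissions (server scope)
    WITH (STATE = ON);
GO
USE SalesDB;   -- assumed database name
GO
-- Per-database concerns: users, roles, object permissions, and DDL on objects
CREATE DATABASE AUDIT SPECIFICATION AuditSpec_SalesDB
    FOR SERVER AUDIT Audit_SecurityChanges
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),         -- Changes to Security Principals (users)
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),       -- db_owner etc. membership
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),        -- GRANT/DENY/REVOKE at database scope
    ADD (DATABASE_OBJECT_PERMISSION_CHANGE_GROUP), -- Changes to Security Permissions on Objects
    ADD (SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP),   -- ... on tables, views, procedures
    ADD (DATABASE_OBJECT_CHANGE_GROUP),            -- CREATE/ALTER/DROP of schemas, assemblies, etc.
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)               -- Creation of New Objects / Changes to Objects
    WITH (STATE = ON);
GO
-- Read the log: who changed what, when, from where, and the statement that did it
SELECT event_time, action_id, succeeded,
       server_principal_name, database_principal_name, client_ip,
       database_name, schema_name, object_name, statement
FROM sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
-- Verify the specification is actually on; an audit that is defined but disabled records nothing
SELECT s.name, s.is_state_enabled
FROM sys.database_audit_specifications AS s;
```

Because the audit files are written by the engine under the service account, the account running `ALTER` on the audit itself should not be the account whose actions you are trying to watch; include `AUDIT_CHANGE_GROUP` in the server specification if you need the audit to record changes to its own configuration.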