What’s new in security for Azure SQL | BRK2012

Thanks a lot for coming thank you for your interest in other, sequel security, my, name is Jakob shemagh and with, me here I have, my, colleague and manager yaw, him hammer we. Are both from, other. Sequel. Product, team we, are. Part of the security, team who builds, all, security. Features and technologies, for various. All. Sequel. Server products. And services, including sequel, server on premises, sequel server in our VM and other, sequel. Database. So. I'm going to start with. Talking. About three. Main differentiators. That make other Sakai sequel. The. Safest. Place to store your relational, data in, the cloud, number, one differentiator. Is the. Comprehensive. Portfolio. Extensive. Portfolio of, building. Security, controls, and building security features that are, included inside the, database. Relational. Engine. That. Spawned multiple areas, from. Authentication. Authorization through. Network security to. Encryption. And key management on. Top of it we enable, you to integrate. Your databases, with. Rich, ecosystem. Of other, security. Services, and and tools, such. As other. Security, center so that you can monitor, the security posture and. Detect. Suspicious activity. In your databases. Along. With other other, assets. And. The. Last but not least. Compliance. Other. In, general and natural sequel database, in particular, has the most. Extensive. Most. Comprehensive, portfolio of, compliance certifications. In the industry, so. That's one way for us to gain earn, your trust but. We do not stop there in addition, to that we invest in technologies, that basically. Enable. You to confidently. Store your most sensitive data a natural sequel, without. Simply, having. You to trust that Microsoft. Is doing the, right thing. - to. Handle when handling your data. Technologies. Such as confidential, computing, and secure comm clades basically. Ensure. That even, if our services. 
Our infrastructure, get compromised, for example, by malicious, Microsoft, administrator, or some malware even. Even, then these backed actors, won't be able to get. Access to your data and see your data at least in, not in plain text and we're gonna we'll, be talking about some of these technologies, so. When. Preparing, the session we really had a hard job and and, will, have to make some hard. Choices in, terms of picking what we gonna talk about today, so. It's because, of the vast. Amount of investments, in security, it's simply. Impossible to, cover everything. We have done over the last year in the 45. Minute session so. I'm. Going to start actually, about, mentioning. A few things that I won't be spending a lot of time on. But. They're they are worth, at least mentioning, and signaling so, I'll. Start with top. Left a, other. Active, Directory authentication. Is. Has. Has, been has become a D standard way to authenticate. To, us or sequel and databases. In natural sequel we. Continue investing, in Azure. Active Directory authentication. The. Recent, enhancements there, is. Support. For logins. Associated, with utter AD principles, we, just needed to support. Effectively. Certain. Migration, scenarios, from on-prem environments, what do you have logins. As they do with windows principles, if. You, are using.

Always, Encrypted already. Or or looking, into. Using it possibly in the future you, will be interested to know that now we support, using. Always encrypted not, done at core applications. And this, is via. Our new, microsoft. Dublin sequel client drive. That. Has been a long-standing customer. Ask the. Other common. Ask from customers, especially those ISD. Customers, it, was about support, for TD our, encryption, and resolution, in the standard edition of sequel server and I'm pleased to announce that deaths. That, has happened, in sequel server 2019. TD, is available, in the in the standard edition, a, few, a couple of general. Availability, releases. Worth. Mentioning, is, data. Classification. And. User. Manage keys for TDs in another. Sequel. Managed, instance. So. I'm going not going to talk about the details of these offerings what. I really, want to focus. On. Are, these, four, things highlighted. Now in bold that constitute. The, agenda, for the for, the rest of this session, so. I'm, going to start with private, link which is a solution for. Addressing. The data exfiltration. Problem. In our sequel, database, in, other sequel database logical, servers. Then, we'll talk about confidential. Computing. Via. Always. Encrypted with secure Enclave and, we'll. Close with, a. Short, discussion about latest. Investments. And enhancements. In, our. Data. Security. Technologies. Threat protection and. Vulnerability. Assessment, we. Have extended, these technologies, recently, to cover other sequel. Virtual, machines tomorrow you can. Comprehensively. Monitor. And. Both. Threats, and and security. Posture, of all, your data assets across. Other sequel, database and sequel, virtual, machines ok, so. I'm, going to start with private, link. Private. Link is the, newest. Addition, to the. Collection of features in the network security space, think. Of it as a mechanism, that. Allows you, to access. In. This case a logical, database server. From. 
Within, a virtual network over. A private. Endpoint, okay and. So. The primary security, goal and benefit, is prevention. Of data exfiltration because. With, that you do not have to expose the public point, to reach that, resource. Which is the logical server, inside. Other sequel database in this case and. But. One. Another. Key. Differentiator and, key property, of that solution is its simplicity, easy. Of ease of use and ease of Management, you. Don't have to deal with the hassle of configuring, firewall, policies. NS. G's. Express. Routes and so on you. Will see in a demo how easy is it is to to use and configure, although, we're not going to go. Through the entire configuration, process. So. Private. Link and other thing I want to mention about it is that it. Is not specific, to our sequel, this is a standard, error mechanism. That. Today. Prevents. Data exfiltration in, a, other sequel. Logical. Servers but is also available in, preview, for in, other storage, a natural sequel data warehouse, and, in the future we can expect some, other services, to offer the. Same mechanism. So. What, does it take to create, a configure, private, link you, need three things so. First you need to decide what is the private. Link resource, in the case of sequel, that's a natural sequel database logical, server that, you want to, connect to, from. Your virtual network, the, second thing is you need to identify the virtual, network and. Provision. A private IP address, within that virtual network from which you want to connect to your, sequel. Logical, server and finally. You have to define, the mapping between, the. Name the fully qualified name of your resource, and that, private IP, address you will be using for this private communication. And. Once you do that. Once. You have a private, endpoint, representing. Your other sequel, database, logical, server within. Your virtual, network, you, can start using it you can start connecting it obviously. From that the, same virtual. 
Network, for example a virtual machine within the same P net or. You. Can connect to it from other. V nets possibly, in in other regions, through Venus peering, or v-net gateways, or you, can even connect. From on-premises. Via, an Express, route right then. The most important, point is that you can do all that without. Exposing. A, public. Endpoint of the de la jerkle server, to. The in in the internet right so. With that by, the way I forgot to mention at the beginning that we'll be doing I'll, do like a, demo for each of these of these features, and. Let. Me do the private link them on out. Alright. So for my private, link demo provision. And configuration, that has two. Sets of outer resources. On the, left hand side I have, a resource group with resources, located in West United States and the. Most, important, resource. I will be using here for the demo is this peer.

The Demo, sequel. Logical, server and. On the right hand side I have a resource group in, which the primary, the most important research for the purpose of our demo is this virtual machine it, is part of this peer demo v-net, and our. Goal is to establish private. Communication. Between. That. V-net, and, the, VM within that v-net and a logical server on the on the left hand side so. Before. We do that let me actually show, you, the. Current networking. And firewall, configuration. Of the, logical, server right. So if you go to. Security. And, and firewalls. And virtual, networks, pain. You. Will see that right now initially. The. Access, to that resource. So that logical, server from other other. Services. Is disabled, and, no. IP addresses, are whitelisted, in in firewall, rules which, means that this logical servers, inaccessible. From, the outside in particular, from the internet and we. Can actually check. That it's true so what I'm going to do now I'm going and try I will try to connect, to it from my laptop which is in the internet right and, we'll, see if that works ok so it doesn't work and I'm I'm. Getting, I'm being told that, well. I cannot connect and I'm prompted to. Whitelist. My public. IP address, and added to to. The firewall, configuration. Which, I'm not going to do oh because that's not not. My goal my goal is, to make sure that this. Virtual. Machine can. Connect. Privately. To. That to. That resource, which is the logical server, so. In. This demo so again, the way to do that is via a private, link and private endpoint, I'm, not going to show you the end-to-end process, of configuring. The, the private link because not, because it's it's. Particularly. Complex, or long, what's, longest, is the wait time once you kick it off you need to wait five, to ten minutes for all these resources to get provisioned. Therefore. I have, pre provisioned, the private, endpoint. Representing. That logical, server before. The demo so let's just review its. 
Configuration, now. So. If I click on my, private. Endpoint, there are a few few. Properties, and few settings, that I want to. Highlight and, make. Sure. You you, catch. Some details, here so, the, first important, detail is that, this. Is a private endpoint, that. Encapsulating. That is representing. My, PR demo sequel logical. Server so. This is the name of the resource and its type and this. Endpoint exists. Represents. A logical, server where. Then the v-net called PL, demo veena and you might remember this is the same veena that contains my virtual, machine and. The. IP address, that this private endpoint, is accessible. At is listed. Here 10 9 0 4 and, here. Is the mapping, for, the fully qualified, name which, is the name of my, logical. Server so. There, is an entry, in, there, is a resource, that. Gets. Provision, as part of provisioning, the private link called. DNS, zone that. Defines. That mapping between DNS, fully qualified, name and that. Private. IP address, so. Let's. Now see what this configuration does, to the VM. So. I have, the. Remote desktop, connection. Window, right here I'm connected. To my VM, that. I just showed you on this right-hand. Part. Of the of, the portal, window and. Let's. Do one thing first. First. Let's. Try to open. The command prompt, and let's. Run the nslookup. Command that. Map's, the fully qualified, name of, my, logical, server to an IP address and, here you can see that that, name gets resolved, to the same private.

IP Address, that you saw in the configuration. Of the private link right. So. That's that's one key part now. From. A tool like sequel server management, studio or, data studio or any other sequel, to our application. I can, now use that fully, qualified, name you would you know you. Saw a few. Seconds before that. It gets resolved, to the private, IP address, I can. Now connect. Again, privately. To. That resource, from that. VM. Ok. So. Now. I'm connected, to the logical server over the private endpoint let's do one more thing I'm. Going to run a query, which. What. It does it basically. Ok. What. It does once, I connect to the database, that I should be talking to it. It. Is going to. Tell. Me what. Is the source IP address this. Connection, from the sequence, point of view is coming, from and again you can see this is the same private, IP endpoint. That. I configured, for my. Private. Private, link and private endpoint so to, summarize, the, VM thinks. It's talking to this IP address and. It as we, saw in, the demo it it reaches, through, it it reaches, the the, logical server and the logical, server from logical server point. Of view the, same IP address is the. Source. IP address all, the traffic, is coming through to, this, logical. Server instance, and I achieved, all that without, the hassle, and complexities. Of, network. Security groups firewalls. Express. Route and so on very, simple, an effective. Way to prevent. Data exfiltration, ok. By. The way if you have any questions, now or as, we, go through various, parts subsequent. Parts of this presentation feel. Free to ask. Yep. Ok. The question is about the impact of authentication. Yes. So if I mean. Repeat the question and alternatively. Feel free to use the microphone, the question is about impact, of private link on outer ID authentication. There is no impact it's completely, orthogonal. Independent. Right. So. Completely. Two different independent technologies. They do. 
Not intersect with each other. That's. Right. That's. Correct no impact on ad, authentication. To sequel server of on this right. Did. I hear question, okay. All. Right let's, completely. Switch. Gears. And topics, and lots let's talk about something. Very very different so we're jumping from the, networking. Tier. To. Now. Encryption. So. Let's. Talk about confidential. Computing, define, what it is and why we care and why we've been heavily, investing in this space not only in sequel but also in other areas of Microsoft, as well so. Confidential. Computing, in the context, of databases, this. Vision is about enabling. Computations. Inside, in our case a relational, database system. In. Such a way that, in. A way that prevents. Various. Powerful, adversaries. Such as cloud, administrators. Database, administrators. Administrators. Of machines, hosting, sequel server instance, from, seeing the data okay, or stealing. The data, potentially. And. The. Really. Hard thing to do here is to achieve this high level of security in high level of security guarantees, and protection, in a way that. Doesn't compromise. Sequel. Servers, ability. To, perform computations. On the data right you could just simply encrypt, the data on, the client side outside, of sequel, dump it to sequel, and you would achieve the security goal right sequel.

Server Would not see your data an administrator. Would not see your data however, most. Technologies, that allow you to do that, they come. With very. Unpleasant. Side effects namely. A database. Becomes. Simply dump storage, right, it stores, your data the, data is encrypted nobody. Will see it but, the database, engine cannot, anything, with the data that's. Not what we want we want to eat the cake and have it we want to protect. The data from. These powerful adversaries. And be, able to support. Rich. Ideal rich computations. Right so, that's the goal now. About, three. Four years ago we. Started the journey towards. This this. Goal by, releasing, the. Future code always encrypted, it happening, in sequel, Server 2016, and a, few months earlier another. Sequel, database, and this was our first take, first, attempt, to implement, this vision of confidential, computing, and we, did that by. Implementing, a client-side, encryption technology. So. In this approach a client driver inside, the car the application, transferred the encrypts, data that, is sent by the application, to the database, and then, transparency, decrypt, the data that is retrieved, and query results, from the database, right. So. You. Could say that from. The security standpoint the goal is is achieved, because. At. Any point of time sequel. Server can, access, the data in plaintext. Because. One other important, property, of the solutions, that cryptographic, keys, that are used to encrypt decrypt, data are, managed, outside, of the database or managed, on the client side on only the client has access, to the keys right. But. I guess the most relevant point, for this discussion is that in, this previous. Version of always encrypted we. Achieved to. Implement. To. Support, fairly. Limited confidential. Computing, capabilities. Namely. We implemented, the deterministic, encryption algorithm. Which, allowed us to support, just. One operation. On encrypted. 
Data within, sequel, server without exposing, the data in plaintext in the, sequel server environment, and that, operation, was equality. Comparison, so with that sequel, server could support operations. Like point lookup searches equality, joins and. Pretty. Much that's it right so, again that was our first goal toward, towards, the division, of confidential, computing, it's.

Equality. Comparison. As you may suspect is not sufficient. For many types of applications, that's. Why from, the very beginning, from the moment we shipped sequel Server 2016. We started, working. On that next. Iteration. Next. Major, update. To D. Always encrypted technology, and that's, what we did in sequel server 2019. That was announced earlier this week, so, in sequel server 2019. We, ship the revision, of the always encrypted technology. Called always encrypted with secure Enclave, so let's first explain, what an unclear is an. Enclave, at a high level is a very simple concept it's. A protected, region of memory basically a chunk of memory within, the process, the process in this case is sequel server so sequel server contains, the Enclave, and this, Enclave has some special cool properties, namely. It's a it's a black box to the outside world even that sequel server process, that contains, the Enclave cannot see what's inside it and, so. The. Yunkish therefore, is in ideal environment. For to. Support computations. On sensitive, data because, basically what what, happens inside the Enclave says in the Enclave. Its. Its content, data. Code is not visible. To the outside world, so, how. Are we using, this. This. Idea. Of the Enclave and sequel server so, we have refactor, the sequel. Server process. To be precise, the sequel, server this, the query executor. Inside. The sequel server in such, a way that it delegates, computations. On sensitive, data 2d Enclave and the, Enclave being a black box invisible, to the outside world can, safely decrypt, the data which, is encrypted, outside, of the Enclave perform. Computations. On plaintext, and return partial, results, of these computations, the query executors, that the aggregates these partial results and returns. The comp complete. The results to the client, right, so. So that's the idea and with, that we, can support, much, richer, computations. Again, we're not going to support initially. 
Full sequel servers, server, surface, area all computations. But eventually you want to get there we, started, with something, that many customers have been asking for support, for pattern, matching and, range. Comparison. Sorting, right sorting, is not supported. Yet but it will be soon they. At least natural sequel database, the. The goal is to enable. Confidential. Computation, on broader. Class, of, sensitive. Information namely, PII. Personally identifiable. Information. Okay. In addition to that another benefit, is that with, this we can support cryptographic, operations, in, place outside y'all unlike, on always encrypted in. Sequel server, 2016-17. With. This you, can encrypt, a large. Column, without moving the data outside of the database that's not possible in the, older, version. Of sequel, okay so. To. Kind of help you imagine. Or. Better, understand, this idea of an enclave so, this is what you would see if you are touch a debugger, to sequel server process, and somehow, magically try. To find, the memory of the Enclave ok if you do that you're not gonna see what's, the. Actual data or code in that memory you you're gonna see this junk or or, nothing, encrypted, data right, so.

That's That's, what the Enclave is. From. From the end-user point, of view or or somebody who is trying to attack and compromise. The. Other thing I want to mention is that with. The introduction, the, introduction. Of the Enclave. It. Comes with some. Complexities. It brings some complexities. Namely. Now so, I just told you we have this unsafe component, within sequel server process, which, is like the supposed. To be like the agent behind enemy, lines or or, a foreign. Office, in in. A given country representing. The client right and being the client, it trusted, representative. Of the client, within the sequel server process, but, how the client actually knows it will trust. This Enclave right and that's, the problem that is solved, by introducing a concept of not a station protocol, in another station service, in. Sequel, server 2019. We, support, virtualization. Based, security enclaves. That require using, hosts Guardian services, which is a Windows component, as an attestation solution. I'm not going to talk about the details of attestation, last. Year we. Did a deep, dive and - always encrypted including, attestation, with my colleagues from Windows you, can find, a recording, of that session if you if, you're interested in that, challenging. And interesting problem. Of attestation. One. Thing I want to add is throughout. Sequel. Server 2019. Early access preview program we've, worked, with several customers, who have. Become early. Adopters, of this technology, one, of the mistakes caused Hiscox is an insurance company with about 100, years of history, so. Obviously, any. Any, leak. Leakage. Of sensitive. Customer data of, the, company, would be devastating. For their business and their reputation, but. On the other hand they, cannot, just. Encrypt. And store the data in the encrypted form, without. Being, able, to analyze. It to perform computations. On the data so, always, encrypted with secure Enclave solve, this problem by allowing them, to protect. 
The data from, powerful adversaries. Like their, own DBS, and hypervisor users and at the same time to preserve sequel, server's ability, to. Perform. Computations. On that sensitive, customer data. So. With that I'll. Switch to the demo again. And. I'll try, to show you a. Quick. Demo of always encrypted. Again. This. Is going to be a short demo because we don't have a lot of time but. We, have some other recordings. That, provide, more. Elaborate. A longer, version of of the, same demonstration so. I'm going to start with showing, you my sample database, my sample database, has, just, one table, right here, and let. Me run this query. You can see that this table contains fairly sensitive information including. Social Security numbers and seller figures, of employees, okay. And, right, now if, I'm a database, administrator, and let's assume I'm wearing a hat of the database, administrator, I can of course run this query without. Launching. Sophisticated. Memory scanning, attacks or taking memory dumps, I can just run this query and see that data in plain text no problem right and that's, the problem we want to address in.

Addition, To that I have, this simple. Web application that, shows me the same data and it. Allows me also to filter, the data by. Salary range by a portion of the social security number right. So. Now if you go to. SMS. Window again one. Thing I want to show you is that, whenever. I use this UI this, application, triggers a query right, and this, is how this query looks like from, sequel server point. Of view so, it's a it's, a select statement. With. Like. Predicates, and the world clause on. The SSN, column, and range. Comparison, on the salary column so, you could say that, this, court contains fairly, rich filtering. Criteria goal. Of the demo the goal of the demo is to protect the data in use from, high provision, but I'm, authorized, users by encrypting that data but. We want to do them in such a way that sequel. Server is still able to perform, these. Computations and. Process these queries alright so. Let's do that. So. To. Do that I, will, switch to another instance, of sequel server management, studio to. Emphasize. The point that now I'm wearing, I'm. Assuming, a different role I mean data owner who. Has access, to cryptographic. Keys, and I, will be encrypting, that data that. I want to protect and. What's. Always incredibly, secure on place I can, do that by running a simple alter table statement, if. You. Ever try, that with. The previous version of although it's encrypted you know that at this point you would have to use one, of our tools like always encrypted, wizard or PowerShell, that moves all the data from the database encrypted, uploaded, back and. This can take very very long time and it's prone. To network errors, and other problems, with. This. Simple command that completed. Whether in a fraction, of a second my, data, was. Encrypted in, place inside. The secure Enclave on, the server side right how, do I know the data is encrypted if I go back to the other window. SSMS. Window, or i'm assuming, the role of of. 
A, DBA so, this is the outcome of the previous. Execution, of the Select statement on, the table, if, I run it one more time I can. See that my SSN, and salary columns, are now encrypted, so if I'm a DBA. And I am a DBA in this moment of the demo I cannot, see the data in plaintext anymore. Right. So, now let's. Switch back to, the. Application, let's. Refresh, this view and. Let's. See what changed. Here. All. Right so. Nothing, has changed, there is one little trick that I quickly, can show you which. Is I literally, have, not made, no changes, to the application code, to make it work with now columns, that are encrypted. Other. Than, changing, slightly. The database, connection strength in which I enabled. Column. Always. Encrypted this transparent. Encryption, and decryption of, query parameters. And query. Results, and I, also specified. My. Attestation, endpoint. Because. Before. This cloud application, agrees. To use the Enclave for query processing, it needs to verify that the Enclave is really secure and trustworthy, okay, so. I mentioned that that's the problem the, attestation. Protocol. Solves. Okay, so. So, again back, to the application this. Just works as before, and confer, turbine. Salary. And social. Security number let. Me just, close. By going. Again. To, this. Query, monitor, window and let's. See if anything, has, changed if, there, is. Anything. Different, and how these queries, look like they. Should be slightly different sometimes there is a lock and delay. Here. Okay. Now it is. So. First. I want to point out one thing that has not changed this. Is still the same query, statement. Right select, statement, containing they're like predicates, on this.

SSN. Column, which, is now encrypted and the range comparison. On the salary column that is now encrypted, the. Difference is that now the parameters. Search, filtering. Criteria get. Encrypted, by the client, driver inside the application. So sequel server gets, both the. Query parameters. Which are encrypted, and already has the, data in a column that is encrypted, and to process this query it needs to engage the Enclave sent all the data to the Enclave, the Enclave decrypt, the data and, query parameters. Performs. Calm comparisons. Or, evaluates. Like predicate, returns, partial results of sequel server process, and the, filter results results. Are returned back to the client application so. I achieved, protection, of data and use from high privilege but, on all unauthorized, users, while, preserving, a. Sequel. Server ability. To to perform rich computations. And I also was. Able to encrypt my data in place. All. Right so, with that let. Me go back to. The. Slide deck again. And hopefully we have enough. Time to. Quickly. Talk. About threat, protection and vulnerability. Assessment. So. How. Many of you are familiar with. Advanced. Data. Security. Vulnerability. Assessment, and threat, protection you, probably. Some of you have been using these features for quite some time for. Example in Azure sequel, they today's so, the. Main development. The main new enhancement. Here is that we have enabled the same capability. In. For, other sequel, virtual. Machines. Right. Sorry. I skipped. One, slide, too. Quickly so there are two things here threat protection, and vulnerability, assessment, with threat protection. The, idea is that. There. Are sequel server instance, in, this with, this new, enhancement. Running inside our virtual machine, and. This. Virtual machine is. Equipped, with a component, called, OMS. Agent. Operations. Management, studio. Agent. Which. Is basically. Constitute. The instrumentation. 
Layer of this monitoring, system, it harvests, the outted, locks and sends. Them to the cloud to other where, these, other logs, get analyzed, right and, alerts. Get automatically. Generated. And appear. As you will see hopefully, in a demo in a couple. Of minutes they. Appear next to alerts that threat. Protection generates. For other other. Assets, you might have in your subscriptions. Okay so. With that you can detect things like. Unusual. Access, patterns, people log into your database from, unusual, locations, or. Sequel. Injection attempts. Vulnerability. Assessment, is it's. A similar feature and. What, a very similar architecture again. We have extended, it to support other sequel. Virtual. Machines so now, you, can have again the same OMS. Agent, that, now harvests, the, configuration. Data for, your sequel, server environment. And sense. That configuration, data to. The cloud or, the data. Gets analyzed, and based on that you. Get not, occasions you get reports. About. Potential. Security. Vulnerabilities. About holes in your configuration okay. So. Again the main value probe the main change here is that now you. Can apply. Threat, protection you can apply for mobility assessment not. Only to other sequel, database. The path environment but, also in. Your Aya's. Infrastructure. As a service environment and sequel. Server running in virtual. Machines so again. Let's do a demo, of, threat. Protection and. VA. Vulnerability. Assessment, for. That let me exit, my. AE. Demo. Environment, so. One, thing I want to start with is. How. Easy it is to enable, threat. Protection and, vulnerability. Assessment, for your. Sequel. VN is. Environment, probably, the easiest ways to start. First, of all you go to either. Security. Center you go to pricing. And setting, stop and then. You can traverse the. The. Management, groups containing. Your subscriptions. You can find your subscription. You can click on it and then. With. A simple. Click of a button you, can enable. 
A. Both. Threat, protection and, vulnerability, assessment, for, a specific asset, or resource, type, so. Before you could do that for, pass. Sequel. Server instances. Or. Managed, instances, and, now you can also do, that for. For. Sequel. Server running and virtual, machines so if this is disabled, initially, when, you enable, it. Multiple. Things will happen first, this, OMS, agent, gets deployed, to. Your sequel server virtual, machines and then. Configuration. Files component. So-called, solution. Files. Will, be deployed to the DOE Emmas agent and will start monitoring, your sequel, server instance, okay it's it's as simple. As that. So, let's say you have enabled everything, is up and running so, threat. Protection the vulnerability, assessment, is up and running you. Can start viewing. Vulnerability. Assessment, data and you can, start viewing. Security. Alerts there are multiple entry points in, the portal to access this information, and. I'm, going to pick. One of them for, the demo so.

Under Resource security hygiene, you can go to Data and storage, and what this now shows you is basically a single-pane-of-glass view in which you can access the summary information about security vulnerabilities found across all your data assets, and that includes, as before, your PaaS environment, SQL databases in Azure SQL Database and in managed instances, but the new addition, the new enhancement, is the ability to view vulnerabilities in SQL Server inside virtual machines. So we can potentially drill down to any of these entries, in this case into vulnerabilities for virtual machines. We can pick one of the servers and we can drill down to the database, and we could see vulnerabilities within that specific database. Like, for example, this one: it tells me that, well, TLS protocol is not enabled for my database, which is a pretty big deal, so that's something that I should probably address as soon as possible, and I'm provided with recommendations on what's the best way to do that. So typically you get very actionable recommendations on how to address all these misconfigurations. So that's how you get your vulnerability assessment reports and recommendations.

The other thing that you can access through the portal are alerts. So that's the threat protection component of the solution. So once you enable threat protection for your SQL Server virtual machines, these alerts may start flowing, right? So for example, if somebody tries to brute force a password in your SQL Server environment, you will get an alert. If somebody tries to launch a SQL injection attack, again you will get an alert. We can actually quickly take a look at how an alert indicating a potential SQL injection attack looks. Again, this is one of the virtual machines containing SQL in my environment. Apparently multiple SQL injection attempts have been executed against it, and I can view the details of this alert, which include the exact query, that is, the likely vulnerable SQL query that somebody used to exploit, to launch the SQL injection attack, in this case.

All right. So, wow, the 45-minute session is really super short, so we will be wrapping up very soon, but I can take maybe a question or two now.

Right. Right. So the question is: is it available only in a SQL VM in Azure, versus another VM, also in Azure, but configured manually? The answer is yes, the answer is yes. It's not available on premises, outside of Azure, at least that's the current state.

So with that let me quickly wrap up. Again, we talked about confidential computing and the new enhancements to threat protection and vulnerability assessment. There is a bunch of resources in various places, including our documentation site, that you might want to check out. One thing I want to highlight is the session Joachim and I are having tomorrow. It will be related to one of the topics that we discussed today, mainly confidential computing and encryption, and we'll be talking about central policy management and managing encryption centrally. There is a new initiative that you probably will find very exciting and will want to learn about. So with that I will wrap up, with 40 seconds left, in case there are any questions. Thank you. Yeah.

Yeah, you can use the mic, that would be perfect, that will save us time, I won't have to repeat your question.

Yeah, hello. Yeah, so, with enclaves, right, how does caching work with the data? Right, so pretty much, I mean, the point of equality searching is to unencrypt data and be able to use binary searching on unencrypted data. So does it mean that, you know, if I have, let's say, a 200 million row table with sensitive data, right, and I want to run queries that can use binary searching, does that mean that it's going to pretty much get cached and stay in memory inside of the enclave anyway, right?

So, no, we do not do caching of plaintext data that gets decrypted inside the enclave today, which means that in the absolute worst-case scenario, you have 200 million rows in your table, in the absolute worst-case scenario all of them would have to be decrypted for each query. However, it doesn't usually happen if you use, for example, an index on that encrypted column, which you should do. And maybe, I apologize if I haven't made that clear, and maybe it's actually not obvious, is the fact that we do support indexing on encrypted columns with enclaves, where index-related operations are also done inside enclaves. So with indexing, of course, you will not typically be scanning all the rows if you properly configure your indexes. But again, if you run the same query again, yes, some decryption operations will be repeated inside the enclave today. So we do lots of different caching in different places, but we don't do that yet, at least. There are lots of performance improvements we have in mind.

Right. I'm happy to, go ahead.

Your encryption, OK. How can we follow what's the current status of encryption in the databases you're working on, and is there any specific... Right. So the question is how can you follow the development, the innovation that is happening inside SQL. So, yeah, well, there is a SQL Server security blog that we do have and we try to maintain, and communicate any new development and exciting news. There is documentation that keeps updated. There is, you know, at every major conference we have a session like this, including SQL PASS and Ignite and Build, so that's another way to get familiar with what we're working on and what we are up to. And tomorrow is another session, so, yeah, the topic of tomorrow's session is probably something we will not necessarily be aggressively blogging or documenting about, so that is a good reason to come and join us. 9:15, right here, yep.

Yes. Is it deterministic encryption, and does Always Encrypted support authenticators? And if not... So, yes, we support HMAC. We just append it to the ciphertext, so this is a mechanism that we use to detect corruption of ciphertext. Yes, we do that both for deterministic and randomized encryption. By the way, randomized encryption is the way to go going forward with enclaves. We kind of look at deterministic encryption as... well, rather I should say we use enclaves combined with randomized encryption as a successor of deterministic encryption. Computations using deterministic encryption outside of the enclave... nothing will be discontinued, you can continue to be using deterministic encryption without enclaves, with indexing, there is no danger that we will discontinue that. We just give you more options, and with enclaves, deterministic encryption doesn't support as much functionality inside the enclave as randomized encryption, at least that's the current state. So for that reason you might want to use randomized encryption with enclaves and maybe deterministic encryption if you want to outside of the enclaves. Thank you.

All right, I guess it's getting cozy, so we can maybe turn microphones off at some point. Yeah, sure.

The first: if I run an explain plan over a query that's using encrypted... If you run, what, I'm using an explain plan? An explain plan, yeah. OK, what's the question? Well, is the explain plan the same with or without the encrypted column? I think it will be the same. I haven't checked it personally. I think it doesn't impact the query plan, at a high level. Great question. To be honest, I haven't experimented with that. I would need to ask my engineers to give you the precise answer. If you don't mind leaving your contact information, I will be more than happy to close on that and reach out to you. Question? I think...

2020-01-18 05:44
