SQL Server Security RRS feed

  • Question

  • Hi,

    My company wants to implement Security in SQL server databases. We have already implemented security in Oracle databases.
    In oracle we have implemented Database vault, Audit Vault, TDE, Database masking. 

    Please let me know what are security features available in SQL Server.


    Sunday, May 5, 2019 5:31 AM

All replies

  •  What version you are using? Edition? TDE Enterprise Edition, Database masking are available

    Following are the features in SQL Server that support GDPR compliance:

    1. Row-Level Security (RLS)
    2. Dynamic Data Masking (DDM)
    3. Transparent Data Encryption (TDE)
    4. Transport Layer Encryption (TLS)
    5. SQL Server Audit
    6. Temporal Tables
    7. Always Encrypted (AE)
    8. Authentication
    9. Azure vault
    10. Azure Active Directory
    11. SQL Threat detection

    Best Regards,Uri Dimant SQL Server MVP,

    MS SQL optimization: MS SQL Development and Optimization
    MS SQL Consulting: Large scale of database and data cleansing
    Remote DBA Services: Improves MS SQL Database Performance
    SQL Server Integration Services: Business Intelligence

    Sunday, May 5, 2019 7:19 AM
  • Good day Arif,

    If you can describe specific vault you want to implement then we can advise what is the best option.

    For Azure SQL Database you can start here:

    For SQL Server on-premises you can start here:

    In general, these are the levels of control which you can implement (there are some more which are not here - this is a list of what I cover in specific one-day-event):

    1. Securing the physical environment
    2. Securing the Operating System
    3. Secure Access Control (connecting the server)
      • External
        • Firewall and firewall rules (IP rules for example)
        • Network Security Groups rules
        • Virtual network
          • Virtual network rules
          • firewall rules
        • Control endpoints
        • Dynamic Proxy (like DataSunrise, GreenSQL, HexaTier-formaly GreenSQL, etc’)
      • Internal
        • Authentication (SQL authentication, Windows authentication, Azure Active Directory authentication)
        • Contained Databases
        • Contained Database Users
    1. Limit the Authorization (Control using the server entities)
      Server Level Roles, Database Level Roles, Database Schema Level Permissions, Application Roles, and Object Level Access.
      • Logins
      • users
      • Control GRANT and REVOKE permissions per entities (object-level permissions)
      • Row-level security – expose data in the row level
      • Application Roles
    2. Secure SQL Server instance Surface Area (sp_configure)
      • Disable un-needed features like: Ad Hoc Distributed Queries, clr enabled, cross db ownership chaining, Database Mail XPs, Ole Automation Procedures, scan for startup procs, xp_cmdshell
    3. Information protection and encryption (Database level, column level)
      • Encrypt the file system/disk with "Encrypting File System" and "BitLocker Drive Encryption"
      • Encryption-at-rest
        • Transparent Data Encryption
      • Encryption-in-transit
        • Encrypted connections (SSL/TLS).
          * Enforced in the Azure Database always!
          * using the ADO.NET driver this is accomplished via Encrypt=True and TrustServerCertificate=False.
        • Column’s Encryption (1)
        • Always Encrypted

    * Flexible Key (Azure Key Vault, Local Key in the client side or in the server side)

    1. data exposure
      • Dynamic Data Masking
      • Static Data Masking
    2. Threat protection
    3. Auditing and Threat Detection (find issues after occurred)
      • (Azure)Define server-level auditing policy
      • (Azure Define database-level auditing policy
      • Advanced data security (ADS)
        • Vulnerability assessment
        • Data discovery & classification
        • Advanced Threat Protection
    1. Secure your Application

    signature   Ronen Ariely
     [Personal Site]    [Blog]    [Facebook]    [Linkedin]

    Sunday, May 5, 2019 10:44 AM