Cloud Security Failures
• Only a minimal percentage of the security incidents impacting organizations were errors of the cloud platform
• Security concerns are still the biggest reason organizations avoid the public cloud
• Public cloud providers must take action to help customers learn the right measures to secure their deployments
Source: Gartner Reveals Top Predictions for IT Organizations and Users for 2016 and Beyond, October 2015, http://www.gartner.com/newsroom/id/3143718
“By 2020, 95 percent of cloud security failures will be customer errors” – Gartner
The cloud presents unique security challenges
• Cloud environments are more dynamic: resources are spun up (and shut down) frequently, and it is not just a matter of VMs; PaaS must also be considered
• CIOs and CISOs lack visibility and control: management is increasingly distributed and the physical network no longer defines the perimeter
• Companies carry their on-premises security problems into the cloud: disconnected solutions, alerts and advanced threats
[Diagram: Microsoft hybrid IT management with Microsoft Operations Management Suite, simplified guest and workload management both on-premises and in the cloud. On-premises with System Center (Windows, Hyper-V, VMware); any cloud, whether public cloud (Azure or AWS) or private or hosted third-party cloud (Rackspace, etc.); any platform. Labels: Visibility, Control, Security, Protection.]
Key Scenarios
• Insight and Analytics
• Configuration and Automation
• Application Management
• Security
• Backup
• Disaster Recovery
Protecting workloads in the hybrid cloud
[Diagram labels: Microsoft Operations Management Suite, Azure Security Center, OMS Security]
Security for OMS Log Analytics (OMS Security)
• Threat detection using advanced analytics
• Collection of security data from virtually any source (Azure or AWS, Windows Server or Linux, VMware or OpenStack)
• View of security states (antimalware, system updates)
• Correlations to detect malicious activities, and search for rapid investigation
• Integrates operational and security management
Security for Azure (Azure Security Center)
• Threat detection using advanced analytics
• Asset discovery and continuous security assessment (OS configurations, system updates, SQL DB configurations, virtual network configurations)
• Actionable security recommendations with easy remediation
• Security policies for IT governance
• Integrated management and monitoring of security partner solutions
Operations Management Suite pricing and licensing datasheet: available through Azure monetary commit or billed quarterly; pre-purchased included quantities at a discount; unused amounts expire at the end of each month.
SQL Server 2016: Everything built-in
[Gartner graphics not reproduced. Gartner's accompanying disclaimer: the graphics are part of a larger research document, available upon request from Microsoft, and should be evaluated in its context; Gartner does not endorse any vendor, product or service depicted, its publications are opinions rather than statements of fact, and it disclaims all warranties with respect to this research.]
Consistent experience from on-premises to cloud
[Chart residue: self-service BI per user, Microsoft $120, Tableau $480, Oracle $2,230; in-memory across all workloads, built-in; TPC-H 10TB at massive scale, with SQL Server holding the #1, #2 and #3 non-clustered results as of 11/28/16, 07/11/16, and 06/27/16 respectively, http://www.tpc.org/tpch/results/tpch_perf_results.asp?resulttype=noncluster]
[Chart: National Institute of Standards and Technology Comprehensive Vulnerability Database update, October 2016; reported vulnerabilities per year, 2010 to 2016, for SQL Server, Oracle, MySQL and SAP HANA (per-year values are not recoverable from the extracted chart).]
Mission-critical performance
Performance
• In-Memory OLTP enhancements: greater T-SQL surface area, terabytes of memory supported, and higher number of parallel CPUs
• Operational analytics: insights on operational data; works with In-Memory OLTP and disk-based OLTP
• Query Store: monitored, optimized query plans
• Temporal Tables: query data as points in time
Security
• Always Encrypted: sensitive data remains encrypted at all times, with ability to query
• Dynamic Data Masking: real-time obfuscation of data to prevent unauthorized access
• Row-Level Security: fine-grained access control for table rows
• Other enhancements: audit success/failure of database operations; TDE support for storage of In-Memory OLTP tables; enhanced auditing for OLTP with ability to track history of record changes
Availability
• Basic Availability Groups: with SQL 2016 Standard Edition
• Enhanced AlwaysOn: distributed availability groups, automatic replica seeding, distributed transactions, automatic failover, load balancing, manageability
• Backup enhancements: managed backup to Azure, Database Recovery Advisor
Scalability
• Windows Server support: support for Windows Server Core and Windows Server ReFS
• Live migration: faster live migration, live migration for non-clustered VMs
• Scalability enhancements: hardware acceleration for TDE, parallelized decryption, TempDB optimization, and more
The need for Always Encrypted (Security)
Allows customers to securely store sensitive data outside of their trust boundary. Data remains protected from high-privileged, yet unauthorized, users.
• Data disclosure prevention: client-side encryption of sensitive data using keys that are never given to the database system
• Queries on encrypted data: support for equality comparison, including join, group by, and distinct operators
• Application transparency: minimal application changes via server and client library enhancements
Security: protect your data at rest and in motion without impacting database performance
Most secure database
[Diagram: Always Encrypted query flow. A trusted app issues SELECT Name FROM Patients WHERE SSN=@SSN with @SSN='198-33-0987'; the enhanced ADO.NET library encrypts the parameter on the client with the Column Encryption Key (itself protected by the Column Master Key, which stays on the client side), so SQL Server receives @SSN=0x7ff654ae6d and matches it against the ciphertext stored in dbo.Patients (Name, SSN, Country). The result set comes back as ciphertext and is decrypted in the client library, the only place where the plaintext SSN 198-33-0987 appears.]
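As an added example (not part of this deck), the T-SQL that sets up the dbo.Patients schema from the diagram for Always Encrypted, with the SSN column encrypted deterministically so the equality lookup still works; the key names, the certificate thumbprint and the wrapped key value are placeholders, and the client driver is assumed to have column encryption enabled.

```sql
-- Column master key (CMK): a certificate in the client's store. SQL Server only
-- records where it lives, never the key itself; the thumbprint is a placeholder.
CREATE COLUMN MASTER KEY CMK_Patients
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/<CERTIFICATE_THUMBPRINT_PLACEHOLDER>'
);
GO

-- Column encryption key (CEK): stored in the database only as ciphertext wrapped
-- by the CMK. The wrapped bytes are produced on the client (e.g. by the SSMS
-- wizard or the ADO.NET key store provider); 0x00 is a placeholder here.
CREATE COLUMN ENCRYPTION KEY CEK_Patients
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Patients,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00
);
GO

-- DETERMINISTIC encryption maps equal plaintexts to equal ciphertexts, which is
-- what lets WHERE SSN = @SSN, joins, GROUP BY and DISTINCT run on ciphertext; it
-- requires a BIN2 collation. RANDOMIZED hides equality but permits no comparison.
CREATE TABLE dbo.Patients (
    PatientId int IDENTITY PRIMARY KEY,
    Name      nvarchar(60) NOT NULL,
    SSN       char(11) COLLATE Latin1_General_BIN2
              ENCRYPTED WITH (
                  COLUMN_ENCRYPTION_KEY = CEK_Patients,
                  ENCRYPTION_TYPE = DETERMINISTIC,
                  ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
              ) NOT NULL,
    Country   nvarchar(60) NOT NULL
);
GO

-- The lookup from the diagram. It must reach the server as a parameterized
-- statement from a driver connected with "Column Encryption Setting=Enabled",
-- which encrypts @SSN with the CEK before the query leaves the client (in SSMS,
-- enable "Parameterization for Always Encrypted" so this DECLARE is sent as a
-- parameter). Comparing the column with a plain literal in T-SQL fails with an
-- operand type clash: the server never holds the key needed to encrypt it.
DECLARE @SSN char(11) = '198-33-0987';
SELECT Name, Country FROM dbo.Patients WHERE SSN = @SSN;
```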
Dynamic Data Masking (Security)
Prevent abuse of sensitive data by hiding it from users
• Configuration made easy in the new Azure portal
• Policy-driven at table and column level, for a defined set of users
• Data masking applied in real time to query results based on policy
• Multiple masking functions available, such as full or partial, for various sensitive data categories (credit card numbers, SSN)
[Diagram: real-time partial masking of Table.CreditCardNo, in SQL Database and SQL Server 2016.]
Benefits of Dynamic Data Masking (Security)
Limit access to sensitive data by defining policies to obfuscate specific database fields, without affecting database integrity
• Regulatory compliance
• Sensitive data protection
• Agility and transparency: data is masked on the fly, with the underlying data in the database remaining intact (transparent to the application and applied according to user privilege)
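As an added example (not from this deck) of the policy described above, T-SQL that defines full and partial masks on a table and shows the same rows read by a masked user and by an unmasked one; the table, users and rows are constructed for the demo.

```sql
-- Customer table with a masking rule per sensitive column; rows are sample data.
CREATE TABLE dbo.Customers (
    CustomerId   int IDENTITY PRIMARY KEY,
    Name         nvarchar(60) NOT NULL,
    Email        nvarchar(120) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    -- partial(prefix kept, padding, suffix kept): expose only the last 4 digits
    CreditCardNo char(19) MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL,
    -- default(): full mask for the data type
    SSN          char(11) MASKED WITH (FUNCTION = 'default()') NOT NULL
);
INSERT INTO dbo.Customers (Name, Email, CreditCardNo, SSN) VALUES
    (N'Denny Usher',  N'denny@example.com',  '4465-6571-7868-5796', '198-33-0987'),
    (N'Alicia Hodge', N'alicia@example.com', '4468-7746-3848-1978', '123-82-1095');
GO

-- A low-privilege database user for the reporting app: SELECT only, no UNMASK.
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO ReportReader;
GO

-- The policy is applied to the result set at query time, by caller privilege.
EXECUTE AS USER = 'ReportReader';
SELECT Name, Email, CreditCardNo, SSN FROM dbo.Customers;
-- Email shows as dXXX@XXXX.com, CreditCardNo as XXXX-XXXX-XXXX-5796, SSN as xxxx
REVERT;

-- The stored values are untouched: dbo, or any user granted UNMASK, reads them in full.
SELECT Name, Email, CreditCardNo, SSN FROM dbo.Customers;

-- Masking is lifted or restored per user without touching table or application:
GRANT UNMASK TO ReportReader;
REVOKE UNMASK FROM ReportReader;

-- Caveat: DDM is an obfuscation layer for query results, not encryption. A user
-- with SELECT can still filter on a masked column, so data that must not be
-- inferred also needs Row-Level Security or Always Encrypted.
```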
The need for Row-Level Security (Security)
Protect data privacy by ensuring appropriate access across rows
• Fine-grained access control over specific rows in a database table
• Blocking of unauthorized access when multiple users share tables, or connection filtering in multi-tenant applications
• Administration via SQL Server Management Studio or SQL Server Data Tools
• Enforcement logic inside the database, with schema bound to the table
[Diagram: one SQL Database shared by Customer 1, Customer 2 and Customer 3.]
Benefits of Row-Level Security (Security)
Store data intended for many consumers in a single database/table while also restricting row-level read-and-write access based on user execution context
• Fine-grained access control: keeping multi-tenant databases secure by limiting access by other users who share the same tables
• Application transparency: RLS works transparently at query time, without requiring app changes; compatible with RLS in other leading products
• Centralized security logic: enforcement logic inside the database that is schema-bound to protect the table; reduced application maintenance and complexity
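As an added example (not from this deck) of the multi-tenant case above, T-SQL that enforces tenant isolation on a shared table with a schema-bound predicate function and a security policy that both filters reads and blocks cross-tenant inserts; the table, user, schema and tenant ids are constructed for the demo, and the tenant is carried in SESSION_CONTEXT as a middle-tier app would do.

```sql
-- Orders from several tenants in one shared table; rows are constructed samples.
CREATE TABLE dbo.Orders (
    OrderId  int IDENTITY PRIMARY KEY,
    TenantId int NOT NULL,
    Amount   money NOT NULL
);
INSERT INTO dbo.Orders (TenantId, Amount) VALUES (1, 120.00), (1, 45.50), (2, 999.99), (3, 10.00);

-- The shared application user (created without a login to keep the demo self-contained).
CREATE USER AppUser WITHOUT LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO AppUser;
GO
CREATE SCHEMA Security;
GO
-- Predicate function: WITH SCHEMABINDING ties it to dbo.Orders, so the table cannot
-- be altered in a way that silently breaks the policy. A row qualifies only when
-- its TenantId equals the tenant recorded in SESSION_CONTEXT; with no tenant set
-- the comparison is NULL and nothing is visible (deny by default). dbo is exempt.
CREATE FUNCTION Security.fn_TenantPredicate(@TenantId int)
RETURNS TABLE WITH SCHEMABINDING
AS RETURN
    SELECT 1 AS fn_result
    WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS int)
       OR USER_NAME() = 'dbo';
GO
-- FILTER hides other tenants' rows from SELECT/UPDATE/DELETE; BLOCK AFTER INSERT
-- rejects rows written under another tenant's id (add AFTER UPDATE for full coverage).
CREATE SECURITY POLICY Security.OrdersTenantPolicy
    ADD FILTER PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Orders,
    ADD BLOCK PREDICATE  Security.fn_TenantPredicate(TenantId) ON dbo.Orders AFTER INSERT
    WITH (STATE = ON, SCHEMABINDING = ON);
GO

-- The app sets the tenant once per connection; @read_only = 1 prevents any later
-- statement on the session from switching tenants.
EXEC sp_set_session_context @key = N'TenantId', @value = 2, @read_only = 1;
EXECUTE AS USER = 'AppUser';
SELECT OrderId, TenantId, Amount FROM dbo.Orders;            -- only OrderId 3 (TenantId 2)
INSERT INTO dbo.Orders (TenantId, Amount) VALUES (2, 5.00);  -- allowed
INSERT INTO dbo.Orders (TenantId, Amount) VALUES (1, 1.00);  -- rejected by the block predicate
REVERT;
```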
Manage SQL Encryption Keys in Azure Key Vault
SQL Server-in-a-VM and SQL Server users can use Azure Key Vault for encryption key management
Available to keys for Transparent Data Encryption, Column Level Encryption, and Backup Encryption
• Scalable, central key management
• High security and redundancy
• Separation of data and keys
[Diagram: SQL Server (TDE for encryption at rest, Column Level Encryption, Backup Encryption) connecting to Azure Key Vault through the SQL Server Connector; reference: SQL Security blog.]
SQL Database Threat Detection
Detects suspicious database activities indicating possible malicious intent to access, breach or exploit data in the database
• Configurable threat detection policy via the Azure portal or a standard API
• Multiple sets of algorithms, which detect potential SQL injections and unusual access and usage activities
• Investigate and mitigate threats as they occur using the Azure portal
[Diagram: a web app in front of SQL Database, with SQL Threat Detection watching for a malicious insider and an external attacker.]