Data Modeling for Security and Privacy
Karen Lopez
Data Evangelist
InfoAdvisors
www.datamodel.com
Abstract
Modern database systems have introduced more support for security, privacy, and compliance over the last few years. We expect this to increase as compliance issues such as GDPR and other data compliance challenges arise. In this session, Karen will be discussing the newer features from a data modelers/database designers' point of view, including:
• Data Masking
• End-to-End encryption
• Row Level Security
• New Data Types
• Data Categorization and Classification
We'll look at the new features, why you should consider them, where they work, where they don't. We will also discuss how to negotiate on behalf of data protection in a world of Agile, MVP, Lean and DevOps. This session is hands-on with demos and labs, so bring your own laptop to participate.
Karen Lopez
• Karen has 20+ years of data and information architecture experience on large, multi-project programs.
• She is a frequent speaker on data modeling, data-driven methodologies and pattern data models.
• She wants you to love your data.
Why this topic?
•Because
•We
•Love
•Our
•Data
POLL: Who Are You?

You’re Hired!
Case Study
Group introductions
Lab .5

Launch
Lab .5
About this session
• Mostly transactional discussions
• Variety of skills & experience in teams
• Time limits
• Inspire you to learn
• Our style
• “At another company”
• Giving you tools & approaches
• Some checklist items
• Mostly analytical and practical learning
• Tools are for examples
Outline
• OVERVIEW
• DISCOVER
• CATEGORIZE
• PROTECT
• MONITOR & ASSESS
• MORE THOUGHTFUL STUFF
Ready for 25 May?
Callers asked me:
• How can we get started?
• Can you help us get certified?
• Do you have software for this?
• Do you have a couple of weeks to help us get this done?
Karen’s Governance Position
Security at the data level
Models capture security & privacy requirements
Management reports of reviews
Measurement
In other words, Governance
Data Models
• Karen’s Preference
• Track all kinds of metadata
• Advanced Compare features
• Support DevOps and Iterative development
• Support Conceptual, Logical and Physical design

Data Quality is Also Data Protection

ROI
Discovery
What do we have? Where is it? How do we know?

Data Cataloging
• SCAN-BASED
• AI-BASED
• METADATA!
• DATA PROFILING

Data Classification/Categorization
• Syntax-based
• Semantic-based
• AI-based
Data Profiling vs. Data Naming
Data Curation
• Related to Data Stewardship
• Covers more than Data Categorization
• Important part of Data Governance
• New-ish term going into GDPR and other protection concepts

One more time…
Every Design Decision must be based on Cost, Benefit and Risk
www.datamodel.com

C-I-A (confidentiality, integrity, and availability) method, classification of data
Catalog Data Assets
• Every compliance effort starts with inventory
• Capture the hard work of every project
• Build incrementally
• Start with what exists physically

Azure Data Catalog
Azure Data Catalog is a fully managed cloud service whose users can discover the data sources they need and understand the data sources they find. At the same time, Data Catalog helps organizations get more value from their existing investments.
Azure Data Catalog
App
Data Source: Microsoft, Oracle, Hadoop, DB2, Teradata, MySQL, HANA, Salesforce, ..and more

Data Objects/Assets
• A metadata representation in Data Catalog of a real-world data object. Examples include: tables, views, files, reports, and so on.

Categorization
Sensitive, Confidential, PII and Special Data
Other Options
• Informatica
• IBM Watson
• Erwin Data Governance
• Data Modeling Tool Portal
• ???

DEMO TIME
Azure Data Catalog, More

But really, who?
• End Users
• Self-Serve BI Users
• Machine Learning Users
• AI Users
• Reporting Users
• DBAs
• Devs
• Data Architects

DEMO TIME
Data Migration Assistant, SSMS, ERwin
Issues
• Data Scientists spend 80% of their time sourcing, prepping and cleansing data
• Likely everyone else has these issues
• We are lousy at documenting data and metadata
• This makes Karen sad
Lab 1 Discussion
• When would you be “done” discovering?
• How would you know you were done?
• Would you be able to do all the datasets?
• How would you prioritize the work?
• What skills would you need?
• What went right? Wrong?
• What would make this easier?
Assess
What sorts of data do we steward? How should we protect it?

Auditing and Threat Detection

Themes in Data Protection
Thoughtful Discussions
Dynamic Data Masking

Data Masking Examples
XXXX XXXX XXXX 1234
kxxxxxx@ixxxxx.com
$99,9999
June, 99, 9999
KXXXXX Lopez
Privacy - Dynamic Data Masking

    -- Masks are declared per column as part of the table design.
    CREATE TABLE Membership(
        MemberID int IDENTITY PRIMARY KEY,
        -- partial(): keep the first character, pad with XXXXXXX, keep no trailing characters
        FirstName varchar(100) MASKED WITH (FUNCTION = 'partial(1,"XXXXXXX",0)') NULL,
        LastName varchar(100) NOT NULL,
        -- default(): mask chosen by the column's data type
        Phone# varchar(12) MASKED WITH (FUNCTION = 'default()') NULL,
        -- email(): built-in mask for e-mail addresses
        Email varchar(100) MASKED WITH (FUNCTION = 'email()') NULL);

    INSERT Membership (FirstName, LastName, Phone#, Email) VALUES
        ('Roberto', 'Tamburello', '555.123.4567', 'RTamburello@contoso.com'),
        ('Janice', 'Galvin', '555.123.4568', 'JGalvin@contoso.com.co'),
        ('Zheng', 'Mu', '555.123.4569', 'ZMu@contoso.net');
Dynamic Data Masking
• COLUMN LEVEL
• DATA IN THE DATABASE, AT REST, IS NOT MASKED
• MEANT TO COMPLEMENT OTHER METHODS
• PERFORMED AT THE END OF A DATABASE QUERY RIGHT BEFORE DATA RETURNED
• PERFORMANCE IMPACT SMALL

Security – Dynamic Data Masking in SQL Server
4 functions available today:
• Default
• Email
• Custom String
• Random
DDM Functions

| Function | Mask | Example |
|---|---|---|
| Default | Based on datatype: String – XXX; Numbers – 000000; Date & Times – 01.01.2000 00:00:00.0000000; Binary – Single Byte 0 | xxxx; 0; 01.01.2000 00:00:00.0000000; 0 |
| Email | First character of email, then Xs, then .com. Always .com | Kxxx@xxxx.com |
| Custom | First and last values, with Xs in the middle | kxxxn |
| Random | For numeric types, with a range | 12 |
Dynamic Data Masking
• Data in database is not changed
• Ad-hoc queries *can* expose data
• Does not aim to prevent users from exposing pieces of sensitive data

Dynamic Data Masking
• Cannot mask an encrypted column (AE)
• Cannot be configured on computed column
• But if computed column depends on a mask, then mask is returned
• Using SELECT INTO or INSERT INTO results in masked data being inserted into target (also for import/export)
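
The masking behaviours listed above, walked through in T-SQL as an added example (not from the deck). The table, copy table and user names are hypothetical, the rows are constructed, and it assumes SQL Server 2016 or later (or Azure SQL Database) with the batches run from SSMS or sqlcmd in a scratch database.

```sql
-- Added example; dbo.MemberDemo, dbo.MemberCopy and MaskedReader are hypothetical names.
CREATE TABLE dbo.MemberDemo (
    MemberID  int IDENTITY PRIMARY KEY,
    FirstName varchar(100) MASKED WITH (FUNCTION = 'partial(1,"XXXXXXX",0)') NULL,
    Email     varchar(100) MASKED WITH (FUNCTION = 'email()') NULL
);
INSERT dbo.MemberDemo (FirstName, Email)
VALUES ('Roberto', 'RTamburello@contoso.com'),   -- constructed sample rows
       ('Zheng',   'ZMu@contoso.net');

-- Unmasked target table standing in for an export or reporting copy.
CREATE TABLE dbo.MemberCopy (FirstName varchar(100) NULL, Email varchar(100) NULL);

CREATE USER MaskedReader WITHOUT LOGIN;
GRANT SELECT ON dbo.MemberDemo TO MaskedReader;
GRANT INSERT ON dbo.MemberCopy TO MaskedReader;
GO

-- 1. A user without UNMASK gets masked values; the stored data is unchanged.
EXECUTE AS USER = 'MaskedReader';
SELECT MemberID, FirstName, Email FROM dbo.MemberDemo;

-- 2. Predicates are evaluated against the stored values, so this row is still
--    found even though its Email comes back masked. Masking is not access control.
SELECT MemberID, Email FROM dbo.MemberDemo WHERE Email = 'ZMu@contoso.net';

-- 3. INSERT INTO run by the masked user writes the mask, not the data.
INSERT INTO dbo.MemberCopy (FirstName, Email)
SELECT FirstName, Email FROM dbo.MemberDemo;
REVERT;
GO

-- Back as the owner: the copy holds the masked strings permanently.
SELECT FirstName, Email FROM dbo.MemberCopy;

-- Design review: which columns are masked, and with which function.
SELECT c.name AS column_name, c.masking_function
FROM sys.masked_columns AS c
WHERE c.object_id = OBJECT_ID('dbo.MemberDemo');

-- UNMASK is the permission that lifts the masks; grant it deliberately.
GRANT UNMASK TO MaskedReader;
EXECUTE AS USER = 'MaskedReader';
SELECT MemberID, FirstName, Email FROM dbo.MemberDemo;   -- real values now
REVERT;
REVOKE UNMASK FROM MaskedReader;
GO

-- Cleanup
DROP USER MaskedReader;
DROP TABLE dbo.MemberCopy, dbo.MemberDemo;
```

Step 2 is why the deck calls masking a complement to other methods: pair it with permissions or Row Level Security when the rows themselves must be hidden.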
Why would a DB Designer love it?
• Allows central, reusable design for standard masking
• Offers more reliable masking and more usable masking
• Applies across applications
• Removes whining about “we can do that later”

Security – Row Level Security
Security – Row Level Security
• Filtering result sets (predicate-based access)
• Predicates applied when reading data
• Can be used to block write access
• User defined policies tied to inline table functions

Row Level Security
• No indication that results have been filtered
• If all rows are filtered then NULL set returned
• For block predicates, an error returned
• Works even if you are dbo or db_owner role
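
The Row Level Security pieces named above (inline table function, filter predicate, block predicate, behaviour for dbo), put together in T-SQL as an added example that is not from the deck. All object and user names are hypothetical and the rows are constructed; it assumes SQL Server 2016 or later (or Azure SQL Database), run as dbo from SSMS or sqlcmd in a scratch database.

```sql
-- Added example; dbo.CustomerOrder, the Security schema, RepA and RepB are hypothetical.
CREATE TABLE dbo.CustomerOrder (
    OrderID  int IDENTITY PRIMARY KEY,
    SalesRep sysname NOT NULL,      -- database user that owns the row
    Amount   money   NOT NULL
);
INSERT dbo.CustomerOrder (SalesRep, Amount)
VALUES ('RepA', 100), ('RepA', 250), ('RepB', 75);   -- constructed sample rows

CREATE USER RepA WITHOUT LOGIN;
CREATE USER RepB WITHOUT LOGIN;
GRANT SELECT, INSERT ON dbo.CustomerOrder TO RepA, RepB;
GO

-- Keep predicate functions in their own schema, apart from the tables they guard.
CREATE SCHEMA Security;
GO
-- Inline table function: returns a row only when the caller owns the row.
CREATE FUNCTION Security.fn_OrderPredicate (@SalesRep AS sysname)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_result
       WHERE @SalesRep = USER_NAME();
GO
-- One policy carries both the read filter and the write block.
CREATE SECURITY POLICY Security.OrderPolicy
    ADD FILTER PREDICATE Security.fn_OrderPredicate(SalesRep) ON dbo.CustomerOrder,
    ADD BLOCK  PREDICATE Security.fn_OrderPredicate(SalesRep) ON dbo.CustomerOrder AFTER INSERT
    WITH (STATE = ON);
GO

-- Reads: RepA gets only RepA's rows, with no sign that other rows exist.
EXECUTE AS USER = 'RepA';
SELECT OrderID, SalesRep, Amount FROM dbo.CustomerOrder;

-- Writes: the block predicate rejects a row RepA could not read back.
BEGIN TRY
    INSERT dbo.CustomerOrder (SalesRep, Amount) VALUES ('RepB', 999);
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
REVERT;
GO

-- dbo is filtered too: USER_NAME() is 'dbo', which matches no SalesRep in the sample rows.
SELECT COUNT(*) AS rows_visible_to_dbo FROM dbo.CustomerOrder;

-- Design review: inventory of policies and their predicates.
SELECT p.name AS policy_name, p.is_enabled,
       sp.predicate_type_desc, sp.operation_desc, sp.predicate_definition
FROM sys.security_policies AS p
JOIN sys.security_predicates AS sp ON sp.object_id = p.object_id;
GO

-- Cleanup (the policy must go before the function and table it references)
DROP SECURITY POLICY Security.OrderPolicy;
DROP FUNCTION Security.fn_OrderPredicate;
DROP SCHEMA Security;
DROP USER RepA;
DROP USER RepB;
DROP TABLE dbo.CustomerOrder;
```

Because filtering is silent, an administrative or reporting role that must see every row has to be written into the predicate explicitly.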
Why would a DB Designer love it?
• Allows a designer to do this sort of data protection IN THE DATABASE, not just rely on code.
• Many, many pieces of code
• Applies across applications

Always!
Security – Always Encrypted

Security – Always Encrypted
• ENABLED AT COLUMN LEVEL
• PROTECTS DATA AT REST *AND* IN MEMORY
• USES COLUMN MASTER KEY (CLIENT) AND COLUMN ENCRYPTION KEY (SERVER)
Always Encrypted

Security – Always Encrypted
• Foreign keys must match encryption types
• Client code needs to support AE (currently this means .NET 4.x)

Security – Always Encrypted Wizard
Why would a DB Designer love it?
• Always Encrypted, yeah.
• Allows designers to not only specify which columns need to be protected, but how.
• Parameters are encrypted as well
• Built in to the engine, easier for Devs

What should we STOP doing?
Nobody ever talks about this….
SQL Injection
• WE ARE STILL DOING THIS!
• IT’S STILL THE #1 (but unsecured storage is getting more popular)
• TEST. TEST SOME MORE
• Automated Testing
• Governance is important

Auto-incremental Data Access

Trusting good people
• Good people don’t always stay that way
• People mess up
• Monitoring
• Checking
• Automatic alerting

Karen’s Rant Topic for 2019
Test Data
• Restoring Production to Development
• Restoring Production, with Masking
• Restoring Production, with Randomizing
• Restoring Production…anywhere
• Design Test Data
• Lorem Ipsum for Data
• Really, Design Test Data

What Skills Do Data Professionals Need for Data Protection?
No one ever talks about this….
Big Data and Analytics
Level: Literacy and Hands On
Why: These new technologies and techniques are making it mainstream in most shops, whether they are installed or software as a service. Plus, we need to use them on our own data
Who: All IT roles, especially data stewarding ones.

Literacy with Deep Learning, AI, Machine Learning
Level: Literacy +++
• How are they used?
• What are the real life uses today?
• Future uses
• Privacy and Security requirements
• Compliance trade-offs
• Employee Monitoring
Data Quality & Reliability
Level: Active Skills
• Is the data right?
• Is it current?
• Should it be there at all?
• Do we know where it came from?
• Do we know it was calculated correctly?
• Are there any known anomalies?
How can we do all this?
• Cloud Services are a fantastic way to learn and get hands on skills.
• Online Tutorials are often free and self guided
• Learn from Experts & Case Studies
• Deprioritize tasks that are really just being done for tradition
• Hire help
• Automate away some tasks to make more time

Karen Lopez
• Blogs at www.datamodel.com
• She wants you to love your data.

Thank You
• @DataChick
• karenlopez@infoadvisors.com
