SQL 2005 Security Best Practices - database

What is the best way to encrypt a SQL 2005 database?
I have found things about the with SQL 2008, and I've seen how to do column encryption in SQL 2005 - but it seems more difficult to access the table values then because you need to create a function or a view/stored procedure.
I also tried doing the file level security by using windows encryption (via a certificate) to encrypt the folder which held the database files, but then SQL Server Management Studio gave me errors on permissions (even after I gave it permissions).
I need to secure client data on our servers and I need to do it in a way that will not slow down our server too much, though I know it's inevitable due to the extra layer that encryption poses.
Am I missing something, or am I wrong? Please advise.

Upgrade to SQL Server 2008 and use Transparent Database Encryption. Unlike column level encryption of SQL Server 2005, the 2008 TDE is, as the name implies, transparent. Requires no application changes. Also, the data is searchable, something which is always desirable but very difficult to achieve with column encryption or with client side encryption.
File level encryption does not really work with SQL Server. However, BitLocker does work with SQL Server so encrypting the entire volume with BitLocker is another viable alternative.

If you don't want to slow down the server, you could encrypt and decrypt data on the fly using the client side to process it. Store data in the database in a serialized and/or encrypted fashion. There are many examples of this kind of thing on the net.
Create a wrapper for your data , like so :
Wrap(
Zip (
Base64 Encode (
Encrypt (
Serialize(
DATA
)
)
)
)
)
Then,
StoreInDB(
WrappedData
)

Related

Always Encryption in Azure SQL ( Client Side Encryption)

I've Implemented Always Encryption method in my Project, after knowing that it encrypts's the data in Client Side Code and Never reveals the Data to DataBase Engine.
I've gone through here and here and got a Clear Idea that Encryption/Decryption is done in Client Level(Driver).
Also, I've already posted a Question on this site too and got the Same Answers.
Although, I've needed to prove it to my Officials that between the Database Call and Client Code the data's will be encrypted.They simply ignore the Documentation.
How should I've able to prove them that during the network between the client and SQL server the Data in Encrypted and not Decrypted?
I tried with Process monitor. But it does not seem to work, it listing all the process behind the Visual Studio Execution(mostly DLL Calls)
Can i use Fiddler to Monitor ?
You can use SQL profiler that can be accessed through SSMS.
You can find it in SSMS menu as Tools -> Sql Server Profiler.
With some google search, you can find resources on how to use it.
I would create two tables having the same schema. Encrypt a couple of columns of one of the tables using Always Encrypted.
Run select, insert and point lookup queries for each table. You will see that for table with Always Encrypted columns, you will see encrypted values being sent to SQL Server for the encrypted columns whereas for plaintext table all the values sent to the server will be in plain text.
SQL-Profiler is a good way to Prove the Data is Encrypted through-out the Network.I've tried with Fiddler as well as SQL Profile. Both Proved my data were encrypted through out the Channel between Client and SQL Server. I would like to Show Images on this. (May be helpful for others)
Fiddler (Client Network Traffic)
SQL-Profiler (Data's from Client to SQL Server as Encrypted)

SQL Server : using SQL Proxy application\instance to indirectly query a database

I am using Microsoft SQL Server (2008-2012)
I would like to avoid directly querying the database, and instead, use some kind of a proxy (ODBC-Like) which I will query via my application, and it will query the actual database, and return me the results.
The idea is to manually encrypt some columns and have a barrier which will make encryption / decryption transparent to the application connecting the database.
Is there an off the shelf solution for this? Or do I actually need to write my own custom odbc driver?

SQL Server 2005 Data Encryption

My requirement is that we have an Application "FinApp" which handles all Finance Related data of the Company.Current Audit Team has asked us to Encrypt data on production to enhance security.
I already have knowledge about standard SQL encryption with keys and all. Also we created a CLR Based Function so that the enc. keys are in application server and passed while calling, so that the DB Team cannot access data as well.
The thing is when we will run this on Production with close to 10-12 crores records will this kind of SQL work? Already using function calls in select query is working slow if a CLR Based Function or for that matter SQL Encryption is used. Has anyone done it?
"select encrypt(columna), encrypt(columnb), encrypt(columnc), encrypt(columnd) from mytableofhughnumbers"
We are of the view that performance would be severely hit. What alternative do we have if the data is huge and encryption is required? Database is sql server 2005.
There is an article for this
http://www.kodyaz.com/articles/sql-server-2005-database-encryption-step-by-step.aspx

How to assure that certain data in SQL Server 2008 can only be accessed with my software?

I’m distributing an SQL 2008 database with my c# application (only the data, which I restore in the client’s local SQL server).
Is there a way to assure that the client can only access my data by using my application? (and not, for instance, using Management Studio, SQLCMD, etc)
Thanks, Nestor
Yet another form of the same ethernal quesiton that comes up about SQL Encryption... see Who needs encryption? at the DRM section:
"I would like to package my database
application in a form that would allow
a customer to use it, but without him
ever being capable to access the
actual data stored in it. I think
encrypting the database should help".
The answer is always the same: what you ask for is DRM, not encryption, and SQL Server does not offer any DRM solution. If you your application can access the data, so can the user from any tool of his choice. You are wasting your time trying to find a solution based on SQL encryption and all the claims to the contrary are snake oil. All 'solutions' will have a key management fault that will allow an administrator to retrieve the decryption key, always.

Tools to encrypt sql server database

I don't want customers to be able to make backups of my sql server database and access the tables data etc.
I know there are some products that will encrypt the data in the tables, and their product will decrypt it when displaying in my application.
What products do you guys know of? What options do I have?
(This is a business requirement, however silly it might seem to some hehe).
Update
This is for sql server 2008 express
The problem with encrypting data inside the database is that as long as the database lives on the client's machine (as you indicated, they're running SQL 2008 Express, so I'm betting it lives on the client's desktops or laptops) then they can get into the data. They can set up security on the instance so that they have SA privileges, and from there, they can get the data, period. There's no way around that.
What you have to do is encrypt the data before it hits the database: encrypt it in your application. Inside the app, encrypt the data that you want to store in each sensitive field. As another poster indicated, you don't want to encrypt ID fields because those are used for indexing.
There is the 3rd party xp_crypt. It's been around for years.
It's an extended stored proc (that is, DLL)
SQL Server 2008 supports database encryption natively. Check the documentation for Transparent Data Encryption (TDE).
You can encrypt stored procedures, which can protect your logic.
TDE is available only Enterprise edition.
I can't find if it supports native sql encryption - but you could find this out with a little searching. But if it did you could probably set the database master key with your application and keep all of the decryption/encryption code in your application.
If it doesn't support native encryption, you might want to creat/find your own encryption functions in your application language and lock away the keys in your code.
Transparent Data Encryption will encrypt the database on disk, but is unencrypted in memory, so appropriate security would also be necessary to ensure unauthorised users cannot access the table. As it's an Enterprise-only feature, you can safely move away from it.
SQL Server 2005 and above have built-in encryption features - have a look at Books Online, and especially Chapter 5 - Encryption of Adam Machanic's Expert SQL Server 2005 Development book (technically, Lara Rubbelke wrote chapter 5 though).
Note that you'll only want to encrypt some columns - those that you'll never try to look up, as encrypted columns are pretty much useless for indexing. Adam Machanic's book suggests ways to solve this problem.
Another solution for transparent SQL Server encryption is DbDefence
Free for databases less than 77 MBs.

Resources