This is the first blog in a five-part series. Keep an eye out for upcoming posts, which will cover cutting cost and improving performance of storage, BI, and analytics; improving uptime and reliability; reaching data insights faster by running analytics at the point of creation; and maintaining a consistent data environment across on-premises, hybrid, and cloud environments.
Reason #1: Security
Wall, ditch, moat, palisades, watch towers, guards, highly trained soldiers: Even 2,000 years ago, when the Romans built their defenses, they deployed multiple layers of protection to deter invaders and keep intruders out. Today, on the electronic front, IT environments demand no less than a strong, layered approach to ensuring that data assets are protected from attacks such as stolen administrator credentials, unauthorized access, and pass-the-hash exploits.
You can see how important security is by examining the cost of data breaches, which is growing rapidly and represents a significant risk to business, as Figure 1 illustrates. To address this, Microsoft’s $1 billion annual investment in security demonstrates the company’s long-standing and proven commitment to building security capabilities into both its applications and operating systems. This means you can take advantage of layered security and mitigate risk.
Figure 1: Growing cost of data breach
Consider Windows Server 2016 and SQL Server 2016, for example: Security is built into both. Windows Server 2016 adds new OS-level security capabilities to existing security functionality. On top of Windows Server’s built-in security, SQL Server has consistently been the least vulnerable database, according to the National Institute of Standards and Technology (NIST). As a result, if you use both SQL Server 2016 and Windows Server 2016 together, you get enterprise-scale security that meets the strictest organizational and industry standards for your infrastructure and your data.
Figure 2: Independent findings show unparalleled security
Windows Server 2016 security
Windows Server 2016 includes built-in breach-resistance mechanisms to establish strong security layers to help thwart attacks. The Windows Server 2016 operating system is a strategic layer in your infrastructure and serves as the foundation for your SQL Server data security. To prevent data exposure, you need the most advanced protection you can get. By modernizing both your server platform and your data platform together, you can be assured you’re doing your best to protect your business. The security functionality in Windows Server 2016 includes:
- Device Guard helps lock down what runs on the server so that you are better protected from unauthorized software running on the same server as your SQL Server application.
- Credential Guard helps protect SQL Server admin credentials from being stolen by Pass-the-Hash and Pass-the-Ticket attacks. Using an entirely new isolated Local Security Authority (LSA) process, which is not accessible to the rest of the operating system, Credential Guard’s virtualization-based security isolates credential information to prevent interception of password hashes or Kerberos tickets.
- Control Flow Guard and Windows Defender protect against known and unknown vulnerabilities that malware can otherwise exploit. Control Flow tightly restricts what application code can be executed, especially indirect call instructions. Lightweight security checks identify the set of functions in the application that are valid targets for indirect calls. When an application runs, it verifies that these indirect call targets are valid. Windows Defender works hand in hand with Device Guard and Control Flow Guard to prevent malicious code of any kind from being installed on your servers.
SQL Server 2016 security
When you modernize your data platform to SQL Server 2016, you get access to innovative advanced security features of the least vulnerable database. Three key built-in features that keep unauthorized users from accessing SQL Server data are:
- Always Encrypted enables encryption inside client applications without revealing encryption keys to SQL Server. It allows changes to encrypted data without the need to decrypt it first, as shown in Figure 3. The combination of Transparent Data Encryption and Always Encrypted ensures that data is encrypted both at rest and in motion. To learn more please see “Always Encrypted in SQL Server & Azure SQL Database.”
Figure 3: Always Encrypted protection
- Row-Level Security (RLS), which Figure 4 illustrates, enables developers to centralize row-level access logic in the database and maintain a consistent data access policy to reduce the risk of accidental data leakage. For details please see, “Limiting access to data using Row-Level Security.”
Figure 4: Row-Level Security
- Dynamic Data Masking (DDM) lets you conceal your sensitive data or personally identifiable information (PII) such as customer information such as phone number, bank information, or Social Security number. DDM and Row-Level Security (RLS) help developers build applications that require restricted direct access to certain data as a means of preventing users from seeing specific information. Figure 5 illustrates. For deeper information please see, “Use Dynamic Data Masking to obfuscate your sensitive data.”
Figure 5: Dynamic Data Masking
1 National Institute of Standards and Technology Comprehensive Vulnerability Database, update 2016.
Thanks for reading our first blog in the series. For more info, check out this summary of five reasons to run SQL Server 2016 with Windows Server 2016.
Ready to give it a try? Check out our free evaluation options:
Don’t wait until you experience a data breach to get tougher on your security stance. Build your own layers of defense to protect your organization’s most important data and keep the bad guys out.