Database Security
CT069-3-3-DBS (VE1.0)
Topic 3
Data Obfuscation – Part 1
Learning Outcomes
At the end of this topic, you should be able to:
• Do data classification
• Explain various data obfuscation techniques
• Implement data encryption, hashing, anonymization and masking based on data classification
Module Code & Module Title Slide Title SLIDE 2
Confidentiality
• Confidentiality is about preventing the disclosure of data to
unauthorized parties.
• It also means trying to keep the identity of authorized parties
involved in sharing and holding data private and anonymous.
• Standard measures to establish confidentiality include:
• Data encryption
• Data Masking
• Two-factor authentication / MFA
• Bio-metric verification
• Security tokens
Confidentiality Thru Data Obfuscation
• Data obfuscation is a generic term for any process or technique that intentionally obscures or disguises sensitive or confidential information to protect it from unauthorized access or unintended disclosure.
• It aims to make the data difficult to understand or interpret for unauthorized individuals or systems while preserving its utility and usability for authorized purposes.
• By applying data obfuscation, organizations can reduce the risk of data leakage.
• Techniques: Anonymization, Masking, Hashing, Encryption
• The technique to be used depends on what we want to achieve.
Confidentiality Thru Data Obfuscation
• Data obfuscation is typically implemented in conjunction with:
– Data classification
– Permission Management
• Authentication
• Authorization
• Access control
• Row level security
Common data types that require some form of data protection
• Personally identifiable information (PII)
• Data that can be used to identify certain individuals. This includes information
like full name, passport number, driver’s license number, and social security
number.
• Protected health information (PHI)
• Data collected by healthcare service providers for the purpose of identifying
appropriate care. This includes insurance information, demographic
information, test and laboratory results, medical histories, and health
conditions.
• Payment card information
• The Payment Card Industry Data Security Standard (PCI DSS) requires merchants that handle credit and debit card transactions to appropriately secure cardholder data.
Data Classification
Level 0 – Private: Data private to you only
Data Classification
Level 0 – Private
Description: Data private to 1 person only
Examples: Password, password recovery questions/answers, ATM PIN, MFA code
Level 1 – Restricted
Description: Highly sensitive data that is restricted to a very small number of named individuals, roles, positions and authorized parties
Examples:
• Medical records
• Unpublished research data
• Food recipe
Level 2 – Confidential
Description: Sensitive information, intended for internal use and authorized parties
Examples:
• Staff and student personal data such as ID card number, personal phone number and home address
• Product cost
Level 3 – Internal
Description: Non-sensitive information, intended for internal use and authorized parties and not for public release
Examples:
• University or company policies, staff names, work phone numbers, emails
• Student marks, grades
• Product manufacturing process
Level 4 – Public
Description: Information that has been approved for public access and public disclosure
Examples:
• Job vacancy, academic calendar, news, promotional activities
• Product price
• Product ingredients
Data Classification Matrix
Level Classification Technique
0 Private • Hashing (during storage), encryption (during transit)
• Removal (during development/analysis)
1 Restricted • Encryption (during storage and transit)
• Access control (during usage)
• Dynamic masking (during usage)
• Removal (during development/analysis)
• Anonymization (during development/analysis)
2 Confidential • Encryption (during storage and transit)
• Access control (during usage)
• Dynamic masking (during usage)
• Anonymization (during development/analysis)
3 Internal • Access control
• Anonymization (during development/analysis)
4 Public • Ensure data integrity and availability
Sample Data for Discussion
ID    Name  Phone        Email           Country    Qualification  Gender  Passport    Password
C100  John  01926465476  john@email.com  Indonesia  B.Sc           Male    A111111111  JohnPwd
C200  Mary  01426465476  mary@email.com  Malaysia   Diploma        Female  A222222222  MaryPwd
Data Protection Sample Scenarios
Scenario #1 – General Protection (protecting the live database): Your organization is facing tough competition. Recently there was an attempt to break into your system and steal your valuable data. How will you protect the sensitive data even if it is stolen?
Scenario #2 – Research & Analysis: Let's say you have been requested to provide a copy of the database to the marketing department for their analysis. How will you protect the sensitive data before passing it to the marketing department?
Scenario #3 – System Enhancement: Let's say you have been requested to provide a copy of the database to the software development team for their enhancement work. How will you protect the sensitive data before passing it to the dev team?
Cryptography
• Cryptography is the science of secret writing.
• Cryptography is associated with the process of converting
ordinary plain text into unintelligible text and vice-versa.
• It is a method of storing and transmitting data in a particular
form so that only those for whom it is intended can read and
process it.
• Cryptography not only protects data from theft or alteration but
can also be used for user authentication and validation.
Cryptography
• Encryption
• Hashing
Data Encryption
• A process of converting plaintext (unencrypted data) into ciphertext (encrypted data) using an encryption algorithm and a cryptographic key.
Data Encryption
• Encryption focuses on securing data during storage
or transmission. It is applied to protect sensitive
information by ensuring that it is unreadable and
unusable by unauthorized individuals or systems.
• Even if an attacker gains access to the encrypted
data, they won't be able to understand or use it
without the decryption key.
Encryption Key Types
Symmetric key:
• One secret key to cipher and decipher information.
• The sender and the recipient should know the secret key that is used to encrypt and decrypt all the messages.
Asymmetric key:
• A public key is made freely available to anyone who might want to send you a message.
• The private key is kept secret so that only you know it.
Symmetric vs Asymmetric
Main differences between Symmetric Key Encryption and Asymmetric Key Encryption:
Size of cipher text
  Symmetric: Smaller cipher text compared with the original plain text file.
  Asymmetric: Larger cipher text compared with the original plain text file.
Resource utilization
  Symmetric: Symmetric key encryption works with low usage of resources.
  Asymmetric: Asymmetric encryption requires high consumption of resources.
Security
  Symmetric: Less secure due to the use of a single key for encryption.
  Asymmetric: Much safer as two keys are involved in encryption and decryption.
Speed
  Symmetric: Symmetric encryption is a fast technique.
  Asymmetric: Asymmetric encryption is slower in terms of speed.
Algorithms
  Symmetric: Blowfish, AES, RC4, DES
  Asymmetric: RSA, DSS, ECC
Certificates for Encryption
• Certificates can also be used to encrypt data
• A public key certificate, usually just called a certificate, is a digitally-signed
statement that binds the value of a public key to the identity of the person,
device, or service that holds the corresponding private key.
• Certificates are issued and signed by a certification authority (CA). The
entity that receives a certificate from a CA is the subject of that certificate.
• Typically, certificates contain the following information:
– The public key of the subject.
– The identifier information of the subject, such as the name and e-mail
address.
– The validity period. This is the length of time that the certificate is
considered valid.
MS - Encryption Hierarchy
SQL Objects That Can be Encrypted
• Encryption Keys
• Database Encryption
– Encrypts the data files
• Column Level Encryption (CLE)
– Encrypts data before it is added to / updated in the table
• Database Backup Encryption
– Discussed further in the Backup/Restore class
Database Level Encryption
a.k.a Transparent Data Encryption (TDE)
• TDE = database level encryption
• Why "transparent"? The encryption is invisible to (does NOT affect) the user/developer: no schema, design or SQL code changes are required.
• Also known as Encryption “At Rest”
• This is a file level encryption. Data is encrypted before it is written
to disk and decrypted when read into memory.
• To protect the database device file on the drive.
• This is to prevent the database device file from being stolen and
compromised.
Steps to Implement TDE – Sample Code
Step 1 - In master database
– Create master key in master database (do this only once per server)
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'QWEqwe!@#123';
– Create certificate to protect the key to encrypt database
CREATE CERTIFICATE CertForTDE WITH SUBJECT = 'CertForTDE';
Steps to Implement TDE – Sample Code
Step 2 - In the database that you want to perform TDE
– Create database encryption key (DEK)
USE SampleDB_DBS;
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE CertForTDE;
– Turn database encryption on (one statement; a semicolon after the database name would end the ALTER DATABASE statement early)
ALTER DATABASE SampleDB_DBS
SET ENCRYPTION ON;
Check the encryption details
Use master
SELECT * FROM sys.symmetric_keys
SELECT * FROM sys.certificates
SELECT * FROM sys.dm_database_encryption_keys
SELECT db_name(a.database_id) AS DBName , a.encryption_state_desc,
a.encryptor_type, b.name as 'DEK Encrypted By'
FROM sys.dm_database_encryption_keys a
INNER JOIN sys.certificates b ON a.encryptor_thumbprint = b.thumbprint
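Added check (example code, not from the slides) for two things a practitioner wants after the TDE steps above: that the background encryption scan has completed, and that the certificate protecting the DEK is backed up, because an encrypted data file or backup of SampleDB_DBS cannot be restored on another server without it. The file paths and the password are placeholders.

```sql
-- Added example (not from the slides): confirm TDE finished, then back up the
-- TDE certificate with its private key. Paths and password are placeholders.
USE master;
GO

-- encryption_state: 2 = encryption in progress, 3 = encrypted.
-- percent_complete shows how far the background scan has got.
SELECT DB_NAME(database_id) AS DBName,
       encryption_state,
       encryption_state_desc,
       percent_complete
FROM sys.dm_database_encryption_keys
WHERE database_id = DB_ID('SampleDB_DBS');

-- Export the certificate together with its private key to a protected location
-- outside the server. The password encrypts the exported private key file;
-- keep it, the .cer and the .pvk somewhere a stolen data file cannot reach.
BACKUP CERTIFICATE CertForTDE
    TO FILE = 'C:\secure\CertForTDE.cer'            -- placeholder path
    WITH PRIVATE KEY (
        FILE = 'C:\secure\CertForTDE.pvk',          -- placeholder path
        ENCRYPTION BY PASSWORD = '<strong-password-placeholder>'
    );
GO
```

Restoring the database elsewhere means creating a master key on that server and importing this certificate from the two files before RESTORE DATABASE is run.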
Column Level Encryption (CLE)
• Column level encryption provides more granular control over which columns to encrypt.
• In CLE, values are encrypted before they are stored in the table.
• Encryption is done while the data is active, not just "at rest" (TDE).
• Encryption of data at the column level protects the data even when the physical data file is compromised.
• Column level encryption is not a setting but a way to encrypt the data before it is stored in the column/table. It requires changes in the table structure and SQL code.
Encrypted Data Storage Requirements
• To store an encrypted value in a column, the relevant column must be created with the varbinary(max) data type as shown below
Create Table Customer
(ID varchar(10) primary key,
[Name] varchar(100),
Phone varchar(15),
Email varchar(200),
Country varchar(200),
Qualification varchar(200),
Gender varchar(6),
Passport varchar(20),
[Password] varbinary(max))
Note: Declaring a column as varbinary is not the same as encrypting the data. It only means that the column is capable of storing cryptic data. The actual value must be encrypted or hashed before it is stored in this column.
Steps to Implement Column Level Encryption
• Identify the data that requires high level security (need to be
encrypted) – data classification matrix
• Create/Add a column with binary data type varbinary(max)
to store the encrypted value
• Remove the plain text column if you have created one
• Create encryption keys based on the hierarchy in that specific
database
• Encrypt data before it is stored into the table
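Worked example added here (example code, not from the slides) of the migration these steps describe: an existing plaintext Password column is replaced by an encrypted varbinary(max) column. It assumes the Customer table currently has a varchar Password column, and that the asymmetric key MyAsymKey from the key-creation steps already exists in SampleDB_DBS.

```sql
-- Added example (not from the slides): migrate Customer.Password from plaintext
-- varchar to an encrypted varbinary(max) column. Assumes MyAsymKey exists in
-- SampleDB_DBS and the caller has permission to use it.
USE SampleDB_DBS;
GO

-- Step: add a binary column to hold the ciphertext
ALTER TABLE Customer ADD PasswordEnc varbinary(max) NULL;
GO

-- Step: encrypt every existing value before it lands in the new column
UPDATE Customer
SET PasswordEnc = EncryptByAsymKey(AsymKey_ID('MyAsymKey'), [Password])
WHERE [Password] IS NOT NULL;
GO

-- Check: a NULL ciphertext beside a non-NULL plaintext means the encryption
-- failed (wrong key name or no permission on the key). Do not drop the
-- plaintext column while this query returns rows.
SELECT ID
FROM Customer
WHERE [Password] IS NOT NULL AND PasswordEnc IS NULL;

-- Step: remove the plaintext column so only the ciphertext remains, then
-- give the encrypted column the original name
ALTER TABLE Customer DROP COLUMN [Password];
GO
EXEC sp_rename 'Customer.PasswordEnc', 'Password', 'COLUMN';
GO
```

The classification matrix lists hashing, not reversible encryption, for Level 0 data such as passwords; the Password column is used here only because it is the deck's running example.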
Steps to create encryption keys for CLE – Sample Code
In the database that you want to perform CLE
Step 1 - Create the master key encryption key (DEK)
USE SampleDB_DBS;
Create master key encryption by password = 'QwErTy12345!@#$%'
Step 2 - Create an asymmetric key
CREATE ASYMMETRIC KEY MyAsymKey
WITH ALGORITHM = RSA_2048
Encrypt and store data for CLE – Sample Code
Step 3 – Insert data using EncryptByAsymKey function
insert into Customer (ID, [Name], Phone, Email, Country, Qualification, Gender, Passport, [Password])
Values ('C100', 'John', '01926465476', 'john@email.com', 'Indonesia', 'B.Sc', 'Male', 'A111111111', EncryptByAsymKey(AsymKey_ID('MyAsymKey'), 'JohnPwd'));
insert into Customer (ID, [Name], Phone, Email, Country, Qualification, Gender, Passport, [Password])
Values ('C200', 'Mary', '01426465476', 'mary@email.com', 'Malaysia', 'Diploma', 'Female', 'A222222222', EncryptByAsymKey(AsymKey_ID('MyAsymKey'), 'MaryPwd'));
Table data after CLE encryption
Note: If the encryption column shows NULL after you
perform encryption, then it means that you have done
something wrong or you don’t have permission to the
encryption key
Decrypt and store data for CLE – Sample Code
Note: If the decrypted column shows NULL after you
perform decryption, then it means that you have done
something wrong or you don’t have permission to the
decryption key
Steps to create encryption keys for CLE – another sample
In the database that you want to perform CLE
Step 1 - Create the master key encryption key (DEK)
USE SampleDB_DBS;
Create master key encryption by password = 'QwErTy12345!@#$%'
Step 2 - Create a certificate
CREATE CERTIFICATE CertForCLE WITH SUBJECT = 'CertForCLE';
Step 3 - Create a symmetric key protected by the certificate or asymmetric key
CREATE SYMMETRIC KEY SimKey1
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE CertForCLE;

CREATE SYMMETRIC KEY SimKey2
WITH ALGORITHM = AES_256
ENCRYPTION BY ASYMMETRIC KEY MyAsymKey;
Encrypt and store data for CLE – Sample Code 2
Step 4 – Insert data using EncryptByKey function
OPEN SYMMETRIC KEY SimKey1
DECRYPTION BY CERTIFICATE CertForCLE
Insert into Customer (ID , [Name] , Phone , Email , Country , Qualification ,
Gender , Passport, [Password])
Values ('C300', 'Sam', '01926465476', '[email protected]', 'Thailand', 'M.Sc', 'Male', 'A111111111', EncryptByKey(Key_GUID('SimKey1'), 'SamPwd'));
CLOSE SYMMETRIC KEY SimKey1
Decrypt and store data for CLE – Sample Code 2
Note: If the encrypted or decrypted column shows NULL after you perform encryption/decryption, then it means
that you have done something wrong or you did not open the symmetric key for encryption/decryption or you
don’t have permission to the key
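Added example (not code from the slides) serving both "Decrypt" slides above: it reads back the rows encrypted with EncryptByAsymKey (C100, C200) and with EncryptByKey (C300), and ends with the diagnostic queries to run when a decrypted column comes back NULL. It assumes the Customer table, MyAsymKey, SimKey1 and CertForCLE exist in SampleDB_DBS as created in the earlier steps.

```sql
-- Added example (not from the slides): decrypt CLE columns and diagnose NULLs.
-- Assumes Customer, MyAsymKey, SimKey1 and CertForCLE exist in SampleDB_DBS.
USE SampleDB_DBS;
GO

-- Rows encrypted with EncryptByAsymKey: decrypt with the private key.
-- DecryptByAsymKey returns varbinary, so the bytes are converted back to the
-- varchar that was originally encrypted.
SELECT ID, [Name],
       CONVERT(varchar(100),
               DecryptByAsymKey(AsymKey_ID('MyAsymKey'), [Password])) AS PasswordPlain
FROM Customer
WHERE ID IN ('C100', 'C200');

-- Rows encrypted with EncryptByKey: the symmetric key must be open in this
-- session; DecryptByKey finds the key from the GUID stored in the ciphertext.
OPEN SYMMETRIC KEY SimKey1
    DECRYPTION BY CERTIFICATE CertForCLE;

SELECT ID, [Name],
       CONVERT(varchar(100), DecryptByKey([Password])) AS PasswordPlain
FROM Customer
WHERE ID = 'C300';

CLOSE SYMMETRIC KEY SimKey1;
GO

-- Diagnostics for the NULL case in the notes above. SQL Server returns NULL
-- rather than an error when the key is not open or the caller lacks permission.
SELECT key_name, opened_date FROM sys.openkeys;              -- empty = no key open
SELECT permission_name FROM fn_my_permissions('SimKey1', 'SYMMETRIC KEY');
SELECT permission_name FROM fn_my_permissions('MyAsymKey', 'ASYMMETRIC KEY');
```

An empty sys.openkeys result means the OPEN SYMMETRIC KEY step was skipped in this session; an empty fn_my_permissions result points to the missing-permission case described in the notes.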
Encryption in SQL
Diagram (text recovered from the slide): where each kind of encryption applies between the client and the SQL Server instance
• Communication link (the wire) between the client and the SQL Server instance: Encryption = TLS
• Data in SQL Server memory and at the client: Encryption = Column Level Encryption
• SQL Server data files on the file system: Encryption = TDE
• Backup files: backups can be encrypted as well
What To Expect Next Week
In Class:
• More on data obfuscation techniques
Preparation for Class:
• Read about how to perform anonymization, masking and hashing