Solved

Hide data in MS SQL Server 2012 table

Posted on 2014-02-21
Last Modified: 2014-02-21
Hello. I have a table in my SQL Server 2012 database that contains some sensitive data.  I have always just relied on the Windows Authentication to control who can access the data in the database. Someone mentioned to me that it was possible to encrypt the data in the table. I have never heard of this. Is this possible?
Question by:Lorrec
3 Comments
 
LVL 10

Accepted Solution

by:
PadawanDBA earned 250 total points
ID: 39878233
Encryption is a pretty in-depth topic!  It is indeed possible and there are several ways to do it.  I would refer you to this article for exhaustive details on the various methods: http://technet.microsoft.com/en-us/library/bb510663.aspx.  My largest problem with using SQL Server's mechanisms for encryption is that there's very little lock/key separation.  I work in a PCI regulated environment where we have dedicated hardware encryption appliances that encrypt the data before it is ever persisted into our databases.  You can additionally create views atop the tables and really lock down access to the tables by only giving access to people on the views that don't reference your sensitive data at all, as an additional layer of securing the access to it.
0
 
LVL 23

Assisted Solution

by:Michael74
Michael74 earned 250 total points
ID: 39878511
As noted by PadawanDBA, this is a very complex and involved subject.

If you would like to have a go in your test environment, here are a couple of articles that can get you started:

http://technet.microsoft.com/en-us/library/ms179331.aspx
http://blogs.msdn.com/b/lcris/archive/2005/06/09/simple-demo-for-how-to-encrypt-and-decrypt-a-table-column-in-sql-server-2005.aspx

Some questions you need to ask are:

1/ What is the risk (impact and likelihood)? For the effort involved, is it really worth it? As noted above, you could use views to further limit access.

2/ How secure does it need to be? There are many methods with varying levels of security and levels of difficulty to implement, with the easiest often being the least secure.

3/ Don't just look at the database. If you have control of the system inputting the data, it may be better to encrypt outside of the database.

Michael
0
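The two in-database techniques mentioned in the answers above, shown together as an added T-SQL example (not code from either poster or from the linked articles): column encryption with a certificate-protected symmetric key, and a view that omits the sensitive column. The table, column, role, key and certificate names and the password placeholder are assumptions.

```sql
-- Constructed example; table, role, key and certificate names are hypothetical.
CREATE TABLE dbo.Customer (
    CustomerId INT            NOT NULL PRIMARY KEY,
    FullName   NVARCHAR(100)  NOT NULL,
    NationalId VARBINARY(256) NULL   -- holds ciphertext only, never plaintext
);
CREATE ROLE ReportingRole;   -- may see non-sensitive columns only
CREATE ROLE PrivilegedRole;  -- may decrypt NationalId
GO

-- Key hierarchy: database master key -> certificate -> symmetric key.
-- All of it is stored in the same database as the ciphertext, which is the
-- limited lock/key separation raised in the accepted answer.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>'; -- replace
CREATE CERTIFICATE CustomerCert WITH SUBJECT = 'Customer column encryption';
CREATE SYMMETRIC KEY CustomerKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerCert;
GO

-- Write path: the key must be open in the session before EncryptByKey is called.
OPEN SYMMETRIC KEY CustomerKey DECRYPTION BY CERTIFICATE CustomerCert;
INSERT INTO dbo.Customer (CustomerId, FullName, NationalId)
VALUES (1, N'Test Person',
        EncryptByKey(Key_GUID('CustomerKey'), N'000-00-0000')); -- constructed value

-- Read path: DecryptByKey returns NULL when the key is not open in the session.
SELECT CustomerId, FullName,
       CONVERT(NVARCHAR(20), DecryptByKey(NationalId)) AS NationalId
FROM dbo.Customer;
CLOSE SYMMETRIC KEY CustomerKey;
GO

-- Only PrivilegedRole receives the permissions needed to open the key.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::CustomerKey TO PrivilegedRole;
GRANT CONTROL ON CERTIFICATE::CustomerCert TO PrivilegedRole;
GRANT SELECT ON dbo.Customer TO PrivilegedRole;
GO

-- View layer: expose the table without the sensitive column.
CREATE VIEW dbo.CustomerPublic AS
    SELECT CustomerId, FullName FROM dbo.Customer;
GO

-- The view and table share an owner, so ownership chaining lets ReportingRole
-- read through the view while direct access to the table stays denied.
GRANT SELECT ON dbo.CustomerPublic TO ReportingRole;
DENY  SELECT ON dbo.Customer       TO ReportingRole;
GO
```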
 

Author Closing Comment

by:Lorrec
ID: 39878781
Thank you for the information. This is what I needed.
0
