{"id":6149,"date":"2021-02-03T17:19:30","date_gmt":"2021-02-03T22:19:30","guid":{"rendered":"http:\/\/andreas-wolter.com\/?p=6149"},"modified":"2025-07-28T17:29:27","modified_gmt":"2025-07-28T22:29:27","slug":"202103-need-to-know-security-principle","status":"publish","type":"post","link":"https:\/\/andreas-wolter.com\/en\/202103-need-to-know-security-principle\/","title":{"rendered":"The Need-to-know security principle"},"content":{"rendered":"\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-1n0mjjp-4d126583572ba895f6d0053e80e97c37\">\n.flex_column.av-1n0mjjp-4d126583572ba895f6d0053e80e97c37{\nborder-radius:0px 0px 0px 0px;\npadding:0px 0px 0px 0px;\n}\n<\/style>\n<div  class='flex_column av-1n0mjjp-4d126583572ba895f6d0053e80e97c37 av_one_full  avia-builder-el-0  el_before_av_one_full  avia-builder-el-first  first flex_column_div av-zero-column-padding  '     ><section  class='av_textblock_section av-1lf9fet-afcc2dfc1fff4ffdfaf8bdb9b0eee4d3 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h1>The Principle of Need-to-know in SQL Server and Azure SQL<\/h1>\n<p><em>(part 2 of my series of articles on <\/em><a href=\"https:\/\/andreas-wolter.com\/en\/202109_introduction-into-security-principles-in-the-context-of-database-systems\/\"><em>security principles in Microsoft SQL Servers &#038; Databases<\/em><\/a><em>)<\/em><\/p>\n<p>This principle states that <u>a user shall only have access to the information that their job function requires, regardless of their security clearance level or other approvals<\/u>.<br \/>\nIn other words: a User needs permissions AND a Need-to-know. 
And that Need-to-know is strictly bound to a real requirement for the User to fulfill their current role.<br \/>\nAs you might be able to tell by the choice of words, the Need-to-know principle is typically enforced in military or governmental environments.<br \/>\nSometimes, in non-military scenarios, you will also find a slightly different description which states in weaker terms that access to data must be regularly <u>reviewed<\/u> to ensure that users only access data they strictly need for legitimate reasons. This is enforcement by regulation or rule rather than by permissions and can be sufficient in the private sector.<br \/>\nIn information technology the Need-to-know can be implemented by using mandatory access control (MAC)* as well as discretionary access control (DAC)* in conjunction with a secondary control system.<\/p>\n<p><em>*links to further reading below this article<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>Background<\/em><br \/>\nSQL Server uses discretionary access control, as owners of objects (and the highest \u201cowner\u201d is the sa-account) can pass permissions to individuals. A MAC-based system is traditionally based on a multilevel security (MLS) operating environment working with <strong><em>Classifications<\/em><\/strong> of assets and security clearances of Users, and can be extended to require other mandated factors such as a Need-to-know.<br \/>\nIn the Windows world a Multiple single-level (MSL) approach is often used: essentially keeping different levels of data (i.e. \u201cSecret\u201d and \u201cTop Secret\u201d) on different servers or even within different environments.<\/p>\n<p>For the secondary control system there is no specific type that needs to be used. Anything that can enforce this principle is good.<br \/>\nIf no secondary control system is available, Auditing of access can be used to control adherence to the Need-to-Know protocols in place. 
Auditing does not prevent a breach, but it can make sure it does not go undetected and without consequences, whichever those may be.<\/p>\n<p style=\"padding-left: 30px;\"><em>Note<\/em><br \/>\nThe Need-to-know principle may require much more diligence and particularly different procedures than the often-used discretionary or role-based access control \u2013 as under Windows Server, the Azure RBAC system or SQL Server. This depends on the exact implementation of the Need-to-know factor within the system. When a user changes job roles it needs to be ensured that the Need-to-know is adjusted immediately.<\/p>\n<\/div><\/section><\/div>\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-1jb5sv9-4b8c10156343328239e03dc7e0f6f899\">\n.flex_column.av-1jb5sv9-4b8c10156343328239e03dc7e0f6f899{\nborder-radius:0px 0px 0px 0px;\npadding:0px 0px 0px 0px;\n}\n<\/style>\n<div  class='flex_column av-1jb5sv9-4b8c10156343328239e03dc7e0f6f899 av_one_full  avia-builder-el-2  el_after_av_one_full  el_before_av_one_full  first flex_column_div av-zero-column-padding  column-top-margin'     ><section  class='av_textblock_section av-1hzkmhh-54b2267566c80b0ca2385f82ec0a67b1 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h4>Generic example scenario<\/h4>\n<p>A database contains the technical specifications of all products the company produces worldwide.<br \/>\nData can be classified as \u201cPublic\u201d, \u201cInternal\u201d or \u201cRestricted\u201d.<br \/>\nA User, Hoang, has been granted read-permission to all tables that contain data for his job function. He has clearance for anything \u201cInternal\u201d \u2013 including anything below, which in this case is \u201cPublic\u201d. 
In effect, he cannot read tables which are classified \u201cRestricted\u201d.<br \/>\nIn addition to that, he has a Need-to-know only for data concerning a certain project: \u201cKilimanjaro\u201d.<br \/>\nSo while many other project details are considered \u201cInternal\u201d, with the Need-to-know he can only see those belonging to the project he is assigned to: \u201cKilimanjaro\u201d.<br \/>\nOther users with the same clearance may have a different Need-to-know, according to their specific job function, like User Ricardo in the image below.<\/p>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-1gdlflh-b2597a17d43022f88dd8ad13d28290d6\">\n.avia-image-container.av-1gdlflh-b2597a17d43022f88dd8ad13d28290d6 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-1gdlflh-b2597a17d43022f88dd8ad13d28290d6 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-1gdlflh-b2597a17d43022f88dd8ad13d28290d6 av-styling- avia-align-center  avia-builder-el-4  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-6133 avia-img-lazy-loading-not-6133 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example1_DatabaseTables-1030x876.png\" alt='NeedToKnow_Example1_DatabaseTables' title='202102_NeedToKnow_Example1_DatabaseTables'  height=\"876\" width=\"1030\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example1_DatabaseTables-1030x876.png 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example1_DatabaseTables-600x510.png 600w, 
https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example1_DatabaseTables-300x255.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example1_DatabaseTables-768x653.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example1_DatabaseTables-1500x1276.png 1500w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example1_DatabaseTables-705x600.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example1_DatabaseTables-450x383.png 450w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example1_DatabaseTables.png 1527w\" sizes=\"(max-width: 1030px) 100vw, 1030px\" \/><\/div><\/div><\/div>\n<section  class='av_textblock_section av-1emxcgl-3749f0cd82d0a8b3f2dcc287f1b309b7 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p style=\"padding-left: 30px;\"><em>Tip<\/em><br \/>\nA simple way to picture the Need-to-know principle is to think of it as adding a filter on a secondary axis, in addition to the existing access control system. 
The exact mechanics depend on the implementation.<\/p>\n<p>This simple example assumes that individual data objects within a database are classified differently.<\/p>\n<p style=\"padding-left: 30px;\"><em>Note<\/em><br \/>\nAdditional control via a Need-to-know on data classified \u201cPublic\u201d, or some equivalent, does not make sense.<\/p>\n<\/div><\/section><\/div>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-1cird1h-79680da324cc452e9e58e1da9cb2a801\">\n.flex_column.av-1cird1h-79680da324cc452e9e58e1da9cb2a801{\nborder-radius:0px 0px 0px 0px;\npadding:0px 0px 0px 0px;\n}\n<\/style>\n<div  class='flex_column av-1cird1h-79680da324cc452e9e58e1da9cb2a801 av_one_full  avia-builder-el-6  el_after_av_one_full  el_before_av_one_full  first flex_column_div av-zero-column-padding  column-top-margin'     ><section  class='av_textblock_section av-1bg61lx-2e15d09d8d30ad8d2e486cd57e133f5c '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h4>Example scenario: military use case<\/h4>\n<p>The above example may look strange if you are familiar with, for example, military environments. There, \u201cTop Secret\u201d data will never be located within the same environment as \u201cSecret\u201d data, let alone \u201cUnclassified\u201d data.<\/p>\n<p>A simplified scenario which is somewhat more realistic in such environments is depicted below. 
A given user Nathan may have \u201cTop Secret\u201d Clearance, but according to his Need-to-know would only ever get to see data concerning \u201cAlpha\u201d.<\/p>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-1a2y511-111fd84c8fed5f5a8241ec96affb1031\">\n.avia-image-container.av-1a2y511-111fd84c8fed5f5a8241ec96affb1031 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-1a2y511-111fd84c8fed5f5a8241ec96affb1031 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-1a2y511-111fd84c8fed5f5a8241ec96affb1031 av-styling- avia-align-center  avia-builder-el-8  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-6135 avia-img-lazy-loading-not-6135 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example2_Datacenters-1030x647.png\" alt='NeedToKnow_Example2_Datacenters' title='202102_NeedToKnow_Example2_Datacenters'  height=\"647\" width=\"1030\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example2_Datacenters-1030x647.png 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example2_Datacenters-600x377.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example2_Datacenters-300x188.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example2_Datacenters-768x483.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example2_Datacenters-705x443.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example2_Datacenters-450x283.png 450w, 
https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Example2_Datacenters.png 1485w\" sizes=\"(max-width: 1030px) 100vw, 1030px\" \/><\/div><\/div><\/div>\n<section  class='av_textblock_section av-17t73yd-c385e3363962fc15113962df62977f99 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Or, in other words: just because Nathan has a Top Secret clearance does not mean he can see Top Secret data. He must have a Need-to-know (and in fact additional add-ons). Otherwise, all such data would be redacted.<\/p>\n<\/div><\/section><\/div>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-15jvxv9-1f96c25c2c0ea79ea3b5151c1aa9c7fe\">\n.flex_column.av-15jvxv9-1f96c25c2c0ea79ea3b5151c1aa9c7fe{\nborder-radius:0px 0px 0px 0px;\npadding:0px 0px 0px 0px;\n}\n<\/style>\n<div  class='flex_column av-15jvxv9-1f96c25c2c0ea79ea3b5151c1aa9c7fe av_one_full  avia-builder-el-10  el_after_av_one_full  el_before_av_one_full  first flex_column_div av-zero-column-padding  column-top-margin'     ><section  class='av_textblock_section av-14g598l-ff07645cb17e4f25c00ee30407cd5e33 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h4><a name=\"_Toc58433750\"><\/a>Need-to-know in the SQL realm<\/h4>\n<p>SQL Server does not have a native security feature strictly built to enforce a Need-to-know concept. The SQL engine does not have a MAC system integrated at this time. The permission system of SQL Server is based on user identities and owners who can grant permissions, and is thus considered a DAC system (discretionary access control).<\/p>\n<p>But this is not the end of the line. 
There are ways to extend this to a Need-to-know system.<\/p>\n<h5>Using encryption<\/h5>\n<p>One technique is to use <strong><em>Cell-Level encryption<\/em><\/strong>: One can encrypt values in specific cells, along the column and\/or row axis (using custom logic), and the decryption key can be made accessible to multiple personae while excluding others.<\/p>\n<p>In the code snippets below we can see that two doctors are assigned the same minimal privileges on a table named \u201cPatients\u201d \u2013 simply by putting them into the same database role (as a general best practice).<\/p>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-137ue45-4b44126fe2204de9e77438f68632426c\">\n.avia-image-container.av-137ue45-4b44126fe2204de9e77438f68632426c img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-137ue45-4b44126fe2204de9e77438f68632426c .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-137ue45-4b44126fe2204de9e77438f68632426c av-styling- avia-align-center  avia-builder-el-12  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-6168 avia-img-lazy-loading-not-6168 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_1-2.png\" alt='NeedToKnow_Encryption_1' title='202102_NeedToKnow_Encryption_1'  height=\"642\" width=\"900\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_1-2.png 900w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_1-2-600x428.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_1-2-300x214.png 300w, 
https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_1-2-768x548.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_1-2-260x185.png 260w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_1-2-705x503.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_1-2-450x321.png 450w\" sizes=\"(max-width: 900px) 100vw, 900px\" \/><\/div><\/div><\/div>\n<section  class='av_textblock_section av-11khwj9-47ef56844082095201f047f2c61f54f5 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>In the next step we can see that each doctor will have one Certificate, which is the protector of one symmetric key \u2013 one distinct key per certificate.<\/p>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-10d4otx-fd1d63fd473b2d70d41b6205adfd6f54\">\n.avia-image-container.av-10d4otx-fd1d63fd473b2d70d41b6205adfd6f54 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-10d4otx-fd1d63fd473b2d70d41b6205adfd6f54 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-10d4otx-fd1d63fd473b2d70d41b6205adfd6f54 av-styling- avia-align-center  avia-builder-el-14  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-6121 avia-img-lazy-loading-not-6121 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_2-1030x829.png\" alt='' title='202102_NeedToKnow_Encryption_2'  height=\"829\" width=\"1030\"  itemprop=\"thumbnailUrl\" 
srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_2-1030x829.png 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_2-600x483.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_2-300x242.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_2-768x618.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_2-705x568.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_2-450x362.png 450w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_2.png 1464w\" sizes=\"(max-width: 1030px) 100vw, 1030px\" \/><\/div><\/div><\/div>\n<section  class='av_textblock_section av-xkt5ed-fb3a635782f7be4cccb49dc40b3b209f '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>This is what the system then contains:<\/p>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-3a3w0l-499074c60e955d8bf982d653367ce016\">\n.avia-image-container.av-3a3w0l-499074c60e955d8bf982d653367ce016 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-3a3w0l-499074c60e955d8bf982d653367ce016 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-3a3w0l-499074c60e955d8bf982d653367ce016 av-styling- avia-align-center  avia-builder-el-16  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-6173 avia-img-lazy-loading-not-6173 avia_image ' 
src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_3-1-1030x343.png\" alt='' title='202102_NeedToKnow_Encryption_3'  height=\"343\" width=\"1030\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_3-1-1030x343.png 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_3-1-600x200.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_3-1-300x100.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_3-1-768x256.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_3-1-705x235.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_3-1-450x150.png 450w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_3-1.png 1380w\" sizes=\"(max-width: 1030px) 100vw, 1030px\" \/><\/div><\/div><\/div>\n<section  class='av_textblock_section av-ujotn9-681b98859c3f27258d52f23e64046194 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Now each doctor needs to have access to just \u201chis\u201d personal key. 
For this the VIEW DEFINITION permission is sufficient.<\/p>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-td1rat-a58643639d6fbdea2cfbb0c36f0da3a3\">\n.avia-image-container.av-td1rat-a58643639d6fbdea2cfbb0c36f0da3a3 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-td1rat-a58643639d6fbdea2cfbb0c36f0da3a3 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-td1rat-a58643639d6fbdea2cfbb0c36f0da3a3 av-styling- avia-align-center  avia-builder-el-18  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-6171 avia-img-lazy-loading-not-6171 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_4-1.png\" alt='NeedToKnow_Encryption_4' title='202102_NeedToKnow_Encryption_4'  height=\"372\" width=\"800\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_4-1.png 800w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_4-1-600x279.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_4-1-300x140.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_4-1-768x357.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_4-1-705x328.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_4-1-450x209.png 450w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/div><\/div><\/div>\n<section  class='av_textblock_section av-s1a5fp-631c02996a9dd9c8e21c611df61a2f81 '   itemscope=\"itemscope\" 
itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>As a result, each doctor can only decrypt the data that has been encrypted with his own key.<\/p>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-pp6o8l-9ef2a8304960969a15ed1088eed09c39\">\n.avia-image-container.av-pp6o8l-9ef2a8304960969a15ed1088eed09c39 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-pp6o8l-9ef2a8304960969a15ed1088eed09c39 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-pp6o8l-9ef2a8304960969a15ed1088eed09c39 av-styling- avia-align-center  avia-builder-el-20  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-6127 avia-img-lazy-loading-not-6127 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_5-1030x741.png\" alt='' title='202102_NeedToKnow_Encryption_5'  height=\"741\" width=\"1030\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_5-1030x741.png 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_5-600x432.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_5-300x216.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_5-768x553.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_5-1500x1080.png 1500w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_5-705x508.png 705w, 
https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_5-450x324.png 450w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_5.png 1974w\" sizes=\"(max-width: 1030px) 100vw, 1030px\" \/><\/div><\/div><\/div>\n<section  class='av_textblock_section av-nh0vcl-d3db64e27dda46aa24fbacb8598111bc '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p style=\"padding-left: 30px;\"><em>Note<\/em><br \/>\nThe NULL values in the \u201cSymptoms\u201d column are returned for those cells where the DecryptByKey function cannot decrypt the data with the currently loaded key(s).<br \/>\nThis column\u2019s data is essentially only accessible on a <strong><em>Need-to-know<\/em><\/strong> basis.<\/p>\n<\/div><\/section><\/div>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-myskt1-f894974b73ef56d144e87187e66562d8\">\n.flex_column.av-myskt1-f894974b73ef56d144e87187e66562d8{\nborder-radius:0px 0px 0px 0px;\npadding:0px 0px 0px 0px;\n}\n<\/style>\n<div  class='flex_column av-myskt1-f894974b73ef56d144e87187e66562d8 av_one_full  avia-builder-el-22  el_after_av_one_full  el_before_av_one_full  first flex_column_div av-zero-column-padding  column-top-margin'     ><section  class='av_textblock_section av-kiuur9-460a224900126d7eac1703f73df7dab2 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>It is also possible to enable multiple personae to use the same keys. 
This can be done by adding encryption by additional certificates to the same symmetric key as shown here.<\/p>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-jf5gf9-5af5e66735f721d0daeebf42f7acfb00\">\n.avia-image-container.av-jf5gf9-5af5e66735f721d0daeebf42f7acfb00 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-jf5gf9-5af5e66735f721d0daeebf42f7acfb00 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-jf5gf9-5af5e66735f721d0daeebf42f7acfb00 av-styling- avia-align-center  avia-builder-el-24  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-6129 avia-img-lazy-loading-not-6129 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_6-1030x946.png\" alt='' title='202102_NeedToKnow_Encryption_6'  height=\"946\" width=\"1030\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_6-1030x946.png 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_6-600x551.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_6-300x275.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_6-768x705.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_6-1500x1377.png 1500w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_6-705x647.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_6-450x413.png 450w, 
https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_Encryption_6.png 1737w\" sizes=\"(max-width: 1030px) 100vw, 1030px\" \/><\/div><\/div><\/div>\n<section  class='av_textblock_section av-hxc31x-d2405faf37f9bb5a86c93ac791fdbe3e '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>In theory, the <strong><em>Always Encrypted<\/em><\/strong> feature can also be used to enforce a Need-to-know system, by assigning different keys to different columns. The principle is that different users can be granted the same permissions (SELECT, INSERT, UPDATE and\/or DELETE) on the table while accessing the tables via different applications with access to different keys. Since the keys are cached within the process, though, this separation cannot be implemented in a straightforward way and would only work in scenarios where different application processes can be separated, like on different machines.<\/p>\n<p style=\"padding-left: 30px;\"><em>Security-Note<br \/>\n<\/em>Can\u2019t say this enough: more often than one may wish for, I see examples of Credit Cards or Social Security Numbers being stored in a way that leaves the last 4 digits in clear-text. (Famous question for call-center Agents but also bad actors!) Do not do that. Those last digits are the random pieces of those important numbers. The first blocks are fairly static and not personalized.<br \/>\nHere you can read more on how those can be abused: <a href=\"https:\/\/www.wired.com\/2012\/08\/apple-amazon-mat-honan-hacking\/\" target=\"_blank\" rel=\"noopener\">How Apple and Amazon Security Flaws Led to My Epic Hacking | WIRED<\/a>, <a href=\"https:\/\/consumerboomer.com\/what-can-a-scammer-do-with-the-last-4-digits-of-your-social\/\" target=\"_blank\" rel=\"noopener\">What Can A Scammer Do With the Last 4 Digits of Your Social Security Number? 
| Consumer Boomer<\/a><\/p>\n<\/div><\/section><\/div>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-g45jqt-2ffbb35fa62db7b29e82111f88288412\">\n.flex_column.av-g45jqt-2ffbb35fa62db7b29e82111f88288412{\nborder-radius:0px 0px 0px 0px;\npadding:0px 0px 0px 0px;\n}\n<\/style>\n<div  class='flex_column av-g45jqt-2ffbb35fa62db7b29e82111f88288412 av_one_full  avia-builder-el-26  el_after_av_one_full  el_before_av_textblock  first flex_column_div av-zero-column-padding  column-top-margin'     ><section  class='av_textblock_section av-ehy7n9-340f52a275e2a964ab4f21fd1205c919 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h5>Using Row Level Security for the Application<\/h5>\n<p>There is another feature within SQL that can help implement a Need-to-know system: When access can be restricted to certain Applications (and users cannot directly connect to the database), <strong><em>Row Level Security<\/em><\/strong> (RLS) can be used to implement such a system.<br \/>\nThe concept here is to store information in the database that can be looked up by a special table-valued function, which uses information from the current user\u2019s context to apply a filter to the query. This is all done without requiring a rewrite of the calling statement, as this function is bound to the table that requires the filtering by means of a security policy.<\/p>\n<p style=\"padding-left: 30px;\"><em>Security-Note<\/em><br \/>\n<em>Row Level Security<\/em> is not a security feature but a programmability feature which can be used to implement security mechanisms when it can be ensured that users cannot query the database directly. It is important to enforce this. 
Also, it cannot be used to protect against Database Administrators or even Developers on the same database.<\/p>\n<p>Here is how such a function and security policy can look:<\/p>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-d3qxx1-c73c1d17d3697a7af242e6e309372a96\">\n.avia-image-container.av-d3qxx1-c73c1d17d3697a7af242e6e309372a96 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-d3qxx1-c73c1d17d3697a7af242e6e309372a96 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-d3qxx1-c73c1d17d3697a7af242e6e309372a96 av-styling- avia-align-center  avia-builder-el-28  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-6137 avia-img-lazy-loading-not-6137 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS1-1030x570.png\" alt='' title='202102_NeedToKnow_RLS1'  height=\"570\" width=\"1030\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS1-1030x570.png 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS1-600x332.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS1-300x166.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS1-768x425.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS1-705x390.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS1-450x249.png 450w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS1.png 1276w\" sizes=\"(max-width: 1030px) 100vw, 1030px\" 
\/><\/div><\/div><\/div>\n<section  class='av_textblock_section av-a7il1h-82e75ffcef9160e08c4869a87b4af5ab '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>When the table (in this case \u201cPatients\u201d) is queried, SQL Server changes the query plan to join in the function and apply the filter, in this case based on the current user\u2019s SID, which is stored in the table \u201cStaffDuties\u201d.<\/p>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-99gl8l-8544a959afe1555794d2cac23ab9e6cd\">\n.avia-image-container.av-99gl8l-8544a959afe1555794d2cac23ab9e6cd img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-99gl8l-8544a959afe1555794d2cac23ab9e6cd .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-99gl8l-8544a959afe1555794d2cac23ab9e6cd av-styling- avia-align-center  avia-builder-el-30  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-6139 avia-img-lazy-loading-not-6139 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS2-1030x582.png\" alt='' title='202102_NeedToKnow_RLS2'  height=\"582\" width=\"1030\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS2-1030x582.png 1030w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS2-600x339.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS2-300x169.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS2-768x434.png 768w, 
https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS2-705x398.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS2-450x254.png 450w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS2.png 1321w\" sizes=\"(max-width: 1030px) 100vw, 1030px\" \/><\/div><\/div><\/div>\n<section  class='av_textblock_section av-77ic6t-a20df679843102a288aa7afe41e606cb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>This means that only staff working in the same wing in which the patient resides can access the patient\u2019s data, regardless of their overall access permissions, as depicted below.<\/p>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-5xx6ed-f3c85aad1040f4f2001834d7183e4eb0\">\n.avia-image-container.av-5xx6ed-f3c85aad1040f4f2001834d7183e4eb0 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-5xx6ed-f3c85aad1040f4f2001834d7183e4eb0 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-5xx6ed-f3c85aad1040f4f2001834d7183e4eb0 av-styling- avia-align-center  avia-builder-el-32  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-6141 avia-img-lazy-loading-not-6141 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS3-1030x464.png\" alt='' title='202102_NeedToKnow_RLS3'  height=\"464\" width=\"1030\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS3-1030x464.png 1030w, 
https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS3-600x270.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS3-300x135.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS3-768x346.png 768w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS3-1500x676.png 1500w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS3-705x318.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS3-450x203.png 450w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2021\/03\/202102_NeedToKnow_RLS3.png 1844w\" sizes=\"(max-width: 1030px) 100vw, 1030px\" \/><\/div><\/div><\/div>\n<section  class='av_textblock_section av-4jhrgl-3fd850477a7040f4933d232e4f4c6cf6 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>You can find code examples in the online documentation: <a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/relational-databases\/security\/row-level-security?view=sql-server-ver15\" target=\"_blank\" rel=\"noopener\">Row-Level Security &#8211; SQL Server | Microsoft Docs<\/a>.<\/p>\n<p>Something similar can be done with custom stored procedures that contain the respective logic. The same applies here: this can only be seen as an application-level convenience, not as the foundation of a Need-to-know system.<\/p>\n<p>It can make perfect sense to combine RLS and Always Encrypted to enforce Need-to-know even in the case of admin access.<\/p>\n<p>Again, these are just some examples of how the Need-to-Know principle can be implemented. 
As I said, there is no one golden rule about this.<\/p>\n<p>Happy securing<\/p>\n<p>Andreas<\/p>\n<\/div><\/section><\/div>\r\n\r\n<section  class='av_textblock_section av-2k2lqd-08bfe9c41358d202a795d9ca8c3428a7 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p><strong>Thank you to my Reviewers:<\/strong><br \/>\nAdrian Rupp, Senior Program Manager in SQL Security with special knowledge in military scenarios<br \/>\nJakub Szymaszek, Principal Program Manager in SQL Security on the encryption parts<br \/>\nRohit Nayak, Senior Program Manager in SQL Security<br \/>\nDilli Dorai Minnal Arumugam, Principal Software Engineer in Data-Governance<\/p>\n<h4><a name=\"_Toc58433751\"><\/a>Resources<\/h4>\n<ul>\n<li>Wikipedia: <a href=\"https:\/\/en.wikipedia.org\/wiki\/Need_to_know\" target=\"_blank\" rel=\"noopener\">https:\/\/en.wikipedia.org\/wiki\/Need_to_know<\/a><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Mandatory_access_control\" target=\"_blank\" rel=\"noopener\">Mandatory access control &#8211; Wikipedia<\/a><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Multilevel_security\" target=\"_blank\" rel=\"noopener\">Multilevel security &#8211; Wikipedia<\/a><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Multiple_single-level\" target=\"_blank\" rel=\"noopener\">Multiple single-level &#8211; Wikipedia<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secauthz\/mandatory-integrity-control\" target=\"_blank\" rel=\"noopener\">Mandatory Integrity Control &#8211; Win32 apps | Microsoft Docs<\/a><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Classified_information\" target=\"_blank\" rel=\"noopener\">Classified information &#8211; Wikipedia<\/a><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Discretionary_access_control\" target=\"_blank\" rel=\"noopener\">Discretionary access control &#8211; 
Wikipedia<\/a><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Sanitization_(classified_information)\" target=\"_blank\" rel=\"noopener\">Sanitization (classified information) &#8211; Wikipedia<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/role-based-access-control\/overview\" target=\"_blank\" rel=\"noopener\">What is Azure role-based access control (Azure RBAC)? | Microsoft Docs<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/relational-databases\/security\/encryption\/always-encrypted-database-engine?view=sql-server-ver15\" target=\"_blank\" rel=\"noopener\">Always Encrypted &#8211; SQL Server | Microsoft Docs<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/relational-databases\/security\/encryption\/always-encrypted-enclaves?view=sql-server-ver15\" target=\"_blank\" rel=\"noopener\">Always Encrypted with secure enclaves &#8211; SQL Server | Microsoft Docs<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/relational-databases\/security\/encryption\/encrypt-a-column-of-data?view=sql-server-ver15\" target=\"_blank\" rel=\"noopener\">Encrypt a Column of Data &#8211; SQL Server &#038; Azure Synapse Analytics &#038; Azure SQL Database &#038; SQL Managed Instance | Microsoft Docs<\/a><\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/relational-databases\/security\/row-level-security\" target=\"_blank\" rel=\"noopener\">Row-Level Security in SQL 
Server<\/a><\/li>\n<\/ul>\n<\/div><\/section>","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":6133,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[337,57],"tags":[27,232],"class_list":["post-6149","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-encryption-en","category-security-en","tag-security-en","tag-sicherheit-en"],"_links":{"self":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/comments?post=6149"}],"version-history":[{"count":6,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6149\/revisions"}],"predecessor-version":[{"id":6922,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/6149\/revisions\/6922"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media\/6133"}],"wp:attachment":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media?parent=6149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/categories?post=6149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/tags?post=6149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}