Security Implementation

The following constraints are imposed on the customer_credit_cards table.

A. Primary Key
This is imposed via the statement CONSTRAINT PK_customer_credit_cards PRIMARY
KEY(cc_id).
The primary key uniquely identifies each tuple/row and enforces integrity constraints to
the table.
It can only be one in a table.
It cannot accept duplicates or NULL values.
B. Foreign Key
This is imposed via the statement FOREIGN KEY(customer_id) REFERENCES
Sales.Customers(customer_id);
The foreign key is used to connect two tables by referencing a column from one table to
the other. The referenced table has a primary key that is then referenced in another table
called the child table.
In simple words the foreign key points to a value on another table on the primary key
column
You can have multiple foreign keys in a table, referencing external primary keys in
multiple tables.
The foreign key also accepts duplicated and the null value.
C. Unique Key
This is imposed via the statement UNIQUE(credit_card_number);
This key uniquely identifies a tuple in a relation or table.
You can have multiple unique keys in a table.
It accept duplicates or NULL values.
It can be used when someone wants to enforce unique constraints on a column and a
group of columns which is not a primary key.

PERMISSIONS AND ROLES.

Through these statements;
ALTER ROLE GeneralUser
ADD MEMBER Will;
GO
ALTER ROLE Salesperson
ADD MEMBER Vanessa;
GO
The user Will is added to the role GeneralUser, hence adopting the permissions belonging to that
specific role.
The Vanessa is added to the role SalesPerson that also means she will adopt all the permissions
for SalesPerson.

An error occurs when the user Will tries to view the contents of the table Sales.staffs. It occurs,
as the role GeneralUser does not have any permissions on the table and Will via inheritance,
does not either.

Data Masking
Let us discuss the first two alter statements applied on the database.
ALTER TABLE Sales.customer_credit_cards
ALTER COLUMN credit_card_number VARCHAR(50)
MASKED WITH (FUNCTION = 'partial(0,"XXXXXXXXXXXX",0)');
GO
The above statements applies a partial masking function to the column credit_card_number of
the table
Sales.customer_credit_cards. It applies a partial custom string mask, with the format prefix,
[padding],suffix Where the prefix and suffix specify how many letters will be exposed at the
start and at the end of the content. In this case the mask does not expose the first or last letter as
the prefix and suffix are zero (0,"XXXXXXXXXXXX",0)');
ALTER TABLE Sales.customers
ALTER COLUMN email VARCHAR(255)
MASKED WITH (FUNCTION = 'email()');
GO
The above statement applies an Email Masking function to the column email on the
Sales.customers table.
The Email masking method exposes the first letter of the emails and the constant suffix .com in
the form of an email address. dXXX@XXXX.com .
The following statement grants the role Salesperson the ability to unmask on the database.
GRANT UNMASK TO Salesperson;
GO
By this statement, the members of the role Salesperson are able to view the data of the columns
to which masking functions are defined.
This is shown as the user Vanessa is able to view the contents of the two masked columns as
compared to the user WILL, as shown below.
EXECUTE AS USER = 'Vanessa';
SELECT * FROM Sales.customer_credit_cards;
REVERT;
GO

EXECUTE AS USER = 'Will';

SELECT * FROM Sales.customer_credit_cards;
REVERT;
GO

EXECUTE AS USER = 'Vanessa';

SELECT * FROM Sales.customers;
REVERT;
GO

EXECUTE AS USER = 'Will';

SELECT * FROM Sales.customers;
REVERT;
GO

However, it should be noted that the UNMASK permission only works when the role or the user
has SELECT permissions on the columns. In this case, the role Salesperson has SELECT
permissions on the tables, therefore this works splendidly.

Column Encryption
Discuss what transpires with each command/statement. What is the difference between
symmetric and asymmetric keys? What are the challenges associated with each encryption key
type?

In the statements used a master is first created using the following statement.

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@$$w0rd';

The master key is a symmetric key used to protect the private keys of certificates and asymmetric
keys that are present in the database. It is encrypted using the AES_256 algorithm and a user-
supplied password, which in this case is P@$$w0rd.
In the following statement the certificate BileStores_Cert is created.

CREATE CERTIFICATE BikeStores_Cert

WITH SUBJECT = 'BikeStores data protection';
GO

The above certificate is then used to encrypt a symmetric key as shown below.
CREATE SYMMETRIC KEY BikeStores_SymKey
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE BikeStores_Cert;

In most cases an extra table where the encrypted data is to be inserted is created. In this case, as
shown in the statement below, the table is known as the Credit_card_number_encrypt with the
character type varbinary.
ALTER TABLE Sales.customer_credit_cards
ADD credit_card_number_encrypt varbinary(MAX);
GO

The symmetric key is the opened up and decrypted by the certificate so that it can be used to
encrypt a column and save that data in the new column.
OPEN SYMMETRIC KEY BikeStores_SymKey
DECRYPTION BY CERTIFICATE BikeStores_Cert;
GO

UPDATE Sales.customer_credit_cards
SET credit_card_number_encrypt = EncryptByKey (Key_GUID('BikeStores_SymKey'),
credit_card_number)
FROM Sales.customer_credit_cards;
GO

The above statement shows the addition of data to the new column credit_card_number_encrypt,
where the data derived from the credit_card_number column is used to populate the column after
encryption using the key in the function EncryptByKey.
After the task is complete the symmetric key is then closed using the statement below.
CLOSE SYMMETRIC KEY BikeStores_SymKey;
GO
The key is also opened at the end and a SELECT statement used to show the contents of both
columns in comparison with each other as shown below.
SELECT first_name, last_name, credit_card_number_encrypt AS 'Encrypted Data',
CONVERT(VARCHAR, DecryptByKey(credit_card_number_encrypt)) AS 'Decrypted Credit
Card Number'
FROM Sales.customers C INNER JOIN Sales.customer_credit_cards CCC
ON C.customer_id = CCC.customer_id;

The main difference between symmetric and asymmetric keys is where symmetric keys use the
same secret key to encrypt and decrypt data while asymmetric keys use mathematically linked
public and private key pairs to encrypt the data.
Symmetric keys pose a major security risk in that it is just one key used to encrypt and decrypt.
They can be viewed as a weak link for the database, such that in the case of a hacking attempt
where the hacker or malicious user is able to acquire the key they are able to perform unknown
and unmitigated data edits on the database.
Another disadvantage is that the key needs to be protected in transit and at rest since it might
need to be transmitted over the network.

As for asymmetric keys, the main disadvantage is speed and performance. Due to their longer
key lengths, not to mention that asymmetric encryption calculations tend to be much more
complex than their symmetric counterparts.