# Sensitive data classification

Until now this was done through SSMS, with the classification stored in database metadata. It is now integrated into the system catalog and into T-SQL itself.

__IMPORTANT:__ This demo runs against the default container generated from https://github.com/enriquecatala/mssql-server-samplesdb

## Cleanup
Clean up any previous runs


In [2]:
```sql
-- Step 1: In case you have run these demos before drop existing classifications
USE WideWorldImporters
GO
IF EXISTS (SELECT * FROM sys.sensitivity_classifications sc WHERE object_id('[Application].[PaymentMethods]') = sc.major_id)
BEGIN
	DROP SENSITIVITY CLASSIFICATION FROM [Application].[PaymentMethods].[PaymentMethodName]
END
GO
IF EXISTS (SELECT * FROM sys.sensitivity_classifications sc WHERE object_id('[Application].[People]') = sc.major_id)
BEGIN
	DROP SENSITIVITY CLASSIFICATION FROM [Application].[People].[FullName]
	DROP SENSITIVITY CLASSIFICATION FROM [Application].[People].[EmailAddress]
END
GO
```

## Open the Data Discovery and Classification menu
And do a first review

![Launch Data Classification](./media/SilentDataTruncation/1.png)
![Launch Data Classification](./media/SilentDataTruncation/2.png)

Check all the options and accept

![Launch Data Classification](./media/SilentDataTruncation/3.png)

When you do, this is what gets launched:

![Launch Data Classification](./media/SilentDataTruncation/6.png)

Now go to the report ![Launch Data Classification](./media/SilentDataTruncation/4.png) and look at the result

![Launch Data Classification](./media/SilentDataTruncation/5.png)


## View the same information with T-SQL
In SQL Server 2019 the classification is stored in the database catalog, not in extended properties as in earlier versions. Thanks to this we can write a query like the following to read the classification

In [3]:
```sql
USE WideWorldImporters
GO
SELECT o.name as table_name, c.name as column_name, sc.information_type, sc.information_type_id, sc.label, sc.label_id
FROM sys.sensitivity_classifications sc
JOIN sys.objects o ON o.object_id = sc.major_id
JOIN sys.columns c ON c.column_id = sc.minor_id
                    AND c.object_id = sc.major_id
ORDER BY sc.information_type, sc.label
GO
```

```text
table_name,column_name,information_type,information_type_id,label,label_id
Suppliers,BankAccountBranch,Banking,8a462631-4130-0a31-9a52-c6a9ca125f92,Confidential,331f0b13-76b5-2f1b-a77b-def5a73c73c2
Suppliers,BankAccountCode,Banking,8a462631-4130-0a31-9a52-c6a9ca125f92,Confidential,331f0b13-76b5-2f1b-a77b-def5a73c73c2
Suppliers,BankAccountName,Banking,8a462631-4130-0a31-9a52-c6a9ca125f92,Confidential,331f0b13-76b5-2f1b-a77b-def5a73c73c2
Suppliers,BankAccountNumber,Banking,8a462631-4130-0a31-9a52-c6a9ca125f92,Confidential,331f0b13-76b5-2f1b-a77b-def5a73c73c2
Suppliers_Archive,BankAccountBranch,Banking,8a462631-4130-0a31-9a52-c6a9ca125f92,Confidential,331f0b13-76b5-2f1b-a77b-def5a73c73c2
Suppliers_Archive,BankAccountCode,Banking,8a462631-4130-0a31-9a52-c6a9ca125f92,Confidential,331f0b13-76b5-2f1b-a77b-def5a73c73c2
Suppliers_Archive,BankAccountName,Banking,8a462631-4130-0a31-9a52-c6a9ca125f92,Confidential,331f0b13-76b5-2f1b-a77b-def5a73c73c2
Suppliers_Archive,BankAccountNumber,Banking,8a462631-4130-0a31-9a52-c6a9ca125f92,Confidential,331f0b13-76b5-2f1b-a77b-def5a73c73c2
Suppliers_Archive,DeliveryAddressLine1,Contact Info,5c503e21-22c6-81fa-620b-f369b8ec38d1,Confidential,331f0b13-76b5-2f1b-a77b-def5a73c73c2
Suppliers_Archive,DeliveryAddressLine2,Contact Info,5c503e21-22c6-81fa-620b-f369b8ec38d1,Confidential,331f0b13-76b5-2f1b-a77b-def5a73c73c2
```


## Add your own classifications
With the _ADD SENSITIVITY CLASSIFICATION TO_ clause we can create our own classifications

```sql
ADD SENSITIVITY CLASSIFICATION TO
    <object_name> [, ...n ]
    WITH ( <sensitivity_option> [, ...n ] )     

<object_name> ::=
{
    [schema_name.]table_name.column_name
}

<sensitivity_option> ::=  
{   
    LABEL = string |
    LABEL_ID = guidOrString |
    INFORMATION_TYPE = string |
    INFORMATION_TYPE_ID = guidOrString | 
    RANK = NONE | LOW | MEDIUM | HIGH | CRITICAL
}
``` 



In [4]:
```sql
-- Step 1: Add the classification
ADD SENSITIVITY CLASSIFICATION TO
[Application].[People].[EmailAddress]
WITH (LABEL='PII', INFORMATION_TYPE='Email')
GO
```

Now let's see what we have

In [5]:
```sql
-- Step 2: View the new classification
USE WideWorldImporters
GO
SELECT o.name as table_name, c.name as column_name, sc.information_type, sc.information_type_id, sc.label, sc.label_id
FROM sys.sensitivity_classifications sc
JOIN sys.objects o ON o.object_id = sc.major_id
JOIN sys.columns c ON c.column_id = sc.minor_id AND c.object_id = sc.major_id
WHERE o.name = 'People' and c.name = 'EmailAddress'
ORDER BY sc.information_type, sc.label
GO
```

```text
table_name,column_name,information_type,information_type_id,label,label_id
People,EmailAddress,Email,,PII,
```
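Note that the classification above was added without `LABEL_ID` / `INFORMATION_TYPE_ID`, so both ID columns come back empty. The following is an added example, not part of the original notebook: it classifies two more columns reusing the built-in "Confidential" / "Contact Info" IDs visible in the catalog output above and sets a `RANK`, then runs an inventory check (flagging classifications that carry no IDs) and a coverage check that generates statements for e-mail-looking columns that are still unclassified. The `%Email%` name pattern is a constructed heuristic; review the generated statements before running them.

```sql
USE WideWorldImporters;
GO
-- One classification per column: this sets (and, if the wizard already
-- classified these columns, replaces) the classification on both columns.
ADD SENSITIVITY CLASSIFICATION TO
    Application.People.PhoneNumber,
    Application.People.FaxNumber
WITH (
    LABEL               = 'Confidential',
    LABEL_ID            = '331f0b13-76b5-2f1b-a77b-def5a73c73c2',  -- built-in id, from the catalog output above
    INFORMATION_TYPE    = 'Contact Info',
    INFORMATION_TYPE_ID = '5c503e21-22c6-81fa-620b-f369b8ec38d1',  -- built-in id, from the catalog output above
    RANK                = MEDIUM
);
GO

-- Inventory check: every classified column, its rank, and whether it was
-- added with proper IDs (the ad-hoc 'PII' label above shows as 'missing id').
SELECT  s.name AS schema_name, t.name AS table_name, c.name AS column_name,
        sc.label, sc.information_type, sc.rank_desc,
        CASE WHEN sc.label_id IS NULL OR sc.information_type_id IS NULL
             THEN 'missing id' ELSE 'ok' END AS id_status
FROM    sys.sensitivity_classifications AS sc
JOIN    sys.tables  AS t ON t.object_id = sc.major_id
JOIN    sys.schemas AS s ON s.schema_id = t.schema_id
JOIN    sys.columns AS c ON c.object_id = sc.major_id AND c.column_id = sc.minor_id
ORDER BY s.name, t.name, c.name;
GO

-- Coverage check: generate ADD SENSITIVITY CLASSIFICATION statements for
-- columns whose name suggests an e-mail address but that have no
-- classification yet. The LIKE pattern is a constructed heuristic.
SELECT  'ADD SENSITIVITY CLASSIFICATION TO '
        + QUOTENAME(s.name) + '.' + QUOTENAME(t.name) + '.' + QUOTENAME(c.name)
        + ' WITH (LABEL = ''PII'', INFORMATION_TYPE = ''Email'', RANK = HIGH);' AS statement_to_review
FROM    sys.columns AS c
JOIN    sys.tables  AS t ON t.object_id = c.object_id
JOIN    sys.schemas AS s ON s.schema_id = t.schema_id
LEFT JOIN sys.sensitivity_classifications AS sc
        ON sc.major_id = c.object_id AND sc.minor_id = c.column_id
WHERE   c.name LIKE '%Email%'
  AND   sc.major_id IS NULL
ORDER BY s.name, t.name, c.name;
GO
```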


# Auditing classified sensitive information
One of the advantages of having the classification is that SQL Server's native auditing can make use of it

## Clean up data from previous runs

In [8]:
```sql
USE WideWorldImporters
GO
IF EXISTS (SELECT * FROM sys.database_audit_specifications WHERE name = 'People_Audit')
BEGIN
	ALTER DATABASE AUDIT SPECIFICATION People_Audit 
	WITH (STATE = OFF)
	DROP DATABASE AUDIT SPECIFICATION People_Audit
END
GO
USE master
GO
IF EXISTS (SELECT * FROM sys.server_audits WHERE name = 'GDPR_Audit')
BEGIN
	ALTER SERVER AUDIT GDPR_Audit
	WITH (STATE = OFF)
	DROP SERVER AUDIT GDPR_Audit
END
GO

-- Step 2: Remove the .audit files from default or your path
-- Note: Remember for Linux installations, the default path is /var/opt/mssql/data
-- del C:\program files\microsoft sql server\mssql15.mssqlserver\mssql\data\GDPR*.audit
```

## Set up auditing for SELECTs against the table we want
Nothing special so far, since this has been native since SQL Server 2012. For more information see https://docs.microsoft.com/en-us/sql/relational-databases/security/auditing/sql-server-audit-database-engine?view=sql-server-ver15


In [9]:
```sql
USE master
GO  
CREATE SERVER AUDIT GDPR_Audit
    TO FILE (FILEPATH = '/var/opt/mssql/data')
GO  
-- Enable the server audit.   
ALTER SERVER AUDIT GDPR_Audit
WITH (STATE = ON)
GO
USE WideWorldImporters
GO  
-- Create the database audit specification.   
CREATE DATABASE AUDIT SPECIFICATION People_Audit
FOR SERVER AUDIT GDPR_Audit
ADD (SELECT ON Application.People BY public )   
WITH (STATE = ON) 
GO
```
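The audit above is enough for the demo, but as defined it has no size limit on the `.sqlaudit` files and keeps the default `ON_FAILURE = CONTINUE`, so statements still run unaudited if the target cannot be written. The following is an added example, not part of the original notebook, showing the same audit with retention and failure handling set; the size and count values are constructed choices. It reuses the `GDPR_Audit` / `People_Audit` names, so run the cleanup cell first.

```sql
USE master;
GO
-- Bounded, fail-closed version of the demo's server audit.
CREATE SERVER AUDIT GDPR_Audit
    TO FILE (
        FILEPATH = '/var/opt/mssql/data',
        MAXSIZE = 256 MB,            -- roll over to a new file at this size
        MAX_ROLLOVER_FILES = 20,     -- keep at most 20 files; oldest is deleted first
        RESERVE_DISK_SPACE = OFF )
    WITH (
        QUEUE_DELAY = 1000,          -- ms an event may wait before being flushed
        ON_FAILURE = FAIL_OPERATION  -- audited actions fail if the audit cannot be written
    );
GO
ALTER SERVER AUDIT GDPR_Audit WITH (STATE = ON);
GO

USE WideWorldImporters;
GO
-- Audit reads and writes on the classified table, plus schema changes in the
-- database (SCHEMA_OBJECT_CHANGE_GROUP records CREATE/ALTER/DROP on objects).
CREATE DATABASE AUDIT SPECIFICATION People_Audit
    FOR SERVER AUDIT GDPR_Audit
    ADD (SELECT, UPDATE, DELETE ON Application.People BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- Confirm both pieces are enabled before relying on them.
SELECT a.name AS audit_name, a.is_state_enabled AS audit_on,
       s.name AS spec_name, s.is_state_enabled AS spec_on
FROM   sys.server_audits AS a
JOIN   sys.database_audit_specifications AS s ON s.audit_guid = a.audit_guid;
GO
```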

### Let's query some data
So that the audit kicks in

In [10]:
```sql
USE WideWorldImporters
GO
SELECT * FROM [Application].[People]
GO
```

```text
PersonID,FullName,PreferredName,SearchName,IsPermittedToLogon,LogonName,IsExternalLogonProvider,HashedPassword,IsSystemUser,IsEmployee,IsSalesperson,UserPreferences,PhoneNumber,FaxNumber,EmailAddress,Photo,CustomFields,OtherLanguages,LastEditedBy,ValidFrom,ValidTo
1,Data Conversion Only,Data Conversion Only,Data Conversion Only Data Conversion Only,0,NO LOGON,0,,0,0,0,"{""theme"":""blitzer"",""dateFormat"":""yy-mm-dd"",""timeZone"": ""PST"",""table"":{""pagingType"":""full_numbers"",""pageLength"": 25},""favoritesOnDashboard"":true}",,,,,,,1,2016-05-31 23:14:00.0000000,9999-12-31 23:59:59.9999999
2,Kayla Woodcock,Kayla,Kayla Kayla Woodcock,1,kaylaw@wideworldimporters.com,0,0x616E9B558976525E7F14D780EBAE80C68586958DC97C506DB418E2E2C49E340E,1,1,1,"{""theme"":""humanity"",""dateFormat"":""dd/mm/yy"",""timeZone"": ""PST"",""table"":{""pagingType"":""full"",""pageLength"": 50},""favoritesOnDashboard"":true}",(415) 555-0102,(415) 555-0103,kaylaw@wideworldimporters.com,,"{ ""OtherLanguages"": [""Polish"",""Chinese"",""Japanese""] ,""HireDate"":""2008-04-19T00:00:00"",""Title"":""Team Member"",""PrimarySalesTerritory"":""Plains"",""CommissionRate"":""0.98""}","[""Polish"",""Chinese"",""Japanese""]",1,2016-05-31 23:14:00.0000000,9999-12-31 23:59:59.9999999
3,Hudson Onslow,Hudson,Hudson Hudson Onslow,1,hudsono@wideworldimporters.com,0,0x23668CCC579015EA934736C3D7B87E86360EB5EEE164C4368A7B103C11E3436E,1,1,1,"{""theme"":""dark-hive"",""dateFormat"":""DD, MM d, yy"",""timeZone"": ""PST"",""table"":{""pagingType"":""simple_numbers"",""pageLength"": 10},""favoritesOnDashboard"":true}",(415) 555-0102,(415) 555-0103,hudsono@wideworldimporters.com,,"{ ""OtherLanguages"": [] ,""HireDate"":""2012-03-05T00:00:00"",""Title"":""Team Member"",""PrimarySalesTerritory"":""New England"",""CommissionRate"":""3.62""}",[],1,2016-05-31 23:14:00.0000000,9999-12-31 23:59:59.9999999
4,Isabella Rupp,Isabella,Isabella Isabella Rupp,1,isabellar@wideworldimporters.com,0,0xB45E7C4E37C32FA9A5A3161B9DB1C9C1E787BB7DB424E7FD7A20895D4BFB5D31,1,1,0,"{""theme"":""ui-darkness"",""dateFormat"":""dd/mm/yy"",""timeZone"": ""PST"",""table"":{""pagingType"":""simple"",""pageLength"": 10},""favoritesOnDashboard"":true}",(415) 555-0102,(415) 555-0103,isabellar@wideworldimporters.com,,"{ ""OtherLanguages"": [""Turkish"",""Slovenian""] ,""HireDate"":""2010-08-24T00:00:00"",""Title"":""Team Member""}","[""Turkish"",""Slovenian""]",1,2016-05-31 23:14:00.0000000,9999-12-31 23:59:59.9999999
5,Eva Muirden,Eva,Eva Eva Muirden,0,evam@wideworldimporters.com,0,0xE682D36E43B6A3940ED6428B2DE3CEEDD1763C5E0EC02FFBDC35671F9B3E5F3A,1,1,0,"{""theme"":""le-frog"",""dateFormat"":""dd/mm/yy"",""timeZone"": ""PST"",""table"":{""pagingType"":""numbers"",""pageLength"": 10},""favoritesOnDashboard"":true}",(415) 555-0102,(415) 555-0103,evam@wideworldimporters.com,,"{ ""OtherLanguages"": [""Lithuanian""] ,""HireDate"":""2012-01-22T00:00:00"",""Title"":""Team Member""}","[""Lithuanian""]",1,2016-05-31 23:14:00.0000000,9999-12-31 23:59:59.9999999
6,Sophia Hinton,Sophia,Sophia Sophia Hinton,1,sophiah@wideworldimporters.com,0,0x451BB10A515F06331540DB392031F9D9BC4EF536A1F86D1CA6C7394556BAA3C0,1,1,1,"{""theme"":""black-tie"",""dateFormat"":""mm/dd/yy"",""timeZone"": ""PST"",""table"":{""pagingType"":""full_numbers"",""pageLength"": 25},""favoritesOnDashboard"":true}",(415) 555-0102,(415) 555-0103,sophiah@wideworldimporters.com,,"{ ""OtherLanguages"": [""Swedish""] ,""HireDate"":""2007-05-14T00:00:00"",""Title"":""Team Member"",""PrimarySalesTerritory"":""Southeast"",""CommissionRate"":""4.55""}","[""Swedish""]",1,2016-05-31 23:14:00.0000000,9999-12-31 23:59:59.9999999
7,Amy Trefl,Amy,Amy Amy Trefl,1,amyt@wideworldimporters.com,0,0x7A92BBEA830C5ED027DCC1D710130EED9EA50FB3E6D5F793DDEFC4B50215033F,1,1,1,"{""theme"":""ui-darkness"",""dateFormat"":""mm/dd/yy"",""timeZone"": ""PST"",""table"":{""pagingType"":""full"",""pageLength"": 50},""favoritesOnDashboard"":true}",(415) 555-0102,(415) 555-0103,amyt@wideworldimporters.com,,"{ ""OtherLanguages"": [""Slovak"",""Spanish"",""Polish""] ,""HireDate"":""2009-02-15T00:00:00"",""Title"":""Team Member"",""PrimarySalesTerritory"":""Southeast"",""CommissionRate"":""0.58""}","[""Slovak"",""Spanish"",""Polish""]",1,2016-05-31 23:14:00.0000000,9999-12-31 23:59:59.9999999
8,Anthony Grosse,Anthony,Anthony Anthony Grosse,1,anthonyg@wideworldimporters.com,0,0x2FD8B838A3C77778C990F464073AA23C0EEE019763ED6A99C77457E8691819DE,1,1,1,"{""theme"":""blitzer"",""dateFormat"":""mm/dd/yy"",""timeZone"": ""PST"",""table"":{""pagingType"":""simple_numbers"",""pageLength"": 10},""favoritesOnDashboard"":true}",(415) 555-0102,(415) 555-0103,anthonyg@wideworldimporters.com,,"{ ""OtherLanguages"": [""Croatian"",""Dutch"",""Bokmål""] ,""HireDate"":""2010-07-23T00:00:00"",""Title"":""Team Member"",""PrimarySalesTerritory"":""Mideast"",""CommissionRate"":""0.11""}","[""Croatian"",""Dutch"",""Bokmål""]",1,2016-05-31 23:14:00.0000000,9999-12-31 23:59:59.9999999
9,Alica Fatnowna,Alica,Alica Alica Fatnowna,1,alicaf@wideworldimporters.com,0,0x7DFAB08E9AC574C5B15CF19D18E5B3EB466EAC7392F4295815B08221E78EA790,1,1,0,"{""theme"":""humanity"",""dateFormat"":""mm/dd/yy"",""timeZone"": ""PST"",""table"":{""pagingType"":""simple"",""pageLength"": 10},""favoritesOnDashboard"":true}",(415) 555-0102,(415) 555-0103,alicaf@wideworldimporters.com,,"{ ""OtherLanguages"": [] ,""HireDate"":""2007-12-07T00:00:00"",""Title"":""General Manager""}",[],1,2016-05-31 23:14:00.0000000,9999-12-31 23:59:59.9999999
10,Stella Rosenhain,Stella,Stella Stella Rosenhain,1,stellar@wideworldimporters.com,0,0x1BA4B55887E2BDCB06087A20E1CC608ADDCA538BABEC0441D2D6704DCAFE2EA4,1,1,0,"{""theme"":""dark-hive"",""dateFormat"":""mm/dd/yy"",""timeZone"": ""PST"",""table"":{""pagingType"":""numbers"",""pageLength"": 10},""favoritesOnDashboard"":true}",(415) 555-0102,(415) 555-0103,stellar@wideworldimporters.com,,"{ ""OtherLanguages"": [""Dutch"",""Finnish"",""Lithuanian""] ,""HireDate"":""2007-11-17T00:00:00"",""Title"":""Warehouse Supervisor""}","[""Dutch"",""Finnish"",""Lithuanian""]",1,2016-05-31 23:14:00.0000000,9999-12-31 23:59:59.9999999
```


## Let's review the audit
Let's check what it captured


In [17]:
```sql
SELECT event_time, session_id, server_principal_name,
database_name, object_name, 
cast(data_sensitivity_information as XML) as data_sensitivity_information, 
response_rows, affected_rows,
client_ip, application_name, host_name,statement
FROM sys.fn_get_audit_file ('/var/opt/mssql/data/*.sqlaudit',default,default)
GO
```

```text
event_time,session_id,server_principal_name,database_name,object_name,data_sensitivity_information,response_rows,affected_rows,client_ip,application_name,host_name,statement
2019-11-21 10:14:48.2170126,62,sa,,,,0,0,192.168.100.1,azdata-Query,LAPTOPSOLIDQ,
2019-11-21 10:14:53.5277786,62,sa,WideWorldImporters,People,"<sensitivity_attributes><sensitivity_attribute label=""Confidential - GDPR"" label_id=""989adc05-3f3f-0588-a635-f475b994915b"" information_type=""Name"" information_type_id=""57845286-7598-22f5-9659-15b24aeb125e"" /><sensitivity_attribute label=""Confidential"" label_id=""331f0b13-76b5-2f1b-a77b-def5a73c73c2"" information_type=""Credentials"" information_type_id=""c64aba7b-3a3e-95b6-535d-3bc535da5a59"" /><sensitivity_attribute label=""Confidential"" label_id=""331f0b13-76b5-2f1b-a77b-def5a73c73c2"" information_type=""Contact Info"" information_type_id=""5c503e21-22c6-81fa-620b-f369b8ec38d1"" /><sensitivity_attribute label=""PII"" information_type=""Email"" /></sensitivity_attributes>",0,0,192.168.100.1,azdata-Query,LAPTOPSOLIDQ,SELECT * FROM [Application].[People]
2019-11-21 10:15:47.0655047,62,sa,WideWorldImporters,People,,0,0,192.168.100.1,azdata-Query,LAPTOPSOLIDQ,SELECT PreferredName FROM [Application].[People] WHERE EmailAddress LIKE '%microsoft%'
```


As we can see, the audit record carries an XML with the sensitivity information for what we queried, because with `*` we touched sensitive columns

```xml
<sensitivity_attributes>
  <sensitivity_attribute label="Confidential - GDPR" label_id="989adc05-3f3f-0588-a635-f475b994915b" information_type="Name" information_type_id="57845286-7598-22f5-9659-15b24aeb125e" />
  <sensitivity_attribute label="Confidential" label_id="331f0b13-76b5-2f1b-a77b-def5a73c73c2" information_type="Credentials" information_type_id="c64aba7b-3a3e-95b6-535d-3bc535da5a59" />
  <sensitivity_attribute label="Confidential" label_id="331f0b13-76b5-2f1b-a77b-def5a73c73c2" information_type="Contact Info" information_type_id="5c503e21-22c6-81fa-620b-f369b8ec38d1" />
  <sensitivity_attribute label="PII" information_type="Email" />
</sensitivity_attributes>
```
## Non-sensitive queries
Now let's run a query against the same table, but only filter on it and __return nothing__... let's see what happens

In [12]:
```sql
SELECT PreferredName FROM [Application].[People]
WHERE EmailAddress LIKE '%microsoft%'
GO
```

```text
PreferredName
```


# Let's look at the audit

In [16]:
```sql
SELECT event_time, session_id, server_principal_name,
database_name, object_name, 
cast(data_sensitivity_information as XML) as data_sensitivity_information, 
response_rows, affected_rows,
client_ip, application_name, host_name,statement
FROM sys.fn_get_audit_file ('/var/opt/mssql/data/*.sqlaudit',default,default)
GO
```

```text
event_time,session_id,server_principal_name,database_name,object_name,data_sensitivity_information,response_rows,affected_rows,client_ip,application_name,host_name,statement
2019-11-21 10:14:48.2170126,62,sa,,,,0,0,192.168.100.1,azdata-Query,LAPTOPSOLIDQ,
2019-11-21 10:14:53.5277786,62,sa,WideWorldImporters,People,"<sensitivity_attributes><sensitivity_attribute label=""Confidential - GDPR"" label_id=""989adc05-3f3f-0588-a635-f475b994915b"" information_type=""Name"" information_type_id=""57845286-7598-22f5-9659-15b24aeb125e"" /><sensitivity_attribute label=""Confidential"" label_id=""331f0b13-76b5-2f1b-a77b-def5a73c73c2"" information_type=""Credentials"" information_type_id=""c64aba7b-3a3e-95b6-535d-3bc535da5a59"" /><sensitivity_attribute label=""Confidential"" label_id=""331f0b13-76b5-2f1b-a77b-def5a73c73c2"" information_type=""Contact Info"" information_type_id=""5c503e21-22c6-81fa-620b-f369b8ec38d1"" /><sensitivity_attribute label=""PII"" information_type=""Email"" /></sensitivity_attributes>",0,0,192.168.100.1,azdata-Query,LAPTOPSOLIDQ,SELECT * FROM [Application].[People]
2019-11-21 10:15:47.0655047,62,sa,WideWorldImporters,People,,0,0,192.168.100.1,azdata-Query,LAPTOPSOLIDQ,SELECT PreferredName FROM [Application].[People] WHERE EmailAddress LIKE '%microsoft%'
```


As we can see, since the query returned no data, no sensitive information is reported: the `data_sensitivity_information` column is empty because nothing sensitive was returned to the user
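Reading the sensitivity XML by eye does not scale once the audit has more than a handful of records. The following is an added example, not part of the original notebook: it shreds the `data_sensitivity_information` XML shown above into one row per sensitivity attribute and summarises which principal read which label from which object, skipping records such as the filtered query that returned no rows and therefore carries no XML. The audit file path is the one used in this notebook.

```sql
USE WideWorldImporters;
GO
-- Shred the sensitivity XML of each audit record into one row per
-- (statement, sensitivity attribute), then aggregate by principal/object/label.
WITH audited AS (
    SELECT  event_time, server_principal_name, database_name, object_name,
            statement, client_ip,
            CAST(data_sensitivity_information AS XML) AS sens
    FROM    sys.fn_get_audit_file('/var/opt/mssql/data/*.sqlaudit', DEFAULT, DEFAULT)
    -- Records with no sensitivity XML (nothing sensitive returned) are dropped here.
    WHERE   data_sensitivity_information IS NOT NULL
),
shredded AS (
    SELECT  a.event_time, a.server_principal_name, a.object_name,
            a.client_ip, a.statement,
            n.attr.value('@label',            'nvarchar(128)')    AS label,
            n.attr.value('@information_type', 'nvarchar(128)')    AS information_type,
            -- NULL for ad-hoc labels added without LABEL_ID, such as 'PII'
            n.attr.value('@label_id',         'uniqueidentifier') AS label_id
    FROM    audited AS a
    CROSS APPLY a.sens.nodes('/sensitivity_attributes/sensitivity_attribute') AS n(attr)
)
-- Who read what: one line per principal, object and label, most active first.
SELECT  server_principal_name, object_name, label, information_type,
        COUNT(*)        AS statements,
        MIN(event_time) AS first_seen,
        MAX(event_time) AS last_seen
FROM    shredded
GROUP BY server_principal_name, object_name, label, information_type
ORDER BY statements DESC, last_seen DESC;
GO
```

With the two statements audited above, the `SELECT *` contributes four rows (Name, Credentials, Contact Info, Email) and the filtered query contributes none.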

# Clean up the environment

In [18]:
```sql
USE WideWorldImporters
GO
IF EXISTS (SELECT * FROM sys.database_audit_specifications WHERE name = 'People_Audit')
BEGIN
	ALTER DATABASE AUDIT SPECIFICATION People_Audit 
	WITH (STATE = OFF)
	DROP DATABASE AUDIT SPECIFICATION People_Audit
END
GO
USE master
GO
IF EXISTS (SELECT * FROM sys.server_audits WHERE name = 'GDPR_Audit')
BEGIN
	ALTER SERVER AUDIT GDPR_Audit
	WITH (STATE = OFF)
	DROP SERVER AUDIT GDPR_Audit
END
GO


ALTER DATABASE WideWorldImporters SET COMPATIBILITY_LEVEL = 130
GO

USE WideWorldImporters
GO
-- BEGIN/END is required here: without it only the first DROP after each IF
-- is conditional and the EmailAddress DROP would run unconditionally.
IF EXISTS (SELECT * FROM sys.sensitivity_classifications sc WHERE object_id('[Application].[PaymentMethods]') = sc.major_id)
BEGIN
	DROP SENSITIVITY CLASSIFICATION FROM [Application].[PaymentMethods].[PaymentMethodName]
END
GO
IF EXISTS (SELECT * FROM sys.sensitivity_classifications sc WHERE object_id('[Application].[People]') = sc.major_id)
BEGIN
	DROP SENSITIVITY CLASSIFICATION FROM [Application].[People].[FullName]
	DROP SENSITIVITY CLASSIFICATION FROM [Application].[People].[EmailAddress]
END
GO
```