Model to SQL schema Data Definition Language Why use data definition language? Multiple database designers modifying DDL Version Control Build the database script from scratch (for unit testing) Examples Create table Alter table Drop table Create/drop view
SQL Security Secure Configuration Authentication login/password Authorization What you can access after you login Data Encryption Protectingsensitive data from internal and external hackers
SQL Security - Secure Configuration Physically secure the server behind firewall Enable only the minimum network protocols required Use Windows Update to apply patches Surface Area Configuration - turn off default SQL features CLR Integration Database mirroring Debugging Service broker E-Mail functions
SQL Security - Authentication Use simple connection strings containing user names and passwords during development Create SQL user for test-user (shows password in web.config & app.config) Use windows authentication in production with more security SQL 2008 uses encryption of the channel by default (avoid data sniffing) Windows Group Policy password complexity password history password age expiration lockout after failed attempts
SQL Security - Authorization After authentication, what can you access? Depends on your roles (owner, admin, operator, reader, etc) Principal Anyindividual, group, or process that can request access to a protected resource Securable object that you can secured by granting or denying of permissions
SQL Security - Principal Windows-level principals Domain, local, group SQL Server-level principals SQL login login mapped to a windows login login mapped to a certificate login mapped to a asymmetric key Database-level principals Database user user mapped to SQL server login user mapped to windows login, certificate, asymmetric key Database role Application role etc...
SQL Security – Dynamical SQL Execute(@sql) @sql is a dynamically generate SQL statement @sql = ‘select * from course where name = ‘’‘ + @search + ‘’’’ Open for SQL injection attack @search = ‘cse’’’; delete from users‘ Use sp_executesql (@sql, @search_text)
SQL Security – Encryption Built-in SQL encryption methods: EncryptByPassPhrase(), DecryptByPassPhrase() EncryptByCertificate(), DecryptByCertificate() Encryption side-effects: Storage(encrypted values are larger size) Performance Create Index on encrypted data Create Index on hash value
Review question Difference between db logic design and physical design? Difference between deny vs revoke? Can you think of a generalization scenario for your project? How many entities will you have in your db design? Can you identify where you would need indexes in your db? What db objects would you want to provide more security in your db design?
Enterprise DB – availability & load Availability = (Total Units of Time – Downtime) / Total Units of Time 8,760 hours (365 days 24 hours) in a calendar year 100 hours of downtime during the year (8760 – 100) / 8,760 (98.9% uptime) Fail-over When one db fails, another becomes active DB Load Balance Distribute data across different servers (multiple active databases)
DB for Continuous Integration Database needs to be built locally For individual C# developers coding locally For running unit tests locally Database code needs to be in the source control (version control) Nightly builds on the server Solution: Database Solution in VS 2010 (cse 136) Database build script (*.sql) Command shell (CreateDB.cmd)
Review question Difference between fail-over and load balance? What are the pros and cons of clustering? What scenario would you recommend logging shipping instead of mirroring? What scenario would you recommend mirroring instead of replication?
Demo SQL Mixed mode Create SQL user Show Day 2 tutorial Run .cmd to generate db
Assignment Due Day 4 Create a database in SQL 2008 Create a database diagram Create SQL Stored Procedures based on your activity diagram(s) for your entire project’s features. Create a database solution using VS 2010 (see day 2 tutorial) Run the db command script
References Database Modeling and Design Pro SQL Server 2008 Failover Clustering