Organizational compliance and security in Microsoft SQL 2012-2016. This covers encryption at rest and in transit, securing data, application design considerations, Audit, and T-SQL to help you get compliant.
MySQL Indexes and Histograms - RMOUG Training Days 2022 (Dave Stokes)
Nobody complains when the database is too fast. But they do gripe when it slows down. The two most popular ways to increase query speed are indexes and histograms. But there are dozens of options for indexes and a lot of bad information on how to use them. Histograms are great but not for all types of data. This session covers the hows and whys of both approaches.
A Novel methodology for handling Document Level Security in Search Based Appl... (lucenerevolution)
Presented by Rajini Maski, Senior Software Engineer, Happiest Minds Technologies
An important problem with document-search in any content management system (CMS) is the handling of permission-based search requests for each user. In this session, we present an algorithm and framework that allows the Search Engine to plainly index both public and privileged documents without any early binding overhead—thus enforcing document-level security policies only at the time of search. With our late-binding approach for ACL (access control lists) and some custom components, we have achieved reduction in search-time overhead. We will also discuss the order of complexity and execution time for the search overhead.
In today's modern world, security is a necessary fact of life. GreenSQL Security helps small to large organizations protect their sensitive information against internal and external threats. The rule-based engine offers database firewall, intrusion detection and prevention (IDS/IPS). GreenSQL Security Engine applies exception detection to prevent hacker attacks, end-user intrusion and unauthorized access by privileged insiders. The system provides a web based intuitive and flexible policy framework that enables users to create and edit their security rules quickly and easily. GreenSQL interfaces between your database and any source requiring a connection to it. This approach shields your database application and database operating system from direct, remote access. GreenSQL Database Security:
1) Stops SQL Injection attacks on your web application
2) Blocks unauthorized database access and alerts you in real time about unwanted access
3) Separates your application database access privileges from administrator access
4) Gives you a complete event log for investigating database traffic and access
5) Ensures you achieve successful implementation with 24/7 support
The document provides an overview of the key security challenges in Big Data (Apache Hadoop) systems, and showcases the solutions used by Hortonworks Distribution to solve these security challenges.
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders... (Michael Noel)
One of the biggest advantages of using SharePoint as a Document Management and collaboration environment is that a robust security and permissions structure is built in to the application itself. Authenticating and authorizing users is a fairly straightforward task, and administration of security permissions is simplified. Too often, however, security for SharePoint stops there, and organizations don’t pay enough attention to all of the other considerations that are part of a SharePoint Security stack, and more often than not don’t properly build them into a deployment. This includes such diverse categories as Edge, Transport, Infrastructure, Data, and Rights Management Security, all areas that are often neglected but are nonetheless extremely important. This session discusses the entire stack of Security within SharePoint, from best practices around managing permissions and ACLs to comply with Role Based Access Control, to techniques to secure inbound access to externally-facing SharePoint sites. The session is designed to be comprehensive, and includes all major security topics in SharePoint and a discussion of various real-world designs that are built to be secure.
• Understand how to use native technologies to secure all layers of a SharePoint environment, including Data, Transport, Infrastructure, Edge, and Rights Management.
• Examine tools and technologies that can help secure SharePoint, including AD Rights Management Services, Forefront Unified Access Gateway, SQL Transparent Data Encryption, and more.
• Understand a Role-Based Access Control (RBAC) permissions model and how it can be used to gain better control over authorization and access control to SharePoint files and data.
A walkthrough on implementing Always Encrypted Encryption on sensitive information to reduce your attack surface area and develop an active data security posture.
2nd Microsoft CRUI Cycle, 3rd Session: the evolution of technology platforms... (Jürgen Ambrosi)
The goal is to give an overview of the state of the art in technologies that support databases. Some examples are in-memory technology integrated with real-time operational analytics capabilities, and Always Encrypted technology for protecting data used locally or while in transit. In-memory technology improves transaction performance 30-fold using industry-standard hardware. Moreover, Big Data and analytics have become an important competitive differentiator, but managing huge amounts of data tied to 24-hour uptime continues to be a challenge for IT. Today it is more important than ever to meet, at the enterprise level, the need for performance, availability and effective security to run mission-critical workloads at a contained cost. Microsoft solutions set a new standard in mission-critical performance.
Secure and Efficient Skyline Queries on Encrypted Data
To buy this project online, contact:
Email: jpinfotechprojects@gmail.com,
Website: https://www.jpinfotech.org
Maginatics @ SDC 2013: Architecting An Enterprise Storage Platform Using Obje... (Maginatics)
How did Maginatics build a strongly consistent and secure distributed file system? Niraj Tolia, Chief Architect at Maginatics, gave this presentation on the design of MagFS at the Storage Developer Conference on September 16, 2013.
For more information about MagFS—The File System for the Cloud, visit maginatics.com or contact us directly at info@maginatics.com.
[Mustafa Toroman, Saša Kranjac] More and more of the services we use every day are moving to the cloud. This creates many challenges, especially if we look at things from a security point of view. Taking services out of our datacenter opens our data and services to new kinds of threats, but fortunately new tools are available to protect us. See from both perspectives how attackers can try to exploit our journey to the cloud and how we can detect threats and stop attacks before they occur. We will show examples of how the Red Team attacks our cloud and how the Blue Team can detect and stop the Red Team.
An overview of the new features available in SQL Server 2016 including Stretch Database, Always Encrypted, Data Masking, In Memory Operational Analytics and more.
Similar to Organizational compliance and security in Microsoft SQL 2012-2016 (20)
Customer migration to Azure SQL database, December 2019 (George Walters)
This is a real life story on how a software as a service application moved to the cloud, to Azure, over a period of two years. We discuss migration, business drivers, technology, and how it got done. We talk through more modern ways to refactor or change code to get into the cloud nowadays.
Inclusion in language and action: What you can do to improve yourself with respect to: Mansplaining, Ableism, disability, gender, and bias. You want to improve, and this can be a piece of that puzzle.
This presentation shows new features in SQL 2019, and a recap of features from SQL 2000 through 2017 as well. You would be wise to hear someone from Microsoft deliver this material.
Azure SQL Database now has a Managed Instance, for near 100% compatibility for lifting-and-shifting applications running on Microsoft SQL Server to Azure. Contact me for more information.
Customer migration to azure sql database from on-premises SQL, for a SaaS app... (George Walters)
Why would someone take a working on-premises SaaS infrastructure, and migrate it to Azure? We review the technology decisions behind this conversion, and business choices behind migrating to Azure. The SQL 2012 infrastructure and application was migrated to PaaS Services. Finally, how we would do this architecture in 2019.
Organizational compliance and security SQL 2012-2019 by George Walters (George Walters)
The compliance and security aspects of SQL Server, and the greater platform, are covered here. This goes through CTP 2.3 of SQL 2019. I start with the history of security in SQL Server, from the changes with SQL 2005, then into SQL 2008, 2008r2, 2012, 2014, 2016, 2017. We cover the requirement for installation, auditing, encryption, compliance, and so forth.
Microsoft SQL server 2017 Level 300 technical deck (George Walters)
This deck covers new features in SQL Server 2017, as well as carryover features from 2012 onwards. This includes high availability, columnstore, alwayson, In-memory tables, and other enterprise features.
Empowering the Data Analytics Ecosystem: A Laser Focus on Value
The data analytics ecosystem thrives when every component functions at its peak, unlocking the true potential of data. Here's a laser focus on key areas for an empowered ecosystem:
1. Democratize Access, Not Data:
Granular Access Controls: Provide users with self-service tools tailored to their specific needs, preventing data overload and misuse.
Data Catalogs: Implement robust data catalogs for easy discovery and understanding of available data sources.
2. Foster Collaboration with Clear Roles:
Data Mesh Architecture: Break down data silos by creating a distributed data ownership model with clear ownership and responsibilities.
Collaborative Workspaces: Utilize interactive platforms where data scientists, analysts, and domain experts can work seamlessly together.
3. Leverage Advanced Analytics Strategically:
AI-powered Automation: Automate repetitive tasks like data cleaning and feature engineering, freeing up data talent for higher-level analysis.
Right-Tool Selection: Strategically choose the most effective advanced analytics techniques (e.g., AI, ML) based on specific business problems.
4. Prioritize Data Quality with Automation:
Automated Data Validation: Implement automated data quality checks to identify and rectify errors at the source, minimizing downstream issues.
Data Lineage Tracking: Track the flow of data throughout the ecosystem, ensuring transparency and facilitating root cause analysis for errors.
5. Cultivate a Data-Driven Mindset:
Metrics-Driven Performance Management: Align KPIs and performance metrics with data-driven insights to ensure actionable decision making.
Data Storytelling Workshops: Equip stakeholders with the skills to translate complex data findings into compelling narratives that drive action.
Benefits of a Precise Ecosystem:
Sharpened Focus: Precise access and clear roles ensure everyone works with the most relevant data, maximizing efficiency.
Actionable Insights: Strategic analytics and automated quality checks lead to more reliable and actionable data insights.
Continuous Improvement: Data-driven performance management fosters a culture of learning and continuous improvement.
Sustainable Growth: Empowered by data, organizations can make informed decisions to drive sustainable growth and innovation.
By focusing on these precise actions, organizations can create an empowered data analytics ecosystem that delivers real value by driving data-driven decisions and maximizing the return on their data investment.
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ... (Subhajit Sahu)
Abstract — Levelwise PageRank is an alternative method of PageRank computation which decomposes the input graph into a directed acyclic block-graph of strongly connected components, and processes them in topological order, one level at a time. This enables calculation for ranks in a distributed fashion without per-iteration communication, unlike the standard method where all vertices are processed in each iteration. It however comes with a precondition of the absence of dead ends in the input graph. Here, the native non-distributed performance of Levelwise PageRank was compared against Monolithic PageRank on a CPU as well as a GPU. To ensure a fair comparison, Monolithic PageRank was also performed on a graph where vertices were split by components. Results indicate that Levelwise PageRank is about as fast as Monolithic PageRank on the CPU, but quite a bit slower on the GPU. Slowdown on the GPU is likely caused by a large submission of small workloads, and expected to be non-issue when the computation is performed on massive graphs.
As Europe's leading economic powerhouse and the fourth-largest economy globally, Germany stands at the forefront of innovation and industrial might. Renowned for its precision engineering and high-tech sectors, Germany's economic structure is heavily supported by a robust service industry, accounting for approximately 68% of its GDP. This economic clout and strategic geopolitical stance position Germany as a focal point in the global cyber threat landscape.
In the face of escalating global tensions, particularly those emanating from geopolitical disputes with nations like Russia and China, Germany has witnessed a significant uptick in targeted cyber operations. Our analysis indicates a marked increase in cyberattack sophistication aimed at critical infrastructure and key industrial sectors. These attacks range from ransomware campaigns to Advanced Persistent Threats (APTs), threatening national security and business integrity.
🔑 Key findings include:
🔍 Increased frequency and complexity of cyber threats.
🔍 Escalation of state-sponsored and criminally motivated cyber operations.
🔍 Active dark web exchanges of malicious tools and tactics.
Our comprehensive report delves into these challenges, using a blend of open-source and proprietary data collection techniques. By monitoring activity on critical networks and analyzing attack patterns, our team provides a detailed overview of the threats facing German entities.
This report aims to equip stakeholders across public and private sectors with the knowledge to enhance their defensive strategies, reduce exposure to cyber risks, and reinforce Germany's resilience against cyber threats.
Chatty Kathy - UNC Bootcamp Final Project Presentation - Final Version - 5.23... (John Andrews)
SlideShare Description for "Chatty Kathy - UNC Bootcamp Final Project Presentation"
Title: Chatty Kathy: Enhancing Physical Activity Among Older Adults
Description:
Discover how Chatty Kathy, an innovative project developed at the UNC Bootcamp, aims to tackle the challenge of low physical activity among older adults. Our AI-driven solution uses peer interaction to boost and sustain exercise levels, significantly improving health outcomes. This presentation covers our problem statement, the rationale behind Chatty Kathy, synthetic data and persona creation, model performance metrics, a visual demonstration of the project, and potential future developments. Join us for an insightful Q&A session to explore the potential of this groundbreaking project.
Project Team: Jay Requarth, Jana Avery, John Andrews, Dr. Dick Davis II, Nee Buntoum, Nam Yeongjin & Mat Nicholas
Explore our comprehensive data analysis project presentation on predicting product ad campaign performance. Learn how data-driven insights can optimize your marketing strategies and enhance campaign effectiveness. Perfect for professionals and students looking to understand the power of data analysis in advertising. For more details visit: https://bostoninstituteofanalytics.org/data-science-and-artificial-intelligence/
Adjusting primitives for graph : SHORT REPORT / NOTES (Subhajit Sahu)
Graph algorithms, like PageRank Compressed Sparse Row (CSR) is an adjacency-list based graph representation that is
Multiply with different modes (map)
1. Performance of sequential execution based vs OpenMP based vector multiply.
2. Comparing various launch configs for CUDA based vector multiply.
Sum with different storage types (reduce)
1. Performance of vector element sum using float vs bfloat16 as the storage type.
Sum with different modes (reduce)
1. Performance of sequential execution based vs OpenMP based vector element sum.
2. Performance of memcpy vs in-place based CUDA based vector element sum.
3. Comparing various launch configs for CUDA based vector element sum (memcpy).
4. Comparing various launch configs for CUDA based vector element sum (in-place).
Sum with in-place strategies of CUDA mode (reduce)
1. Comparing various launch configs for CUDA based vector element sum (in-place).
Organizational compliance and security in Microsoft SQL 2012-2016
1. SQL 2012 - 2016
Organizational Security
& Compliance
George Walters
Senior Technology Solutions Professional
Data Platform
george.walters@microsoft.com
@gwalters69 on twitter
2.
3. SQL Server 2016: Everything built-in
The above graphics were published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Consistent experience from on-premises to cloud
Self-service BI per user: Microsoft $120, Tableau $480, Oracle $2,230
In-memory across all workloads: built-in
[Chart: TPC-H 10TB non-clustered results at massive scale; ranking labels on the chart read "Oracle is #5, #2" and "SQL Server #1, #3". Results as of 04/06/15, 5/04/15, 4/15/14 and 11/25/13, respectively. http://www.tpc.org/tpch/results/tpch_perf_results.asp?resulttype=noncluster]
[Chart: counts per year, 2010 to 2015, for SQL Server, Oracle, MySQL and SAP HANA (y-axis 0 to 80); source: National Institute of Standards and Technology Comprehensive Vulnerability Database update 10/2015]
6. AES256 for backup keys
SHA512 for password hashes
Built-in cryptography hierarchy
Transparent data encryption
Extensible key management
Sign code modules
Encrypted connection on-premises and in Azure SQL database
Audit, TDE, Always Encrypted in Azure SQL database
7.
8. -- Step 1: create the database master key (DMK) in master; it protects the certificate's private key
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<UseStrongPasswordHere>';
GO
-- Step 2: create the server certificate that will protect the database encryption key (DEK)
CREATE CERTIFICATE MyServerCert WITH SUBJECT = 'My DEK Certificate';
GO
-- Step 3: create the DEK inside the user database, protected by the server certificate
USE AdventureWorks2012;
GO
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_128
ENCRYPTION BY SERVER CERTIFICATE MyServerCert;
GO
-- Step 4: turn transparent data encryption on for the database
ALTER DATABASE AdventureWorks2012
SET ENCRYPTION ON;
GO
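Two things the TDE script on slide 8 leaves out are checking that encryption actually finished and backing up the certificate: an encrypted database, and every backup taken of it, can only be restored on a server that holds MyServerCert and its private key. The following T-SQL is an added example, not part of the deck; it reuses the names from the slide, while the file paths and the private-key backup password are placeholders.

```sql
-- Added example (not from the deck): verify TDE state, then back up the certificate
-- that protects the DEK. Object names follow slide 8; paths and passwords are placeholders.
USE master;
GO

-- encryption_state: 0 = no DEK, 1 = unencrypted, 2 = encryption in progress,
-- 3 = encrypted, 4 = key change in progress, 5 = decryption in progress,
-- 6 = protection change in progress. tempdb appears here too once any database is encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length,
       encryptor_type
FROM sys.dm_database_encryption_keys;
GO

-- Back up the certificate and its private key to storage that is kept separate from
-- the database backups (otherwise whoever obtains the backup set also obtains the key).
BACKUP CERTIFICATE MyServerCert
TO FILE = 'C:\SecureBackup\MyServerCert.cer'
WITH PRIVATE KEY (
    FILE = 'C:\SecureBackup\MyServerCert.pvk',
    ENCRYPTION BY PASSWORD = '<UsePrivateKeyBackupPasswordHere>'
);
GO

-- Recovery server: the DMK must exist first, then the certificate is restored from the
-- backup files, and only then can RESTORE DATABASE of the encrypted database succeed.
-- CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<UseStrongPasswordHere>';
-- CREATE CERTIFICATE MyServerCert
-- FROM FILE = 'C:\SecureBackup\MyServerCert.cer'
-- WITH PRIVATE KEY (FILE = 'C:\SecureBackup\MyServerCert.pvk',
--                   DECRYPTION BY PASSWORD = '<UsePrivateKeyBackupPasswordHere>');
```

Run the verification query until encryption_state reaches 3 for the target database; until then a backup still contains plaintext pages for the part that has not been encrypted yet.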
11. Mission-critical performance: Performance, Security, Availability, Scalability
Operational analytics: insights on operational data; works with in-memory OLTP and disk-based OLTP.
In-memory OLTP enhancements: greater T-SQL surface area, terabytes of memory supported, and greater number of parallel CPUs.
Query data store: monitor and optimize query plans.
Native JSON: expanded support for JSON data.
Temporal database support: query data as points in time.
Always Encrypted: sensitive data remains encrypted at all times with the ability to query.
Row-level security: apply fine-grained access control to table rows.
Dynamic data masking: real-time obfuscation of data to prevent unauthorized access.
Other enhancements: audit success/failure of database operations; TDE support for storage of in-memory OLTP tables; enhanced auditing for OLTP with the ability to track history of record changes.
Enhanced AlwaysOn: three synchronous replicas for auto failover across domains; round robin load balancing of replicas; automatic failover based on database health; DTC for transactional integrity across database instances with AlwaysOn; support for SSIS with AlwaysOn.
Enhanced database caching: cache data with automatic, multiple TempDB files per instance in multi-core environments.
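Slide 11 lists dynamic data masking as real-time obfuscation; the following T-SQL is an added example, not part of the deck, that shows what that means in practice on a constructed dbo.Patients table (the table, the ClinicReader user and the sample rows are made up). It also shows the caveat a practitioner needs: the mask is applied to the result columns only, predicates still run against the real values, so masking limits casual exposure but is not a substitute for permissions or for encryption.

```sql
-- Added example (not from the deck): dynamic data masking on a constructed table.
CREATE TABLE dbo.Patients (
    PatientId INT IDENTITY PRIMARY KEY,
    Name      NVARCHAR(100) NOT NULL,
    -- keep only the last four SSN digits visible to masked readers
    SSN       CHAR(11)      MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NOT NULL,
    -- built-in mask: first letter, then XXX@XXXX.com
    Email     NVARCHAR(200) MASKED WITH (FUNCTION = 'email()') NULL,
    -- default() masks numeric types to 0
    Balance   MONEY         MASKED WITH (FUNCTION = 'default()') NOT NULL
);
GO
-- Constructed sample rows (names match the ones on slide 14).
INSERT INTO dbo.Patients (Name, SSN, Email, Balance) VALUES
    (N'Jane Doe', '243-24-9812', N'jane.doe@example.com', 120.00),
    (N'Jim Gray', '198-33-0987', N'jim.gray@example.com',   0.00);
GO

-- A low-privilege reader with SELECT but without UNMASK.
CREATE USER ClinicReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Patients TO ClinicReader;
GO

EXECUTE AS USER = 'ClinicReader';
-- Returns masked values: SSN shows as XXX-XX-9812, Email as jXXX@XXXX.com, Balance as 0.00
SELECT Name, SSN, Email, Balance FROM dbo.Patients;

-- Caveat: the WHERE clause is evaluated against the real, unmasked value. A reader who
-- can run ad-hoc queries can therefore still learn whether a given value exists, which
-- is why masked readers should get parameterised application access, not ad-hoc query
-- rights, and why masking is paired with auditing and with Always Encrypted for real secrets.
SELECT Name FROM dbo.Patients WHERE SSN = '198-33-0987';  -- returns Jim Gray, SSN still shown masked
REVERT;
GO

-- Grant UNMASK only to the roles that must see clear values.
GRANT UNMASK TO ClinicReader;
GO
-- Inventory which columns carry a mask and with which function.
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```

Members of db_owner and sysadmin always see unmasked data, so the masking inventory at the end is worth keeping in the same review as the permission audit.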
13. Benefits of Always Encrypted
Prevents data disclosure: client-side encryption of sensitive data using keys that are never given to the database system.
Queries on encrypted data: support for equality comparison, including join, group by and distinct operators.
Application transparency: minimal application changes via server and client library enhancements.
Allows customers to securely store sensitive data outside of their trust boundary. Data remains protected from high-privileged, yet unauthorized users.
14. Always Encrypted: help protect data at rest and in motion, on-premises & cloud
Client side (trusted apps, enhanced ADO.NET library, column encryption key, column master key):
dbo.Patients as the application sees it:
Name | SSN | Country
Jane Doe | 243-24-9812 | USA
Jim Gray | 198-33-0987 | USA
John Smith | 123-82-1095 | USA
Query from the trusted app: SELECT Name FROM Patients WHERE SSN=@SSN, with @SSN='198-33-0987'
SQL Server side (stores only ciphertext):
dbo.Patients as stored:
Name | SSN | Country
Jane Doe | 1x7fg655se2e | USA
Jim Gray | 0x7ff654ae6d | USA
John Smith | 0y8fj754ea2c | USA
Query as received by SQL Server: SELECT Name FROM Patients WHERE SSN=@SSN, with @SSN=0x7ff654ae6d
Result set returned to the app: Name | Jim Gray
15. Types of Encryption for Always Encrypted
Two types of encryption available.
Randomized encryption uses a method that encrypts data in a less predictable manner:
Encrypt('123-45-6789') = 0x17cfd50a
Repeat: Encrypt('123-45-6789') = 0x9b1fcf32
Allows for transparent retrieval of encrypted data but NO operations. More secure.
Deterministic encryption uses a method which always generates the same encrypted value for any given plain text value:
Encrypt('123-45-6789') = 0x85a55d3f
Repeat: Encrypt('123-45-6789') = 0x85a55d3f
Allows for transparent retrieval of encrypted data AND equality comparison, e.g. in WHERE clauses and joins, distinct, group by.
16. Key Provisioning
Security Officer:
1. Generate CEKs and Master Key
2. Encrypt CEK
3. Store Master Key Securely
4. Upload Encrypted CEK to DB
Keys involved: Column Encryption Key (CEK), Column Master Key (CMK), Encrypted CEK.
CMK Store (holds the CMK): Certificate Store, HSM, Azure Key Vault, …
Database: holds only the Encrypted CEK.
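The two encryption types from slide 15 and the key hierarchy from slide 16, written out as T-SQL. This is an added example, not code from the deck: the names PatientsCMK, PatientsCEK and dbo.Patients are assumptions, the certificate thumbprint in KEY_PATH and the ENCRYPTED_VALUE blob are placeholders, because the CEK is generated and wrapped with the CMK on the client (SSMS or the PowerShell SqlServer module), which is exactly why the server only ever receives the encrypted CEK.

```sql
-- Added example (not from the deck). Key metadata: the CMK lives in the client's
-- certificate store; the database stores only its location and the wrapped CEK.
CREATE COLUMN MASTER KEY PatientsCMK
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/<certificate-thumbprint-placeholder>'
);
GO
CREATE COLUMN ENCRYPTION KEY PatientsCEK
WITH VALUES (
    COLUMN_MASTER_KEY = PatientsCMK,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x0170000001  -- placeholder: real value is the CEK wrapped with the CMK by the client tool
);
GO

-- Deterministic (SSN): same plaintext -> same ciphertext, so equality, JOIN, GROUP BY and
-- DISTINCT work; the column needs a _BIN2 collation because comparison is byte-wise on
-- ciphertext. Randomized (Diagnosis): fresh ciphertext every time, retrieval only.
CREATE TABLE dbo.Patients (
    PatientId INT IDENTITY PRIMARY KEY,
    Name      NVARCHAR(100) NOT NULL,
    SSN       CHAR(11) COLLATE Latin1_General_BIN2
              ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = PatientsCEK,
                              ENCRYPTION_TYPE = DETERMINISTIC,
                              ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    Diagnosis NVARCHAR(400)
              ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = PatientsCEK,
                              ENCRYPTION_TYPE = RANDOMIZED,
                              ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL
);
GO

-- From a client whose connection string carries "Column Encryption Setting=Enabled", the
-- driver encrypts parameters transparently, so this works (the value must be a parameter,
-- never an inline literal, or the server would see plaintext and fail the comparison):
--   SELECT Name FROM dbo.Patients WHERE SSN = @SSN;
-- These fail, because the server holds only ciphertext:
--   SELECT Name FROM dbo.Patients WHERE SSN LIKE '198-%';         -- range/pattern on a deterministic column
--   SELECT Name FROM dbo.Patients WHERE Diagnosis = @Diagnosis;   -- equality on a randomized column

-- Inventory: which columns are encrypted, how, and under which CEK/CMK.
SELECT c.name AS column_name,
       c.encryption_type_desc,
       c.encryption_algorithm_name,
       cek.name AS cek_name,
       cmk.name AS cmk_name,
       cmk.key_store_provider_name
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = c.column_encryption_key_id
JOIN sys.column_encryption_key_values AS v
  ON v.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
  ON cmk.column_master_key_id = v.column_master_key_id
WHERE c.object_id = OBJECT_ID('dbo.Patients')
  AND c.encryption_type IS NOT NULL;
```

The trade-off on slide 15 is visible in the two column definitions: deterministic encryption buys the equality operators at the cost of revealing which rows share a value, so it belongs on high-entropy lookup keys such as SSN, while low-cardinality fields (a yes/no flag, a diagnosis code) should be randomized.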
17. Example
Client (trusted) | SQL Server (untrusted)
Application code on the client (enhanced ADO.NET, which keeps a plaintext CEK cache):
using (SqlCommand cmd = new SqlCommand(
    "SELECT Name FROM Customers WHERE SSN = @SSN", conn))
{
    // Add(...) returns the SqlParameter, so the value can be set on it directly
    cmd.Parameters.Add(new SqlParameter("@SSN", SqlDbType.VarChar, 11)).Value = "111-22-3333";
    SqlDataReader reader = cmd.ExecuteReader();
}
1. The client library asks the server for the encryption metadata of the statement:
exec sp_describe_parameter_encryption
    @params = N'@SSN VARCHAR(11)'
  , @tsql = N'SELECT * FROM Customers WHERE SSN = @SSN'
Encryption metadata returned for the parameter:
Param | Encryption Type/Algorithm | Encrypted CEK Value | CMK Store Provider Name | CMK Path
@SSN | DET/AES 256 | (encrypted CEK) | CERTIFICATE_STORE | Current User/My/f2260…
2. The client unwraps the CEK with the CMK from the CMK store, encrypts the parameter value and sends the query with a ciphertext parameter:
EXEC sp_executesql
    N'SELECT * FROM Customers WHERE SSN = @SSN'
  , @params = N'@SSN VARCHAR(11)', @SSN=0x7ff654ae6d
3. Result set (ciphertext) from SQL Server: Name | 0x19ca706fbd9
Encryption metadata returned for the result column:
Param | Encryption Type/Algorithm | Encrypted CEK Value | CMK Store Provider Name | CMK Path
@Name | Non-DET/AES 256 | (encrypted CEK) | CERTIFICATE_STORE | Current User/My/f2260…
4. Result set (plaintext) after client-side decryption: Name | Jim Gray
18. User Experience: SSMS or SSDT (Visual Studio)
Setup (SSMS or SSDT):
Select columns to be encrypted: UI for selecting columns (no automated data classification).
Analyze schema and application queries to detect conflicts (build time): static schema analysis tool (SSDT only).
Set up the keys, master & CEK: key setup tool to automate selecting CMK, generating and encrypting CEK and uploading key metadata to the database.
19. Existing App – Setup
User Experience: SSMS or SSDT (Visual Studio)
Select candidate columns to be encrypted: UI for selecting columns (no automated data classification).
Analyze schema and application queries to detect conflicts and identify optimal encryption settings: schema/workload analysis tool analyzing the schema and profiler logs.
Select desired encryption settings for selected columns: UI for configuring encryption settings on selected columns (accepting/editing recommendations from the analysis tool).
Set up the keys: key setup tool to streamline selecting CMK, generating and encrypting CEK and uploading key metadata to the database.
Encrypt selected columns while migrating the database to a target server (e.g. in Azure SQL Database): encryption tool creating new (encrypted) columns, copying data from old (plain text) columns, swapping columns and re-creating dependencies.
20. Summary: Always Encrypted
Protect data at rest and in motion, on-premises & cloud
Capability: the ADO.NET client library provides transparent client-side encryption, while SQL Server executes T-SQL queries on encrypted data. Data remains encrypted during query.
Benefits: no app changes.
Diagram: Apps → TCE-enabled ADO.NET library (holds the master key) → encrypted query → SQL Server (holds the columnar key).
22. Row-level security
Protect data privacy by ensuring the right access across rows
Fine-grained access control over specific rows in a database table.
Help prevent unauthorized access when multiple users share the same tables, or to implement connection filtering in multitenant applications.
Administer via SQL Server Management Studio or SQL Server Data Tools.
Enforcement logic inside the database and schema bound to the table.
Diagram: one SQL Database shared by Customer 1, Customer 2 and Customer 3.
23. Benefits of row-level security
Fine-grained access control: keeping multi-tenant databases secure by limiting access by other users who share the same tables.
Application transparency: RLS works transparently at query time, no app changes needed. Compatible with RLS in other leading products.
Centralized security logic: enforcement logic resides inside the database and is schema-bound to the table it protects, providing greater security. Reduced application maintenance and complexity.
Store data intended for many consumers in a single database/table while at the same time restricting row-level read & write access based on users’ execution context.
24. Row Level Security Concepts
CREATE SECURITY POLICY mySecurityPolicy
ADD FILTER PREDICATE dbo.fn_securitypredicate(wing, startTime, endTime)
ON dbo.patients
Predicate function: user-defined inline table-valued function (iTVF) implementing security logic. Can be arbitrarily complicated, containing joins with other tables.
Security predicate: applies a predicate function to a particular table (SEMIJOIN APPLY). Two types: filter predicates and blocking predicates.
Security policy: collection of security predicates for managing security across multiple tables.
25. Example
Fine-grained access control over rows in a table based on one or more pre-defined filtering criteria, e.g., user’s role or clearance level in organization.
Concepts: predicate function, security policy.
-- Predicate function: returns a row only when the calling user is on duty in the given wing.
-- SCHEMABINDING requires two-part names for every referenced table.
CREATE FUNCTION dbo.fn_securitypredicate(@wing int)
RETURNS TABLE WITH SCHEMABINDING AS
RETURN SELECT 1 AS [fn_securitypredicate_result]
FROM dbo.StaffDuties d INNER JOIN dbo.Employees e
ON (d.EmpId = e.EmpId)
WHERE e.UserSID = SUSER_SID()
AND @wing = d.Wing;
GO
-- Security policy: binds the predicate to the Wing column of Patients and enables it.
CREATE SECURITY POLICY dbo.SecPol
ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing)
ON dbo.Patients
WITH (STATE = ON);
GO
26. One: the policy manager creates the filter predicate and the security policy in T-SQL, binding the predicate to the Patients table (the definitions from the previous slide):
CREATE FUNCTION dbo.fn_securitypredicate(@wing int)
RETURNS TABLE WITH SCHEMABINDING AS
return SELECT 1 as [fn_securitypredicate_result] FROM
dbo.StaffDuties d INNER JOIN dbo.Employees e
ON (d.EmpId = e.EmpId)
WHERE e.UserSID = SUSER_SID() AND @wing = d.Wing;
GO
CREATE SECURITY POLICY dbo.SecPol
ADD FILTER PREDICATE dbo.fn_securitypredicate(Wing) ON
dbo.Patients
WITH (STATE = ON)
Two: an app user (e.g., a nurse) selects from the Patients table:
SELECT * FROM Patients
Three: the security policy transparently rewrites the query to apply the filter predicate. Conceptually:
SELECT * FROM Patients
SEMIJOIN APPLY dbo.fn_securitypredicate(Patients.Wing);
which is equivalent to the semi-join
SELECT Patients.* FROM Patients
WHERE EXISTS (SELECT 1 FROM dbo.StaffDuties d INNER JOIN dbo.Employees e ON (d.EmpId = e.EmpId)
              WHERE e.UserSID = SUSER_SID() AND Patients.Wing = d.Wing);
SEMIJOIN APPLY is not user-facing T-SQL; it names what the engine does. The semi-join form matters: each patient row comes back once even when the nurse has several duty records for the same wing, and the nurse can neither see nor bypass the predicate.
[Diagram: Application (Nurse) -> Database (Patients table with Filter Predicate: INNER JOIN… bound by the Security Policy); Policy Manager defines the policy]
RLS in Three Steps
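Slides 24 to 26 show only a filter predicate. The following is an added example, not from the deck, of a complete multitenant setup that uses both predicate types and then exercises the policy with EXECUTE AS; the tables, users and rows are constructed for the example.

```sql
-- Added example (not from the deck): multitenant RLS with FILTER and BLOCK predicates.
CREATE SCHEMA Security;
GO
CREATE TABLE dbo.Orders (
    OrderId  int IDENTITY PRIMARY KEY,
    TenantId int NOT NULL,
    Amount   money NOT NULL
);
-- Which database principal belongs to which tenant.
CREATE TABLE Security.TenantMembers (
    PrincipalId int NOT NULL PRIMARY KEY,   -- DATABASE_PRINCIPAL_ID() of the user
    TenantId    int NOT NULL
);
CREATE USER tenant1_user WITHOUT LOGIN;
CREATE USER tenant2_user WITHOUT LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO tenant1_user, tenant2_user;
INSERT Security.TenantMembers (PrincipalId, TenantId) VALUES
    (DATABASE_PRINCIPAL_ID('tenant1_user'), 1),
    (DATABASE_PRINCIPAL_ID('tenant2_user'), 2);
INSERT dbo.Orders (TenantId, Amount) VALUES (1, 10), (1, 20), (2, 30);
GO
-- Inline TVF; SCHEMABINDING is mandatory for RLS predicates and forces two-part names.
CREATE FUNCTION Security.fn_tenantPredicate(@TenantId int)
RETURNS TABLE WITH SCHEMABINDING AS
RETURN SELECT 1 AS fn_result
       FROM Security.TenantMembers m
       WHERE m.PrincipalId = DATABASE_PRINCIPAL_ID()   -- the caller
         AND m.TenantId = @TenantId;
GO
-- FILTER hides rows from SELECT, UPDATE and DELETE. On its own it still lets a tenant
-- INSERT a row carrying another TenantId (and then never see it again); the BLOCK
-- predicates reject inserts and updates whose resulting row the caller could not read.
CREATE SECURITY POLICY Security.TenantPolicy
    ADD FILTER PREDICATE Security.fn_tenantPredicate(TenantId) ON dbo.Orders,
    ADD BLOCK  PREDICATE Security.fn_tenantPredicate(TenantId) ON dbo.Orders AFTER INSERT,
    ADD BLOCK  PREDICATE Security.fn_tenantPredicate(TenantId) ON dbo.Orders AFTER UPDATE
WITH (STATE = ON, SCHEMABINDING = ON);
GO
EXECUTE AS USER = 'tenant1_user';
SELECT OrderId, TenantId, Amount FROM dbo.Orders;       -- two rows, both TenantId = 1
INSERT dbo.Orders (TenantId, Amount) VALUES (2, 99);    -- rejected by the BLOCK predicate
UPDATE dbo.Orders SET TenantId = 2 WHERE OrderId = 1;   -- rejected as well
DELETE dbo.Orders WHERE TenantId = 2;                   -- 0 rows affected: the filter hides them
REVERT;
EXECUTE AS USER = 'tenant2_user';
SELECT COUNT(*) AS visible FROM dbo.Orders;             -- 1
REVERT;
```

Two operational points follow from this. The mapping table has no row for dbo, so dbo and sysadmin see nothing through the policy until they are added or the policy is disabled; disabling takes ALTER ANY SECURITY POLICY, which should be granted to the policy managers only. And because the predicate runs with the caller's context, anything the caller can influence (here, only DATABASE_PRINCIPAL_ID()) is part of the trust boundary.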
27. Creates a security policy for row level security.
The following examples demonstrate the use of the CREATE SECURITY POLICY syntax.
For an example of a complete security policy scenario, see Row Level Security.
Create Security Policy
-- Create a new schema and predicate function, which will use
-- the application user ID stored in CONTEXT_INFO to filter rows.
-- (The function has to exist before a policy can reference it.)
CREATE SCHEMA rls;
GO
CREATE FUNCTION rls.fn_securitypredicate (@AppUserId int)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN (
SELECT 1 AS fn_securitypredicate_result
WHERE
DATABASE_PRINCIPAL_ID() = DATABASE_PRINCIPAL_ID('dbo')
-- application context
AND CONTEXT_INFO() = CONVERT(VARBINARY(128), @AppUserId)
);
GO
-- The following syntax creates a security policy with a filter
-- predicate for the Customer table, and leaves the security
-- policy disabled. STATE = OFF is stated explicitly: a policy
-- created without a STATE clause is enabled.
CREATE SECURITY POLICY [FederatedSecurityPolicy]
ADD FILTER PREDICATE
[rls].[fn_securitypredicate]([CustomerId])
ON [dbo].[Customer]
WITH (STATE = OFF);
GO
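The CONTEXT_INFO pattern above has a weak spot: SET CONTEXT_INFO has no protection, so any statement a user can get onto the application's connection (a SQL injection, a stray ad hoc batch) can rewrite the value and become a different application user. SQL Server 2016 added SESSION_CONTEXT with a read-only flag for exactly this. The following added example, not from the deck, redoes the snippet with it; the rls schema, function name and dbo.Customer follow the snippet, while AppUser, the sample rows and the key name CustomerId are assumptions for the example.

```sql
-- Added example (not from the deck): per-application-user RLS through one shared principal.
CREATE TABLE dbo.Customer (CustomerId int PRIMARY KEY, Name nvarchar(100) NOT NULL);
INSERT dbo.Customer VALUES (1, N'Alice'), (2, N'Bob');
CREATE USER AppUser WITHOUT LOGIN;           -- the single principal the app connects as
GRANT SELECT ON dbo.Customer TO AppUser;
GO
CREATE SCHEMA rls;
GO
CREATE FUNCTION rls.fn_securitypredicate(@CustomerId int)
RETURNS TABLE WITH SCHEMABINDING AS
RETURN SELECT 1 AS fn_securitypredicate_result
       WHERE DATABASE_PRINCIPAL_ID() = DATABASE_PRINCIPAL_ID('AppUser')
         -- sql_variant -> int; a missing key is NULL, so the comparison fails closed
         AND CAST(SESSION_CONTEXT(N'CustomerId') AS int) = @CustomerId;
GO
CREATE SECURITY POLICY rls.CustomerPolicy
    ADD FILTER PREDICATE rls.fn_securitypredicate(CustomerId) ON dbo.Customer
WITH (STATE = ON);
GO
-- What the app does once per connection checkout (sp_reset_connection clears it):
EXECUTE AS USER = 'AppUser';
EXEC sp_set_session_context @key = N'CustomerId', @value = 2, @read_only = 1;
SELECT CustomerId, Name FROM dbo.Customer;   -- only (2, Bob)

-- Read-only means a later statement, injected or not, cannot switch identity:
EXEC sp_set_session_context @key = N'CustomerId', @value = 1;   -- error: key is read-only
SELECT CustomerId, Name FROM dbo.Customer;   -- still only (2, Bob)
REVERT;
-- Contrast with the slide: SET CONTEXT_INFO 0x00000001 would succeed for anyone who
-- can run a statement on the connection, and the predicate would then filter as user 1.
```

The read-only key lives for the whole session, including after REVERT, so run the demonstration on a throwaway connection; that same property is what makes it safe under connection pooling, where the application sets the key on every checkout and nothing else on the connection can change it afterwards.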
29. Configuration made easy in the new Azure portal
Policy-driven at the table and column level, for a defined set of users
Data masking applied in real-time to query results based on policy
Multiple masking functions available (e.g. full, partial) for various sensitive data categories (e.g. Credit Card Numbers, SSN, etc.)
Available in Azure SQL Database and SQL Server 2016 CTP2+
[Diagram: Table.CreditCardNo holding values such as 4465-6571-7868-5796, 4468-7746-3848-1978 and 4484-5434-6858-6550, returned to a masked user with partial masking; real-time data masking]
Dynamic Data Masking
Prevent the abuse of sensitive data by hiding it from users. The mask is applied to query results only: the stored value and the predicates evaluated against it are unchanged, so a user who can run ad hoc queries on a masked column can still infer its value with WHERE clauses. Treat masking as a way to limit exposure, not as a replacement for column permissions.
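The slide's credit card column under masking, as an added example that is not from the deck, showing the intended effect and then the inference gap. Table, user and sample values are constructed for the example; the masking functions are the built-in ones.

```sql
-- Added example (not from the deck): dynamic data masking, its effect and its limit.
CREATE TABLE dbo.Payments (
    PaymentId    int IDENTITY PRIMARY KEY,
    CustomerName nvarchar(100) NOT NULL,
    -- partial(prefix, padding, suffix): expose only the last 4 digits, as on the slide
    CreditCardNo char(19) MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL,
    Email        nvarchar(200) MASKED WITH (FUNCTION = 'email()') NULL,
    Balance      money MASKED WITH (FUNCTION = 'random(1, 9999)') NULL
);
INSERT dbo.Payments (CustomerName, CreditCardNo, Email, Balance) VALUES
    (N'Denny Usher',  '4465-6571-7868-5796', N'denny@example.com',  658.39),
    (N'Alicia Hodge', '4468-7746-3848-1978', N'alicia@example.com', 12.00);
CREATE USER support_agent WITHOUT LOGIN;   -- has SELECT but not UNMASK
GRANT SELECT ON dbo.Payments TO support_agent;
GO
-- The masked user sees 'XXXX-XXXX-XXXX-5796', 'dXXX@XXXX.com' and a random balance:
EXECUTE AS USER = 'support_agent';
SELECT CustomerName, CreditCardNo, Email, Balance FROM dbo.Payments;

-- The gap: masking rewrites output, not predicates. The engine compares the real value,
-- so the same user can confirm guesses and enumerate the number digit by digit.
SELECT CustomerName FROM dbo.Payments
WHERE CreditCardNo LIKE '4465-6571%';      -- returns Denny Usher: first 8 digits confirmed
SELECT CustomerName FROM dbo.Payments
WHERE Balance > 600;                        -- returns Denny Usher: the random mask hid nothing
REVERT;

-- Users who genuinely need the clear value get UNMASK (database-wide in SQL Server 2016).
-- Members of db_owner already see clear values through their CONTROL permission.
GRANT UNMASK TO support_agent;
EXECUTE AS USER = 'support_agent';
SELECT CreditCardNo FROM dbo.Payments;     -- real numbers now
REVERT;
```

Masking is useful against over-the-shoulder exposure and against reporting code that should never handle the clear value; it is not a control against a principal who can write their own WHERE clause, which is why the deck pairs it with RLS, Always Encrypted and auditing rather than presenting it alone.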
30. • Audit success/failure of database operations
• Enhanced auditing for OLTP with ability to track history of record changes
• Transparent Data Encryption support for storage of In-memory OLTP tables
• Backup encryption now supported with compression
Other security enhancements
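The audit and backup-encryption bullets above in practice, as an added example that is not from the deck. Database name, certificate name, file paths and passwords are placeholders for the example.

```sql
-- Added example (not from the deck): encrypted + compressed backup, and an audit trail.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password>';   -- placeholder
CREATE CERTIFICATE BackupCert WITH SUBJECT = 'Backup encryption certificate';
GO
-- Compression and encryption together; CHECKSUM so a damaged page is caught at backup
-- time rather than discovered during a restore.
BACKUP DATABASE Patients
    TO DISK = 'D:\backups\Patients_full.bak'
    WITH COMPRESSION,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert),
         CHECKSUM, STATS = 10;
-- The .bak cannot be restored anywhere without this certificate, so export it and keep
-- the exported files on different, access-controlled media than the backups.
BACKUP CERTIFICATE BackupCert
    TO FILE = 'D:\keys\BackupCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\keys\BackupCert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong private key password>');  -- placeholder
-- Confirm which key a backup needs before the day you need it:
RESTORE HEADERONLY FROM DISK = 'D:\backups\Patients_full.bak';
-- the KeyAlgorithm, EncryptorThumbprint and EncryptorType columns identify the certificate

-- Audit bullet: record success and failure of reads and writes on the sensitive table.
CREATE SERVER AUDIT PatientsAudit
    TO FILE (FILEPATH = 'D:\audit\')
    WITH (ON_FAILURE = FAIL_OPERATION);      -- refuse the action if it cannot be logged
ALTER SERVER AUDIT PatientsAudit WITH (STATE = ON);
GO
USE Patients;
GO
CREATE DATABASE AUDIT SPECIFICATION PatientsAccess
    FOR SERVER AUDIT PatientsAudit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Patients BY public),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Reading the trail: who touched dbo.Patients, whether it succeeded, and the statement.
SELECT event_time, succeeded, server_principal_name, object_name, statement
FROM sys.fn_get_audit_file('D:\audit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

ON_FAILURE = FAIL_OPERATION is the setting that makes the audit a control rather than a log: when the audit target is unavailable the audited statement fails instead of running unrecorded.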
31. MSDN Documentation
https://msdn.microsoft.com/en-us/library/dn765131.aspx
Security Center for SQL Server Database & SQL
Database
https://msdn.microsoft.com/en-us/bb510589.aspx
SQL Server Security Blog
Additional examples, useful tips and tricks
http://blogs.msdn.com/b/sqlsecurity/
SQL Server Label Security Toolkit
Updated version to take advantage of RLS
http://sqlserverlst.codeplex.com/
Security resources
32. SQL Server 2016 overview (diagram slide; panel titles and bullets recovered below)
PolyBase: SQL Server and Hadoop queried with T-SQL
• Manage structured & unstructured data
• Simple T-SQL to query Hadoop (HDFS)
• JSON support
Stretch database: the app queries SQL Server, which stretches customer data, product data and order history to Microsoft Azure
• Data is encrypted & queryable
• Save money & improve customer experience
• No application changes
[Diagram: Order history table (Name, SSN, Date) with the SSN column shown as ciphertext, beside a customer table (Name, DOB, State); quote $658.39]
Learn more! www.microsoft.com/SQLServer2016
Real-time operational analytics: in-memory ColumnStore over in-memory OLTP gives real-time business problem detection instead of a 2-24 hr ETL cycle
• Up to 30x faster transactions with in-memory OLTP
• Queries from minutes to seconds
Mission critical OLTP
In-database Advanced Analytics: R built-in to SQL Server
• R built-in to your T-SQL
• Real-time operational analytics without moving the data
• Open source R with in-memory & massive scale – multi-threading and massive parallel processing
End-to-end mobile BI
• In-memory built-in
• Real-time with direct query capabilities
• Powerful modeling with 250+ built-in analytical functions
• Mobile reports with online & offline access
• Modern data visualizations with Reporting Services or Power BI
Highest performing data warehouse: from SMP (SQL Server, data marts) to MPP (SQL Server + Analytics Platform System, Azure SQL Data Warehouse, petabyte-scale)
• Scale to MPP on-premises & in the cloud
• Simple T-SQL to manage structured and unstructured data
• ½ the cost of Oracle Exadata
Always Encrypted (SQL Server in Azure VM; diagram labels: Trusted, On-premises, Cloud)
[Diagram: the app issues SELECT Name FROM Patients WHERE SSN=@SSN with @SSN='198-33-0987'. The enhanced ADO.NET library uses the column master key to unwrap the column encryption key and encrypts the parameter, so SQL Server receives @SSN=0x7ff654ae6d and matches it against the ciphertext stored in dbo.Patients (e.g. Denny Usher, 0x7ff654ae6d, USA; Alicia Hodge, 0y8fj754ea2c, USA). The result set returns as ciphertext and the library decrypts it to Denny Usher, 198-33-0987, USA.]
• Protect data at rest and in motion
• Without impacting database performance