SQL Server 2016
Mohit K. Gupta | Microsoft SQL Server PFE
About Me
Microsoft SQL Server PFE
5+ Years
Specialize in SQL Server Engine
[email protected]
http://www.sqlcan.com
http://blogs.msdn.com/b/sqlcan/
Mission-Critical Performance

Performance
• Operational Analytics: insights on operational data; works with in-memory OLTP and disk-based OLTP
• In-Memory OLTP Enhancements: greater T-SQL surface area, terabytes of memory supported, and greater number of parallel CPUs
• Query Data Store: monitor and optimize query plans
• Native JSON: expanded support for JSON data
• Temporal Database Support: query data as points in time

Security
• Always Encrypted: sensitive data remains encrypted at all times with ability to query
• Row-Level Security: apply fine-grained access control to table rows
• Dynamic Data Masking: real-time obfuscation of data to prevent unauthorized access

Availability
• Enhanced AlwaysOn: round-robin load balancing of replicas
• Three synchronous replicas for automatic failover across domains
• Automatic failover based on database health
• DTC for transactional integrity across database instances with AlwaysOn
• Support for SSIS with AlwaysOn

Scalability
• Enhanced Database caching: cache data with automatic, multiple TempDB files per instance in multicore environments
Performance / Operational Analytics
Traditional Operational Analytics Architecture
(Diagram labels: BI Analysts, IIS Server)

Key Issues
• Complex implementation
• Requires two servers (Total Cost of Ownership)
• Data latency in analytics
• High demand; requires real-time analytics

Operational Analytics / Goal
Goal/Challenges
• Analytics queries are resource intensive and can cause blocking.
• Minimal impact on operational workload.
• Performance analytics for operational schema.

How?
• Column Store Indexes
• Available in disk-based and memory-optimized tables
• Updateable indexes
• No application changes
• Column store indexes maintained just like any other index
• Query optimizer will choose appropriate indexes.
Operational Analytics / Summary
(Diagram labels: BI Analysts, IIS Server)

Capability
• Ability to run analytics queries concurrently with operational workloads using the same schema.
• Data Warehouse queries can be run on In-Memory OLTP workload with no application changes.

Benefits
• Minimal impact on OLTP workloads.
• Best performance and scalability available.
• Offloading analytics workload to readable secondary.
Performance / In-Memory OLTP Enhancements
In-Memory OLTP Enhancements
• Alter Support: full schema change support; add/drop index support
• Surface Area Improvement: improved T-SQL coverage
• Improved Scaling: index size for durable tables.
• Other Improvements: MARS; lightweight migration reports

In-Memory OLTP Enhancements / Improved Scaling / Enhancements
• Multi-threads to persist memory-optimized tables.
• Multi-thread recovery.
• Merge operations.
• TDE Support.
• MARS Support.

In-Memory OLTP Enhancements / SSMS Improvements
• Lightweight Performance Analysis: Transaction Performance Analysis Overview report; generating migration checklists

In-Memory OLTP Enhancements / SSMS Improvements
Demo
Performance / Query Data Store
Problem with Query Performance
(Diagram labels: Website is down; Temporary perf issues; DB upgrade)
• Database is not working
• Impossible to predict / root cause analysis
• Regression caused by new bits

Fixing query plan choice regressions is difficult
• Query plan cache is not well-suited for performance troubleshooting.
• Long time to detect the issue (TTD): which query is slow? Why is it slow? What was the previous plan?
• Long time to mitigate (TTM): can I modify the query? How to use plan guide?

Solution: Query Data Store
• Dedicated store for query workload performance data
• Captures the history of plans for each query
• Captures the performance of each plan over time
• Persists the data to disk (works across restarts, upgrades, and recompiles)
• Significantly reduces TTD/TTM
• Find regressions and other issues in seconds.
• Allows you to force previous plans from history.
• DBA is now in control

Query Store Architecture
Write-Behavior
• Query Store captures data in-memory to minimize I/O overhead.
• Data is persisted to disk asynchronously in the background.
Read-Behavior
• View merged in-memory and on-disk content.
• Users always see ‘latest’ data.
(Diagram: Compile → query text and plan → Query and Plan Store; Execute → query exec. stats → Runtime stats store; both flushed asynchronously to Query Store internal tables and exposed through Query Store views)

Performance / Query Data Store
Demo
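The detect-then-mitigate loop the slides describe, as an added T-SQL example (not from the deck): enable Query Store, list queries that have acquired more than one plan with each plan's measured duration, and pin the known-good plan. The query_id/plan_id passed to the forcing procedure are placeholders to be taken from the preceding query.

```sql
-- Enable Query Store on the current database and bound how much it retains.
ALTER DATABASE CURRENT SET QUERY_STORE = ON;
ALTER DATABASE CURRENT SET QUERY_STORE (
    OPERATION_MODE = READ_WRITE,
    QUERY_CAPTURE_MODE = AUTO,                          -- skip trivial one-off queries
    MAX_STORAGE_SIZE_MB = 1024,
    INTERVAL_LENGTH_MINUTES = 60,                       -- runtime stats aggregation window
    DATA_FLUSH_INTERVAL_SECONDS = 900,                  -- async persistence to disk
    CLEANUP_POLICY = (STALE_QUERY_THRESHOLD_DAYS = 30)
);

-- TTD: which queries have more than one plan, and how do those plans compare?
-- avg_duration is stored in microseconds, hence the division.
SELECT q.query_id,
       p.plan_id,
       p.is_forced_plan,
       SUM(rs.count_executions)        AS executions,
       AVG(rs.avg_duration) / 1000.0   AS avg_duration_ms,
       MAX(rs.last_execution_time)     AS last_run,
       LEFT(qt.query_sql_text, 80)     AS query_text
FROM sys.query_store_query         AS q
JOIN sys.query_store_query_text    AS qt ON qt.query_text_id = q.query_text_id
JOIN sys.query_store_plan          AS p  ON p.query_id = q.query_id
JOIN sys.query_store_runtime_stats AS rs ON rs.plan_id = p.plan_id
WHERE q.query_id IN (SELECT query_id FROM sys.query_store_plan
                     GROUP BY query_id HAVING COUNT(*) > 1)
GROUP BY q.query_id, p.plan_id, p.is_forced_plan, qt.query_sql_text
ORDER BY q.query_id, avg_duration_ms;

-- TTM: force the plan that was fast before the regression. The ids below are
-- placeholders; forcing is persisted and survives restarts and recompiles.
EXEC sys.sp_query_store_force_plan @query_id = 1, @plan_id = 1;
-- Undo when the root cause is fixed:
-- EXEC sys.sp_query_store_unforce_plan @query_id = 1, @plan_id = 1;
```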
Live Query Statistics
• View CPU/memory usage, execution time, query progress, and more
• Enable rapid identification of potential bottlenecks for troubleshooting query performance issues.
• Allows drill down to live operator-level statistics.
Performance / Live Query Statistics
Demo
Performance / Native JavaScript Object Notation (JSON)
JSON and Microsoft
• Top feature requested on Microsoft Connect (1050 votes)
(Logos: Dynamics, Bing, OneDrive, Office, Yammer, TFS)

Use Cases for JSON
Generate web service content
• Generate JSON that will be returned to clients
Flexible database schema
• Make reasonable trade-off to database schema design
Analyze JSON documents
• Parse, query, and analyze JSON documents
Service Integration
• Exchange information with various services

JSON in SQL Server
• Easily transform table to JSON by using “FOR JSON PATH” in select.
• Built-in functions to interact with JSON (ISJSON, JSON_VALUE, JSON_MODIFY)
• Stores in NVARCHAR.
• Works with in-memory, row-level security, stretch, etc.
• Different from DocumentDB.
• Transform JSON with OPENJSON.
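The functions listed above exercised end to end, as an added example (not from the deck): a table variable rendered with FOR JSON PATH, an inbound document validated and read with ISJSON/JSON_VALUE, updated with JSON_MODIFY, and shredded with OPENJSON. The order data and document are constructed; JSON_QUERY is used for the array fragment even though the slide does not name it.

```sql
-- Table rows to JSON: FOR JSON PATH uses the column aliases as property names.
DECLARE @Orders TABLE (OrderId INT, Customer NVARCHAR(50), Total MONEY);
INSERT INTO @Orders VALUES (1, N'Contoso', 120.50), (2, N'Fabrikam', 80.00);

SELECT OrderId AS id, Customer AS customer, Total AS total
FROM @Orders
FOR JSON PATH;   -- one JSON array of objects, ready to hand to a web client

-- Dotted aliases produce nested objects in the output.
SELECT OrderId AS id, Customer AS [billing.name], Total AS [billing.total]
FROM @Orders
FOR JSON PATH;

-- Inbound JSON is plain NVARCHAR: validate it, then read scalars with JSON_VALUE.
DECLARE @doc NVARCHAR(MAX) = N'{"id":1,"customer":"Contoso",
    "items":[{"sku":"A1","qty":2},{"sku":"B7","qty":1}]}';

SELECT ISJSON(@doc)                     AS IsValidJson,
       JSON_VALUE(@doc, '$.customer')   AS Customer,      -- scalar
       JSON_QUERY(@doc, '$.items')      AS ItemsArray;    -- object/array fragment

-- JSON_MODIFY returns a new document; 'append' adds to an array.
SELECT JSON_MODIFY(@doc, '$.customer', N'Contoso Ltd')                             AS Renamed,
       JSON_MODIFY(@doc, 'append $.items', JSON_QUERY(N'{"sku":"C3","qty":4}')) AS WithNewItem;

-- OPENJSON shreds the array into a rowset with an explicit schema
-- (requires database compatibility level 130 or higher).
SELECT i.sku, i.qty
FROM OPENJSON(@doc, '$.items')
WITH (sku NVARCHAR(10) '$.sku',
      qty INT          '$.qty') AS i;
```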
JSON Summary
Capabilities
• Greatly enhances developer productivity.
Benefits
• Added native JSON support in the core database engine supports schema-free data. Tackle more diverse data types right in SQL Server.
• Support in DocumentDB.
Performance / Temporal Database Support
Why Temporal?
• Data changes over time
• Time travel
• Data audit
• Slowly changing dimensions
• Repair record-level corruptions
• Tracking and analyzing changes is often important

Temporal in DB
• Automatically track history of data changes
• Enables easy querying of historical data states
Advantages over workarounds
• Simplifies app development and maintenance
• Efficiently handles complex logic in DB engine

Temporal Table Details
• Uses system-versioning using two tables: current + history table.
• No change in programming model.
• New syntax introduced to query temporal data.
• Time is stored in UTC.
• Supports stretch database for history table.
• Supports in-memory for current + on-disk for history table.
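The current + history pair, the new FOR SYSTEM_TIME syntax and the UTC period columns, as an added example (not from the deck) covering the three use cases above: time travel, audit trail, and repairing a record-level corruption from history. Table and values are constructed.

```sql
-- System-versioned table: the engine fills the period columns (UTC) and moves
-- superseded versions into dbo.AccountsHistory on UPDATE/DELETE.
CREATE TABLE dbo.Accounts (
    AccountId INT PRIMARY KEY,
    Balance   MONEY NOT NULL,
    ValidFrom DATETIME2 GENERATED ALWAYS AS ROW START NOT NULL,
    ValidTo   DATETIME2 GENERATED ALWAYS AS ROW END   NOT NULL,
    PERIOD FOR SYSTEM_TIME (ValidFrom, ValidTo)
)
WITH (SYSTEM_VERSIONING = ON (HISTORY_TABLE = dbo.AccountsHistory));

INSERT INTO dbo.Accounts (AccountId, Balance) VALUES (1, 500);
DECLARE @before DATETIME2 = SYSUTCDATETIME();   -- period columns are UTC: compare in UTC
WAITFOR DELAY '00:00:01';
UPDATE dbo.Accounts SET Balance = 50 WHERE AccountId = 1;   -- old version goes to history

-- Time travel: the row as it was current at @before, read through the same table name.
SELECT AccountId, Balance, ValidFrom, ValidTo
FROM dbo.Accounts FOR SYSTEM_TIME AS OF @before;

-- Audit: every version of the row, current and historical, in order.
SELECT AccountId, Balance, ValidFrom, ValidTo
FROM dbo.Accounts FOR SYSTEM_TIME ALL
WHERE AccountId = 1
ORDER BY ValidFrom;

-- Repair: put back the most recent historical version without editing history.
UPDATE a
SET    a.Balance = h.Balance
FROM   dbo.Accounts        AS a
JOIN   dbo.AccountsHistory AS h ON h.AccountId = a.AccountId
WHERE  a.AccountId = 1
  AND  h.ValidTo = (SELECT MAX(ValidTo) FROM dbo.AccountsHistory WHERE AccountId = 1);
```

The repair itself is versioned too, so the audit trail shows the corruption and the fix.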
Security / Always Encrypted
Why Always Encrypted?
Prevent Data Disclosure
• Client-side encryption of sensitive data using keys that are never given to the database system
Queries on Encrypted Data
• Support for equality comparison, including join, group by, and distinct operators
Application Transparency
• Minimal application changes via server and client library enhancements
• Allows customers to securely store sensitive data outside of their trust boundary. Data remains protected from high-privileged, yet unauthorized users.

Always Encrypted / How it Works?
• Protects data at rest, in motion, on-prem and in the cloud
• Two methods supported:
  Randomized encryption: more secure
  Deterministic encryption: allows grouping, equality filtering, and joins; uses column collation with BIN2 sort order.

Key Provisioning
1. Generate CEKs and master key (Security Officer)
2. Encrypt CEK with the column master key (CMK)
3. Store master key securely (CMK store: certificate store, HSM, Azure Key Vault, …)
4. Upload encrypted CEK to DB
(Diagram: column encryption key (CEK) → encrypted CEK → database; the CMK stays in the CMK store)
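What steps 3 and 4 look like on the server side, plus the two encryption types, as an added T-SQL example (not from the deck). Key names, the table and the certificate-store path are assumptions; the certificate thumbprint and the ENCRYPTED_VALUE are placeholders, because both are produced on the client (SSMS or PowerShell) where the CMK lives.

```sql
-- Step 3: the column master key is only *described* to the server; the key itself
-- stays in the client-side store (here: Windows certificate store). Thumbprint is a placeholder.
CREATE COLUMN MASTER KEY CMK_Payroll
WITH (
    KEY_STORE_PROVIDER_NAME = N'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = N'CurrentUser/My/<certificate-thumbprint-placeholder>'
);

-- Steps 2 and 4: only the CEK wrapped under the CMK (RSA-OAEP) is uploaded.
-- 0x00 is a placeholder for the wrapped value the client tooling generates.
CREATE COLUMN ENCRYPTION KEY CEK_Payroll
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Payroll,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00
);

-- Deterministic: equality, JOIN, GROUP BY, DISTINCT work on ciphertext; string
-- columns need a BIN2 collation. Randomized: stronger, no server-side comparison.
CREATE TABLE dbo.Employees (
    EmployeeId INT IDENTITY PRIMARY KEY,
    SSN CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
                        COLUMN_ENCRYPTION_KEY = CEK_Payroll) NOT NULL,
    Salary MONEY
        ENCRYPTED WITH (ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256',
                        COLUMN_ENCRYPTION_KEY = CEK_Payroll) NOT NULL
);

-- Check: the server knows key metadata and which columns are encrypted, never plaintext keys.
SELECT c.name, c.encryption_type_desc, c.encryption_algorithm_name, k.name AS cek_name
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS k
     ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE c.object_id = OBJECT_ID('dbo.Employees');

-- A client connecting with Column Encryption Setting=Enabled issues this as a
-- parameterized query; its driver encrypts @ssn deterministically, so the equality
-- match happens on ciphertext and plaintext never reaches the server:
-- SELECT EmployeeId FROM dbo.Employees WHERE SSN = @ssn;
```

Ad-hoc queries from SSMS against these columns return ciphertext unless SSMS itself has access to the CMK, which is the point: a DBA with sysadmin but no CMK cannot read the data.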
Security / Row-Level Security
Row Level Security / Why do we need it?
• Protect data privacy by ensuring the right access across rows.
• Fine-grained access control over specific rows in a database table
• Help prevent unauthorized access when multiple users share the same tables, or to implement connection filtering in multitenant applications
• Administer via SQL Server Management Studio or SQL Server Data Tools
• Enforcement logic lives inside the database and is schema-bound to the table

Benefits of Row-Level Security (RLS)
Fine-Grained Access Control
• Keeping multitenant databases secure by limiting access by other users who share the same tables
Application Transparency
• RLS works transparently at query time, no app changes needed
• Compatible with RLS in other leading products
Centralized Security Logic
• Enforcement logic resides inside database and is schema-bound to the table it protects, providing greater security. Reduced application maintenance and complexity
• Store data intended for many consumers in a single database/table while at the same time restricting row-level read and write access based on users’ execution context.

Row Level Security / Concepts
• Create a Security Policy composed of a predicate function (iTVF) that implements the security logic, and a security predicate that binds it to a table
• SQL Server dynamically expands the query to include the security function and predicate, minimizing the rows being exposed.
• No application change or code change required.
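The two pieces named above put together, as an added example (not from the deck): a schema-bound inline table-valued predicate function, and a security policy that attaches it as a FILTER predicate for reads and a BLOCK predicate for writes. Table, users and row values are constructed.

```sql
-- Constructed sample: each sales rep owns the rows tagged with their user name.
CREATE TABLE dbo.Orders (
    OrderId  INT IDENTITY PRIMARY KEY,
    SalesRep SYSNAME NOT NULL,      -- database user that owns the row
    Amount   MONEY NOT NULL
);
INSERT INTO dbo.Orders (SalesRep, Amount)
VALUES ('Sales1', 100), ('Sales1', 250), ('Sales2', 75);

CREATE USER Sales1  WITHOUT LOGIN;
CREATE USER Sales2  WITHOUT LOGIN;
CREATE USER Manager WITHOUT LOGIN;
GRANT SELECT, INSERT ON dbo.Orders TO Sales1, Sales2, Manager;
GO
-- Keep the predicate function in its own schema that ordinary users cannot alter.
CREATE SCHEMA Security;
GO
-- Predicate function: an inline TVF, schema-bound so objects it depends on cannot be
-- changed underneath the policy. Returning a row means "access allowed".
CREATE FUNCTION Security.fn_OrderPredicate(@SalesRep AS SYSNAME)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @SalesRep = USER_NAME()      -- owner sees their own rows
              OR USER_NAME() = 'Manager';     -- manager sees every row
GO
-- Security policy: FILTER silently drops non-matching rows from SELECT/UPDATE/DELETE;
-- BLOCK rejects an INSERT whose new row the caller would not be allowed to see.
CREATE SECURITY POLICY Security.OrderPolicy
    ADD FILTER PREDICATE Security.fn_OrderPredicate(SalesRep) ON dbo.Orders,
    ADD BLOCK  PREDICATE Security.fn_OrderPredicate(SalesRep) ON dbo.Orders AFTER INSERT
    WITH (STATE = ON);
GO
-- Check: the query text is unchanged; the engine appends the predicate at run time.
EXECUTE AS USER = 'Sales1';
SELECT COUNT(*) AS VisibleRows FROM dbo.Orders;   -- only Sales1's rows are counted
REVERT;
EXECUTE AS USER = 'Manager';
SELECT COUNT(*) AS VisibleRows FROM dbo.Orders;   -- all rows
REVERT;
EXECUTE AS USER = 'Sales2';
INSERT INTO dbo.Orders (SalesRep, Amount) VALUES ('Sales1', 10);  -- rejected by BLOCK
REVERT;
```

The policy only protects dbo.Orders while it is ON and while callers cannot alter it, so ALTER ANY SECURITY POLICY and rights on the Security schema should stay with the security officer, not with application users.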
Row Level Security / Common Use Cases
Traditional RLS Workloads
• Custom business logic to determine which rows each user can SELECT, INSERT, UPDATE, and DELETE based on their role, department, and security level
• Target sectors: finance, insurance, healthcare, energy, and government
Multitenant Databases
• Ensuring tenants can only access their own rows of data in a shared database, with enforcement logic in the database rather than in the app tier
• For example: multitenant shards with elastic database tools in SQL Database
Reporting, Analytics, and Data Warehousing
• Different users access the same database through various reporting tools, and work with different subsets of data based on their identity/role
Security / Dynamic Data Masking
Dynamic Data Masking
• Prevent the abuse of sensitive data by hiding it from users
• Configuration made easy in the new Azure portal
• Policy-driven at the table and column level, for a defined set of users
• Data masking applied in real-time to query results based on policy
• Multiple masking functions available (e.g. full, partial) for various sensitive data categories (credit card numbers, SSN, etc.)
(Diagram: sample Table.CreditCardNo values such as 4465-6571-7868-5796 returned partially masked in SQL Database and SQL Server 2016: real-time data masking; partial masking)

Regulatory Compliance
• A strong demand for applications to meet privacy standards recommended by regulating authorities
Sensitive Data Protection
• Protects against unauthorized access to sensitive data in the application, and against exposure to developers or DBAs who need access to the production database
Agility and Transparency
• Data is masked on the fly, with underlying data in the database remaining intact. Transparent to the application and applied according to user privilege
• Limit access to sensitive data by defining policies to obfuscate specific database fields, without affecting the integrity of the database.

Data Masking / How It Works
• Limit sensitive data exposure by obfuscating it to non-privileged users
• On-the-fly obfuscation of data in query results
• Policy-driven on the table and column
• Multiple masking functions available for various sensitive data categories
• Flexibility to define a set of privileged logins for unmasked data access
• By default, database owner is unmasked
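The masking policy as T-SQL, an added example (not from the deck): the full, partial, e-mail and random masking functions on a constructed table, the UNMASK grant that defines the privileged set, and the catalog view to audit which columns are masked. Unlike Always Encrypted, the stored data is untouched; only result sets for non-privileged users are altered.

```sql
-- Constructed sample: masks are declared per column in the table definition.
CREATE TABLE dbo.Customers (
    CustomerId   INT IDENTITY PRIMARY KEY,
    FullName     NVARCHAR(100) MASKED WITH (FUNCTION = 'default()') NULL,   -- full mask
    Email        NVARCHAR(100) NULL,
    CreditCardNo VARCHAR(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NULL,
    CreditLimit  INT           MASKED WITH (FUNCTION = 'random(1000, 5000)') NULL
);
INSERT INTO dbo.Customers (FullName, Email, CreditCardNo, CreditLimit)
VALUES (N'Sample Person', N'sample@example.com', '4465-6571-7868-5796', 2500);

-- A mask can be added to an existing column later without rewriting the stored data.
ALTER TABLE dbo.Customers
    ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');

-- Non-privileged reader: the policy is applied to the query result, not to storage,
-- so the same SELECT returns masked values for this user and clear values for dbo.
CREATE USER ReportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO ReportReader;
EXECUTE AS USER = 'ReportReader';
SELECT FullName, Email, CreditCardNo, CreditLimit FROM dbo.Customers;   -- masked
REVERT;

-- The privileged set is an explicit, revocable grant; the database owner is unmasked by default.
GRANT UNMASK TO ReportReader;
-- REVOKE UNMASK FROM ReportReader;

-- Audit: which columns are masked and with which function.
SELECT OBJECT_NAME(c.object_id) AS TableName, c.name AS ColumnName, c.masking_function
FROM sys.masked_columns AS c
WHERE c.is_masked = 1;
```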
Availability / AlwaysOn Enhancements
Enhanced AlwaysOn Availability Groups
Unified HA solution
Great Scalability
• Load balancing readable secondaries.
• Increased number of automatic failover targets
• Log transport performance
Improved Manageability
• Partial DTC support
• Database-level health monitoring
• Group managed service accounts
• Domain-independent Availability Groups.
(Diagram: AG listener in front of the availability group; New York (primary) with synchronous data movement to New Jersey (secondary) and asynchronous data movement to Hong Kong (secondary))

Load Balancing in Readable Secondaries
(Diagram: primary site with Computer1 (primary), Computer2, Computer3 and Computer4; DR site with Computer5)
READ_ONLY_ROUTING_LIST = (('COMPUTER2', 'COMPUTER3', 'COMPUTER4'), 'COMPUTER5')
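The routing list from the slide in its full ALTER AVAILABILITY GROUP context, as an added example (not from the deck): the inner parentheses form a round-robin group across the primary-site secondaries, and COMPUTER5 at the DR site is used only when none of them is available. The AG name, domain suffix and port are assumptions.

```sql
-- Each secondary must accept read-intent connections and publish a routing URL;
-- repeat for COMPUTER3, COMPUTER4 and COMPUTER5 (hostnames/port are constructed).
ALTER AVAILABILITY GROUP [AG1]
    MODIFY REPLICA ON N'COMPUTER2' WITH (SECONDARY_ROLE (ALLOW_CONNECTIONS = READ_ONLY));
ALTER AVAILABILITY GROUP [AG1]
    MODIFY REPLICA ON N'COMPUTER2' WITH (SECONDARY_ROLE (
        READ_ONLY_ROUTING_URL = N'TCP://COMPUTER2.contoso.local:1433'));

-- On the primary role of COMPUTER1: nested list = load-balanced group, then fallback.
-- Read-intent connections rotate round-robin across COMPUTER2-4; COMPUTER5 (DR site)
-- receives them only when no member of the group is available.
ALTER AVAILABILITY GROUP [AG1]
    MODIFY REPLICA ON N'COMPUTER1' WITH (PRIMARY_ROLE (
        READ_ONLY_ROUTING_LIST = (('COMPUTER2', 'COMPUTER3', 'COMPUTER4'), 'COMPUTER5')
    ));

-- Check the routing order the server actually holds for each primary candidate.
SELECT ar_primary.replica_server_name AS primary_replica,
       rl.routing_priority,
       ar_target.replica_server_name  AS read_only_target,
       ar_target.read_only_routing_url
FROM sys.availability_read_only_routing_lists AS rl
JOIN sys.availability_replicas AS ar_primary ON ar_primary.replica_id = rl.replica_id
JOIN sys.availability_replicas AS ar_target  ON ar_target.replica_id  = rl.read_only_replica_id
ORDER BY primary_replica, rl.routing_priority;
```

Clients reach the secondaries by connecting to the AG listener with ApplicationIntent=ReadOnly and the database name in the connection string; without both, the connection is served by the primary.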
Deeper Insights Across Data
Access any data | Scale and manage | Powerful insights
• PolyBase: insights from data across SQL Server and Hadoop with the simplicity of T-SQL
• Enhanced SSIS: designer support for previous SSIS versions
• Enterprise-grade Analysis Services: enhanced performance and scalability for Analysis Services
• Single SSDT in Visual Studio 2015 (CTP3): build richer analytics solutions as part of your development projects in Visual Studio
• Enhanced MDS: Excel add-in 15x faster; more granular security roles; archival options for transaction logs; and reuse entities across models
• Mobile BI: business insights for your on-premises data through rich visualization on mobile devices with native apps for Windows, iOS, and Android
• Enhanced Reporting Services: new modern reports with rich visualizations
• Advanced analytics: R integration (CTP3), bringing predictive analytic capabilities to your relational database; expand your “R” script library with Microsoft Azure Marketplace

Hyperscale Cloud
Hybrid solutions
• Stretch Database: stretch operational tables in a secure manner into Azure for cost-effective historic data availability. Works with Always Encrypted and row-level security
• Power BI with on-premises data: new interactive query with Analysis Services. Customer data stays behind your firewall
• Enhanced backup to Azure: faster restore times and 50% reduction in storage. Supports larger DBs with block blobs and custom backup schedule with local staging
SQL SATURDAY | 507 | EDMONTON 2016
Simplicity
• Easy migration of on-premises SQL Server: simple point-and-click migration to Azure
• Suite of advisors for upgrading to SQL Server 2016: SQL Server 2016 Upgrade Advisor in the adoption of new SQL Server features
• Simplified Add Azure Replica Wizard: automatic listener configuration for AlwaysOn in Azure VMs
Consistency
• Common development, management, and identity tools, including Active Directory, Visual Studio, Hyper-V, and System Center
• Consistent experience from SQL Server on-premises to Microsoft Azure IaaS and PaaS

Q&A