Azure SQL Database: Not just a cloud version of SQL Server. SQL Saturday 674, 23-Sep-2017, 2:15-3:15, Room Washington. Speaker: Bill Wilder, CTO, Finomial Corporation. Duration: 60 minutes. Track: Cloud Application Development & Deployment. Abstract: SQL Server originally shipped in 1989. A full 20 years later, in 2009, Microsoft announced SQL Azure, currently known as Azure SQL Database. What is it? Is Azure SQL Database a hosted version of SQL Server? A subset? A superset? Actually, none of those simple explanations really capture it. Come join cloud computing veteran Bill Wilder to dig into the topic and go over the key differences between them, understand your cloud options, with a focus on how you would put Azure SQL Database to work today, including deploying, managing, securing, scaling, and DR enabling. By the end of this session you should have a feel for how your SQL Server skills transfer to Azure SQL Database, which aspects of management & control Microsoft takes on, and how to use the toolbox of goodies for encryption, threat detection, DR, and global scale. Unless otherwise noted, slide deck contents copyright (c) 2017, Bill Wilder, @codingoutloud
The Plan Azure? High Level Comparison to SQL Server Most Important Slide about the differences Drill into random interesting capabilities Securing Some demos (mixed in) Won’t cover everything (not even remotely close) @codingoutloud
Global Enterprise Cloud Platform https://azure.microsoft.com/en-us/regions/ 42 Azure regions, more than any cloud provider https://azure.microsoft.com/en-us/ 42 Azure regions
Preview Version 1.7 (2017-04-20) http://azureplatform.azurewebsites.net/ * Preview Services
Azure SQL is SQL Server Except… Common SQL Server Azure SQL DB “Just change the connection string…” http://www.sqlsaturday.com/71/Sessions/Details.aspx?oldsessionid=3792 Innovation Additional information on Differences: https://azure.microsoft.com/en-us/documentation/articles/sql-database-transact-sql-information/
What’s the Same Team Core Code Base Transact-SQL Most of the features Yes, full support https://feedback.azure.com/ Most of the features Mature @codingoutloud
What’s Missing (or is it?) Category 1: Takes a Different Approach Example: SQL Agent Category 2: On the way Network Support But in the works… Category 3: No plan (?) https://feedback.azure.com/ @codingoutloud
CORE Intentional Differences (Most Important Slide). Azure SQL Database vs. SQL Server: control plane matters vs. installed/physical security; storage ecosystem vs. "the database"; limited vertical scale (4 TB max), can do horizontal vs. unlimited* (*available hardware; biggest VM?); license (pay) by hour vs. box license (or VM); manageability over control vs. control over manageability. https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-linux-sizes/ Standard_G5 = 32 cores + 448 GiB RAM + VMs support up to 16 TB of disk @codingoutloud
DEMO: Create a Database; Azure Portal; Plans; Monitoring; AAD authentication; Firewall; DTU Pools
“Bring Your Own” ____ as a Service BYO Users BYO Applications BYO Virtual Machines SaaS PaaS IaaS
Manageability Server Management so easy - not available! You control schema, indexes, users, etc. as usual PaaS model 99.95% uptime SLA (one instance) Geo-DR/FO/BC (Active/Passive) Geo-Replication (Active/Active RO) Backups, PiTR @codingoutloud
Data Platform Ecosystem “feel free to scale horizontally” – or heterogeneously (polyglot) Data Lakes Pooled SQL Instances Data Warehouse Blob Storage – files, unstructured CosmosDB – NoSQL (graph, k/v, document) First party: PostgreSQL, MySQL; Third party: Mongo (Oracle) Tools: Hadoop Connector, Data Factory, Stretch, more @codingoutloud
Azure Data & Storage Services https://azure.microsoft.com/en-us/services/# @codingoutloud
Performance DMV Views DTU eDTU @codingoutloud
SQL Azure DMV views: https://azure.microsoft.com/en-us/documentation/articles/sql-database-monitoring-with-dmvs/ @codingoutloud
Data Throughput Unit http://dtucalculator.azurewebsites.net/ Show: DTU definition https://azure.microsoft.com/en-us/documentation/articles/sql-database-service-tiers/#understanding-dtus @codingoutloud
Pricing SQL Pools Geo Repl @codingoutloud
Pricing in Tiers and Pools Show: Pricing options https://azure.microsoft.com/en-us/pricing/ https://azure.microsoft.com/en-us/documentation/articles/sql-database-service-tiers/ @codingoutloud
Harrenhal: Threats Change Over Time. "The largest and greatest fortress ever built in Westeros... Harren thought the walls of his massive castle could withstand any assault, but he did not realize that dragons could simply fly over them." http://gameofthrones.wikia.com/wiki/Harrenhal (image: http://gameofthrones.wikia.com/wiki/Harrenhal?file=Harrenhal.jpg) Threat models CHANGE over time! The architecture of Harrenhal did not anticipate a world where it would need to defend against airborne attack from fire-breathing dragons. The architecture of most legacy enterprise infrastructure did not anticipate a world where there is no longer a security perimeter. Architecture is fundamental. Hard to change. @codingoutloud
Mark Russinovich, Microsoft Azure CTO “[Cloud security] is a shared responsibility between the customer and the cloud vendor.” Mark Russinovich, Microsoft Azure CTO Securing SQL Azure Cloud Spaces; Dropbox; Top Azure Risks; Shadow IT; Cloud Outages @codingoutloud https://www.rsaconference.com/writable/presentations/file_upload/exp-w01_assume-breach-an-inside-look-at-cloud-service-provider-security.pdf
A Cautionary Tale: Code Spaces. DDoS; ransom demand; security breach noticed; fighting back; malicious destruction of assets; security & business #fail. ELAPSED TIME: 12 HOURS. "Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced." http://arstechnica.com/security/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/ https://aws.amazon.com/iam/details/mfa/ Data plane (data access) vs. management/control plane (Portal, APIs, PowerShell); Azure Backup Vault; RBAC permissions; open a support ticket. Can I restore a deleted Azure SQL Database? "If the database is deleted but the logical server has not been deleted, you can restore the deleted database to the point at which it was deleted." https://docs.microsoft.com/en-us/azure/sql-database/sql-database-business-continuity @codingoutloud
Top Azure Risks Leading to Tenant Breach (slide from Mark Russinovich's talk at RSA 2015). Risk -> Mitigation:
- Internet-exposed RDP or SSH endpoints -> Network ACLs or host-based firewall; strong passwords; VPN or SSH tunnels
- Virtual machine missing security patches -> Keep automatic updates enabled
- Web application vulnerability -> Securing Azure web applications; vulnerability scan/penetration test
- Weak admin/co-admin credentials -> Azure Multi-Factor Authentication; subscription management certificate
- Unrestricted SQL endpoint -> Azure SQL Firewall
- Storage key disclosure -> Manage access to storage resources
- Insufficient security monitoring -> Azure Security and Log Management
Cloud is not magic - but it can help A LOT: iCloud, Dropbox, encryption, MFA, ... ShellShock help. https://www.rsaconference.com/writable/presentations/file_upload/exp-w01_assume-breach-an-inside-look-at-cloud-service-provider-security.pdf
SSO for Microsoft Cloud Services Use same AAD where makes sense across Azure Office 365 Visual Studio Team Services Windows 10 (Intune) Azure SQL Database (including 2FA) @codingoutloud
Logging In with AAD Credentials AAD / Office 365 2FA Universal Authentication DEMO
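The AAD login demo above is shown from the client side (SSMS, 2FA prompt). On the server side, the database has to know about the AAD principal first. The following T-SQL is an added example, not from the deck: it creates contained database users backed by an AAD group and an AAD user, grants them a least-privilege fixed role, and verifies them through sys.database_principals. It assumes you are connected to the user database as the logical server's AAD admin; the group name "Finance Readers" and the UPN alice@contoso.example are placeholders.

```sql
-- Added example (not from the deck): provisioning Azure AD (AAD) principals
-- in an Azure SQL Database and verifying them. Run in the user database,
-- connected as the logical server's AAD admin. Principal names below are
-- placeholders; substitute principals from your own directory.

-- Contained user mapped to an AAD *group*: membership is managed in AAD,
-- so access is granted and revoked by group changes, not per-login edits.
CREATE USER [Finance Readers] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [Finance Readers];

-- Contained user mapped to an individual AAD account (UPN form).
CREATE USER [alice@contoso.example] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [alice@contoso.example];

-- Verify: AAD-backed principals report authentication_type_desc = 'EXTERNAL'.
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE authentication_type_desc = 'EXTERNAL';

-- Which fixed roles does each external principal hold? Useful for periodic
-- access reviews: anything beyond db_datareader here deserves a look.
SELECT m.name AS principal_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.authentication_type_desc = 'EXTERNAL';

-- Offboarding an individual: drop the database user. For group-mapped
-- access, remove the person from the AAD group instead; nothing changes here.
DROP USER [alice@contoso.example];
```

Note that no password is stored in the database for either principal; MFA (the "2FA" in the slide) is enforced by AAD at sign-in, which is why mapping a group rather than individual users keeps the database-side footprint small and the revocation path in one place.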
Manage Control Plane Access: RBAC. Classic Portal artifact: Co-Admin. RBAC only available on portal.azure.com. Activity Log in portal. Resources: https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in-roles/ https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/ Manage MEMBERSHIP within AAD http://dev-esign2.azurewebsites.net/ Demo: Add a Reader to Azure SQL DB Server @codingoutloud
1. Portal 2. PowerShell 3. SDKs (C#) Managing the Control Plane https://blogs.msdn.microsoft.com/sqlsecurity/2015/05/12/recommendations-for-using-cell-level-encryption-in-azure-sql-database/ @codingoutloud
Logical constructs Physical ($) Azure Account contains… Azure Subscription contains… Azure Resource Group contains… SQL Database Server contains… Anchored in single region SQL Database Physical construct nesting Logical constructs Physical ($) http://legomenon.com/russian-matryoshka-nesting-dolls-meaning.html @codingoutloud
DEMO: PowerShell & CLI; Create Resources - show up in portal; Auth & 2FA outside portal; Auto-login with "portal command shell"
1. Always Encrypted 2. TDE, CLE 3. Data Masking 4. Auditing Protecting Your SQL Database https://blogs.msdn.microsoft.com/sqlsecurity/2015/05/12/recommendations-for-using-cell-level-encryption-in-azure-sql-database/ @codingoutloud
Data Masking Dynamic Data Masking: https://azure.microsoft.com/en-us/documentation/articles/sql-database-dynamic-data-masking-get-started/ Server-side @codingoutloud
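To make the "server-side" point concrete, here is an added T-SQL example (not from the deck) of Dynamic Data Masking: masks declared at column level on a constructed table, a mask added to an existing column, a low-privilege user observing the masked output, and a metadata query to inventory masked columns. Table dbo.Customers, user SupportReader and all row values are constructed for this example.

```sql
-- Added example (not from the deck): Dynamic Data Masking on a constructed
-- table, exercised from a low-privilege user, plus an inventory query.
CREATE TABLE dbo.Customers
(
    CustomerId  int IDENTITY(1,1) PRIMARY KEY,
    FullName    nvarchar(100) NOT NULL,
    -- email(): keeps first letter, masks the rest, keeps a generic ".com" suffix
    Email       nvarchar(256) MASKED WITH (FUNCTION = 'email()') NULL,
    -- partial(prefix, padding, suffix): expose only the last 4 digits
    Phone       varchar(20)   MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)') NULL,
    -- random(): numeric columns get a random value in the range instead of the real one
    CreditLimit money         MASKED WITH (FUNCTION = 'random(1000, 9999)') NULL
);

-- Constructed sample rows (not real people).
INSERT INTO dbo.Customers (FullName, Email, Phone, CreditLimit) VALUES
  (N'Ada Example', N'ada@example.com', '617-555-0100', 15000),
  (N'Bob Sample',  N'bob@example.net', '617-555-0199', 2500);

-- A mask can be added to a column that already exists without retyping it.
ALTER TABLE dbo.Customers
    ALTER COLUMN FullName ADD MASKED WITH (FUNCTION = 'default()');

-- A support-desk user with SELECT but without UNMASK sees masked values.
CREATE USER SupportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO SupportReader;

EXECUTE AS USER = 'SupportReader';
SELECT CustomerId, FullName, Email, Phone, CreditLimit FROM dbo.Customers;
REVERT;

-- Inventory: which columns are masked, and with which function.
SELECT OBJECT_SCHEMA_NAME(mc.object_id) AS schema_name,
       OBJECT_NAME(mc.object_id)        AS table_name,
       mc.name                          AS column_name,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- Grant UNMASK only to principals that genuinely need cleartext, and
-- revoke it when the need ends (both statements left commented here).
-- GRANT UNMASK TO SupportReader;
-- REVOKE UNMASK FROM SupportReader;
```

Masking is applied when results are returned, not when data is stored, so it complements rather than replaces encryption and least privilege: a principal holding SELECT still runs predicates against the real values. Treat it as a presentation control for support and reporting roles, and keep UNMASK grants as rare and reviewed as db_owner membership.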
SQL DB Data Encryption. Demo: Transparent Data Encryption (server-side). Always Encrypted (client-side): https://azure.microsoft.com/en-us/updates/public-preview-always-encrypted-for-azure-sql-database/ @codingoutloud
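The slide contrasts the two encryption models: TDE (server-side, at rest, keys held by the service) and Always Encrypted (client-side, keys never reach the server). The T-SQL below is an added example, not from the deck, covering the server-side half: it enables TDE on a database, checks encryption state from inside the database, and lists unencrypted databases from master. It also registers an Always Encrypted column master key that lives in Azure Key Vault and shows how to find columns encrypted with it; generating the column encryption key itself is done by client tooling (SSMS or PowerShell) because the server must never see it, so that step is not shown. [MyAppDb] and the Key Vault URL are placeholders.

```sql
-- Added example (not from the deck). [MyAppDb] is a placeholder database name.

-- 1. Transparent Data Encryption: server-side encryption of data, log and
--    backups at rest. New Azure SQL databases have it on by default; the
--    statement is explicit for databases created before that default.
ALTER DATABASE [MyAppDb] SET ENCRYPTION ON;

-- Run inside [MyAppDb]. encryption_state: 2 = encryption in progress,
-- 3 = encrypted. percent_complete shows progress for large databases.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length,
       encryptor_type
FROM sys.dm_database_encryption_keys;

-- Run in master: databases on this logical server that are NOT encrypted.
SELECT name, is_encrypted
FROM sys.databases
WHERE is_encrypted = 0 AND name <> 'master';

-- 2. Always Encrypted: the server only stores metadata pointing at a key in
--    Azure Key Vault; plaintext and keys stay with the client driver.
--    The KEY_PATH below is a placeholder for your own vault key URL.
CREATE COLUMN MASTER KEY [CMK_KeyVault]
WITH (KEY_STORE_PROVIDER_NAME = 'AZURE_KEY_VAULT',
      KEY_PATH = 'https://PLACEHOLDER-vault.vault.azure.net/keys/cmk/PLACEHOLDER-version');

-- Inventory: which columns are Always Encrypted, with which algorithm and
-- type (DETERMINISTIC allows equality lookups; RANDOMIZED allows none).
SELECT OBJECT_SCHEMA_NAME(c.object_id) AS schema_name,
       OBJECT_NAME(c.object_id)        AS table_name,
       c.name                          AS column_name,
       c.encryption_type_desc,
       c.encryption_algorithm_name,
       cek.name                        AS column_encryption_key
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = c.column_encryption_key_id
WHERE c.encryption_type IS NOT NULL;
```

The two inventory queries are the checks worth scheduling: the sys.databases query catches a database restored or copied without TDE, and the sys.columns query tells you which sensitive columns are protected even from a compromised server-side administrator, which TDE alone does not do.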
Disaster Recovery and Business Continuity: Geo-Replication; PITR; Backups (long-term); RTO, RPO with geo-replicas. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-business-continuity @codingoutloud
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-business-continuity @codingoutloud
PITR @codingoutloud
Azure SQL DB Long-Term Backups: up to 10 years; TDE okay; geo-replicating DB okay. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-long-term-retention @codingoutloud
Networking & Perimeter Security @codingoutloud
Firewalls & VNETS Database Level: sp_set_firewall_rule VNET lockdown (defense in depth) @codingoutloud
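As an added example (not from the deck), the T-SQL below shows both firewall levels the slide names: a server-level rule set in master with sp_set_firewall_rule, a database-level rule set with sp_set_database_firewall_rule, a review query that flags the over-broad server rules a defender should look for, and cleanup. The IP ranges are constructed from the 203.0.113.0/24 documentation block and the rule names are placeholders. VNET rules (the "VNET lockdown" item) are managed from the control plane (portal, PowerShell, CLI), not through T-SQL, so they are not shown here.

```sql
-- Added example (not from the deck): server- and database-level firewall
-- rules for an Azure SQL Database, plus a review query for over-broad rules.
-- Addresses below are constructed from the 203.0.113.0/24 documentation range.

-- Server-level rule: run in master. Applies to every database on the logical
-- server, so keep it to a single known egress address where possible.
EXEC sp_set_firewall_rule
    @name             = N'OfficeEgress',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';

-- Database-level rule: run in the target database. Narrower scope, and it
-- travels with the database (geo-replicas, copies), so prefer it for app access.
EXEC sp_set_database_firewall_rule
    @name             = N'AppSubnet',
    @start_ip_address = '203.0.113.32',
    @end_ip_address   = '203.0.113.47';

-- Review (run in master): assess every server-level rule. The 0.0.0.0 rule is
-- what the portal's "Allow access to Azure services" toggle creates; it admits
-- traffic from any Azure tenant, not just yours, so it deserves a second look.
SELECT name, start_ip_address, end_ip_address,
       CASE
         WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0'
              THEN 'allows all Azure services (any tenant) - review'
         WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '255.255.255.255'
              THEN 'allows the whole Internet - remove'
         ELSE 'scoped'
       END AS assessment
FROM sys.firewall_rules;

-- Review (run in the user database): database-level rules.
SELECT name, start_ip_address, end_ip_address
FROM sys.database_firewall_rules;

-- Remove rules once they are no longer needed.
EXEC sp_delete_firewall_rule          @name = N'OfficeEgress';
EXEC sp_delete_database_firewall_rule @name = N'AppSubnet';
```

A connection must pass a server-level or database-level rule; database-level rules are evaluated first. The review query is the one to run periodically: firewall rules added during a troubleshooting session tend to outlive the session, and the "Unrestricted SQL Endpoint" line in the tenant-breach table earlier in the deck is exactly that failure mode.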
Privacy & Compliance: Compliance (wow!); Court Battle; Avoiding Future Court Battle @codingoutloud
Compliance & Privacy. Security vs. Compliance. Microsoft, Azure, Azure Government strong compliance story https://www.microsoft.com/en-us/TrustCenter/Compliance/ Dublin Email: Microsoft (+10 amicus briefs) fighting a US Gov't SCA extra-territorial subpoena for customer email data in Dublin (since 2013). Data Trustee Model: "German data trustee, Deutsche Telekom, will control and oversee all access to customer data" for Microsoft. Encryption *between* data centers since Snowden. FBI vs. Apple (San Bernardino) http://blogs.microsoft.com/on-the-issues/2016/03/03/our-legal-brief-in-support-of-apple/ http://www.csmonitor.com/World/Passcode/2014/1216/How-Microsoft-s-battle-with-the-Justice-Department-could-reshape-privacy-laws-video, http://business.financialpost.com/fp-tech-desk/as-microsoft-takes-on-the-feds-in-privacy-fight-apple-and-amazon-watch-nervously, http://www.theguardian.com/technology/2014/dec/14/privacy-is-not-dead-microsoft-lawyer-brad-smith-us-government, http://www.irishtimes.com/business/microsoft-warns-of-risks-to-irish-operation-in-us-search-warrant-case-1.2548718 By Brad Smith: http://www.wsj.com/articles/brad-smith-were-fighting-the-feds-over-your-email-1406674616 https://news.microsoft.com/europe/2015/11/11/45283/ @codingoutloud
Scope and Depth (and Partners) Azure Security Center is a Service – “Azure Security Center, now in private preview, works with companies like Barracuda, Checkpoint, Cisco Systems Inc., CloudFlare, F5 Networks, Fortinet, Imperva, Incapsula, and Trend Micro Inc. to offer advanced, analytics-driven threat detection that helps you protect, detect and respond to security threats in real-time.” Alert: “VM X and DB Y are not secure” Alert: “Asset Z has been compromised” Services are UPDATED ALL THE TIME w/o you having to do anything @codingoutloud http://blogs.microsoft.com/blog/2015/11/17/enterprise-security-for-our-mobile-first-cloud-first-world/
Where’s My Azure? Retail EA BizSpark, DreamSpark MSDN Account Free Trial http://aka.ms/iaas @codingoutloud
Find this slide deck here. Questions? See you at Boston Azure: bostonazure.org. Bill Wilder @codingoutloud codingoutloud@gmail.com blog.codingoutloud.com linkedin.com/in/billwilder