Hello, my name is Tony Petrosian. I'm with the SQL team here at Microsoft, and today we're going to talk about Azure SQL Database. Azure SQL Database is our fully managed database as a service, which allows you to build great applications without spending a lot of time administering your OSes and instances. This is a fully managed service, so of course it's a perfect choice for SaaS and enterprise applications. The Azure SQL Database comes with great predictable performance. It has a 4.9 SLA built into the service. You have features like geo-replication and data protection services, restoring databases, geo-restores, so you have a disaster recovery solution. The service comes with a lot of security and compliance features. You can learn about Azure SQL Database visiting MSDN or Channel 9, but today we're going to talk about some of the aspects of SQL DB that help developers build more secure applications, so that you don't have to spend a lot of time building security in your app yourself.

First of all, let's start with the choice of languages. As a developer, you're welcome to choose any language you want to interact with Azure SQL Database. Of course, C# and VB, Java, C/C++, PHP, JavaScript, Python, Ruby, the whole spectrum of languages are available for you to connect to SQL. Of course, many of these languages are multi-platform, so if you're programming in Java, our JDBC drivers run on Windows and Mac as well as Linux, you can use our ODBC drivers on Linux and Windows, and of course, when you get to something like Ruby or Python, you can use open-source software like FreeTDS on Windows and Macs and Linux. You have a great choice of languages to pick from to build your application, and the security features that we're going to talk about are a great set of features that you can use for your application.

So let's dive into some of the features. So one of the features that we have recently introduced is called dynamic data masking.
Imagine when you go to a restaurant and you get your bill and you look at the bill and the credit card numbers are all X'd out or they're little stars. Well, that means somebody wrote an application, and that application at the print point replaced a bunch of the numbers for your credit card with the actual X's and stars. And this is something that you have to do in the application. Well, if you have to do this a lot in different applications and you have to do this for every application that you write, you have to make sure that all the code is right and everything. It becomes really cumbersome.

So what we've done is we've introduced data masking in the database, which basically allows you to do on-the-fly masking of your query results. And it's policy driven. So you define a policy once in the database, and that policy is then applied to all queries for the users that you have defined that need to be masked. And it's really flexible, and you can define the masking functions and you can delete masking functions. And this way you don't have to spend a lot of time in your application trying to figure out which data needs to be masked, which data is PII and so on.

So take a quick look. If you have lots of applications that interact with your database, you can usually have your security officer or someone who's really familiar with security and needs to know which fields need to be masked define a set of policies in the database that apply to the specific columns. So for example, again, it could be social security numbers, it could be phone numbers, it could be credit card numbers. Once you define the masking policies, from then on, whenever the database sees a query which includes the columns that need to be masked, the database automatically masks the result before returning it to the application.
And this way, you're assured that you never show clear text for things like credit card numbers or social security numbers in an application where the data doesn't need to be seen. And of course, you can have users which are excluded from the masking. So applications and new users who do need to see the data in real and instead of masking can also see the data. So this is dynamic data masking. It's in SQL Server 2016. It's also in Azure SQL Database. So you can use this feature for building great apps.

Another feature that we have introduced is called Always Encrypted. There are some pieces of data that you really don't ever need to see in clear text. So again, let's take a social security number. Whenever you hear about hackings that go on at retailers or insurance companies or government agencies, usually the hackers are interested in social security numbers and credit card numbers. And the interesting thing about a social security number and a credit card number is that you really never do calculations on it. I mean, it's not like you multiply or divide or add or subtract a social security number, it's just a string. And the string only needs to be seen by very few people.

So if you use Always Encrypted, you can encrypt social security numbers in the database. So the data in the database is always encrypted and it's never decrypted. And the database and the database administrator or anyone managing that infrastructure never sees the data. And if somebody hacks into the system, all they get is a bunch of encrypted gibberish. However, from an application perspective, you can query this encrypted data because the magic really happens in the client drivers. And the magic happens at the point where the data is visible. So again, for example, you go to the doctor's office and you check in and the nurse asks you for a security number so they can look up your record. At that point, the social security number is known to the nurse anyway. So that's not the real secret.
But once that number is typed in and it goes out to the database for querying, that's where the data doesn't need to be seen ever again.

So how does this really work? So we have built the capabilities in the SQL client drivers like ADO.NET. And what happens is this encryption is pretty transparent to the application. So your application really doesn't need to do anything. And let's say in your application you want to look for all the records or the records for the person whose social security number is 11122333. What happens in this case, the data as it passes through the SQL client driver is encrypted. So the predicate and the social security number in this case, in this query, gets encrypted by the time it gets to the database. So the database is then capable of searching for the record using the encrypted text against what is stored in the database, which is also encrypted text. And once the record is discovered and the result is returned to the application. As the data is returned, the client drivers again decrypt the data. So by the time that the result is seen in the application, the data is decrypted.

And as you can see, this magic happens in the ADO.NET client or the ODBC driver or the JDBC driver is provided by Microsoft. And the client drivers have access to the certificates and the keys necessary to encrypt and decrypt the data, but the database doesn't. So this allows you to build applications that are secure as well as ensuring the data stored in the database is secure. And since the DBAs and anyone managing your infrastructure and the databases, whether it's in the cloud or on-prem or in SQL DB, people who have access to that don't get to see the data decrypted, which is a great security for you and your application.

Anyway, so let's take a look at a demo of this and see how this stuff works. Okay, so here we are in the Azure portal and I'm just gonna do a quick demo of creating a database.
I'm just gonna click on plus, Azure SQL Database is in the data and storage section and pop that and SQL database shows up. To create a SQL database, I simply have to give it a name and configure a server. I have a bunch of servers already configured, so I'm just gonna pick one of my existing servers for simplicity. I'm gonna select that. Then you get to decide whether you want a blank database or a sample database or if you want to restore a database from backup. I'm gonna just go with the blank database. And then for a pricing tier, which is the size of the database, how much resources your database gets, we have a variety of sizes, anywhere from a $5 a month database to a $2,000 a month database or $7,000 a month database, there's a lot of variety. I'm gonna pick the $5 database for the purpose of our demo. I'm gonna leave the collation and the resource group and the subscription as the default and that's it, just hit Create and this will go create a database. So you get a notification when the database create is finished, and it takes a couple of minutes for the database to create.

So while that database is getting created, I'm gonna go in there and take a quick look at one of the databases that I already have. So this is my customer database. It's a premium P1 database and it's got lots of interesting features here. So one of the features is, if you want a database application that's really resilient and you want to replicate your data out of the data center just for safety, you can go use our geo-replication feature. In this case, I'm going to go and geo-replicate this database, which happens to be in West US, to an East US data center. This way if something happens in West US, I have a copy of my database in East US. So I just click on Create. Again, I'm gonna take all of the defaults, and I already have a server which is appropriate in the East US. I'm gonna select and type create. And that's all it takes to geo-replicate a database.
The geo-replication is an asynchronous replication so it doesn't really interfere with your writes. And as you can see here in this panel, the database is being seeded once the geo-replication, the initial seeding of the database finishes is in the initial copy of the database. Then from then on, the line goes solid and that basically replicates any changes that you make in your database are immediately replicated from West US to East US. You can geo-replicate a database to any location that you want as part of our active geo-replication features, which are in premium databases. Or you can replicate to Azure data centers which are kind of paired, like East US to West US and North to South or Europe North and Europe West. So that's a little bit about our geo-replication feature.

And I'd also like to go and show you a little bit about the data masking feature which we talked about earlier. So I'm gonna pick a database here, so database number 10. Right here in the panel, you will see dynamic data masking. The dynamic data masking feature is kind of clever. It kind of finds out a few things. Says, hey, maybe these fields should be masked because they look like PII data. It's personally identifiable information like first name and last name. So you can do that and pick the last name and maybe the email address. And what you see here is that the system suggests a default masking function for that type of a column. So in this case, the email uses an email masking function and last name uses a masking function which replaces most of the name with Xs.

I also wanna go and manually add a masking function for a phone number because I want a very specific masking function. So I can go pick the customers table and pick a column like contact number and I'm gonna define a mask using a custom masking function. And so this is a phone number.
So I'm gonna show the three first characters as plain characters and then followed by a dash and I want four Xs, three Xs, followed by a dash, followed by two Xs and then I wanna show the last two digits of the number. So that's the masking function that I choose for that particular column, which happens to be a phone number. I just click save, and so these are the fields that I've chosen to mask, and I'm just gonna hit save again and the system will save the masking function and apply it to the database, and here we are and it's done and I click okay.

Now to actually see this in action, I'm gonna go to SQL Management Studio, which is our favorite SQL Management Studio. You can see the query that was executed before, and I'm gonna execute this query again. And here I'm executing the query as a system administrator. So the system administrator was exempt from masking because that's what we chose. You can choose different users to be exempt from masking. Now I'm gonna go run the same query as a user, and as you can see the last name is replaced by a bunch of Xs. The email address is masked and the phone number is masked except the area code and the last two digits, as we had defined in the masking function. So as you can see, it's really easy to build nice security features in your application so that you don't have to write the code yourself, by using the database features to enforce the policies for your security. So that's our demo.

All right, well, thank you for watching this session. For more information, please visit Channel 9 or the Microsoft Virtual Academy or MSDN pages or Visual Studio pages. There's a lot of information out there about SQL DB. You can go to your favorite search engine and just search for Azure SQL Database and you'll get plenty of information. And thank you very much.
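
The masking policy configured in the portal demo can also be expressed in T-SQL. The following is an added example, not part of the talk or of any Microsoft sample: the table `dbo.Customers`, its columns, the user `AppReader` and the sample row are all constructed for illustration, and `default()` is assumed for the last-name mask.

```sql
-- Constructed demo table: masks are declared per column, once, in the database.
CREATE TABLE dbo.Customers (
    CustomerId    int IDENTITY PRIMARY KEY,
    FirstName     nvarchar(50)  NOT NULL,
    -- Assumed mask for the last name: default() replaces the string with x's.
    LastName      nvarchar(50)  MASKED WITH (FUNCTION = 'default()') NOT NULL,
    -- Built-in email mask: keeps the first letter, masks the rest.
    Email         nvarchar(100) MASKED WITH (FUNCTION = 'email()') NULL,
    ContactNumber varchar(12)   NULL
);

-- Custom mask as described in the demo: show the first 3 characters,
-- then "-XXX-XX", then the last 2 characters.
ALTER TABLE dbo.Customers
    ALTER COLUMN ContactNumber
    ADD MASKED WITH (FUNCTION = 'partial(3,"-XXX-XX",2)');

-- Constructed sample row.
INSERT INTO dbo.Customers (FirstName, LastName, Email, ContactNumber)
VALUES (N'Ana', N'Example', N'ana@example.com', '425-555-0142');

-- Hypothetical low-privilege user standing in for the application login.
CREATE USER AppReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO AppReader;

-- Privileged caller (db_owner / administrator): sees clear text.
SELECT LastName, Email, ContactNumber FROM dbo.Customers;

-- Same query as the ordinary user: the three masked columns come back masked.
EXECUTE AS USER = 'AppReader';
SELECT LastName, Email, ContactNumber FROM dbo.Customers;
REVERT;

-- Exempt a specific principal from masking only when it needs clear text.
GRANT UNMASK TO AppReader;

-- Audit which columns carry a mask and which function each one uses.
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns;
```

Masking applies to query results only; the stored values are unchanged, so `UNMASK` grants and the `sys.masked_columns` inventory are the two things to review when checking who can read the columns in clear text.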