Evaluate the security aspects of the possible database offering
This section outlines the basics of securing the data tier of an application with Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. The security strategy described follows the layered defense-in-depth approach shown in the picture below and moves from the outside in: network security, access management, threat protection, information protection and encryption, and security management.

Network security
Microsoft Azure SQL Database, SQL Managed Instance, and Azure Synapse Analytics provide a relational database service for cloud and enterprise applications. To help protect customer data, the server firewall blocks network access until it is explicitly granted, either by the originating IP address of the request or by the Azure virtual network the traffic comes from.
IP firewall rules
IP firewall rules grant access to databases based on the originating IP address of each request. Server-level rules are stored in the master database and apply to every database on the logical server; database-level rules apply to one database only and are evaluated first, so they are the tighter choice when a single database needs an exception.
Virtual network firewall rules
Virtual network service endpoints extend your virtual network connectivity over the Azure backbone and enable Azure SQL Database to identify the virtual network subnet that traffic originates from. A virtual network rule then grants access to that subnet without opening any public IP range. To allow traffic to reach Azure SQL Database, use the Sql service tag to allow outbound traffic through Network Security Groups.
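The following T-SQL is an added example, not part of the original page, showing how the IP firewall rules described above are created and reviewed from inside the server. The rule names and the addresses (RFC 5737 documentation range 203.0.113.0/24) are constructed. Virtual network rules are not manageable from T-SQL; they are created through the Azure portal, ARM, or the CLI (for example `az sql server vnet-rule create`).

```sql
-- Added example: server- and database-level IP firewall rules from T-SQL.
-- Server-level statements run in the master database of the logical server;
-- database-level statements run in the target user database.

-- Server-level rule: a single office VPN egress address, applies to every database.
EXECUTE sp_set_firewall_rule
    @name             = N'office-vpn-egress',   -- constructed name
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';

-- Database-level rule: only this database, only the application's NAT address.
-- Database rules are evaluated before server rules, so prefer them when one
-- database needs the exception.
EXECUTE sp_set_database_firewall_rule
    @name             = N'app-nat-egress',      -- constructed name
    @start_ip_address = '203.0.113.20',
    @end_ip_address   = '203.0.113.20';

-- Weak setting to look for (run in master): the 0.0.0.0-0.0.0.0 rule is the portal's
-- "Allow Azure services and resources to access this server" switch. It admits
-- traffic from any Azure tenant's resources, not only yours.
SELECT name, start_ip_address, end_ip_address, create_date, modify_date
FROM   sys.firewall_rules
WHERE  start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0';

-- Remove it once specific addresses or virtual network rules are in place.
-- AllowAllWindowsAzureIps is the name the portal gives that rule.
EXECUTE sp_delete_firewall_rule @name = N'AllowAllWindowsAzureIps';

-- Review what remains at the server level (in master). Ranges whose start and
-- end differ in the first octets are the ones to question.
SELECT name, start_ip_address, end_ip_address FROM sys.firewall_rules
ORDER BY name;

-- Review the per-database rules (in the user database).
SELECT name, start_ip_address, end_ip_address FROM sys.database_firewall_rules
ORDER BY name;
```

Scheduling the two review queries as part of a periodic check catches rules added "temporarily" for troubleshooting and never removed.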
Access management
Authentication
Authentication is the process of proving that a user is who they claim to be. Azure SQL Database and SQL Managed Instance support two types of authentication:
SQL authentication:
SQL authentication refers to authenticating a user who connects to Azure SQL Database or Azure SQL Managed Instance with a username and password. A server admin login with a username and password must be specified when the server is created. That login has full administrative rights over every database on the server, so it should be reserved for administration and never handed to applications.
Azure Active Directory authentication:
Azure AD authentication refers to connecting to Azure SQL Database, Azure SQL Managed Instance and Azure Synapse Analytics by using identities in Azure Active Directory (Azure AD). It allows administrators to manage the identities and permissions of database users centrally, alongside other Azure services, and brings Azure AD controls such as multi-factor authentication and conditional access to database logins. An Azure AD admin must be configured for the server before Azure AD users can be created in its databases.
Authorization
Authorization refers to the permissions assigned to a user within a database in Azure SQL Database or Azure SQL Managed Instance, and determines what the user is allowed to do. Permissions are controlled by adding user accounts to database roles and assigning database-level permissions to those roles, or by granting the user specific object-level permissions. For more information, see Logins and users.
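As an added example (not from the original page) of the two authentication types and of role-based authorization, the script below creates contained users in one database and grants rights through roles. The principal names, the `Sales` schema and the Azure AD objects are constructed; the Azure AD group and the managed identity are assumed to exist in the tenant, and an Azure AD admin is assumed to be configured for the server, without which the `FROM EXTERNAL PROVIDER` statements fail.

```sql
-- Added example: contained users and role-based authorization. Run in the user database.

-- Azure AD authentication: a directory group mapped to a database user. Membership is
-- then managed in Azure AD, not by editing the database.
CREATE USER [sg-orders-readers] FROM EXTERNAL PROVIDER;        -- constructed group name

-- Azure AD authentication for a workload: the application's managed identity, so the
-- application holds no database password at all.
CREATE USER [orders-api] FROM EXTERNAL PROVIDER;               -- constructed identity name

-- SQL authentication: a contained database user (no server login) for a legacy job that
-- cannot use Azure AD. Keep the password in Key Vault, not in the job's configuration.
CREATE USER report_job WITH PASSWORD = 'Use-a-generated-30+char-secret-here!';

-- Authorization: grant to roles, never directly to users, so an access review is a
-- question about role membership rather than a per-user permission dump.
CREATE ROLE orders_reader;
GRANT SELECT ON SCHEMA::Sales TO orders_reader;

CREATE ROLE orders_writer;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::Sales TO orders_writer;
-- No DELETE and no ALTER: rows are soft-deleted via UPDATE and schema changes ship
-- through deployment, not through the application's identity.

ALTER ROLE orders_reader ADD MEMBER [sg-orders-readers];
ALTER ROLE orders_reader ADD MEMBER report_job;
ALTER ROLE orders_writer ADD MEMBER [orders-api];

-- Verification 1: permissions granted straight to users (type S = SQL user,
-- E = Azure AD user, X = Azure AD group). Anything beyond CONNECT here is a finding.
SELECT  pr.name AS principal, pr.type_desc, pe.state_desc, pe.permission_name, pe.class_desc,
        CASE pe.class_desc
             WHEN 'SCHEMA'           THEN SCHEMA_NAME(pe.major_id)
             WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_NAME(pe.major_id)
        END AS securable
FROM    sys.database_principals  AS pr
JOIN    sys.database_permissions AS pe ON pe.grantee_principal_id = pr.principal_id
WHERE   pr.type IN ('S', 'E', 'X')
  AND   pe.permission_name <> 'CONNECT'
ORDER BY pr.name;

-- Verification 2: who holds db_owner. Only break-glass administrators belong here.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM   sys.database_role_members AS rm
JOIN   sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = 'db_owner';
```

Because the users are contained in the database rather than tied to server logins, the database carries its own access list when it is copied or failed over, and the server admin login stays out of day-to-day use.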
Row-level security
Row-Level Security (RLS) enables customers to control access to rows in a database table based on the characteristics of the user executing a query, for example group membership or execution context. The restriction is applied inside the database by a security policy, so it holds for every application and tool that queries the table rather than relying on each one to add the right WHERE clause.
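The script below is an added example (not from the original page) of Row-Level Security on a constructed multi-tenant `Sales.Orders` table. It shows both execution contexts the text mentions: a database user per tenant, matched through `USER_NAME()`, and a shared application identity that sets the tenant in `SESSION_CONTEXT` after connecting. All table, user and tenant names are constructed.

```sql
-- Added example: Row-Level Security with a filter predicate and a block predicate.
CREATE SCHEMA Sales;
GO
CREATE SCHEMA Security;     -- predicate function lives apart from the data it protects
GO
CREATE TABLE Sales.Orders (
    OrderId  int IDENTITY PRIMARY KEY,
    TenantId sysname NOT NULL,          -- owning tenant; the predicate keys on this column
    Amount   decimal(10,2) NOT NULL
);
-- Constructed sample rows.
INSERT INTO Sales.Orders (TenantId, Amount) VALUES
    (N'tenant_a', 120.00), (N'tenant_a', 80.50), (N'tenant_b', 999.99);
GO

-- Predicate: a row is visible when its TenantId equals the database user name, or the
-- TenantId the application placed in session context. A security policy requires an
-- inline table-valued function with SCHEMABINDING.
CREATE FUNCTION Security.fn_tenant_predicate(@TenantId AS sysname)
    RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_result
       WHERE @TenantId = USER_NAME()
          OR @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS sysname);
GO

-- FILTER hides rows from SELECT/UPDATE/DELETE. BLOCK AFTER INSERT stops a caller from
-- inserting rows that belong to another tenant, which a filter alone does not prevent.
CREATE SECURITY POLICY Security.TenantPolicy
    ADD FILTER PREDICATE Security.fn_tenant_predicate(TenantId) ON Sales.Orders,
    ADD BLOCK  PREDICATE Security.fn_tenant_predicate(TenantId) ON Sales.Orders AFTER INSERT
WITH (STATE = ON, SCHEMABINDING = ON);
GO

-- Principals (constructed). They get rights on the table only, nothing on the Security schema.
CREATE USER tenant_a  WITHOUT LOGIN;
CREATE USER tenant_b  WITHOUT LOGIN;
CREATE USER app_login WITHOUT LOGIN;
GRANT SELECT, INSERT ON Sales.Orders TO tenant_a, tenant_b, app_login;
GO

-- Per-tenant user: sees two rows, total 200.50 rather than the table's 1200.49.
EXECUTE AS USER = 'tenant_a';
SELECT COUNT(*) AS visible_rows, SUM(Amount) AS total FROM Sales.Orders;
-- Writing into another tenant is rejected: the block predicate conflicts with the insert.
INSERT INTO Sales.Orders (TenantId, Amount) VALUES (N'tenant_b', 1.00);
REVERT;
GO

-- Shared application identity: the app sets the tenant once per connection and marks it
-- read-only, so a later statement (or an injected one) cannot switch tenants mid-session.
EXECUTE AS USER = 'app_login';
EXEC sp_set_session_context @key = N'TenantId', @value = N'tenant_b', @read_only = 1;
SELECT OrderId, Amount FROM Sales.Orders;      -- only the 999.99 order is returned
REVERT;
GO
```

Two caveats a reviewer should keep in mind: the predicate function must be unreadable and unalterable by the users it constrains, which is why it sits in its own schema with no grants; and filter predicates are not a complete information barrier, because a caller who can run arbitrary queries can probe filtered rows through error-based side channels (for example, forcing a conversion or divide-by-zero error that only fires for a hidden value), so RLS is layered with the authorization above rather than replacing it.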

Threat protection
SQL Database and SQL Managed Instance secure customer data by providing auditing and threat detection capabilities.
SQL auditing in Azure Monitor logs and Event Hubs
SQL Database and SQL Managed Instance auditing tracks database activities and helps maintain compliance with security standards by recording database events to an audit log in a customer-owned Azure storage account, a Log Analytics workspace, or an Event Hub. Auditing allows users to monitor ongoing database activities, as well as analyze and investigate historical activity to identify potential threats or suspected abuse and security violations.
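As an added example of working the audit log described above (not from the original page), the queries below read audit records written to Blob storage with `sys.fn_get_audit_file` and pull out the patterns an analyst looks for first. The storage account, container path, server and database names, and the application identity `orders-api` are constructed placeholders; the real path is the one the auditing blade reports for your server.

```sql
-- Added example: triaging Azure SQL audit records stored in Blob storage.
DECLARE @audit_path nvarchar(4000) =
    N'https://auditstoreexample.blob.core.windows.net/sqldbauditlogs/sql-prod-01/ordersdb/';

-- 1. Failed logins per source address and principal over the last 24 hours. A brute-force
--    or credential-stuffing run shows as many failures, or many principals, from one IP.
SELECT  client_ip,
        server_principal_name,
        COUNT(*)        AS failures,
        MIN(event_time) AS first_seen,
        MAX(event_time) AS last_seen
FROM    sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE   action_id = 'LGIF'                                  -- LOGIN FAILED
  AND   event_time >= DATEADD(hour, -24, SYSUTCDATETIME())
GROUP BY client_ip, server_principal_name
HAVING  COUNT(*) >= 10
ORDER BY failures DESC;

-- 2. Successful logins from an address that also failed repeatedly: the likeliest sign
--    that one of the guessed passwords worked.
WITH noisy_ips AS (
    SELECT client_ip
    FROM   sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
    WHERE  action_id = 'LGIF'
      AND  event_time >= DATEADD(hour, -24, SYSUTCDATETIME())
    GROUP BY client_ip
    HAVING COUNT(*) >= 10
)
SELECT  a.event_time, a.client_ip, a.server_principal_name, a.application_name, a.database_name
FROM    sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT) AS a
JOIN    noisy_ips AS n ON n.client_ip = a.client_ip
WHERE   a.action_id = 'LGIS'                                -- LOGIN SUCCEEDED
ORDER BY a.event_time;

-- 3. Successful statements that change security configuration, or bulk-read customer data,
--    under any identity other than the application's. A cheap first pass for misuse of a
--    privileged account.
SELECT  event_time, server_principal_name, client_ip, application_name, statement
FROM    sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE   succeeded = 1
  AND   server_principal_name <> N'orders-api'              -- constructed application identity
  AND  (statement LIKE '%ALTER ROLE%'
     OR statement LIKE '%GRANT %'
     OR statement LIKE '%sp_set_firewall_rule%'
     OR statement LIKE '%SELECT%FROM%Sales.Customers%')
ORDER BY event_time;
```

When the audit target is Log Analytics or Event Hubs the same fields are available to KQL or a SIEM; the point of the three queries is the sequence (failures, then successes from the same source, then what the successful session did), not the storage medium.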
Advanced Threat Protection
Advanced Threat Protection analyzes your logs to detect unusual behavior and potentially harmful attempts to access or exploit databases. Alerts are created for suspicious activities such as SQL injection, potential data exfiltration, and brute-force attacks, and for anomalies in access patterns that may indicate privilege escalation or the use of breached credentials. Alerts are viewed in Azure Security Center, which shows the details of the suspicious activity together with recommendations for further investigation and actions to mitigate the threat.
Information protection and encryption
Transport Layer Security (Encryption-in-transit)
SQL Database, SQL Managed Instance, and Azure Synapse Analytics secure customer data by encrypting data in motion with Transport Layer Security (TLS).
Encryption (TLS) is enforced at all times for all connections, so all data is encrypted in transit between client and server irrespective of the Encrypt or TrustServerCertificate settings in the connection string. Those settings still matter: with TrustServerCertificate=True the client skips validation of the server's certificate and will happily complete a handshake with an impostor endpoint, so clients should set Encrypt=True and TrustServerCertificate=False so that the certificate chain and host name are checked. The server can additionally enforce a minimum TLS version for incoming connections.
Transparent Data Encryption (Encryption-at-rest)
Transparent data encryption (TDE) for SQL Database, SQL Managed Instance, and Azure Synapse Analytics adds a layer of security to help protect data at rest from unauthorized or offline access to raw files or backups. Common scenarios include data center theft or unsecured disposal of hardware or media such as disk drives and backup tapes. TDE encrypts the entire database using an AES encryption algorithm, requires no changes to existing applications, and is enabled by default for newly created databases. It protects the storage layer only: anyone who can authenticate to the database still reads the data in the clear, which is what the access controls above and Always Encrypted below address.
Key management with Azure Key Vault
Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE) allows customers to take ownership of key management and rotation using Azure Key Vault, Azure's cloud-based external key management system. Azure Key Vault provides a central key management platform, uses tightly monitored hardware security modules (HSMs), and enables separation of duties between management of keys and data to help meet security compliance requirements. With BYOK the TDE protector is an asymmetric key held in Key Vault that the server reaches through its own identity; if that access is revoked or the key is deleted, the database becomes inaccessible, so key deletion and access-policy changes need the same change control as the data itself.
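The following checks are an added example (not from the original page) of verifying, from inside a database, the encryption-in-transit and encryption-at-rest properties described in the two sections above. No objects are created; the BYOK configuration itself is a server-level setting made through the portal, CLI or ARM and is only observed here.

```sql
-- Added example: checking the encryption posture of the current connection and database.

-- Encryption in transit: the service always encrypts, so encrypt_option must read TRUE for
-- this session. auth_scheme shows whether the session used SQL or Azure AD authentication.
SELECT  session_id, encrypt_option, auth_scheme, protocol_type, client_net_address
FROM    sys.dm_exec_connections
WHERE   session_id = @@SPID;

-- Any open connection that is not encrypted. On Azure SQL this should return no rows;
-- a row here means a client is somehow bypassing the service's enforcement.
SELECT  c.session_id, s.login_name, s.program_name, c.client_net_address
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE   c.encrypt_option <> 'TRUE';

-- Encryption at rest: TDE state of the current database.
--   encryption_state 3 = encrypted, 2 = encryption in progress, 1 = unencrypted.
--   encryptor_type tells service-managed (CERTIFICATE) from customer-managed key in
--   Key Vault (ASYMMETRIC KEY), i.e. whether BYOK is in effect.
SELECT  DB_NAME(database_id) AS database_name, encryption_state, percent_complete,
        key_algorithm, key_length, encryptor_type, encryptor_thumbprint
FROM    sys.dm_database_encryption_state;

-- Turn TDE on if a restored or migrated database arrived unencrypted (new databases
-- are encrypted by default). The statement is the same in SQL Database and Managed Instance.
IF NOT EXISTS (SELECT 1 FROM sys.databases WHERE name = DB_NAME() AND is_encrypted = 1)
    ALTER DATABASE CURRENT SET ENCRYPTION ON;
```

Because a background scan encrypts existing pages after `SET ENCRYPTION ON`, the `percent_complete` column is the value to watch before reporting a database as encrypted.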
Always Encrypted (Encryption-in-use)

Always Encrypted is a feature designed to protect sensitive data stored in specific database columns (for example, credit card numbers, national identification numbers, or other data on a need-to-know basis) from anyone who does not hold the encryption keys. This includes database administrators or other privileged users who are authorized to access the database to perform management tasks but have no business need to see the data in the encrypted columns. Encryption and decryption happen in the client driver, so the database engine never sees plaintext values or the keys.
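As an added example (not from the original page), the DDL below defines a constructed `Sales.Customers` table with two Always Encrypted columns and shows what a DBA sees versus what the application can query. It assumes the `Sales` schema exists and that a column master key stored in Azure Key Vault and a column encryption key named `CEK_Customers` have already been provisioned in this database: those are created by client-side tooling (SSMS or the SqlServer PowerShell module), because the wrapped key value in `CREATE COLUMN ENCRYPTION KEY` has to be produced outside the engine, which is exactly the property the feature relies on.

```sql
-- Added example: table with Always Encrypted columns (CEK_Customers assumed to exist).
CREATE TABLE Sales.Customers (
    CustomerId  int IDENTITY PRIMARY KEY,
    FullName    nvarchar(100) NOT NULL,
    -- Deterministic: identical plaintext gives identical ciphertext, so equality lookups,
    -- joins and GROUP BY work. Deterministic string columns require a BIN2 collation.
    NationalId  char(11) COLLATE Latin1_General_BIN2
                ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Customers,
                                ENCRYPTION_TYPE = DETERMINISTIC,
                                ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    -- Randomized: no ciphertext-equality leakage, but the column can only be read back,
    -- never searched, joined or indexed on the server.
    CardNumber  varchar(19)
                ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Customers,
                                ENCRYPTION_TYPE = RANDOMIZED,
                                ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL
);
GO

-- What a DBA sees from a connection WITHOUT "Column Encryption Setting=Enabled":
-- varbinary ciphertext in NationalId and CardNumber, plaintext everywhere else.
SELECT CustomerId, FullName, NationalId, CardNumber FROM Sales.Customers;

-- What the application does: connect with "Column Encryption Setting=Enabled" and pass the
-- value as a parameter. The driver encrypts the parameter before sending, so this equality
-- search on the deterministic column works. A literal in the WHERE clause, or any predicate
-- on the randomized CardNumber, fails because the server cannot encrypt or compare it.
-- (In SSMS this form needs "Parameterization for Always Encrypted" turned on; in an
-- application @id is a bound parameter.)
DECLARE @id char(11) = '123-45-6789';      -- constructed value
SELECT CustomerId, FullName FROM Sales.Customers WHERE NationalId = @id;

-- Inventory: which columns are encrypted, how, and under which key. This is the evidence
-- behind the "administrators cannot read it" claim in a review.
SELECT  OBJECT_SCHEMA_NAME(c.object_id) + '.' + OBJECT_NAME(c.object_id) AS table_name,
        c.name AS column_name, c.encryption_type_desc, c.encryption_algorithm_name,
        k.name AS cek_name
FROM    sys.columns AS c
JOIN    sys.column_encryption_keys AS k
          ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE   c.encryption_type IS NOT NULL;
```

The design trade-off is visible in the two columns: deterministic encryption buys searchability at the cost of revealing which rows share a value, so it suits high-cardinality identifiers and not low-cardinality fields such as a country code.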
Dynamic data masking

Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. The service automatically discovers potentially sensitive data in Azure SQL Database and SQL Managed Instance and provides actionable recommendations to mask those fields, with minimal impact on the application layer. Masking is applied to query results only: the stored data is unchanged, and a user who can run arbitrary queries can often infer masked values through filtering, so masking complements access control rather than replacing it.
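The script below is an added example (not from the original page) of dynamic data masking on a constructed `Sales.Contacts` table, including the inference check that shows why masking is not an access control. Table, user and role names and the rows are constructed; the `Sales` schema is assumed to exist.

```sql
-- Added example: dynamic data masking, the UNMASK permission, and the filtering caveat.
CREATE TABLE Sales.Contacts (
    ContactId   int IDENTITY PRIMARY KEY,
    FullName    nvarchar(100) NOT NULL,
    Email       nvarchar(254) NOT NULL,
    Phone       varchar(20)   NOT NULL,
    CreditLimit decimal(10,2) NOT NULL
);
-- Constructed sample rows.
INSERT INTO Sales.Contacts (FullName, Email, Phone, CreditLimit) VALUES
    (N'Ada Example', N'ada@example.com', '+1-555-0100',  5000.00),
    (N'Bob Example', N'bob@example.org', '+1-555-0199', 25000.00);
GO

-- Built-in masking functions: email() keeps the first letter and a .com suffix, partial()
-- exposes a chosen prefix and suffix around a padding string, random() substitutes a
-- random number within a range for numeric columns (default() blanks a value for its type).
ALTER TABLE Sales.Contacts ALTER COLUMN Email       ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE Sales.Contacts ALTER COLUMN Phone       ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)');
ALTER TABLE Sales.Contacts ALTER COLUMN CreditLimit ADD MASKED WITH (FUNCTION = 'random(1, 9999)');
GO

-- A support user who may list contacts but not see raw contact details.
CREATE USER support_agent WITHOUT LOGIN;
GRANT SELECT ON Sales.Contacts TO support_agent;
-- A role whose members see unmasked data. UNMASK is database-wide, not per column.
CREATE ROLE pii_readers;
GRANT UNMASK TO pii_readers;
GO

EXECUTE AS USER = 'support_agent';
-- Masked view: Email -> aXX@XXXX.com, Phone -> XXX-XXX-0100, CreditLimit -> random number.
SELECT FullName, Email, Phone, CreditLimit FROM Sales.Contacts;

-- The caveat: masking applies to the result set, not to predicates, which run over the
-- real values. This returns exactly one row and tells the caller the masked email starts
-- with "ada" and the masked credit limit exceeds 4000. Repeated with narrower predicates,
-- the values leak entirely.
SELECT FullName FROM Sales.Contacts WHERE Email LIKE 'ada%' AND CreditLimit > 4000;
REVERT;
GO

-- Inventory of masked columns for review.
SELECT  OBJECT_SCHEMA_NAME(mc.object_id) + '.' + OBJECT_NAME(mc.object_id) AS table_name,
        mc.name AS column_name, mc.masking_function
FROM    sys.masked_columns AS mc
WHERE   mc.is_masked = 1;
```

Masking is therefore a fit for reducing exposure in reporting and support tooling that issues fixed queries, and a poor fit as the only control for a user population with ad-hoc SQL access.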
Security management
Vulnerability assessment
Vulnerability assessment (VA) is an easy-to-configure service that can discover, track, and help remediate potential database vulnerabilities with the goal of proactively improving overall database security. It is part of the Azure Defender for SQL offering, a unified package of advanced SQL security capabilities, and is accessed through the central Azure Defender for SQL portal. Scans flag misconfigurations such as excessive permissions, orphaned users and unprotected sensitive data, and let you record a baseline so that findings you have reviewed and accepted do not reappear as new.
Data discovery and classification
Data discovery and classification (in preview at the time of writing) provides advanced capabilities built into Azure SQL Database and SQL Managed Instance for discovering, classifying, labeling, and protecting the sensitive data in your databases. It can serve as infrastructure for:
- various security scenarios, such as monitoring (auditing) and alerting on anomalous access to sensitive data;
- controlling access to, and hardening the security of, databases containing highly sensitive data;
- helping meet data privacy standards and regulatory compliance requirements.
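As an added example (not from the original page) of the classification and the auditing scenario listed above, the statements below label columns with T-SQL, list what is and is not yet classified, and pull audit records for access to the highest-ranked data. The tables and columns (`Sales.Contacts.Email`, `Sales.Customers.NationalId`, `Sales.Customers.CardNumber`) and the audit storage path are constructed and assumed to exist; the label and information-type names are those of the built-in default policy.

```sql
-- Added example: sensitivity classification in T-SQL and its link to auditing.
ADD SENSITIVITY CLASSIFICATION TO Sales.Contacts.Email
    WITH (LABEL = 'Confidential', INFORMATION_TYPE = 'Contact Info', RANK = MEDIUM);

ADD SENSITIVITY CLASSIFICATION TO Sales.Customers.NationalId
    WITH (LABEL = 'Highly Confidential', INFORMATION_TYPE = 'National ID', RANK = CRITICAL);

ADD SENSITIVITY CLASSIFICATION TO Sales.Customers.CardNumber
    WITH (LABEL = 'Highly Confidential', INFORMATION_TYPE = 'Credit Card', RANK = CRITICAL);
GO

-- What is classified, highest rank first.
SELECT  SCHEMA_NAME(o.schema_id) + '.' + o.name AS table_name, c.name AS column_name,
        sc.label, sc.information_type, sc.rank_desc
FROM    sys.sensitivity_classifications AS sc
JOIN    sys.objects AS o ON o.object_id = sc.major_id
JOIN    sys.columns AS c ON c.object_id = sc.major_id AND c.column_id = sc.minor_id
ORDER BY sc.rank DESC, table_name, column_name;

-- Candidate columns with no label yet. A name-based heuristic; the portal's discovery
-- applies a richer pattern set, but this catches the obvious gaps between scans.
SELECT  SCHEMA_NAME(o.schema_id) + '.' + o.name AS table_name, c.name AS column_name
FROM    sys.columns AS c
JOIN    sys.objects AS o ON o.object_id = c.object_id AND o.type = 'U'
LEFT JOIN sys.sensitivity_classifications AS sc
       ON sc.major_id = c.object_id AND sc.minor_id = c.column_id
WHERE   sc.major_id IS NULL
  AND  (c.name LIKE '%email%' OR c.name LIKE '%ssn%'   OR c.name LIKE '%national%'
     OR c.name LIKE '%card%'  OR c.name LIKE '%phone%' OR c.name LIKE '%salary%');

-- Monitoring on sensitive data: audit records for statements that touched classified
-- columns carry the labels in data_sensitivity_information, so access to the most
-- sensitive data can be pulled out without knowing every table name. Constructed path.
SELECT  event_time, server_principal_name, client_ip, statement, data_sensitivity_information
FROM    sys.fn_get_audit_file(
            N'https://auditstoreexample.blob.core.windows.net/sqldbauditlogs/sql-prod-01/ordersdb/',
            DEFAULT, DEFAULT)
WHERE   data_sensitivity_information LIKE '%Highly Confidential%'
ORDER BY event_time DESC;
```

Keeping the classification in the database schema means it travels with the database through copies and restores, and the audit query above gives the "who read national IDs last week" answer that compliance reviews ask for.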
Reference: Microsoft Documentation