Azure SQL Security
First 4 Sections
Advanced Threat Protection
A. Discovery and Classification
Discovery & recommendations
Engine scans the DB and identifies columns containing sensitive data
Labeling
Sensitivity Classification labels for tagging columns using new classification metadata attributes
Query result set sensitivity
The sensitivity of query result set is calculated in real time for auditing purposes
Visibility
Viewership for DB classification on Portal dashboard, reports can be downloaded
B. SQL Vulnerability Assessment
Scanning service
Built into the Azure SQL Database service
A knowledge base of rules
Flag security vulnerabilities and highlight deviations from best practices
Covers both DB level issues and Server level issues
Scanning Schedule
Can set up periodic recurring scans
C. Threat Detection
Azure SQL Database
Detect (Receive an alert)
Suspicious database activities
Potential vulnerabilities, SQL injection attacks
Anomalous database access and query patterns
Integration
To Azure Security Center
Recommendation
Enable Azure DB Auditing
Managed Instance
New deployment model of Azure SQL Database
100% compatible with the latest on-premises SQL Server (Enterprise Edition) database engine
Provides a native virtual network (VNet) implementation
Allows migrating on-premises applications to the cloud with minimal application and DB changes
Preserves all PaaS capabilities
Automatic patching
Version updates
automated backups
high-availability
Billed at the same price as the Azure Security Center Standard tier
$15/node/month
Threat Detection alerts
Vulnerability to SQL Injection
Potential SQL injection
Access from unusual location
Access from unusual Azure data center
Access from unfamiliar principal
Access from a potentially harmful application
Brute force SQL credentials
Firewall Rules
A. Rules of Rules
Specific IP Addresses
Grants access to databases based on the originating IP address of each request
Server Level Firewall Rules
Specify IP Address range from Internet
Allows access to whole Azure Server - all DBs in same logical server
Rules are stored in "Master" Database
To create rules from the Azure portal - Owner permissions on the subscription are necessary
To create rules from Transact-SQL - connect to the SQL Database instance as the server-level principal login or the Azure Active Directory administrator
DB Level Firewall Rules
Allows connection to "select" DBs in same logical server
To create rules - only Transact-SQL is allowed, and only after server-level rules are created
Rules are stored in individual DBs
128 DB level rules allowed
Default Blocked
All Transact-SQL access to Azure SQL server blocked
Specific Computers
Prevents all access to the DB server except from specific computers that have been granted permission
Connecting from the Internet
Firewall first checks the originating IP address of the request against the DB-level firewall rules
If IP Address in defined IP range of DB - Access is granted to that DB
If IP address not in DB-level rules range - Server-level rules are checked
If IP address in defined IP range of Server rules - access granted
If IP address not in DB-level or server-level range - Access denied
Connecting from Azure
Azure connections must be enabled
Firewall verifies that Azure connections are allowed
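The evaluation order described in the two branches above (database-level rules first, then server-level rules, then the "Azure connections" switch, and denial by default) as an added example; this is a simulation written for these notes, not Azure's own code. The rule names, IP ranges, subnet label and the 128-rule limit check are constructed here, and the position of virtual network rules relative to IP rules is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_DB_LEVEL_RULES = 128  # per-database limit stated in the notes above


@dataclass(frozen=True)
class IpRule:
    """An inclusive IPv4 address range, like a server- or database-level firewall rule."""
    name: str
    start_ip: str
    end_ip: str

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return ipaddress.ip_address(self.start_ip) <= addr <= ipaddress.ip_address(self.end_ip)


@dataclass
class LogicalServer:
    # Server-level rules: stored in master, apply to every database on the logical server.
    server_rules: List[IpRule] = field(default_factory=list)
    # Database-level rules: stored in each database, grant access to that database only.
    db_rules: Dict[str, List[IpRule]] = field(default_factory=dict)
    # Virtual network rules: subnets (with the Microsoft.Sql endpoint) on the server's ACL.
    vnet_subnets: List[str] = field(default_factory=list)
    # Whether connections originating inside Azure are allowed ("Azure connections must be enabled").
    azure_connections_enabled: bool = False

    def add_database_rule(self, database: str, rule: IpRule) -> None:
        rules = self.db_rules.setdefault(database, [])
        if len(rules) >= MAX_DB_LEVEL_RULES:
            raise ValueError(f"{database}: at most {MAX_DB_LEVEL_RULES} database-level rules allowed")
        rules.append(rule)

    def evaluate(self, client_ip: str, database: str, from_azure: bool = False,
                 source_subnet: Optional[str] = None) -> Tuple[bool, str]:
        """Return (allowed, reason) for one connection attempt, in the order the notes describe."""
        # 1. Database-level rules of the target database are checked first.
        for rule in self.db_rules.get(database, []):
            if rule.contains(client_ip):
                return True, f"database-level rule '{rule.name}' on {database}"
        # 2. Then server-level rules, which cover every database on the logical server.
        for rule in self.server_rules:
            if rule.contains(client_ip):
                return True, f"server-level rule '{rule.name}'"
        # 3. Virtual network rules are server-level too (their order vs. IP rules is assumed here).
        if source_subnet is not None and source_subnet in self.vnet_subnets:
            return True, f"virtual network rule for subnet '{source_subnet}'"
        # 4. Connections from inside Azure only pass when that switch is enabled.
        if from_azure and self.azure_connections_enabled:
            return True, "Azure connections enabled"
        # 5. Nothing matched: blocked by default.
        return False, "no matching rule; blocked by default"


def build_sample_server() -> LogicalServer:
    """Constructed sample: one server-level range, one database-level host rule, one VNet subnet."""
    server = LogicalServer(
        server_rules=[IpRule("office-egress", "203.0.113.0", "203.0.113.255")],
        vnet_subnets=["app-subnet"],  # constructed label standing in for a real subnet resource id
    )
    server.add_database_rule("sales", IpRule("partner-host", "198.51.100.10", "198.51.100.10"))
    return server


if __name__ == "__main__":
    server = build_sample_server()
    for ip, db, kwargs in [
        ("198.51.100.10", "sales", {}),                         # db-level rule grants sales only
        ("198.51.100.10", "hr", {}),                            # same IP, other DB: denied
        ("203.0.113.7", "hr", {}),                              # server-level rule covers all DBs
        ("192.0.2.44", "sales", {}),                            # no rule: denied
        ("10.0.1.4", "sales", {"source_subnet": "app-subnet"}),  # VNet rule
        ("10.0.1.4", "sales", {"from_azure": True}),            # Azure connections disabled
    ]:
        allowed, reason = server.evaluate(ip, db, **kwargs)
        print(f"{ip:>14} -> {db:<6} {'ALLOW' if allowed else 'DENY ':5} ({reason})")
```

Note that the database-level rule for `sales` does nothing for a connection to `hr` from the same address: that is the distinction the notes draw between rules stored in an individual database and rules stored in master.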
B. Virtual Network Rules
Special configuration
To allow access based on VNets
VNets associated with Azure subscription
A VNet contains subnets - all VMs in Azure are set up in a subnet
Virtual Network service endpoint
A subnet whose property values include one or more formal Azure service type names
Azure service named SQL Database - type is Microsoft.Sql
Virtual network rule
A subnet of the DB server listed in the ACLs of that DB server
The subnet must contain the Microsoft.Sql type name
Benefits
Allows access to Azure services at a granular level
Allows an IP range used for dynamic allocation to access the SQL DB server
More Details
Only one geographic region
Server-level, not database-level
Security admin roles
Network Admin: Turn on the endpoint
Database Admin: Update the access control list (ACL) to add the given subnet to the SQL Database server
Access Control
A. Firewall and Rules
Port Restriction
Dynamic port and IP allocation for each separate worker process
Clients with Permissions
B. Authentication
SQL Authentication
Username and password for logical server
Authenticate to any DB on that server
AD Authentication
User identity managed by Azure AD
Create another server admin
Allowed to administer Azure AD users/groups
Azure AD Authentication