Azure Relational Database Security Layers
Network Security
IP firewall rules: Grant access to the databases based on the originating IP address of each request
Virtual network firewall rules: Enable Azure SQL Database to accept only requests originating from subnets inside a virtual network
Access Management
Authentication is the process of verifying that a user is who they claim to be. There are two types:
SQL authentication: Provide a server admin login with a username and password, then use them in the client application to connect to the database
Azure Active Directory: Use Azure AD identities to connect to your database. Azure Active Directory authentication allows administrators to centrally manage the identities and permissions of database users along with other Microsoft services in one central location. This minimizes password storage and enables centralized password rotation policies.
Authorization refers to the permissions assigned to a user within an Azure SQL database and determines what the user is allowed to do. Permissions are controlled by adding user accounts to database roles and assigning database-level permissions to those roles, or by granting the user specific object-level permissions.
Row-level security: Control access to rows in a table based on the role of the user
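As an added example (not from the original post or from Microsoft's documentation) of how the authorization and row-level security layers above are configured in Azure SQL Database, the T-SQL below creates a least-privilege role, a contained user, and a security policy that filters a constructed Sales.Orders table by region. The table, user, role and session-context key names are assumptions; the GO separators assume the script is run from sqlcmd or SSMS.

```sql
-- Constructed sample table (assumption: the Region column drives row visibility).
CREATE SCHEMA Sales;
GO
CREATE TABLE Sales.Orders (
    OrderId int PRIMARY KEY,
    Region  nvarchar(50) NOT NULL,
    Amount  money NOT NULL);
INSERT INTO Sales.Orders VALUES (1, N'EMEA', 120), (2, N'APAC', 80), (3, N'EMEA', 45);

-- Authorization: a contained database user in a custom role that holds only
-- the object-level permissions it needs. For an Azure AD identity the user
-- would instead be created with CREATE USER [name@domain] FROM EXTERNAL PROVIDER.
CREATE USER SalesAppUser WITH PASSWORD = 'Placeholder-Change-Me-1!';  -- placeholder
CREATE ROLE SalesReader;
ALTER ROLE SalesReader ADD MEMBER SalesAppUser;
GRANT SELECT, INSERT ON OBJECT::Sales.Orders TO SalesReader;

-- Row-level security: a schema-bound predicate that admits a row only when its
-- Region matches the value the application stamped into SESSION_CONTEXT,
-- or when the caller is a db_owner.
CREATE SCHEMA Security;
GO
CREATE FUNCTION Security.fn_RegionPredicate(@Region nvarchar(50))
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
    WHERE @Region = CAST(SESSION_CONTEXT(N'Region') AS nvarchar(50))
       OR IS_MEMBER('db_owner') = 1;
GO
-- FILTER hides other regions' rows from reads; BLOCK ... AFTER INSERT stops the
-- user from writing rows into a region they cannot see.
CREATE SECURITY POLICY Security.RegionPolicy
    ADD FILTER PREDICATE Security.fn_RegionPredicate(Region) ON Sales.Orders,
    ADD BLOCK  PREDICATE Security.fn_RegionPredicate(Region) ON Sales.Orders AFTER INSERT
    WITH (STATE = ON, SCHEMABINDING = ON);
GO
-- Check: set the region as the application would, impersonate the user, and
-- confirm that only the two EMEA rows come back and a cross-region insert fails.
EXEC sp_set_session_context @key = N'Region', @value = N'EMEA';
EXECUTE AS USER = 'SalesAppUser';
SELECT OrderId, Region, Amount FROM Sales.Orders;   -- rows 1 and 3 only
INSERT INTO Sales.Orders VALUES (4, N'APAC', 10);   -- fails: block predicate
REVERT;
```

Because the predicate reads SESSION_CONTEXT, the application must set the Region key on every connection it takes from the pool before running queries; a connection that skips this step sees no rows rather than all rows, which is the safe failure mode.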
Threat Detection
SQL Database secures customer data by providing threat detection capabilities through auditing. Auditing allows users to monitor ongoing database activities as well as analyze and investigate historical activities to identify potential threats, suspected abuse and security violations.
SQL Auditing to Azure Monitor Logs and Event Hubs tracks database activities and helps maintain compliance with security standards.
Advanced Threat Protection analyzes your SQL server logs to detect unusual behavior and potentially harmful attempts to access or exploit databases. It can raise alerts for suspicious activities such as SQL injection, potential data infiltration and brute force attacks, and for anomalies in access patterns that indicate privilege escalation or use of breached credentials.
Information Protection
Transport Layer Security (TLS) - Always enforces encryption for all connections
Transparent Data Encryption (TDE) - Protects data at rest from offline access to raw files or backups; uses AES encryption; keys are stored in Azure Key Vault
Dynamic Data Masking - Protects data by masking it for non-privileged users
Security management
Vulnerability assessment - Discover, track and remediate potential database vulnerabilities
Data Discovery and Classification - Identify and label sensitive data for monitoring and alerting
Image source: Microsoft Docs