Azure Relational Database Security Layers



Network Security 

IP firewall rules : Grant access to the databases based on originating IP address of each request

Virtual Network firewall rules : Restrict Azure SQL Database to accept requests only from subnets inside a virtual network
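The IP firewall rules above can be reviewed and managed in T-SQL from the master database of the logical server. The following is an added example (not part of the original notes): it lists the current server-level rules, flags overly broad ranges, then adds a narrow rule and removes a stale one. The rule names and IP ranges are constructed placeholders; virtual network rules are configured through the portal, CLI or ARM rather than T-SQL.

```sql
-- Added example (not from the original notes). Run against the master database
-- of the Azure SQL logical server. Rule names and IP ranges are placeholders.

-- 1. Review what is currently allowed at the server level.
SELECT name, start_ip_address, end_ip_address, modify_date
FROM sys.firewall_rules
ORDER BY start_ip_address;

-- 2. Flag rules that deserve scrutiny: a range ending in 255.255.255.255 opens
--    the server to the whole internet, and 0.0.0.0-0.0.0.0 is the
--    "Allow Azure services" switch, which admits traffic from any Azure tenant.
SELECT name, start_ip_address, end_ip_address
FROM sys.firewall_rules
WHERE end_ip_address = '255.255.255.255'
   OR (start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0');

-- 3. Grant access only to a known egress range (constructed documentation range).
EXECUTE sp_set_firewall_rule
    @name             = N'office-egress',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.20';

-- 4. Remove a rule that is no longer needed (placeholder name).
EXECUTE sp_delete_firewall_rule @name = N'legacy-any';

-- Database-level rules exist as well (sp_set_database_firewall_rule and
-- sys.database_firewall_rules, run inside the user database); both layers
-- must admit a request before it reaches the database.
```

A request must pass both the server-level and any database-level rules, so the review query in step 2 should be repeated against sys.database_firewall_rules in each user database.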


Access Management 

Authentication is the process of verifying that a user is who they claim to be. Two types -

SQL authentication : Provide a server admin login with a username and password, then use them in the client application to connect to the database

Azure Active Directory : Use Azure AD identities to connect to your database. Azure Active Directory authentication allows administrators to centrally manage the identities and permissions of database users along with other Microsoft services in one central location. This minimizes password storage in the database and enables centralized password rotation policies.


Authorization refers to the permissions assigned to a user within an Azure SQL database and determines what the user is allowed to do. Permissions are controlled by adding user accounts to database roles and assigning database-level permissions to those roles, or by granting the user specific object-level permissions.

Row level security : Control access to rows in a table based on the role of the user
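The three pieces of access management above (Azure AD authentication, role-based authorization, row-level security) fit together in a single database. The following is an added example, not code from the original notes or from Microsoft: it creates an Azure AD-backed user, grants it read access through a role, and then filters a shared Orders table by the caller's regional role. Every name in it (the user, the Sales and Security schemas, the Orders table, the roles and the Region column) is constructed for the example.

```sql
-- Added example (not from the original notes): Azure AD authentication,
-- role-based authorization and row-level security in one Azure SQL database.
-- Every name below (user, schemas, table, roles, Region column) is constructed.

-- Authentication: a contained user backed by an Azure AD identity. No password
-- is stored in the database; rotation and MFA are handled centrally in Azure AD.
CREATE USER [alice@contoso.example] FROM EXTERNAL PROVIDER;

-- Authorization: grant least privilege to a role and add the user to the role,
-- rather than granting permissions to the user directly.
IF SCHEMA_ID('Sales') IS NULL EXEC('CREATE SCHEMA Sales');
CREATE ROLE sales_reader;
GRANT SELECT ON SCHEMA::Sales TO sales_reader;
ALTER ROLE sales_reader ADD MEMBER [alice@contoso.example];

-- Row-level security: one table shared by several regions, with a role per region.
CREATE TABLE Sales.Orders (
    OrderId int IDENTITY PRIMARY KEY,
    Region  nvarchar(16) NOT NULL,
    Amount  money NOT NULL
);
INSERT INTO Sales.Orders (Region, Amount)
VALUES (N'EMEA', 120), (N'APAC', 75), (N'EMEA', 310);   -- constructed sample rows
CREATE ROLE region_emea;
CREATE ROLE region_apac;
ALTER ROLE region_emea ADD MEMBER [alice@contoso.example];
IF SCHEMA_ID('Security') IS NULL EXEC('CREATE SCHEMA Security');
GO
-- The predicate returns a row ("allow") when the caller is a member of the role
-- named after the row's region, or is a db_owner. It must be schema-bound.
CREATE FUNCTION Security.fn_region_predicate (@Region AS nvarchar(16))
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE IS_MEMBER('region_' + LOWER(@Region)) = 1
              OR IS_MEMBER('db_owner') = 1;
GO
-- FILTER hides rows from SELECT/UPDATE/DELETE; BLOCK rejects INSERTs into a
-- region the caller does not own, so an application bug cannot write across regions.
CREATE SECURITY POLICY Security.RegionPolicy
    ADD FILTER PREDICATE Security.fn_region_predicate(Region) ON Sales.Orders,
    ADD BLOCK  PREDICATE Security.fn_region_predicate(Region) ON Sales.Orders AFTER INSERT
    WITH (STATE = ON);
GO
-- Verify with a SQL-authenticated test user: a member of region_apac sees only
-- the APAC row.
CREATE USER rls_test WITHOUT LOGIN;
ALTER ROLE sales_reader ADD MEMBER rls_test;
ALTER ROLE region_apac ADD MEMBER rls_test;
EXECUTE AS USER = 'rls_test';
SELECT OrderId, Region, Amount FROM Sales.Orders;   -- one row: APAC, 75.00
REVERT;
```

The predicate is evaluated inside the engine for every query against Sales.Orders, so the filtering cannot be bypassed by an application that forgets a WHERE clause; the db_owner clause keeps administrators from being locked out of their own data.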


Threat Detection

SQL Database secures customer data by providing threat detection capabilities through auditing. Auditing allows users to monitor ongoing database activities as well as analyze and investigate historical activities to identify potential threats or suspected abuse and security violations. 

SQL Auditing to Azure Monitor Logs and Event Hubs tracks database activities and helps maintain compliance with security standards.

Advanced Threat Protection analyzes your SQL server logs to detect unusual behaviors and potentially harmful attempts to access or exploit databases. It can raise alerts for suspicious activities such as SQL injection, potential data exfiltration, brute-force attacks, and anomalies in access patterns that may indicate privilege escalation or use of breached credentials.
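Advanced Threat Protection produces its own alerts, but the same audit records it builds on can be queried directly when audit logs are written to blob storage. The following is an added example (not part of the original notes) of two detection queries over sys.fn_get_audit_file: a burst of failed logins per client IP, and successful logins from a source that has no prior history. The storage URL is a placeholder and the thresholds and look-back windows are constructed choices.

```sql
-- Added example (not from the original notes): detection queries over Azure SQL
-- audit records stored in blob storage. The URL is a placeholder; the 20-failure
-- threshold and the 24-hour / 30-day windows are constructed choices.

DECLARE @audit_path nvarchar(400) =
    N'https://<storage-account>.blob.core.windows.net/sqldbauditlogs/<server>/<database>/';

-- 1. Failed logins per client IP and principal in the last 24 hours.
--    action_id 'LGIF' is "login failed"; a high count from one IP is a
--    brute-force or credential-stuffing signal.
SELECT client_ip,
       server_principal_name,
       COUNT(*)        AS failed_logins,
       MIN(event_time) AS first_seen,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
  AND event_time >= DATEADD(hour, -24, SYSUTCDATETIME())
GROUP BY client_ip, server_principal_name
HAVING COUNT(*) >= 20
ORDER BY failed_logins DESC;

-- 2. Successful logins ('LGIS') in the last day from an IP/principal pair that
--    never logged in during the preceding 30 days: a possible breached credential
--    used from a new location.
WITH recent AS (
    SELECT DISTINCT client_ip, server_principal_name
    FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
    WHERE action_id = 'LGIS'
      AND event_time >= DATEADD(day, -1, SYSUTCDATETIME())
), baseline AS (
    SELECT DISTINCT client_ip, server_principal_name
    FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
    WHERE action_id = 'LGIS'
      AND event_time <  DATEADD(day, -1, SYSUTCDATETIME())
      AND event_time >= DATEADD(day, -31, SYSUTCDATETIME())
)
SELECT r.client_ip, r.server_principal_name
FROM recent r
LEFT JOIN baseline b
       ON b.client_ip = r.client_ip
      AND b.server_principal_name = r.server_principal_name
WHERE b.client_ip IS NULL;
```

When auditing is sent to Azure Monitor Logs instead, the same two questions are asked in KQL against the AzureDiagnostics table; the audit fields (action_id, client_ip, server_principal_name, succeeded) carry the same names.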


Information Protection

Transport Layer Security (TLS) - Encryption is always enforced for all connections

Transparent Data Encryption - Protects data at rest from offline access to raw files or backups; uses AES encryption, and keys are stored in Azure Key Vault

Dynamic Data Masking - Protects data by masking it for non-privileged users
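All three information-protection controls can be verified or applied from T-SQL. The following is an added example (not part of the original notes): it checks the TDE state, confirms the current connection is encrypted, and applies Dynamic Data Masking to a customer table so that a reader without the UNMASK permission sees only masked values. The table, column and role names are constructed, and the sample row is a constructed test record.

```sql
-- Added example (not from the original notes): verifying TDE and TLS, and
-- applying Dynamic Data Masking. All object names and data are constructed.

-- TDE: Azure SQL Database enables it by default, but confirm rather than assume.
-- encryption_state 3 = encrypted, 1 = unencrypted; encryptor_type shows whether
-- a service-managed key or a customer-managed (Key Vault) key protects the DEK.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state, encryptor_type, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;

-- Turn it on if the database was found unencrypted.
ALTER DATABASE CURRENT SET ENCRYPTION ON;

-- TLS: the current connection should report encrypt_option = 'TRUE'.
SELECT session_id, client_net_address, encrypt_option, protocol_type
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- Dynamic Data Masking: masks are defined on the column, so every reader
-- without UNMASK gets masked values regardless of the query they write.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    Email      nvarchar(200) NOT NULL MASKED WITH (FUNCTION = 'email()'),
    CardNumber char(16)      NOT NULL MASKED WITH (FUNCTION = 'partial(0,"XXXXXXXXXXXX",4)'),
    Phone      varchar(20)   NULL     MASKED WITH (FUNCTION = 'default()')
);
INSERT INTO dbo.Customers (FullName, Email, CardNumber, Phone)   -- constructed test row
VALUES (N'Test User', N'test.user@example.com', '4111111111111111', '+1-555-0100');

-- A reader without UNMASK sees: tXXX@XXXX.com, XXXXXXXXXXXX1111, XXXX
CREATE USER support_reader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO support_reader;
EXECUTE AS USER = 'support_reader';
SELECT FullName, Email, CardNumber, Phone FROM dbo.Customers;
REVERT;

-- Grant UNMASK only to the role that genuinely needs clear-text values.
CREATE ROLE fraud_analyst;
GRANT UNMASK TO fraud_analyst;

-- Inventory of masked columns for periodic review.
SELECT OBJECT_SCHEMA_NAME(object_id) AS schema_name,
       OBJECT_NAME(object_id)        AS table_name,
       name                          AS column_name,
       masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```

Masking is an obfuscation control, not encryption: a user who can run arbitrary queries against a masked column may still infer values through filtering, so it complements rather than replaces least-privilege grants and column-level permissions.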


Security management

Vulnerability assessment - Discover, track and remediate potential database vulnerabilities

Data Discovery and Classification - Identify and label sensitive data for monitoring and alerting
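Classification labels are stored as metadata on the columns themselves and can be applied and reviewed in T-SQL; once a column is labelled, audit records for queries that touch it carry the label, which is what makes the "monitoring and alerting" part work. The following is an added example (not part of the original notes). The table, columns, labels and information types are constructed; vulnerability assessment itself is run from the portal or API and has no T-SQL surface.

```sql
-- Added example (not from the original notes): labelling sensitive columns with
-- Data Discovery and Classification metadata and reviewing coverage.
-- Table, column, label and information-type names are constructed.

CREATE TABLE dbo.Employees (
    EmployeeId int IDENTITY PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    Email      nvarchar(200) NOT NULL,
    Phone      varchar(20)   NULL,
    NationalId char(11)      NOT NULL,
    Salary     money         NOT NULL
);

-- Apply labels. RANK drives how prominently access shows up in auditing and alerts.
ADD SENSITIVITY CLASSIFICATION TO dbo.Employees.Email, dbo.Employees.Phone
    WITH (LABEL = 'Confidential', INFORMATION_TYPE = 'Contact Info', RANK = MEDIUM);

ADD SENSITIVITY CLASSIFICATION TO dbo.Employees.NationalId
    WITH (LABEL = 'Highly Confidential', INFORMATION_TYPE = 'National ID', RANK = CRITICAL);

ADD SENSITIVITY CLASSIFICATION TO dbo.Employees.Salary
    WITH (LABEL = 'Highly Confidential', INFORMATION_TYPE = 'Financial', RANK = HIGH);

-- Review what is labelled, joined back to schema, table and column names.
SELECT SCHEMA_NAME(o.schema_id) AS schema_name,
       o.name                   AS table_name,
       c.name                   AS column_name,
       sc.label, sc.information_type, sc.rank_desc
FROM sys.sensitivity_classifications sc
JOIN sys.objects o ON o.object_id = sc.major_id
JOIN sys.columns c ON c.object_id = sc.major_id AND c.column_id = sc.minor_id
ORDER BY schema_name, table_name, column_name;

-- Coverage check: columns whose names suggest sensitive content but that carry
-- no label yet (a simple name heuristic, constructed for this example).
SELECT SCHEMA_NAME(t.schema_id) AS schema_name, t.name AS table_name, c.name AS column_name
FROM sys.tables t
JOIN sys.columns c ON c.object_id = t.object_id
LEFT JOIN sys.sensitivity_classifications sc
       ON sc.major_id = c.object_id AND sc.minor_id = c.column_id
WHERE sc.major_id IS NULL
  AND (c.name LIKE '%email%' OR c.name LIKE '%phone%' OR c.name LIKE '%national%'
    OR c.name LIKE '%ssn%'   OR c.name LIKE '%card%'  OR c.name LIKE '%salary%');

-- Once labelled, audit records for statements that read these columns include
-- the labels in the data_sensitivity_information column of sys.fn_get_audit_file,
-- so alerts can be scoped to access of CRITICAL-ranked data.
```

The coverage query is intentionally crude; the portal's discovery engine uses a much richer pattern set, but a name-based check is a cheap gate to run in CI whenever a migration adds columns.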



Images Source : Microsoft docs
