Azure SQL and Security best practices

Azure SQL security layers
Figure 1 – Microsoft Azure SQL security layers.

Microsoft groups all the options for running SQL on the Azure platform into one portfolio: a family of managed products that makes it easier to compare them and choose the one that best fits your needs.

Cloud computing requires new security paradigms unfamiliar to many application users, database administrators, and programmers. When it comes to Azure SQL security, where do you begin?

Azure can be very different from any other data center. While Azure helps secure your business assets, a great deal of responsibility is shared, and customers must do their part.

In this article, we will look at Azure SQL security best practices. If you are moving toward cloud adoption, you need to be aware of what you must do to strengthen your security measures.

Control the database and application access

Centralize identity management using Azure Active Directory (Azure AD) authentication:

Figure 2 – Adding a user on Azure AD.

Enable Azure Multi-Factor Authentication and minimize the use of password-based authentication

MFA is an authentication method that requires users to prove in more than one way that they are who they claim to be.

  • Activate Conditional Access in Azure AD (requires Premium subscription).
  • Use an Azure AD integrated authentication that eliminates the use of passwords.
  • Use cert-based authentication for an application.
  • If avoiding passwords or secrets isn’t possible, store user passwords and application secrets in Azure Key Vault and manage access through Key Vault access policies.
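The practical side of the list above, as an added T-SQL example (not code from the original article): provisioning Azure AD identities in an Azure SQL database instead of SQL logins with passwords, and then reviewing which principals still rely on password authentication. The group name, application name and database are assumed placeholders; run it in the user database while connected as the server's Azure AD admin.

```sql
-- Added example (not from the original article): Azure AD identities in Azure SQL.
-- Names below (sql-reporting-readers, api-service) are assumed placeholders.

-- 1. A contained database user mapped to an Azure AD security group. Membership is
--    managed centrally in Azure AD (including MFA and Conditional Access policies),
--    and no per-user database password exists.
CREATE USER [sql-reporting-readers] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [sql-reporting-readers];

-- 2. An application identity: the app's managed identity (or service principal)
--    authenticates with an Azure AD token, so the connection string holds no secret.
CREATE USER [api-service] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [api-service];
ALTER ROLE db_datawriter ADD MEMBER [api-service];

-- 3. Review which principals still authenticate with SQL passwords.
--    type 'S' = SQL user, 'E' = external (Azure AD) user, 'X' = external (Azure AD) group.
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE type IN ('S', 'E', 'X')
  AND name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
ORDER BY authentication_type_desc, name;
```

Granting roles to an Azure AD group rather than to individual users keeps the least-privilege mapping in one place: offboarding a person is a group membership change in Azure AD, with nothing to clean up in the database. Enforcing Azure AD-only authentication for the whole server is a server-level setting made in the portal, CLI or ARM, not in T-SQL.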

Protect sensitive data using encryption

Figure 3 – Enabling TDE on Azure SQL.

Apply encryption protocols to protect your data between client and server (in transit) and when it is persisted in the database, log, and backup files (at rest).

  • If you are restoring a database to a SQL Managed Instance from an on-premises server that doesn’t have Transparent Data Encryption (TDE) enabled, you will need to enable it manually. Otherwise, TDE is enabled by default for any database created after 2017 in Azure SQL.
  • Don’t store any data that requires encryption in the master database; that database cannot be encrypted with TDE.
  • Use Always Encrypted to ensure sensitive data isn’t exposed in plaintext, but do not use it as a substitute for encrypting data at rest (TDE) or in transit (SSL/TLS). Microsoft recommends it in conjunction with other security layers.
  • Minimize the performance and functionality impact by using Always Encrypted only on sensitive data.
  • Ensure that client machines and applications connecting to Azure SQL Database and SQL Managed Instance are using Transport Layer Security (TLS). Prevent clients with well-known vulnerabilities from connecting to Azure SQL (for example, using older TLS protocols and cipher suites).
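The TDE and Always Encrypted bullets above in T-SQL, as an added example (not code from the original article): checking TDE state across the server's databases, enabling it on a restored database, and applying Always Encrypted to a single sensitive column rather than a whole table. The database, table, column and Key Vault key path are assumed placeholders, and the column encryption key value is a labelled placeholder because the real value is produced client-side by SSMS or PowerShell.

```sql
-- Added example (not from the original article): encryption at rest and in the column.

-- TDE status of every database on the logical server.
-- encryption_state: 0 = no encryption key present, 1 = unencrypted, 3 = encrypted.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       encryptor_type,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;

-- Enable TDE on a database restored from an on-premises backup that lacked it
-- (the Managed Instance case described above). Database name is assumed.
ALTER DATABASE [RestoredSalesDb] SET ENCRYPTION ON;

-- Always Encrypted on one sensitive column only, with the column master key
-- held in Azure Key Vault. The CEK's ENCRYPTED_VALUE must be generated by a
-- client tool (SSMS or the SqlServer PowerShell module) because the server
-- never sees the master key; 0x00 below is a placeholder, not a usable value.
CREATE COLUMN MASTER KEY [CMK_KeyVault]
WITH ( KEY_STORE_PROVIDER_NAME = 'AZURE_KEY_VAULT',
       KEY_PATH = 'https://<your-vault>.vault.azure.net/keys/<key-name>/<key-version>' );

CREATE COLUMN ENCRYPTION KEY [CEK_Customers]
WITH VALUES ( COLUMN_MASTER_KEY = [CMK_KeyVault],
              ALGORITHM = 'RSA_OAEP',
              ENCRYPTED_VALUE = 0x00 /* placeholder: generated client-side */ );

-- Deterministic encryption allows equality lookups on the column and requires a
-- BIN2 collation for character data; randomized would be stronger where no
-- lookups are needed. Non-sensitive columns stay in plaintext to limit impact.
CREATE TABLE dbo.Customers (
    CustomerId  int IDENTITY PRIMARY KEY,
    FullName    nvarchar(100) NOT NULL,
    NationalId  char(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH ( COLUMN_ENCRYPTION_KEY = [CEK_Customers],
                         ENCRYPTION_TYPE = DETERMINISTIC,
                         ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256' ) NOT NULL
);
```

The minimum TLS version accepted by the server (the last bullet above) is a server-level property configured in the portal, CLI or ARM rather than in T-SQL, so it is not shown here.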

Implement network access controls

Reduce the attack surface available to a malicious user by restricting network access to Azure SQL Database and SQL Managed Instance.
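One concrete form of that restriction, as an added T-SQL example (not code from the original article): reviewing the IP firewall rules of an Azure SQL Database and replacing a broad rule with one scoped to the application's addresses. Rule names and IP ranges are constructed placeholders (203.0.113.0/24 is a documentation range).

```sql
-- Added example (not from the original article): Azure SQL Database firewall rules.

-- Server-level rules are stored in master and apply to every database on the server.
-- A rule spanning 0.0.0.0 to 0.0.0.0 is the "allow Azure services" rule, which
-- admits traffic from any Azure tenant, not only yours.
SELECT name, start_ip_address, end_ip_address, modify_date
FROM sys.firewall_rules;            -- run while connected to master

-- Database-level rules apply only to the current user database and travel with it.
SELECT name, start_ip_address, end_ip_address, modify_date
FROM sys.database_firewall_rules;   -- run in the user database

-- Replace a wide-open database-level rule with one scoped to the app's egress
-- addresses. Rule names and addresses are assumed placeholders.
EXEC sp_delete_database_firewall_rule @name = N'AllowAll';
EXEC sp_set_database_firewall_rule
     @name             = N'app-egress',
     @start_ip_address = '203.0.113.10',
     @end_ip_address   = '203.0.113.12';
```

Where the clients live inside an Azure virtual network, a private endpoint or a virtual network rule (configured in the portal, CLI or ARM) removes the need for public IP rules altogether; the queries above then serve to confirm that no public rules remain.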

Protect databases against attacks

Figure 4 – SQL defender dashboard on Azure.

To ensure your databases’ security, enable tools to detect and respond to threats as quickly as possible.

Audit your databases periodically

Auditing helps you monitor unauthorized activities and vulnerabilities in access permissions or configurations, and helps you maintain regulatory compliance. The specific audits you should enable depend on your data use and on which compliance standards apply to your data.
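What a periodic review of those audit records can look like, as an added T-SQL example (not code from the original article): reading the audit files Azure SQL writes to Blob storage and pulling out failed logins and permission changes. The storage path is a placeholder for your audit container.

```sql
-- Added example (not from the original article): querying Azure SQL audit logs.
-- The path below is a placeholder; use the container your audit policy writes to.
DECLARE @audit_path nvarchar(512) =
  N'https://<storage-account>.blob.core.windows.net/sqldbauditlogs/<server>/<database>/SqlDbAuditing_Audit/';

-- Failed logins grouped by source address and login: a spike from one address
-- is the first thing to look at in a periodic review.
SELECT client_ip,
       server_principal_name,
       COUNT(*)        AS failed_logins,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'            -- login failed
GROUP BY client_ip, server_principal_name
ORDER BY failed_logins DESC;

-- Permission changes: grants, denies, revokes and role membership additions,
-- with the statement that made them, so drift from the expected model is visible.
SELECT event_time,
       server_principal_name,
       database_name,
       action_id,
       object_name,
       statement
FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE action_id IN ('G', 'D', 'R', 'APRL')   -- GRANT, DENY, REVOKE, ADD MEMBER to role
  AND succeeded = 1
ORDER BY event_time DESC;
```

Running these on a schedule and retaining the results gives a baseline to compare against, which is what turns auditing from a compliance checkbox into a detection source.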

Ensure that the databases are configured to meet security best practices

Enable SQL Vulnerability Assessment (VA) to scan your database for security issues automatically on a periodic schedule.

Figure 5 – Vulnerability Assessment report sample.

It can help you identify misconfigurations, unprotected data, and excessive permissions at database and server levels.

For any vulnerabilities found, evaluate the drift from the previous scan result and determine whether the finding should be resolved.
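The "excessive permissions" category of findings, as an added T-SQL example (not code from the original article and not the VA engine's own rules): catalog queries that surface high-privilege role members, broad database-scoped grants, and guest access, so the output can be saved and compared scan to scan.

```sql
-- Added example (not from the original article): permission review queries of the
-- kind Vulnerability Assessment flags. Run in the user database.

-- 1. Members of high-privilege fixed database roles.
SELECT r.name AS role_name,
       m.name AS member_name,
       m.type_desc,
       m.authentication_type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_ddladmin')
ORDER BY r.name, m.name;

-- 2. Broad explicit grants: control-level permissions at database scope (class 0),
--    or anything beyond CONNECT granted to public.
SELECT p.state_desc,
       p.permission_name,
       p.class_desc,
       pr.name AS grantee,
       OBJECT_NAME(p.major_id) AS object_name
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS pr ON pr.principal_id = p.grantee_principal_id
WHERE (p.class = 0 AND p.permission_name IN
          ('CONTROL', 'ALTER', 'ALTER ANY USER', 'ALTER ANY ROLE', 'TAKE OWNERSHIP'))
   OR (pr.name = 'public' AND p.permission_name <> 'CONNECT')
ORDER BY pr.name, p.permission_name;

-- 3. The guest user should not hold CONNECT in a user database.
SELECT pr.name, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS pr ON pr.principal_id = p.grantee_principal_id
WHERE pr.name = 'guest'
  AND p.permission_name = 'CONNECT'
  AND p.state = 'G';
```

Each result set is the "current state"; keeping the previous run's output lets you answer the drift question in the paragraph above for permissions without waiting for the next VA report.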

Is your company ready to implement Azure SQL security?

Azure provides many built-in security features, but not all of them are automatic. In fact, many require configuration, and not all requirements apply to every environment.

Remember that Azure SQL is a dynamic platform. Be sure to keep abreast of new changes and apply necessary security adjustments continually—the more current your security operation, the better your posture.

Let’s get on the call, and we will walk you through how we will keep your database safe and answer any questions you have.

Mark Varnas

Hey, I'm Mark, one of the guys behind Red9. I make a living performance tuning SQL Servers and making them more stable. I channel my SQL into our SQL Managed Services, SQL Consulting and our internal database products.
