Information protection becomes one of the dominant factors that drive modern database design and implementation. This becomes particularly evident when operating in a cloud computing environment, with Azure SQL Database serving as one of prime examples of this trend. Microsoft delivers relevant features by leveraging several different security-related Azure services. In this article, we will provide an overview of this functionality.
The core feature that facilitates Azure SQL Database information protection is part of the Advanced Threat Protection offering, which includes the following components:
- Data Discovery & Classification - uses customizable criteria to automatically identify and categorize business sensitive data residing in databases protected by the offering.
- Vulnerability Assessment - evaluates security and compliance stance of the database based on the security-related best practices of Azure SQL Database and the outcome of data discovery and classification.
- Threat Detection - dynamically discovers activities that represent potential threats to the integrity and security of the databases protected by the offering.
While our intention is to focus on the first of these three components, it is important to understand the functionality provided by the other two because they are, to some extent, interrelated. For example, the analysis performed by Vulnerability Assessment takes into account the results of the Data Discovery & Classifications when providing recommendations regarding restricting access to business sensitive data. In addition, it is worth pointing out that the Advanced Threat Protection offering integrates closely with Azure Security Center, which provides a comprehensive set of security-related features within your entire Azure environment. As a matter of fact, some of the Data Discovery & Classification configuration settings are available from within the Azure Security Center section of the Azure portal.
Vulnerability Assessment is based on scans that you can run on an as-needed basis or according to a custom schedule. The scans identify existing security vulnerabilities resulting from service misconfiguration, excessive permissions, or exposure of potentially sensitive data on the server instance and individual database levels. An output of each scan is presented in the form of recommendations, which not only provide remediation steps, but also assist with their implementation. In cases where some of these recommendations are not relevant or applicable in your environment, you have the option of incorporating them into a custom security baseline, which effectively excludes them from the scope of subsequent scans. You can export scan assessment reports in the Excel format for reporting purposes. It is also possible to automate management of Vulnerability Assessment by using Azure PowerShell.
Threat Detection continuously monitors databases on protected logical servers and managed instances for any activities that might indicate cyber attacks or unauthorized data queries and modifications. These activities include common database exploits (such as SQL injection) or out-of-ordinary data access patterns (such as access attempts from unusual locations or by unfamiliar security principals, as well as an excessive number of failed authentication attempts, which is typically associated with brute force attacks). In response, Threat Detection can generate email alerts, which can be investigated based on the information presented in the Azure portal.
Data Discovery & Classification focuses on identifying and categorizing business sensitive data in protected databases. This capability relies on two metadata attributes that are used to evaluate database content:
- Labels - designate classification categories that represent the extent of data sensitivity (from the security, confidentiality, and compliance standpoint). For example, the built-in labels include Public, General, Confidential, Highly confidential, Confidential - GDPR, and Highly confidential - GDPR.
- Information types - serve as the basis for determination of the category that data in a particular column belongs to. For example, the built-in information types include Date of Birth, Contact info, National ID, SSN, Credit Card, Credentials, Name, and Health.
You have the option of modifying built-in labels and information types (by excluding predefined patterns), as well as creating custom ones. You also have the ability to order labels in order of their respective sensitivity. This functionality is exposed in the Azure Security Center section of the Azure portal. The configuration leverages the concept of Management Groups, which constitute collections of Azure subscriptions that can be managed together as a single entity. It is possible to create a hierarchy of management groups, with the Tenant Root Group at the top and with child groups inheriting configuration settings from their parent. In the context of Azure SQL Database Information Protection, you define labels and information types on the Tenant Root Group level. To perform changes at that level, you have to be a member of the Security Admin role in the Azure Active Directory tenant associated with the Azure subscriptions within the management group hierarchy.
In order to be used for an evaluation, a label must include one or more information types. If data stored in a particular database column matches patterns defined in any of these information types, the discovery process will provide recommendations regarding assignment of the corresponding label. These recommendations are generated automatically once you enable the Data Discovery & Classification functionality. If you choose to accept any of them, the corresponding column will be classified according to your choice. That, in turn, will be reflected in Advanced Threat Protection vulnerability assessment and threat detection behavior. In addition, the classification will enhance monitoring access to sensitive data by automatically including the data_sensitivity_information field in the Azure SQL Database audit logs.
Pricing of Advanced Threat Protection is in line with Azure Security Center Standard offering. At the time of authoring this article (November 2018), each protected node (which translates into a logical server in the case of Azure SQL Database and a protected instance in the case of Managed Instance) is priced at $15 USD per month, with an initial 60-day free trial period.
This concludes our overview of Azure SQL Database Information Protection. In our upcoming articles, we will explore this functionality in more detail.