The first step to securing your Azure SQL Database is understanding what type of threats you are trying to protect against. Below are the most common threats to be aware of.
- Abuse of privileges—occurs when users or applications have privileges in excess of what is required. For example, you should not give users permission to insert, update, or delete data when they only need read access. If abused, privileges can lead to data loss, leakage, or corruption.
- SQL injection attacks—occur when malicious code is provided to the database, typically through unvalidated inputs or URLs. Attackers can use SQL injection to gain access to sensitive data, modify data, or cause damage to databases.
- Weakness of the native audit—if you are not auditing transactions and connections to your database, you cannot accurately access or detect malicious activity. This presents opportunities for attacks to persist in your systems and prevents you from meeting compliance.
- Attack by denial of service (DoS)—DoS attacks are performed by overloading servers with requests, making your database inaccessible. These attacks may be used as a distraction for other attacks or to test the capabilities of your systems.
- Dictionary attack—uses a dictionary of common words used in passwords to brute force entry or to identify passwords. This type of attack is often done to uncover credentials stored in databases which an attacker can then use to gain system access.
Through Azure SQL Database, there are multiple layers of protection that you can implement. These layers relate to network security, authorization, and threat protections.
SQL Database automatically blocks network access to your server until it is purposely granted. These access rights are provided based on IP address or according to origin in an Azure Virtual Network.
IP firewall rules grant access based on a request’s originating IP address. If the origin IP is permitted, the request goes through. Virtual network firewall rules enable your SQL Database to identify the originating subnet of endpoints in your virtual network. If the subnet is permitted, the request goes through. This process relies on using service tags that manage outbound traffic via Network Security Groups.
Authorization determines what users or applications are allowed to do within your database. These permissions are controlled through the creation of user accounts and by assigning those accounts to database roles. You can also grant object-level permissions directly.
In general, you should restrict users to the least possible privileges and should not assign permissions directly to users. You should also be mindful of who has access to your server admin account since this account has built-in db_owner privileges. For applications, you can attach roles by defining the EXECUTE AS functionality or by applying Application Roles.
Auditing and threat detection capabilities are built-in to SQL Database to help you keep your data secured. Auditing capabilities enable you to track database activity and ensure compliance through event logging. These logs can then be used to evaluate database activities and to investigate potential threats or incidents.
Threat protection capabilities are provided through the Advanced Threat Protection feature. This feature analyzes your logs, correlates activity, and alerts to detected or suspected threats. These threats include data infiltration, brute force attacks, SQL injection attacks, and inconsistent use of credentials or privileges. You can evaluate alerts through the Azure Security Center, where you are also provided recommendations for remediation.
When deploying your SQL Database several best practices can help you ensure that your database remains secure and operational.
Azure’s migration tools, including Database Migration Service and Database Migration assistant can help you ensure that your database instances are secure from the start. These tools can highlight incompatibilities in your migration and can provide you with recommendations for fixes as well as best practice settings.
Pay special attention to any settings or functionalities that might have changed between your current database versions and SQL Database. The Azure service maintains the most recent patches and versions automatically and there may be a significant difference from your former version.
Use firewall rules to prevent database access by unknown users. One effective way to accomplish this is to set whitelists of known users by specifying accepted origin IP addresses. However, you can also adjust your port access settings to control traffic.
Your Azure SQL Database service can be accessed through TCP port 1433. To access your database, you should ensure that your firewalls enable outbound communications on this port. If you have no applications which require inbound traffic be allowed, you should block this access.
Auditing your database activity, either through Azure’s service or with third-party tools, can help you identify security and performance issues. It is also a requirement for proving compliance, although standards vary by the type of data you store.
When auditing, you should be evaluating who is accessing data, how frequently, and how data is being used after access. For example, you want to identify if you have users who are suddenly accessing sensitive data or are exporting large amounts of data. Both of these could be signs of either a malicious insider or evidence that credentials have been compromised.
Although the Advanced Threat Protection service requires an additional fee, you should strongly consider enabling it. This service contains multiple sub services, including Threat Detection, Vulnerability Assessment, and Data Discovery and Classification services. One of the primary benefits of the service is that it provides access to these features in a centralized location, easing management.
Data discovery and classification
The Data Discovery and Classification service enables you to automatically inventory data and identify data that requires higher security measures. You can then use this service to monitor sensitive data access and report on that access for compliance or security purposes.
The Vulnerability Assessment service enables you to scan your database for potential vulnerabilities according to Microsoft best practices. It can help you identify excessive permissions, misconfigurations, or unprotected data. The service can scan for vulnerabilities at both the database level and server level. When identified, vulnerabilities are labelled according to risk level and recommendations are given for remediation.
Azure SQL Database, like many other cloud-based databases, is susceptible to cyber attacks, including privileges abuse, SQL injections, dictionary attacks, and DoS. To protect your data against these attacks, you should consider adopting a multi-layered protection approach.
A multi-layered protection approach ensures that for Azure SQL Database deployments, you enforce network security, authorization, and threat protection. You can also leverage dedicated Azure migration tools for secure data in transit. You should also audit for compliance, on a consistent basis, to ensure your data remains secure and meets regulatory requirements.