Configure an SQL Database firewall
- Primary characteristics of an SQL Database firewall:
  - Supports SQL Database and Azure SQL Data Warehouse:
    - SQL Database supports server-level and database-level firewall rules (database-level rules are evaluated first)
    - SQL Data Warehouse supports server-level firewall rules only
  - Default deny (inbound)
  - Explicit allow (inbound):
    - From the internet: based on a source IP address range
    - From Azure: all connections
    - From Azure virtual networks: based on virtual network service endpoints from individual subnets
- Implementing an SQL Database firewall:
  - Involves creating one or more allow rules
  - Supports creation of server-level rules from the Azure portal:
    - The portal provides the Add client IP feature
  - Requires the use of T-SQL for database-level rules
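The steps above carried out with Azure PowerShell (Az.Sql) and T-SQL, as an added example that is not part of the original slides. The resource group, server, database, virtual network and IP ranges are assumed placeholder values, and the database-level step assumes the SqlServer module's Invoke-Sqlcmd.

```powershell
# Added example, not from the original slides. All names are placeholders;
# 203.0.113.0/24 is a documentation range standing in for a real office egress range.
$rg  = 'rg-data'
$srv = 'sqlsrv-contoso'

# Server-level rule (also possible from the portal): applies to every database on the server.
New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $srv `
    -FirewallRuleName 'office-egress' -StartIpAddress '203.0.113.10' -EndIpAddress '203.0.113.20'

# "From Azure: all connections" is the special 0.0.0.0 rule. It admits any Azure-hosted
# client, including other customers' subscriptions, so prefer the subnet rule below
# whenever the client lives in your own virtual network.
# New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $srv -AllowAllAzureIPs

# Virtual network rule: the subnet must have the Microsoft.Sql service endpoint enabled.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'snet-app' -VirtualNetwork $vnet
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $srv `
    -VirtualNetworkRuleName 'snet-app' -VirtualNetworkSubnetId $subnet.Id

# Database-level rules exist only in T-SQL and live inside the target database,
# where they are evaluated before the server-level rules.
$tsql = @"
EXEC sp_set_database_firewall_rule N'analyst-host', '203.0.113.50', '203.0.113.50';
SELECT name, start_ip_address, end_ip_address FROM sys.database_firewall_rules;
"@
Invoke-Sqlcmd -ServerInstance "$srv.database.windows.net" -Database 'db-sales' `
    -Credential (Get-Credential -Message 'SQL admin login') -Query $tsql

# Review what is open: every allow rule is an exposure decision worth auditing.
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $srv |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
```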
Enable database authentication and authorization
- SQL Database authentication:
  - Supports two types of authentication:
    - SQL authentication: based on a locally stored username and password
    - Azure AD authentication: based on Azure AD credentials
  - Supports two types of users:
    - Users defined in the master database and referenced in user databases
    - Users defined directly in user databases (contained database users)
- Azure Cosmos DB authorization:
  - Supports authorization based on master keys, resource tokens, and users
    - Users are resources representing custom permissions to database resources
    - The master key is used to create user resources
    - Resource tokens represent permissions associated with user resources
Enable Azure AD authentication for SQL Database
- Create a new Azure AD user, or identify an existing one, to designate as the Azure SQL Database server administrator. In hybrid scenarios, the account should be sourced in Active Directory
- If needed, associate the Azure subscription hosting SQL Database with an Azure AD tenant
- Create an Azure AD administrator for the SQL Database server, Azure SQL Managed Instance, or SQL Data Warehouse
- Configure client computers
- Create contained database users mapped to Azure AD identities
- Connect to the database by using Azure AD identities
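Steps 3, 5 and 6 of the procedure above in Azure PowerShell and T-SQL, as an added example that is not part of the original slides. Server, database, group and user names are assumed placeholders, and the example assumes the SqlServer module's Invoke-Sqlcmd and an Az.Accounts version whose Get-AzAccessToken returns a plain-text token.

```powershell
# Added example, not from the original slides. Names are placeholders.
$rg  = 'rg-data'
$srv = 'sqlsrv-contoso'

# Step 3: set the Azure AD administrator for the logical server. Using an Azure AD
# group means admin turnover is handled by group membership, not by touching the server.
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $rg -ServerName $srv `
    -DisplayName 'sg-sql-admins'
Get-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $rg -ServerName $srv

# Step 5: contained database users mapped to Azure AD identities. Only a session
# authenticated as an Azure AD principal (here the admin above) can create them.
$tsql = @"
CREATE USER [alice@contoso.com] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [alice@contoso.com];
-- an Azure AD group or an application's managed identity is created the same way
CREATE USER [sg-sales-analysts] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [sg-sales-analysts];
-- E = external user, X = external group
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals WHERE type IN ('E', 'X');
"@

# Step 6: connect with an Azure AD access token instead of a SQL password.
$token = (Get-AzAccessToken -ResourceUrl 'https://database.windows.net').Token
Invoke-Sqlcmd -ServerInstance "$srv.database.windows.net" -Database 'db-sales' `
    -AccessToken $token -Query $tsql
```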
Enable database auditing
- Primary characteristics of Azure SQL Database auditing:
  - Facilitates tracking of designated events, reporting on database activities, and event analysis
  - Is configurable via server and database audit policies
- Implementing database auditing:
  - Enable a server policy to audit all existing and newly created databases
  - Enable a database policy to audit individual databases in order to:
    - Configure a different storage account or retention period for a specific database
    - Audit event types or categories for a specific database that differ from those of the other databases on the server
  - You can use the Azure portal to:
    - Enable and disable server-level and database-level policies
    - Configure audit log destinations (Azure Storage, Azure Log Analytics, Azure Event Hub) and the retention period (Storage only)
  - You must use Azure PowerShell or the REST API to customize audited events
Configure SQL Database threat detection
- Primary characteristics of SQL Database threat detection:
  - Helps detect and respond to suspicious database activities, potential vulnerabilities, cyber attacks, and anomalous access patterns
  - Integrates with Azure Security Center
  - Assists with investigating and mitigating threats
  - Is available as part of the Advanced Data Security offering, which includes:
    - Data discovery and classification
    - Vulnerability assessment
    - Threat detection
- Implementing SQL Database threat detection:
  - Enable Advanced Data Security at the server or database level
  - Designate a storage account for saving vulnerability assessment scan results
  - Configure recurring scans
  - Specify the email addresses that will receive scan results
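The four implementation steps above in Azure PowerShell (Az.Sql), as an added example that is not part of the original slides, followed by an on-demand scan whose failed checks can be triaged. Server, storage account, database and email values are assumed placeholders.

```powershell
# Added example, not from the original slides. Names are placeholders.
$rg  = 'rg-data'
$srv = 'sqlsrv-contoso'

# 1. Enable Advanced Data Security (classification, vulnerability assessment,
#    threat detection) for the whole server.
Enable-AzSqlServerAdvancedDataSecurity -ResourceGroupName $rg -ServerName $srv

# 2-4. Storage account for scan results, weekly recurring scans, recipients.
#      Results land in a container in that account, so restrict who can read it.
Update-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $rg -ServerName $srv `
    -StorageAccountName 'stvacontoso' -ScanResultsContainerName 'vulnerability-assessment' `
    -RecurringScansInterval Weekly -EmailAdmins $true -NotificationEmail @('secops@contoso.com')

# Baseline now rather than waiting a week: run a scan and list the failed checks.
Start-AzSqlDatabaseVulnerabilityAssessmentScan -ResourceGroupName $rg -ServerName $srv `
    -DatabaseName 'db-sales' -ScanId 'baseline-001'
Get-AzSqlDatabaseVulnerabilityAssessmentScanRecord -ResourceGroupName $rg -ServerName $srv `
    -DatabaseName 'db-sales' -ScanId 'baseline-001' |
    Select-Object ScanId, State, NumberOfFailedSecurityChecks, Errors
```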
Configure access control for storage accounts
- Azure storage account access controls:
  - Azure AD–based authentication and authorization (in preview as of March 2019)
  - Storage access key–based authorization
  - SAS–based authorization
  - Anonymous access (blobs and containers only)
Configure key management for storage accounts
- Regenerating storage access keys periodically is a recommended security practice
- Rotating a key that an audit policy uses requires updating the policy in a rolling fashion:
  - Modify the policy to use the secondary key
  - Regenerate the primary key
  - Modify the policy to use the primary key
  - Regenerate the secondary key
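The auditing setup from "Enable database auditing" and the four-step key rotation above in Azure PowerShell (Az.Sql and Az.Storage), as one added example that is not part of the original slides. Resource group, server, database and storage account names are assumed placeholders.

```powershell
# Added example, not from the original slides. Names are placeholders.
$rg   = 'rg-data'
$srv  = 'sqlsrv-contoso'
$sa   = 'stauditcontoso'
$saId = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).Id

# Server policy: covers every existing and future database on the server.
# The action groups are customizable only from PowerShell or REST, not the portal.
$serverAudit = @{
    ResourceGroupName        = $rg
    ServerName               = $srv
    BlobStorageTargetState   = 'Enabled'
    StorageAccountResourceId = $saId
    RetentionInDays          = 90
    AuditActionGroup         = 'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP',
                               'FAILED_DATABASE_AUTHENTICATION_GROUP',
                               'BATCH_COMPLETED_GROUP'
}
Set-AzSqlServerAudit @serverAudit -StorageKeyType Primary

# Database policy: override for one database (longer retention, narrower events).
Set-AzSqlDatabaseAudit -ResourceGroupName $rg -ServerName $srv -DatabaseName 'db-sales' `
    -BlobStorageTargetState Enabled -StorageAccountResourceId $saId -RetentionInDays 365 `
    -AuditActionGroup 'BATCH_COMPLETED_GROUP' `
    -PredicateExpression "statement LIKE 'DELETE%' OR statement LIKE 'UPDATE%'"

# Key rotation without a gap in audit writes: the policy always points at the key
# that is NOT being regenerated. Repeat the same sequence for any database-level
# policy that writes to the same storage account.
Set-AzSqlServerAudit @serverAudit -StorageKeyType Secondary                       # 1. use key2
New-AzStorageAccountKey -ResourceGroupName $rg -Name $sa -KeyName key1 | Out-Null  # 2. rotate key1
Set-AzSqlServerAudit @serverAudit -StorageKeyType Primary                         # 3. use key1
New-AzStorageAccountKey -ResourceGroupName $rg -Name $sa -KeyName key2 | Out-Null  # 4. rotate key2
```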
Create and manage SASs
- Primary characteristics of SAS:
  - A SAS is a digitally signed URI granting access to target storage resources
  - Supports two types of access:
    - Service SAS: access to resources within a single storage service only (Blob, Queue, Table, or File)
    - Account SAS: access to resources within one or more storage services
  - Provides granular access to storage account resources, based on criteria such as:
    - Validity period, including the start and expiration times
    - Set of permissions
    - IP address range designating the origin of the access request
    - Protocol (HTTP or HTTPS)
- Implementing SAS-based scenarios:
  - Front End Proxy Service
  - SAS Provider Service
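A service SAS and an account SAS constrained by the criteria listed above (validity window, permissions, IP range, protocol), issued the way a SAS provider service would and then consumed by a client without the account key, as an added example that is not part of the original slides. Storage account, container, policy name and the 203.0.113.0/24 range are assumed placeholders.

```powershell
# Added example, not from the original slides. Names and the IP range are placeholders.
$ctx    = (Get-AzStorageAccount -ResourceGroupName 'rg-data' -Name 'stdatacontoso').Context
$start  = (Get-Date).ToUniversalTime().AddMinutes(-5)   # small clock-skew allowance
$expiry = $start.AddHours(1)                            # short-lived by default

# Stored access policy on the container: a SAS bound to it is revoked by deleting
# the policy. An ad-hoc SAS can only be killed by rotating the signing key.
New-AzStorageContainerStoredAccessPolicy -Container 'reports' -Policy 'readers-q1' `
    -Permission 'rl' -ExpiryTime $expiry -Context $ctx

# Service SAS: one container in the Blob service; permissions and expiry come from
# the policy, protocol and source range are fixed in the token itself.
$serviceSas = New-AzStorageContainerSASToken -Name 'reports' -Policy 'readers-q1' `
    -Protocol HttpsOnly -IPAddressOrRange '203.0.113.0-203.0.113.255' -Context $ctx

# Account SAS: spans services (Blob and File) at container and object level,
# read and list only, same window and constraints.
$accountSas = New-AzStorageAccountSASToken -Service Blob,File -ResourceType Container,Object `
    -Permission 'rl' -Protocol HttpsOnly -IPAddressOrRange '203.0.113.0-203.0.113.255' `
    -StartTime $start -ExpiryTime $expiry -Context $ctx

# What the provider hands to a client: a context built from the token alone,
# so the account key never leaves the provider.
$clientCtx = New-AzStorageContext -StorageAccountName 'stdatacontoso' -SasToken $serviceSas
Get-AzStorageBlob -Container 'reports' -Context $clientCtx | Select-Object Name, Length
```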
Configure security for Azure HDInsight
- Perimeter security:
  - Network Security Groups
  - Virtual network
  - Azure VPN Gateway
- Authentication:
  - Azure AD DS
  - On-premises Active Directory
- Authorization:
  - RBAC
  - Hive policies
- Data security: encryption at rest
Configure security for Cosmos DB
- Perimeter protection:
  - Regular scanning and penetration-testing of Cosmos DB ports
  - Azure DDoS
  - IP firewall protection
- Virtual network security:
  - Virtual network service endpoints
  - Network Security Groups
- Key-based access control:
  - Master key
  - Read-only key
Configure security for Azure Data Lake
- Management plane security: RBAC with Azure AD integration
- Data plane security:
  - Built-in SSE
  - RBAC with Azure AD integration
  - Delegated access to data objects by using SAS
  - Flexible object-level permission assignments and inheritance:
    - Based on ACLs and a POSIX-style model
    - Configurable via Hive, Spark, and Azure Storage Explorer