
Best practices for securing your Azure SQL

gregg rodriguez / 04.23.19

Azure SQL enables you to maintain the security, integrity and consistency of your data, which is critical when customer information is at stake, but it requires using a new approach to security.

In Azure, you can have your SQL Server workloads running in a hosted infrastructure (IaaS) or running as a hosted service (PaaS). Within PaaS, you have multiple deployment options and service tiers within each deployment option. The decision between PaaS and IaaS comes down to whether you want to manage your database, apply patches, and take backups yourself, or delegate these operations to Azure.

In the Azure environment, Microsoft provides a secure foundation across physical infrastructure and operational security, while you are responsible for the security of your application workloads, data, identities, on-premises resources, and all the cloud components that you control. This is referred to as the shared responsibility model.

You can ensure the security of your Azure resources by understanding the risks of misconfigured services and applying security best practices based on the shared responsibility model.

What are the risks of misconfigured Azure SQL?

  • Restricted Server Access: If access to your SQL Servers from the Internet is not restricted, unauthorized connections are not blocked.
  • Data Encryption: If SQL Server Databases do not have transparent data encryption enabled, you lose the protection against malicious activity that real-time encryption and decryption of the database provides.
  • Resource Locks: If SQL Server Databases do not use resource locks, your Azure resources will not be locked down and you will not be able to prevent deletion or changing of a resource.
  • Auto Failover Groups: If SQL Servers do not use failover groups, you will not have the ability to manage replication and failover of a group of databases on a logical server or all databases in a Managed Instance to another region (currently in public preview for Managed Instance). Failover groups use the same underlying technology as active geo-replication.
  • Database Auditing: If SQL Servers do not have auditing enabled, you cannot ensure that all existing and newly created databases on the SQL server instance are audited.
  • Audit Retention: If SQL Servers do not have audit retention configured for greater than 90 days, you will not be able to check for anomalies and get insight into suspected breaches or misuse of information and access.

How Halo Can Help Secure Your Azure SQL

Halo can help you secure your SQL by ensuring that:

  • Restricted Server Access: SQL Servers do not have unrestricted access from the Internet, so that unauthorized connections are blocked.
    • After creating your SQL Database, you can specify which IP addresses can connect to your database. You can then define more granular IP addresses by referencing the range of addresses available from specific data centers.
  • Data Encryption: SQL Server Databases have transparent data encryption enabled to help protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
  • Resource Locks: SQL Server Databases are using resource locks to provide a way for administrators to lock down Azure resources and prevent deletion or changing of a resource.
    • These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These are very useful when you have an important resource in your subscription that users should not be able to delete or change and can help prevent accidental and malicious changes or deletion.
  • Auto Failover Groups: SQL Servers are using failover groups that allow you to manage replication and failover of a group of databases on a logical server or all databases in a Managed Instance to another region (currently in public preview for Managed Instance).
  • Database Auditing: SQL Servers have auditing enabled to ensure that all existing and newly created databases on the SQL server instance are audited.
    • Auditing tracks database events and writes them to an audit log in your Azure storage account. It also helps you to maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
  • Audit Retention: SQL Servers have audit retention configured for greater than 90 days, so that audit logs can be used to check for anomalies and give you insight into suspected breaches or misuse of information and access.
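
The six checks above can be expressed as a small audit over an exported server configuration. The following is an added example, not Halo's code: the inventory layout, the check names, and the 256-address limit per firewall rule are assumptions, with field names modelled on Azure CLI JSON output.

```python
import ipaddress

# Constructed sample inventories. Field names (startIpAddress, state,
# retentionDays, level) are modelled on Azure CLI JSON; layout is an assumption.
WEAK = {
    "firewall_rules": [
        {"name": "open", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    ],
    "audit_policy": {"state": "Enabled", "retentionDays": 30},
    "failover_groups": [],
    "databases": [{"name": "appdb", "tde_state": "Disabled", "locks": []}],
}
HARDENED = {
    "firewall_rules": [
        {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
    ],
    "audit_policy": {"state": "Enabled", "retentionDays": 120},
    "failover_groups": ["fg-east-west"],
    "databases": [{"name": "appdb", "tde_state": "Enabled",
                   "locks": [{"level": "CanNotDelete"}]}],
}
MAX_RULE_ADDRESSES = 256  # hypothetical policy limit on addresses per rule


def audit(server):
    """Return the sorted names of the checks that one SQL server fails."""
    failed = set()
    for rule in server["firewall_rules"]:
        start = int(ipaddress.IPv4Address(rule["startIpAddress"]))
        end = int(ipaddress.IPv4Address(rule["endIpAddress"]))
        if end - start + 1 > MAX_RULE_ADDRESSES:  # range too broad to be "restricted"
            failed.add("restricted-server-access")
    policy = server["audit_policy"]
    if policy.get("state") != "Enabled":
        failed.add("database-auditing")
    else:
        days = policy.get("retentionDays", 0)
        if 0 < days <= 90:  # 0 is treated as unlimited retention (assumption)
            failed.add("audit-retention")
    if not server["failover_groups"]:
        failed.add("auto-failover-groups")
    for db in server["databases"]:
        if db["tde_state"] != "Enabled":
            failed.add("data-encryption")
        if not any(lock["level"] in ("CanNotDelete", "ReadOnly") for lock in db["locks"]):
            failed.add("resource-locks")
    return sorted(failed)
```

Calling audit(WEAK) reports five failed checks, while audit(HARDENED) returns an empty list.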

Learn more about how Halo Cloud Secure can give you security visibility into your Azure SQL server inventory and help you reduce your overall cloud attack surface.