Microsoft Azure – Data Protection in Azure SQL

In this article, we will learn about the data protection aspects of Azure SQL. Azure SQL provides a Unified package of SQL security intelligent capabilities, which includes:

• Data Classification
• Vulnerability Assessment
• Advanced Threat Protection

 

SQL Data Discovery & Classification:

This service is used to discover, classify, protect and track access to sensitive data. This tool helps users on the following fronts of data protection:

1. Discovery and recommendations: It scans your database and looks for sensitive data and provides the user with an overview of the same so that you can review it and make changes as per your requirements.
2. Labeling: You can label the data in your columns as per their sensitivity which further helps in managing and auditing the data while protecting its integrity.
3. Query result-set sensitivity: The sensitivity of the data in a query set is also calculated in real-time, making sure no sensitive data is fetched with SQL queries on the server and can also help during auditing of the servers and databases.
4. Visibility: The azure portal has a dashboard where you can view the details of the classifications of the columns in your database and also provides an option to download the same for review.

 

SQL Vulnerability Assessment: 

This tool is used to discover, track, and remediate security misconfigurations. This is a service that provides actionable steps to resolve security issues and enhance database security. It is a scanning service that employs a set of rules that flags security vulnerabilities. The rules are based on Microsoft’s best practices and focus on the security issues that are big risks to the database. 

 

They cover database-level issues and server-level security issues, like server firewall settings and server-level permissions. Below listed are some of the features of this service:

• It identifies security misconfigurations present in the SQL server.
• The service provides a set of actionable remediation steps.
• The service also helps to set up a security baseline that is tuned to your environment.
• It has support for both Manual and periodic scans.

Note: This service is a part of the Microsoft Defender for SQL, which is a unified package for advanced SQL security capabilities.

Advanced Threat Protection

It is used to detect unusual and harmful attempts to breach your database.

 

It is a solution that helps ensure end-to-end security across the attack vectors in the modern workplace. The Advanced Threat Protection solution is powered by the signals from the Microsoft Intelligent Security Graph which provides 6.5 trillion daily signals from email alone!  With this, you gain end-to-end security for the modern workplace, fully integrated services that communicate with one another, all supported by one of the largest threat networks through the Microsoft Intelligent Security Graph. It provides a new layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities and makes it simple to address potential threats to the database without the need to be a security expert or manage advanced security monitoring systems. 

To summarize, SQL Threat Detection allows you to respond to unusual and harmful attempts to breach your database.

• It is easier to enable and requires no modifications in the code.
• It provides algorithms that learn, profile, and detect potential SQL injections and unusual behavior patterns.
• It triggers security alerts upon detection of an anomaly, with detailed descriptions and actionable investigation and remediation steps.

Advanced Threat Protection Suite

 

SQL Threat Detection triggers the following type of security alerts, each of which is discussed in detail below:

1. SQL injections: It indicates if someone has attempted or succeeded to attacks your database using SQL injection methods.
2. Access anomalies: It indicates a change in the access pattern to the SQL server in the form of brute force, harmful application, the usual location.
3. Queries anomalies: It indicates a change in the query pattern to SQL server in the form of usual data exfiltration or suspicious commands.
    

Potential SQL injection attacks:

• SQLi attempt: An application generated a faulty SQL statement, which may indicate a potential vulnerability of the application to SQL injection.
• SQLi attack: Potential exploitation of application code vulnerability to SQL Injection, which may indicate a SQL Injection attack.

Anomalous access patterns:

• Someone has logged from an unusual location: It refers to a change in the access pattern from an unusual geographical location
• An unfamiliar principal successfully logged: It refers to a change in the access pattern using an unusual SQL user.
• Someone is attempting to brute force SQL credentials abnormally high number of failed logins with different credentials.
• Someone has logged from a potentially harmful application.

Anomalous queries patterns:

• Data exfiltration by volume: Someone has extracted anomalous amounts of data in an hour or using a single query  
• Data exfiltration by location: Someone has a backup database to an unusual storage location,
• Unsecured commands: Someone has executed unsecured commands (e.g.  xp_cmdshell…)