Posts

Showing posts from November, 2020

Manage Security Operations (part 1 of 3)

Image
  To read part 2 please click  here To read part 3 please click  here Azure Monitor The following high-level diagram depicts the two fundamental data types that Azure Monitor uses, Metrics and Logs. On the left side of the figure are the sources of monitoring data that populate these data stores, while on the right side are the different functions that Azure Monitor performs with this collected data, like analysis, alerting, and streaming to external systems. For many Azure resources, you can find the data that Azure Monitor collects right in the resource's overview page in the Azure portal while the several charts displaying performance metrics can be noticed in any virtual machine (VM), you can select any of the graphs to open the data in Metrics Explorer, which allows you to chart the values of the multiple metrics over time.  You can analyze log data that Azure monitor collects by using queries to quickly retrieve, consolidate, and analyze the collected data while also creating

Database Security (part 4 of 4)

Image
  To read part 1 please click  here To read part 2 please click  here To read part 3 please click  here Dynamic Data Masking SQL Database Dynamic Data Masking (DDM) can limit the sensitive data exposure by masking it to non-privileged users which also helps in preventing an unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer. It's a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed. You set up a DDM policy in the Azure portal by selecting the DDM operation in your SQL Database configuration blade or settings blade. This feature cannot be set by using portal for Azure Synapse. Dynamic data masking policy SQL users excluded from masking- A set of SQL users or AAD identities that get unmasked data in the SQL query results. Users with the administrators privileges

Database Security (part 3 of 4)

Image
  To read part 1 please click  here To read part 2 please click  here To read part 4 please click  here Vulnerability Assessment SQL Vulnerability Assessment is an easy-to-configure service that can discover, track, as well as help you remediate potential database vulnerabilities and provides visibility into your security state. It can help you: Meet compliance requirements that require database scan reports. Meet data privacy standards. Monitor a dynamic database environment where changes are difficult to track. Vulnerability assessment is a scanning service built into Azure SQL Database and its rules are based on the Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. The results of the scan includes actionable steps to resolve each issue and provide customized remediation scripts wherever applicable.  View the report When your scan is finished, your scan report is automatically displayed in the Azure

Database Security (part 2 of 4)

Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here Azure Database Auditing Auditing for Azure SQL Database and Azure Synapse Analytics tracks database events and write them to an audit log in your Azure storage account, Log Analytics Workspace or Event Hubs. Auditing also: Helps you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations. Enables and facilitates adherence to compliance standards, although it doesn't guarantee compliance. Overview You can use SQL database auditing to: Retain an audit trail of selected events and can define categories of the database actions to be audited. Report on database activity. You can use pre-configured reports and a dashboard to get started quickly with activity and event reporting. Analyze reports. You can find suspicious events, unusual activity, and trends. Defi

Database Security (part 1 of 4)

Image
  To read part 2 please click  here To read part 3 please click  here To read part 4 please click  here SQL Database Authentication Authentication and authorization Authentication is the process of proving the user is who they claim to be and when a user attempts to connect to a database, they provide a user account and authentication information. There are two authentication methods: SQL authentication- With this authentication method, the user submits the user account name and associated password to establish a connection which is stored in the master database in the user accounts linked to a login or stored in the database containing the user accounts not linked to a login. Azure AD authentication- With this authentication method, the user submits a user account name and requests that the service use the credential information stored in Azure AD.  You can create user accounts in the master database, and grant permissions in all databases on the server, or you can create them in the

Storage Security (part 2)

Image
To read part 1 please click  here Shared Access Signatures For untrusted clients you can use a Shared Access Signature (SAS) which is a string that contains a security token that can be attached to a URI as well as delegate access to storage objects and specified constraints, such as the permissions and the time range of access.  Types of SAS You can use a service-level SAS to allow access to specific resources in a storage account. You'd use this type of SAS, for example, to allow an app to retrieve a list of files in a file system or to download a file. Use an account-level SAS to allow access to anything that a service-level SAS can allow, plus additional resources and abilities. For example, you can use an account-level SAS to allow the ability to create file systems. A user delegation SAS, introduced with version 2018-11-09, is secured with Azure AD credentials. This type of SAS is supported for the Blob service only and can be used to grant access to containers and blobs.  Ad

Storage security (part 1)

Image
  To read part 2 please click  here Data Sovereignty Data sovereignty is the concept that information which has been converted and stored in binary digital form is subject to the laws of the country or region in which it is located. Most of the current concerns that surrounds data sovereignty relate to enforcing privacy regulations and preventing data that is stored in a foreign country or region from being subpoenaed by the host country or the region's government. In Azure, the customer data might be replicated within a selected geographic area for enhanced data durability in case of a major data center disaster, and in some cases will not be replicated outside it. Paired regions Azure operates in multiple geographies around the world. Each Azure region is paired with the another region within the same geography, forming the regional pair (except Brazil South). It is recommended to configure Business Continuity and Disaster Recovery (BCDR) across regional pairs to benefit from Azu

Application Security (part 3 of 3)

Image
  To read part 1 please click  here To read part 2 please click  here Managed Identities Managed Identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI) for Azure resources feature in Azure AD and provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code. The managed identities for Azure resources feature is free with Azure AD for Azure subscriptions, there's no additional cost. How managed identities for Azure resources works? There are two type of managed identities: A system-assigned managed identity  is enabled directly on an Azure service instance and when the identity is enabled, azure creates an identity for the instance in the Azure AD tenant that's trusted by the subscription of the instance. The lifecycle of a system-assigned managed identity is