Database Security (part 2 of 4)

 

To read part 1 please click here
To read part 3 please click here
To read part 4 please click here



Azure Database Auditing

Auditing for Azure SQL Database and Azure Synapse Analytics tracks database events and write them to an audit log in your Azure storage account, Log Analytics Workspace or Event Hubs.

Auditing also:

  • Helps you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
  • Enables and facilitates adherence to compliance standards, although it doesn't guarantee compliance.

Overview

You can use SQL database auditing to:

  • Retain an audit trail of selected events and can define categories of the database actions to be audited.
  • Report on database activity. You can use pre-configured reports and a dashboard to get started quickly with activity and event reporting.
  • Analyze reports. You can find suspicious events, unusual activity, and trends.

Define server-level vs database-level auditing policy

An auditing policy can be defined for a specific database or as a default server policy:

  • A server policy applies to all existing and newly created databases on the server.
  • If server auditing is enabled, it always applies to the database that will be audited regardless of the database auditing settings.
  • Enabling auditing on the database or data warehouse, in addition to enabling on the server, does not override or change any of the settings of the server auditing. In other words, the database is audited twice in parallel; once by the server policy and once by the database policy.

Data Discovery and Classification

Data discovery and classification is built into Azure SQL Database which provides an advanced capabilities for discovering, classifying, labeling, and reporting the sensitive data in your databases. It can also serve as an infrastructure for:

  • Helping to meet standards for data privacy and requirements for regulatory compliance.
  • Various security scenarios, such as monitoring (auditing) and alerting on anomalous access to the sensitive data.
  • Controlling access to and hardening the security of databases that contain highly sensitive data.   

Data discovery and classification is a part of the Advanced Data Security offering, which is a unified package for advanced SQL security capabilities. 

Data classification enables organizations to find storage optimizations that might not be possible when all the data is assigned the same value and can yield benefits such as compliance efficiencies, improved ways to manage the organization's resources, as well as facilitation of migration to the cloud. 

Data exists in one of the three basic states- at rest, in process, and in transit. The data that is classified as confidential needs to stay confidential when at rest, in process, or in transit and can also be either structured or unstructured. Generally, the organizations will have more unstructured data than structured data. 

Regardless of whether the data is structured or unstructured, it's important for the organizations to manage the data sensitivity and when properly implemented, data classification helps ensure that sensitive or confidential data assets are managed with greater oversight than the data assets that are considered public distribution.

Data Discovery

Data discovery and classification provides advanced capabilities built into Azure SQL Database for discovering, classifying, labeling, and protecting sensitive data in your databases while introducing a set of advanced series and SQL capabilities, forming an SQL Information Protection Paradigm aimed at protecting the data, not just the database:
  • Discovery and recommendations- The classification engine scans your database and identifies columns containing potentially sensitive data. It then provides you with an easier way to review and apply the appropriate classification recommendations via the Azure portal.

  • Labeling- Sensitivity classification labels can be persistently tagged on columns using new classification metadata attributes introduced into the SQL Server Engine. This metadata can be then be utilized for advanced sensitivity-based auditing and protection scenarios.

  • Query result set sensitivity- The sensitivity of the query result set is calculated in real time for auditing purposes.

  • Visibility- You can view the database classification state in a detailed dashboard in the Azure portal. Additionally, you can download a report (in the Microsoft Excel format) that you can use for compliance and auditing purposes, in addition to other needs. 

Steps for discovery, classification, and labeling

Classifications have two metadata attributes:

  • Labels that are the main classification attributes used to define the sensitivity level of the data stored in the column.
  • Information Types that provides additional granularity into the type of data stored in the column.

SQL data discovery and classification comes with a built-in set of sensitivity labels and information types and discovery logic. As a part of the Azure Information Protection Policy management, you can define custom labels, rank them, and associate them with a selected set of the information types.

After you have defined the tenant-wide policy, you can continue with classifying individual databases using your customized policy. 


To read part 1 please click here
To read part 3 please click here
To read part 4 please click here









Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)