Database Security (part 2 of 4)


To read part 1 please click here
To read part 3 please click here
To read part 4 please click here



Azure Database Auditing

Auditing for Azure SQL Database and Azure Synapse Analytics tracks database events and writes them to an audit log in your Azure storage account, Log Analytics workspace, or Event Hubs.

Auditing also:

  • Helps you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
  • Enables and facilitates adherence to compliance standards, although it doesn't guarantee compliance.

Overview

You can use SQL database auditing to:

  • Retain an audit trail of selected events. You can define the categories of database actions to be audited.
  • Report on database activity. You can use pre-configured reports and a dashboard to get started quickly with activity and event reporting.
  • Analyze reports. You can find suspicious events, unusual activity, and trends.

Define server-level vs database-level auditing policy

An auditing policy can be defined for a specific database or as a default server policy:

  • A server policy applies to all existing and newly created databases on the server.
  • If server auditing is enabled, it always applies to the database (the database will be audited) regardless of the database's own auditing settings.
  • Enabling auditing on the database or data warehouse, in addition to enabling it on the server, does not override or change any of the settings of the server auditing. In other words, the database is audited twice in parallel: once by the server policy and once by the database policy.
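The server-level versus database-level behaviour described above can be seen directly when both policies are configured with the Az.Sql PowerShell module. The script below is an added example, not code from the original post; the resource group, server, database, storage account and Log Analytics workspace identifiers are placeholders you must replace, and it assumes an authenticated session (Connect-AzAccount) with rights to change auditing settings.

```powershell
# Added example (not from the original post). Placeholders: <rg>, <server>, <db>,
# <storage-account-resource-id>, <workspace-resource-id>. Requires Az.Sql and
# an authenticated session (Connect-AzAccount).

$rg      = "<rg>"
$server  = "<server>"
$db      = "<db>"
$storage = "<storage-account-resource-id>"   # /subscriptions/.../storageAccounts/<name>
$law     = "<workspace-resource-id>"         # Log Analytics workspace resource id

# 1. Server-level default policy: applies to every existing and future database
#    on the server. Here it writes to blob storage (90-day retention) and to a
#    Log Analytics workspace, with the three default audit action groups.
Set-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server `
    -BlobStorageTargetState Enabled -StorageAccountResourceId $storage -RetentionInDays 90 `
    -LogAnalyticsTargetState Enabled -WorkspaceResourceId $law `
    -AuditActionGroup "BATCH_COMPLETED_GROUP",
                      "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
                      "FAILED_DATABASE_AUTHENTICATION_GROUP"

# 2. Database-level policy on one database. Because the server policy stays
#    enabled, this does not replace it: the database is now audited twice in
#    parallel (once by each policy). The narrower action group list here only
#    changes what the database policy itself records.
Set-AzSqlDatabaseAudit -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -BlobStorageTargetState Enabled -StorageAccountResourceId $storage `
    -AuditActionGroup "FAILED_DATABASE_AUTHENTICATION_GROUP"

# 3. Verify the effective state of both policies. For coverage of databases
#    created later, it is the server policy that must show Enabled.
Get-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server |
    Select-Object BlobStorageTargetState, LogAnalyticsTargetState, RetentionInDays, AuditActionGroup

Get-AzSqlDatabaseAudit -ResourceGroupName $rg -ServerName $server -DatabaseName $db |
    Select-Object BlobStorageTargetState, AuditActionGroup
```

When reviewing an environment, run step 3 alone first: a database whose own policy is Disabled is still audited if the server policy is Enabled, so the server-level output is the one that tells you whether newly created databases will be covered.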

Data Discovery and Classification

Data discovery and classification is built into Azure SQL Database and provides advanced capabilities for discovering, classifying, labeling, and reporting the sensitive data in your databases. It can also serve as an infrastructure for:

  • Helping to meet standards for data privacy and requirements for regulatory compliance.
  • Various security scenarios, such as monitoring (auditing) and alerting on anomalous access to the sensitive data.
  • Controlling access to and hardening the security of databases that contain highly sensitive data.

Data discovery and classification is a part of the Advanced Data Security offering, which is a unified package for advanced SQL security capabilities.

Data classification enables organizations to find storage optimizations that might not be possible when all data is assigned the same value, and it can yield benefits such as compliance efficiencies, improved ways to manage the organization's resources, and easier migration to the cloud.

Data exists in one of three basic states: at rest, in process, and in transit. Data classified as confidential needs to stay confidential in all three states, and it can be either structured or unstructured. Generally, organizations have more unstructured data than structured data.

Regardless of whether the data is structured or unstructured, it is important for organizations to manage data sensitivity. When properly implemented, data classification helps ensure that sensitive or confidential data assets are managed with greater oversight than data assets that are considered public.

Data Discovery

Data discovery and classification provides advanced capabilities built into Azure SQL Database for discovering, classifying, labeling, and protecting sensitive data in your databases, while introducing a set of advanced services and SQL capabilities that form a SQL Information Protection paradigm aimed at protecting the data, not just the database:

  • Discovery and recommendations- The classification engine scans your database and identifies columns containing potentially sensitive data. It then provides you with an easier way to review and apply the appropriate classification recommendations via the Azure portal.

  • Labeling- Sensitivity classification labels can be persistently tagged on columns using new classification metadata attributes introduced into the SQL Server Engine. This metadata can then be utilized for advanced sensitivity-based auditing and protection scenarios.

  • Query result set sensitivity- The sensitivity of the query result set is calculated in real time for auditing purposes.

  • Visibility- You can view the database classification state in a detailed dashboard in the Azure portal. Additionally, you can download a report (in Microsoft Excel format) that you can use for compliance and auditing purposes, in addition to other needs.

Steps for discovery, classification, and labeling

Classifications have two metadata attributes:

  • Labels, the main classification attributes, used to define the sensitivity level of the data stored in the column.
  • Information Types, which provide additional granularity about the type of data stored in the column.

SQL data discovery and classification comes with a built-in set of sensitivity labels and information types and discovery logic. As a part of the Azure Information Protection Policy management, you can define custom labels, rank them, and associate them with a selected set of the information types.

After you have defined the tenant-wide policy, you can continue with classifying individual databases using your customized policy.
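The discovery, labeling and visibility steps described in the two sections above map onto a short Az.Sql PowerShell sequence. The script below is an added example and is not code from the original post; the resource group, server and database names are placeholders, the dbo.Customers.Email column is an assumed target, and the label and information type used ("Confidential" / "Contact Info") are taken from the built-in policy set, so they must exist in your tenant's policy if you have customized it.

```powershell
# Added example (not from the original post). Placeholders: <rg>, <server>, <db>.
# The schema/table/column below are assumed; change them to match your data.
# Requires Az.Sql and an authenticated session (Connect-AzAccount).

$rg = "<rg>"; $server = "<server>"; $db = "<db>"

# 1. Discovery: list the columns the built-in classification engine has
#    flagged as potentially sensitive, with its recommended label and
#    information type. Nothing is changed yet; this is the review step.
Get-AzSqlDatabaseSensitivityRecommendation -ResourceGroupName $rg -ServerName $server -DatabaseName $db |
    Select-Object -ExpandProperty SensitivityLabels |
    Format-Table SchemaName, TableName, ColumnName, SensitivityLabel, InformationType

# 2. Labeling: persist a classification on one column as column metadata.
#    Label and information type come from the (built-in or customized)
#    information-protection policy; "Confidential" / "Contact Info" are built in.
Set-AzSqlDatabaseSensitivityClassification -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -SchemaName "dbo" -TableName "Customers" -ColumnName "Email" `
    -SensitivityLabel "Confidential" -InformationType "Contact Info"

# 3. Alternatively, accept every recommendation from step 1 in one go.
#    Left commented out so labels are applied selectively by default.
# Get-AzSqlDatabaseSensitivityRecommendation -ResourceGroupName $rg -ServerName $server -DatabaseName $db |
#     Enable-AzSqlDatabaseSensitivityRecommendation

# 4. Visibility: read back the persisted classification state, which is the
#    same metadata the portal dashboard and the exported report are built from.
Get-AzSqlDatabaseSensitivityClassification -ResourceGroupName $rg -ServerName $server -DatabaseName $db |
    Select-Object -ExpandProperty SensitivityLabels |
    Format-Table SchemaName, TableName, ColumnName, SensitivityLabel, InformationType
```

Because the labels are stored as column metadata rather than in a separate inventory, the output of step 4 is what auditing uses when it records the sensitivity of a query's result set; checking it after labeling confirms that sensitivity-based auditing will see the classification you intended.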

