Security is a major concern for organizations when migrating to the cloud, and so organizations are hesitant to move to this form of storage. Microsoft provides strong security protection at the physical, logical, and data layers of Azure services. Microsoft data centers are among the most secure data centers in the world.
Azure SQL Database provides multiple layers of security to control access to the databases using SQL Server or Active Directory ( AD) authentication as well as firewall rules, which limits access to the data through role-based permissions and Row-Level Security.
Azure SQL Database provides proactive security using Dynamic Data Masking, automating auditing, and Threat Detection.
It also provides Transparent Data Encryption to encrypt the data at rest and Always Encrypted to encrypt the data at rest or in motion.
This chapter teaches the students about all of these security mechanisms and how to implement and use them to secure their Azure SQL Database.
By the end of this chapter, you will be able to:
Azure SQL Database limits access to the database through firewall rules, which are authentication techniques which require users to log in to the database with a valid username and password. Azure SQL Database further controls access to the underlying data through role-based permissions and Row-Level security. We'll now look into different access control methods in detail.
Azure SQL Database uses firewall rules to limit access to authorized IPs and block access to unauthorized IPs. It's the first level of access control provided by Azure SQL Database. The firewall rules can be created at the server-level and at the database-level.
When a SQL database is provisioned, it's inaccessible to everyone. To make it accessible, you would first need to add a server-level firewall rule. A firewall allows an IP or range of IP addresses to connect to an Azure SQL Database. You can then create database firewall rules to enable certain clients to access individual secure databases.
Connection requests to an Azure SQL Database are first validated against the firewall rules, and the computers with IPs as specified in the firewall rules are allowed to connect to the database:
If a computer attempts to connect to an Azure SQL Database over the internet, then:
To allow applications from Azure to connect to an Azure SQL Database, you need to add the IP
0.0.0.0
as the start and end IP address to the server-level firewall rule:
Server-Level Firewall Rule |
Database-Level Firewall Rule |
---|---|
Allows clients to access all SQL databases in a given logical Azure SQL Server |
Allows clients to access particular SQL databases within the logical Azure SQL Server |
Rules are stored in the master database |
Rules are stored within individual Azure SQL Databases |
Can be configured using the Azure portal, PowerShell, and T-SQL |
Can only be configured using T-SQL after configuring the first server-level firewall rule |
In this section, we will learn how to create, delete, or update a server-level firewall rule from the Azure portal:
We can also make use of Transact-SQL instead of the Azure portal to manage server-level firewall rules. In this section, we will learn how to create, delete, or update a server-level firewall rule from Transact-SQL.
Master
database context, run the following query to list out all existing server-level firewall rules:Select * from sys.firewall_rules
The IP address will be different in your case. You should get an output like the one shown in the following screenshot:
Execute sp_set_firewall_rule @name = N'Work', @start_ip_address = '115.118.1.0', @end_ip_address = '115.118.16.255'
Work
, is when the Start IP 115.118.0.0 and the End IP 115.118.16.255 is added to the firewall.Select * from sys.firewall_rules
You should get an output like the one shown the following screenshot:
sp_set_firewall_rule
procedure with the rule name you wish to update, as well as the updated IP addresses.Execute sp_set_firewall_rule @name = N'Work', @start_ip_address = '115.118.10.0', @end_ip_address = '115.118.16.255'
Select * from sys.firewall_rules
You should get an output like the one shown in the following screenshot:
Execute sp_delete_firewall_rule @name= N'Work'
Select * from sys.firewall_rules
Similar to server-level firewall rules, database-level firewall rules can also be managed from Transact-SQL. In this section, we will learn how to create, delete, or update a database-level firewall rule from Transact-SQL.
SELECT * FROM sys.database_firewall_rules
Exec sp_set_database_firewall_rule @name=N'MasterDB', @start_ip_address='115.118.10.0', @end_ip_address='115.118.16.255'
Select * from sys.database_firewall_rules
MasterDB
, is added to the firewall.sp_set_database_firewall_rule
procedure with the firewall rule you wish to update and the new start and end IP addresses. Execute the following query to update the MasterDB firewall rule created in the previous step:Exec sp_set_database_firewall_rule @name=N'MasterDB', @start_ip_address='115.118.1.0', @end_ip_address='115.118.16.255'
Select * from sys.database_firewall_rules
You should get an output like the one shown in the following screenshot:
Exec sp_delete_database_firewall_rule @name=N'MasterDB'
Select * from sys.database_firewall_rules
The login
details and server-level firewall rules are cached in each SQL database. The cache is periodically refreshed; however, you can run
DBCC FLUSHAUTHCACHE
to manually flush the authentication cache:
Authentication refers to how a user identifies themselves when connecting to the database. There are two types of authentication mechanisms: SQL Server Authentication and Azure Active Directory Authentication.
This is similar to
what we have in on-premises SQL Servers, which is that it requires a username and password. When provisioning an Azure SQL Database, you have to provide a Server Admin login with a username and password. This user has admin access on the Azure SQL Server and
dbowner
access on all databases in a particular Azure SQL Server.
There can be only one Server Admin account in an Azure SQL Database.
Azure Active Directory ( AD) Authentication allows users to connect to an Azure SQL Database by using the identities stored in the Azure Active Directory.
When you create an Azure account, it creates a default directory for your account. This is where you can add users and give them permissions to access different Azure services as appropriate.
You can add custom domains to the default directory or you can create directories from here.
You can also integrate your on-premises Windows AD to Azure AD using Azure AD Connect.
There are three different ways to authenticate, Active Directory – Universal with MFA Support, Active Directory – Password, and Active Directory – Integrated, as shown in the following screenshot:
This is the easiest way to get started with Azure AD authentication. It works with Azure AD managed domains and federated domains.
The user authenticating to an Azure SQL Database has to provide the Azure AD identity and the password for a successful authentication:
This is similar to the conventional Windows Authentication in on-premises SQL Servers. To authenticate using this method, a user has to provide the domain account which has access to an Azure SQL Database. The user doesn't have to provide the password. It's validated against the Azure AD.
To get this method working, the on-premises Active Directory should be integrated to the Azure AD. This can be done using the free tool Azure AD Connect.
When using SSMS to authenticate using the Azure Directory – Integrated method, it automatically takes the username as the logged—in username, similar to on-premises Windows authentication:
MFA stands for Multi-factor authentication. MFA allows you to provide a code received by a call, SMS, or by any other means. This further secures the authentication process, as the code received is only accessible by the person who has initiated the authentication process:
MFA requires you to provide a username which is pre-populated after you configure MFA.
In this section, we will discuss how to authenticate to an Azure SQL Database using Active Directory–Password. Let’s consider the toy manufacturing company introduced previously. Mike needs to ensure that, if any of his networking workplaces expect access to the database, he gives them access by utilizing Active Directory–Password to authenticate to an Azure SQL Database. He can achieve this by following the below steps:
You can use the default domain when providing a user email. For example, if your Microsoft Account email ID is
[email protected]
, then the default directory would be
ahmadosama1984.onmicrosoft.com
. Therefore, you can provide a username as
[email protected]
.
toyfactory
Azure SQL Server. In the toyfactory
, find and select the Active Directory Admin option under the SETTINGS section:[email protected]
:If you wish to explore Active Directory – Integrated and Active Directory – Universal with MFA, start here: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect.
Azure SQL Database will always have two different administrators if Azure AD authentication is used: the original SQL Server administrator (SQL Authentication) and the Azure AD Admin. The Azure AD administrator login can be a user or a group. All users in the Azure AD Admin group will have administrative access to an Azure SQL Server:
You must consider the following factors for Azure SQL Database authentication:
bcp.exe
can't connect to an Azure SQL Database using Azure Active Directory Authentication as it uses an old ODBC driver.Authorization refers to the object-level permission a user has within the SQL database. For example, a user may have access to read a set of tables and read-write on another set of tables.
The Admin accounts, SQL Authentication, and Azure AD Account have
db_owner
access to all the databases and are
allowed to do anything within the database.
Members of Database Creators (dbmanager) are allowed to create a new SQL database. To create a new user with the Database Creators role:
CREATE LOGIN John WITH PASSWORD = 'Very$Stro9gPa$$w0rd';
CREATE USER John FROM LOGIN John
dbmanager
role using the following query:ALTER ROLE dbmanager ADD MEMBER John;
CREATE DATABASE JohnsDB
db_owner
access to all the databases he creates.Login Manager
Members of this role can
create new logins in the
master database. To create a new user with the
loginmanager
role, follow the preceding steps to create a user and add them to the
loginmanager
role.
Non-administrative users don't have access to the master database and have limited access to required databases and objects.
An example of a non-administrative user is the application user. An application user is the one which is used by an application to connect to the database and perform DML operations.
A non-administrative user can either be an Azure Active Directory user or a SQL Server authentication user.
In this section, we will learn how to create contained database users for Azure AD Authentication for firms such as ToyStore Ltd., where there are many roles that requires access to the database.
db_owner
role:--Create a contained database user (SQL Authentication) CREATE USER Mike WITH PASSWORD='John@pwd' GO -- Make Mike toystore database owner ALTER ROLE db_owner ADD MEMBER Mike
db_datareader
role:--Create a contained database user (Azure AD Authentication) CREATE USER [[email protected]] FROM EXTERNAL PROVIDER -- Give read access to John on all tables ALTER ROLE db_datareader ADD Member [[email protected]]
toystore
database node. In the toystore
database, expand the Security node and then expand the Users node.[email protected].
master
database. The database master doesn't contains the user [email protected]
and therefore the connection fails.toystore
database.You can ask the students to add users to different roles and test out the security. For example, they can add a user in the
db_dbwriter
role and then log in using the user and verify that it's only able to write to tables and that it can't do any other database operations such as creating tables, databases, and so on.
Additionally, you can group users with similar sets of permissions in an Azure AD Group or a SQL Database role. You can then assign the permission to the group and add users to the group. If a new user with the same permission arrives, add the user to the group or role.
Authorization controls whether or not a user can read or write one or more tables. Row-level security (RLS) further controls what data in a table the user has access to:
Let's say we have a customer table in a database and we want users to access only those rows in a table which belong to them, for example, Customer 1 should only have access to rows with customer ID 1, and customer 2 can only access rows with customer ID 2, and so on and so forth.
Row-level security allows you to enable this at the database-level and not the application level. Prior to Row-Level security, such security was only possible by implementing access logic at the application level.
RLS is implemented by writing the row access logic or the security predicates in an inline table-valued function and then creating a security policy on top of the security predicate.
The security predicate defines the criteria to determine whether or not a user has read or write access to a given set of rows in a particular table.
RLS support two types of security predicates:
Dynamic Data Masking or DDM works on top of Row-Level Security and further restricts the exposure of sensitive data by masking it to non-privileged users:
For example, say users John and Chris can read and write data that belongs to customer 1. The Row-Level Security ensures that they can only read and write data for customer 1 in the customer table. However, Dynamic Data Masking will ensure that John can see Social Security Numbers of the customer and Chris can't, as he's not authorized to see SSN. Chris will see masked data in the SSN column, though he can see data in the rest of the columns.
DDM is implemented by defining masks and applying them to columns as and when required. There isn't any change required at the application level or the query level, as the masks are applied at the column level.
DDM can be used for full, partial, or random masking. For example, call support people need the last four characters of a user's password to identify them. This can be done by masking all characters except the last four characters.
DDM has the following four types of masks to obfuscate the data:
Implements full masking depending on the data type of the column being masked.
Partial masking which
masks all characters except the first letter and the suffix ".com" of an email address. For example,
[email protected]
will be masked as
[email protected]
.
Masks a column with a numeric data type with a random value within a specified range.
Partial masking, which masks all characters with a custom string, excluding the first and last letters.
DDM has the following limitations:
3.22.77.63