Azure SQL Database Security Reference
This section provides detailed reference information on security features and configurations for Azure SQL Database.
Authentication and Authorization
Azure SQL Database supports two modes of authentication:
- SQL Authentication: a username and password, held either as a login in the master database or as a contained user inside one database. The secret ends up in a connection string, so this mode needs strong passwords, rotation, and careful secret storage.
- Azure Active Directory (Azure AD, now Microsoft Entra ID) Authentication: identities are managed centrally in the directory. This gives integrated security for users and groups, multi-factor authentication and conditional access policies, and managed identities for Azure-hosted applications, so that no password appears in the connection string at all. The server can also be switched to Azure AD-only authentication, which disables SQL authentication entirely, including the server admin login.
Authorization is separate from authentication. It is managed through server-level principals (logins and the server admin), database-level principals (users), roles (fixed roles such as db_datareader and db_owner, plus custom roles you define) and explicit GRANT/DENY permissions on schemas and objects. The principle of least privilege in practice means contained database users placed in a custom role that holds only the permissions the application needs; db_owner and the server admin should never be used by an application.
Refer to: Authentication and authorization in Azure SQL Database
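The following T-SQL is an added example, not code from the original page or from Microsoft's documentation. It shows the least-privilege pattern described above: Azure AD principals (a managed identity and a group) created as contained users, a custom role that holds only what the application needs, and two review queries. All principal, role, schema and object names are assumptions; the password is a placeholder.

```sql
-- Run in the user database as the server's Azure AD (Microsoft Entra) admin.
-- Names such as app-orders-api, sg-orders-analysts, dbo.Orders are assumed.

-- Azure AD principals become contained database users: no login in master,
-- so the grant lives with the database and survives copy and failover.
CREATE USER [app-orders-api]     FROM EXTERNAL PROVIDER;  -- a managed identity
CREATE USER [sg-orders-analysts] FROM EXTERNAL PROVIDER;  -- an Azure AD group

-- SQL authentication equivalent: a contained user with a password, still
-- with no server login. Prefer the Azure AD users above where possible.
CREATE USER legacy_reporting WITH PASSWORD = 'Replace-With-A-Generated-Secret-1';

-- A custom role holding exactly what the API needs, instead of db_owner.
CREATE ROLE orders_api_role;
GRANT SELECT, INSERT, UPDATE ON OBJECT::dbo.Orders    TO orders_api_role;
GRANT SELECT               ON OBJECT::dbo.Customers TO orders_api_role;
GRANT EXECUTE              ON OBJECT::dbo.usp_PlaceOrder TO orders_api_role;
ALTER ROLE orders_api_role ADD MEMBER [app-orders-api];

-- Analysts are read-only through a fixed role; the legacy account gets one schema.
ALTER ROLE db_datareader ADD MEMBER [sg-orders-analysts];
GRANT SELECT ON SCHEMA::reporting TO legacy_reporting;

-- Anti-pattern this replaces:  ALTER ROLE db_owner ADD MEMBER [app-orders-api];

-- Check the application's effective rights without holding its credentials.
EXECUTE AS USER = 'app-orders-api';
SELECT USER_NAME() AS acting_as, entity_name, permission_name
FROM fn_my_permissions('dbo.Orders', 'OBJECT');
REVERT;

-- Review 1: who sits in the high-privilege fixed roles.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_securityadmin', 'db_accessadmin', 'db_ddladmin')
ORDER BY r.name, m.name;

-- Review 2: every explicit grant in the database, resolved to its securable.
SELECT pr.name AS principal, pr.type_desc, pe.state_desc, pe.permission_name,
       CASE pe.class_desc
           WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id)
           WHEN 'SCHEMA'           THEN SCHEMA_NAME(pe.major_id)
           ELSE DB_NAME()
       END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name NOT IN ('public', 'dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
ORDER BY pr.name, securable, pe.permission_name;
```

The EXECUTE AS / REVERT check is the quickest way to confirm that a grant did what you intended: run it after every permission change rather than trusting the script that made the change. The two review queries are worth scheduling, since role membership and explicit grants are exactly what an attacker with a foothold adds.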
Data Encryption
Azure SQL Database employs several layers of encryption to protect your data:
- Encryption in Transit: Azure SQL Database only accepts TLS-encrypted connections, whatever the client's Encrypt setting says. Clients should still set Encrypt=True and TrustServerCertificate=False so the driver validates the server certificate instead of accepting any endpoint that presents one, and the server's minimum TLS version setting should be raised to 1.2.
- Encryption at Rest:
- Transparent Data Encryption (TDE): Encrypts the database files, backups and transaction logs at rest without application code changes, using either a service-managed key or a customer-managed key held in Azure Key Vault. TDE is enabled by default for all new Azure SQL databases. It protects against stolen storage media and backups only; any principal that can log in still sees plaintext.
- Always Encrypted: Encrypts individual sensitive columns on the client side, inside the database driver. The column master key is held in a store the client can reach (for example Azure Key Vault or a certificate store) and is never given to the database engine, so the data stays ciphertext to DBAs and to the cloud operator. The trade-off is that the client owns key management, and that the server can only perform equality comparisons on deterministically encrypted columns and no operations at all on randomized ones.
Learn more about configuring and managing encryption:
Transparent Data Encryption for Azure SQL Database
Always Encrypted with Azure SQL Database
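An added example, not from the original page: T-SQL to verify that a session is using TLS, that TDE is active, and to define and inventory Always Encrypted columns. The Key Vault URL, key names, table and column names are assumptions; the column encryption key statement is shown as a comment because its encrypted value is produced by the client tooling, not typed by hand.

```sql
-- 1. In transit: confirm the current session negotiated TLS.
--    encrypt_option should read 'TRUE' for every connection on Azure SQL Database.
SELECT session_id, encrypt_option, protocol_type, client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 2. At rest (TDE): encryption_state 3 = encrypted; encryptor_type shows whether
--    a service-managed or customer-managed (Key Vault) key protects the DEK.
SELECT DB_NAME(database_id) AS database_name, encryption_state, encryptor_type,
       key_algorithm, key_length
FROM sys.dm_database_encryption_keys;

-- 3. Always Encrypted. The column master key stays in Azure Key Vault; the
--    database stores only its location (assumed vault and key name below).
CREATE COLUMN MASTER KEY cmk_orders
WITH (
    KEY_STORE_PROVIDER_NAME = 'AZURE_KEY_VAULT',
    KEY_PATH = 'https://contoso-vault.vault.azure.net/keys/orders-cmk/<key-version>'
);

-- The column encryption key is generated and wrapped with the CMK on the client
-- (SSMS wizard or the SqlServer PowerShell module); the server only ever receives
-- the wrapped value, so the generated statement has this shape:
--   CREATE COLUMN ENCRYPTION KEY cek_orders
--   WITH VALUES (COLUMN_MASTER_KEY = cmk_orders,
--                ALGORITHM = 'RSA_OAEP',
--                ENCRYPTED_VALUE = 0x<ciphertext produced by the client>);

-- Deterministic encryption permits equality lookups (WHERE Email = @p) but
-- leaks which rows share a value; randomized encryption permits neither.
-- Deterministic string columns must use a BIN2 collation.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    Email      NVARCHAR(256) COLLATE Latin1_General_BIN2
               ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = cek_orders,
                               ENCRYPTION_TYPE = DETERMINISTIC,
                               ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    CardNumber CHAR(19)
               ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = cek_orders,
                               ENCRYPTION_TYPE = RANDOMIZED,
                               ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256')
);

-- 4. What a connection WITHOUT "Column Encryption Setting=Enabled" sees:
--    varbinary ciphertext in both columns, even for the server admin.
SELECT CustomerId, Email, CardNumber FROM dbo.Customers;

-- 5. Inventory of encrypted columns and the keys protecting them, to confirm
--    that every field you consider sensitive is actually covered.
SELECT OBJECT_SCHEMA_NAME(c.object_id) + '.' + OBJECT_NAME(c.object_id) AS table_name,
       c.name AS column_name, c.encryption_type_desc,
       cek.name AS cek_name, cmk.name AS cmk_name, cmk.key_path
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = c.column_encryption_key_id
JOIN sys.column_encryption_key_values AS v
  ON v.column_encryption_key_id = cek.column_encryption_key_id
JOIN sys.column_master_keys AS cmk
  ON cmk.column_master_key_id = v.column_master_key_id
WHERE c.encryption_type IS NOT NULL
ORDER BY table_name, column_name;
```

The point of step 4 is the threat model: a DBA, a compromised admin credential, or anyone reading a backup gets ciphertext, because decryption needs the client driver plus access to the Key Vault key, which is governed by Key Vault's own access policy rather than by database permissions.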
Network Security
Securing network access to your Azure SQL Database is paramount. Key features include:
- Firewall Rules: Allow connections from specific public IP addresses or ranges. Server-level rules are stored in master and apply to every database on the server; database-level rules are stored in the database and apply only to it. The portal's "Allow Azure services and resources to access this server" setting is a server-level rule for 0.0.0.0 that admits traffic from any Azure-hosted address, including other tenants' virtual machines, so treat it as a temporary convenience rather than a control.
- Virtual Network Service Endpoints: Extend a virtual network subnet's identity to the Azure SQL service and use virtual network rules to admit traffic only from those subnets, over the Azure backbone. The server keeps its public IP; the endpoint only changes which source addresses are accepted.
- Private Endpoints: Place a private IP address from your own virtual network in front of the server (Azure Private Link) so that client traffic never leaves the private network. Combined with the "Deny public network access" setting, this removes the public endpoint entirely.
Configuration details for network security are available in:
Configure network access to Azure SQL Database
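An added example, not from the original page: creating server-level and database-level firewall rules with T-SQL, then reviewing the rules that exist and flagging the two shapes that should not survive into production. Rule names and IP addresses are assumptions. Virtual network rules and private endpoints are configured through the portal, ARM, Azure CLI or PowerShell rather than T-SQL, so they are not shown here.

```sql
-- Server-level rules are created in master and apply to every database.
-- Keep them to single addresses or a known egress block.
EXECUTE sp_set_firewall_rule
    @name             = N'office-egress-nat',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';

-- Database-level rules live in the user database (run this there, not in
-- master) and travel with the database on copy and geo-replication, which
-- makes them the better choice for per-database access.
EXECUTE sp_set_database_firewall_rule
    @name             = N'reporting-vm',
    @start_ip_address = '198.51.100.25',
    @end_ip_address   = '198.51.100.25';

-- Review server-level rules. 0.0.0.0-0.0.0.0 is the portal's "Allow Azure
-- services" toggle (rule name AllowAllWindowsAzureIps) and admits any
-- Azure-hosted source; 0.0.0.0-255.255.255.255 is the whole internet.
SELECT name, start_ip_address, end_ip_address, modify_date,
       CASE
           WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0'
               THEN 'allows all Azure services: remove unless explicitly required'
           WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '255.255.255.255'
               THEN 'allows the entire internet: remove'
           WHEN start_ip_address <> end_ip_address
               THEN 'range: confirm it matches a known egress block'
           ELSE 'single address'
       END AS assessment
FROM sys.firewall_rules            -- server-level, queried from master
ORDER BY name;

-- Review database-level rules in the current database.
SELECT name, start_ip_address, end_ip_address, modify_date
FROM sys.database_firewall_rules
ORDER BY name;

-- Remove the "Allow Azure services" rule once nothing depends on it.
EXECUTE sp_delete_firewall_rule @name = N'AllowAllWindowsAzureIps';
```

Once private endpoints are in place, the end state is no firewall rules at all and public network access denied; until then, the review query is a cheap control to run on a schedule, because a wide-open rule added during troubleshooting is the most common way a server ends up reachable from the whole internet.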
Threat Detection and Auditing
Azure SQL Database offers advanced security features to detect and respond to potential threats:
- Azure SQL Vulnerability Assessment: Scans the database against a set of configuration and permission checks (excessive permissions, unnecessary surface area, missing auditing, exposed sensitive data) and reports findings with remediation steps. Applying the fix is still up to you; findings you accept can be recorded in a baseline so that only new deviations are reported.
- Advanced Threat Protection (the feature formerly named SQL Threat Detection, now part of Microsoft Defender for SQL): Monitors for anomalous activity such as SQL injection attempts and vulnerable query patterns, logins from unusual locations, principals or applications, and brute-force attempts, and raises alerts in near real time.
- Azure SQL Auditing: Records database events (logins, queries, schema and permission changes) to an Azure Storage account, a Log Analytics workspace or Event Hubs, configured at server or database level. Send the logs to a destination that database administrators cannot alter, so that the record survives a compromised admin account.
Explore these features further:
Azure SQL vulnerability assessment
Azure SQL Advanced Threat Protection
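An added example, not from the original page: reading Azure SQL audit logs written to Blob storage with sys.fn_get_audit_file and running three detection queries over them (brute-force logins, privilege changes, and direct reads of a sensitive table by anything other than the application identity). The storage path, server, database, table and principal names are assumptions; the 24-hour window is an arbitrary choice.

```sql
-- Path to the audit container; server, database and storage account are assumed.
DECLARE @audit_path NVARCHAR(512) =
    N'https://contosoaudit.blob.core.windows.net/sqldbauditlogs/contoso-sql/orders/SqlDbAuditing_ServerAudit/';
DECLARE @since DATETIME2 = DATEADD(HOUR, -24, SYSUTCDATETIME());

-- 1. Brute force / credential stuffing: failed logins grouped by source address.
--    action_id 'LGIF' is LOGIN FAILED; 'LGIS' is LOGIN SUCCEEDED.
SELECT client_ip, server_principal_name, COUNT(*) AS failures,
       MIN(event_time) AS first_seen, MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
  AND event_time >= @since
GROUP BY client_ip, server_principal_name
HAVING COUNT(*) >= 10
ORDER BY failures DESC;

-- 2. Privilege changes: grants, role membership changes and new principals.
--    These are what an attacker with a foothold adds; matching on the
--    statement text keeps the query independent of action_id codes.
SELECT event_time, server_principal_name, client_ip, application_name, statement
FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE event_time >= @since
  AND (statement LIKE 'GRANT %'
       OR statement LIKE 'DENY %'
       OR statement LIKE 'REVOKE %'
       OR statement LIKE 'ALTER ROLE %'
       OR statement LIKE 'ALTER SERVER ROLE %'
       OR statement LIKE 'CREATE USER %'
       OR statement LIKE 'CREATE LOGIN %')
ORDER BY event_time;

-- 3. Direct reads of a sensitive table by anyone other than the application
--    identity (for example a person using SSMS with a DBA account).
--    action_id 'SL' is SELECT; dbo.Customers and app-orders-api are assumed.
SELECT event_time, server_principal_name, client_ip, application_name,
       object_name, statement, affected_rows
FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT)
WHERE event_time >= @since
  AND action_id = 'SL'
  AND schema_name = 'dbo' AND object_name = 'Customers'
  AND server_principal_name <> 'app-orders-api'
ORDER BY event_time;
```

Query 3 only works if the audit action group covering SELECT on the database is enabled, which is the case for the default Azure SQL auditing configuration. If the audit target is Log Analytics instead of storage, the same three detections translate directly into KQL over the AzureDiagnostics table, and the alerts from Advanced Threat Protection can be correlated against them.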
Security Best Practices
Adhering to best practices is essential for maintaining a secure Azure SQL Database environment:
- Prefer Azure AD authentication, and enable Azure AD-only authentication where no SQL logins are required; where SQL authentication remains, enforce strong, generated and rotated passwords.
- Configure firewall rules and network security features restrictively.
- Keep TDE enabled (it is on by default) and add Always Encrypted for the individual columns, such as credentials, card numbers or national identifiers, that must stay hidden even from administrators.
- Utilize Threat Detection and Vulnerability Assessment to proactively identify and address security risks.
- Regularly audit database access and activity.
- Keep client drivers and applications up to date. The database engine is patched by Microsoft as part of the service, but an outdated driver may not support the server's minimum TLS version, certificate validation, or Always Encrypted.
For a comprehensive guide, see the Azure SQL Database security best practices.