
Manage your SQL Information Protection policy in Azure Security Center

Posted on September 26, 2018

Senior Program Manager, Azure Data Security

We are pleased to share that your SQL Information Protection policy can now be centrally managed for your entire tenant within Azure Security Center. SQL Information Protection is an advanced security capability for discovering, classifying, labeling, and protecting sensitive data in your Azure data resources. With central policy management you can now define a customized classification and labeling policy that is applied across all databases in your tenant.

SQL Information Protection

SQL Information Protection (SQL IP) consists of an advanced set of capabilities that form a new information protection paradigm in SQL aimed at protecting the data, not just the database. It provides the following abilities:

  • Discovery and recommendations: The classification engine scans your database and identifies columns containing potentially sensitive data. It then provides an easy way to review and apply the appropriate classification recommendations via the Azure portal.
  • Labeling: Sensitivity classification labels can be persistently tagged on columns using new classification metadata attributes introduced into the SQL engine. This metadata can then be utilized for advanced sensitivity-based auditing and protection scenarios.
  • Monitoring/Auditing: The sensitivity of the query result set is calculated in real time and used for auditing access to sensitive data.
  • Visibility: The database classification state can be viewed in a detailed dashboard in the Azure portal. Additionally, you can download a report, in Excel format, to be used for compliance and auditing purposes, as well as other needs.

The labeling of sensitive data is done using a classification taxonomy, consisting of Labels and Information Types. Labels are the main classification attributes, used to define the sensitivity level of the stored data. Information Types provide additional granularity into the type of data stored in the database column. In addition, string patterns containing special keywords are used to help discover different classes of sensitive data and associate them with the right Information Type and Label.

Customizing your Information Protection policy

You can now customize the Labels and Information Types used by SQL Information Protection. While the system has a built-in classification taxonomy to start out, many customers have requested the ability to set their own values for sensitivity labels and types of data.

The policy is a single policy for your entire Azure tenant and can be managed in Azure Security Center. Managing your own customized policy enables you to:

  1. Define a fully customized set of sensitivity labels, according to your organizational requirements.
  2. Rank the sensitivity labels in a linear order, signifying a scale of least to most sensitive.
  3. Add customized Information Types to identify sensitive data types specific to your organization's data environment.
  4. Fully customize the association of Information Types to sensitivity Labels, so that each type of data discovered is automatically assigned the right sensitivity classification.
  5. Add a customized set of discovery keywords and string patterns to each Information Type, used by the data discovery engine to automatically identify sensitive data in your databases.
  6. Rank the Information Types in hierarchical order to definitively determine the association when overlapping data types are discovered.
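To make the policy model concrete, here is an added toy implementation of the taxonomy described above (Labels on a linear sensitivity scale, Information Types mapped to Labels, discovery keywords and patterns per type, and a type ranking that decides the winner when several types match the same column). It is example code written for this page, not Azure's own API or classification engine; the policy values, the `Policy`, `Label` and `InformationType` classes and the sample schema are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Label:
    """A sensitivity label; rank is its position on the least-to-most-sensitive scale."""
    name: str
    rank: int


@dataclass(frozen=True)
class InformationType:
    """An Information Type tied to one Label, with the discovery hints that identify it."""
    name: str
    label: Label
    rank: int                   # precedence when several types match one column
    keywords: tuple = ()        # case-insensitive substrings of the column name
    patterns: tuple = ()        # regular expressions tried against the column name

    def matches(self, column_name: str) -> bool:
        name = column_name.lower()
        if any(k in name for k in self.keywords):
            return True
        return any(re.search(p, name) for p in self.patterns)


class Policy:
    """Tenant-wide classification policy (hypothetical model of the one described in the post)."""

    def __init__(self, labels, info_types):
        label_ranks = [l.rank for l in labels]
        if len(set(label_ranks)) != len(label_ranks):
            raise ValueError("label ranks must form a strict linear order")
        type_ranks = [t.rank for t in info_types]
        if len(set(type_ranks)) != len(type_ranks):
            raise ValueError("information type ranks must be unique so overlaps resolve deterministically")
        self.labels = {l.name: l for l in labels}
        # Highest-ranked type first, so the first match is the definitive association
        self.info_types = sorted(info_types, key=lambda t: t.rank, reverse=True)

    def classify_column(self, column_name: str) -> Optional[Tuple[str, str]]:
        """Return (information type, label) for a column name, or None if nothing matches."""
        for t in self.info_types:
            if t.matches(column_name):
                return (t.name, t.label.name)
        return None

    def discover(self, schema):
        """Run discovery over (table, column) pairs and return classification recommendations."""
        recommendations = []
        for table, column in schema:
            hit = self.classify_column(column)
            if hit is not None:
                recommendations.append({"table": table, "column": column,
                                        "information_type": hit[0], "label": hit[1]})
        return recommendations

    def result_set_label(self, columns) -> Optional[str]:
        """Sensitivity of a query result set: the highest-ranked label among its columns."""
        best = None
        for column in columns:
            hit = self.classify_column(column)
            if hit is not None:
                label = self.labels[hit[1]]
                if best is None or label.rank > best.rank:
                    best = label
        return best.name if best is not None else None


# Constructed sample policy: four labels on a linear scale, five information types.
PUBLIC = Label("Public", 0)
GENERAL = Label("General", 1)
CONFIDENTIAL = Label("Confidential", 2)
HIGHLY_CONFIDENTIAL = Label("Highly Confidential", 3)

SAMPLE_POLICY = Policy(
    labels=[PUBLIC, GENERAL, CONFIDENTIAL, HIGHLY_CONFIDENTIAL],
    info_types=[
        InformationType("Contact Info", CONFIDENTIAL, 10, keywords=("email", "phone", "address")),
        InformationType("Name", CONFIDENTIAL, 20, keywords=("name",)),
        InformationType("Financial", CONFIDENTIAL, 30, keywords=("credit", "card", "iban", "account")),
        InformationType("National ID", HIGHLY_CONFIDENTIAL, 40,
                        keywords=("ssn", "social_security"), patterns=(r"national_?id",)),
        InformationType("Credentials", HIGHLY_CONFIDENTIAL, 50, keywords=("password", "pwd", "secret")),
    ],
)

# Constructed sample schema, as (table, column) pairs a discovery scan might see.
SAMPLE_SCHEMA = [
    ("Customers", "customer_id"), ("Customers", "first_name"), ("Customers", "email_address"),
    ("Customers", "ssn"), ("Orders", "order_id"), ("Orders", "card_number"),
    ("Orders", "created_at"), ("Users", "account_password"),
]

if __name__ == "__main__":
    for rec in SAMPLE_POLICY.discover(SAMPLE_SCHEMA):
        print(f"{rec['table']}.{rec['column']}: {rec['information_type']} -> {rec['label']}")
    print("result set:", SAMPLE_POLICY.result_set_label(["email_address", "ssn"]))
```

The overlap rule is the interesting part: `account_password` matches both Financial (via `account`) and Credentials (via `password`), and because Credentials carries the higher type rank it wins and the column is recommended as Highly Confidential. Duplicate ranks are rejected at construction time, since the post's hierarchical ordering only yields a definitive association when the ranks are a strict order.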

Information Protection Policy

Once your Information Protection policy is fully defined, it applies to the classification of data in all Azure SQL databases in your tenant.

Get started today!

You can now use Information Protection central policy management to define your organization's Information Protection policy, across all your Azure SQL databases. This gives you the flexibility and control over how sensitive data is discovered in your systems, and enables you to align the sensitivity labels and classification classes to your organizational needs.

Try it out and let us know what you think!