Microsoft Azure SQL Database provides unparalleled data security in the cloud with Always Encrypted
Our customers use over 1.5 million mission-critical databases in Azure, which provide high availability, security, compliance and high performance. From the smallest startup to the largest enterprise, data security is increasingly top of mind for all businesses, especially as they continue to target the cloud for both new and existing applications.
Building on the security foundations of SQL Server, we’re supporting customers as they transform their business and move to the cloud – and as such today we are announcing the following security features for Azure SQL Database:
- Always Encrypted will be in public preview by the end of the month. Always Encrypted helps you protect sensitive data without having to relinquish the encryption keys to Azure SQL Database. Data remains encrypted at all times – in transit, in memory, on disk and even during query processing.
- Transparent Data Encryption is generally available now. Transparent Data Encryption helps you meet compliance requirements by encrypting your databases, associated backups, and transaction log files at rest without requiring changes to your applications.
- Azure SQL Database supports Azure Active Directory (Azure AD) authentication in public preview now. Azure AD authentication provides an alternative to SQL Authentication. It simplifies password management by allowing you to connect to a number of Azure services including Azure SQL Database using the same identity.
- Row-Level Security is generally available now. Row-Level Security controls access to rows of data based on a user’s identity, role memberships, or query execution context.
- Dynamic Data Masking will be generally available by the end of the month. Dynamic Data Masking lets you define masking patterns on database columns to limit the exposure of sensitive data.
- Threat Detection will be in public preview by the end of the month. Threat Detection complements Azure SQL Database Auditing and alerts on suspicious database activities at the database or logical server level.
Building on SQL Server security foundations
Microsoft delivers world-class data security and privacy protection both on-premises and in the cloud. According to the National Institute of Standards and Technology, over the past six years SQL Server has had the fewest vulnerabilities among the leading database engines such as Oracle, IBM DB2 and MySQL. This, along with our continued momentum of security investments, makes SQL Server the most secure relational database available.
Built on the foundation of SQL Server and combined with Azure’s physical and operational security, Azure SQL Database meets the most stringent regulatory compliance standards, such as ISO/IEC 27001, FedRAMP/FISMA, SOC and PCI DSS.
Keeping your data safe
To achieve the highest degree of protection and meet the regulatory requirements that apply to your data, whether it lives in SQL Server on-premises or in Azure SQL Database, we provide multiple layers of data protection. These include encrypting data at rest, in motion and in use; authenticating only authorized users against the database or application; and limiting each user’s access to the appropriate subset of the data. Additionally, we provide continuous monitoring and auditing of activities to help detect potential threats and to provide a record of critical events in case of a breach. Each of these security capabilities is balanced by the ability to implement it quickly and mitigate security risk without compromising developer productivity or the customer’s experience. These layers of protection are summarized across three areas: Protect Data, Control Access and Monitor Activity.
Today’s announcement is focused on the new capabilities we’re delivering across all of these layers to make it even easier for customers of Azure SQL Database, our managed database-as-a-service, to secure their data.
With Always Encrypted, Microsoft is the first to offer built-in protection of data against theft at all times, namely at rest, in flight and while in use. Always Encrypted enables you to encrypt sensitive data such as credit card numbers using the NIST-standard AES-256 cipher, retain the encryption keys in a trusted environment (e.g., Azure Key Vault), and perform operations against the encrypted data (ciphertext) inside SQL Database. Cloud database operators and other high-privileged but unauthorized users will not have access to the encryption keys, nor do they need them, since sensitive data remains encrypted even during query processing. This separation of concerns between those who own the data (and can see it) and those who manage it (but should have no access to it) is only possible with Azure SQL Database.
Transparent Data Encryption (TDE) protects your data and helps you meet compliance requirements by encrypting your database, associated backups, and transaction log files at rest without requiring changes to your application. SQL Database TDE is based on SQL Server’s TDE technology, which encrypts the storage of an entire database using an industry-standard AES-256 symmetric key called the database encryption key. SQL Database protects this database encryption key with a service-managed certificate. All key management for database copying, Geo-Replication, and database restores anywhere in SQL Database is handled by the service; just enable it on your database with two clicks in the Azure Portal.
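To make the key separation concrete, here is an added example (not code from the original post) of the T-SQL that defines an Always Encrypted column: the column master key is a reference to an Azure Key Vault key, the database stores only the column encryption key wrapped under it, and the vault URL, the wrapped key value and the table are placeholders or assumptions.

```sql
-- Added example, not from the original post. The column master key (CMK) is an
-- Azure Key Vault key that SQL Database never holds; it stores only the key's URL.
-- The vault/key path below is a placeholder.
CREATE COLUMN MASTER KEY CMK_KeyVault
WITH (
    KEY_STORE_PROVIDER_NAME = N'AZURE_KEY_VAULT',
    KEY_PATH = N'https://<your-vault>.vault.azure.net/keys/<your-key>/<version>'
);
GO

-- The column encryption key (CEK) actually encrypts the data. The client driver
-- generates it and wraps it under the CMK with RSA-OAEP; SQL Database stores only
-- the wrapped blob, so a DBA cannot recover the CEK without Key Vault access.
-- 0x00 is a placeholder for the real wrapped key value produced by the client.
CREATE COLUMN ENCRYPTION KEY CEK_Payments
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_KeyVault,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00
);
GO

-- Deterministic encryption lets the app still run equality lookups
-- (WHERE CardNumber = @card) against ciphertext; such string columns must use a
-- BIN2 collation. Randomized encryption hides repeated values but cannot be
-- searched, grouped or joined on, so use it for columns that are only read back.
CREATE TABLE dbo.Payments (
    PaymentId      int IDENTITY PRIMARY KEY,
    CardNumber     char(16) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Payments,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    CardHolder     nvarchar(100)
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Payments,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    Amount         decimal(10, 2) NOT NULL
);
GO
```

The application connects with Column Encryption Setting=Enabled in its connection string; the driver, which holds the Key Vault credentials, encrypts parameters and decrypts results transparently, while any session without that setting (a DBA in the portal, for instance) sees only ciphertext.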
In verticals such as finance, banking, and healthcare, regulatory compliance requirements such as Payment Card Industry Data Security Standard (PCI DSS) v3.1 mandate strong, end-to-end protection of payment data. SQL Database now supports the strongest version of Transport Layer Security (TLS) to protect all data during transmission to and from SQL Database. Support for TLS in combination with TDE and Always Encrypted provides a comprehensive encryption solution meeting PCI DSS requirements.
Azure SQL Database now supports Azure Active Directory (Azure AD) authentication in addition to SQL Authentication. It helps stop the proliferation of user identities across the database servers an organization owns, since the same identity that connects to SQL Database can also provide a single sign-on experience with a growing number of Microsoft cloud services such as Office 365. Database users based on Azure AD principals can be managed in the Azure Management Portal or via REST APIs and PowerShell.
Security is not just about allowing you to access a database or application; with a large number of users, it becomes important for applications to give each user access only to their own data. Row-Level Security (RLS) allows you to restrict read and write access to rows of data based on a user’s identity, role memberships, or query execution context. RLS centralizes your access logic within the database itself, which simplifies your application code and reduces the risk of accidental data disclosure. Dynamic Data Masking limits exposure of sensitive data by masking it for non-privileged users. It operates by hiding the sensitive data in the result set of a query over designated database fields, while leaving the underlying database operations unaffected. Customers can decide how much of the sensitive data to reveal, with minimal impact on the application layer.
SQL Database’s new Threat Detection capability uncovers anomalous database activities that indicate a potential security threat to the database. Threat Detection is integrated with the Azure Portal and can also surface information about suspicious events directly to the subscription administrator. Threat Detection complements Azure SQL Database Auditing, which records database events and writes the audited events to an audit log in your Azure Storage account. Auditing can help you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations. Both Auditing and Threat Detection are good examples of how we are providing additional value in Azure and making it simple for you to monitor and respond to risk.
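The RLS and Dynamic Data Masking mechanisms described above, as an added example that is not code from the original post: a predicate function and security policy that confine each sales rep to their own orders, followed by masks on two columns. The dbo.Orders table, its columns, and the SalesManager, SalesApp and FraudAnalyst principals are assumptions.

```sql
-- Added example, not from the original post. Assumed table: dbo.Orders with a
-- SalesRep column holding the database user name that owns each row.
CREATE SCHEMA Security;
GO

-- Inline table-valued predicate: returns a row (allow) when the caller owns the
-- order or is in the assumed SalesManager role. SCHEMABINDING is required.
CREATE FUNCTION Security.fn_orderAccessPredicate(@SalesRep sysname)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
    WHERE @SalesRep = USER_NAME()
       OR IS_MEMBER('SalesManager') = 1;
GO

-- The FILTER predicate silently hides rows the caller may not read; the BLOCK
-- predicates stop INSERT/UPDATE from producing rows the caller could not see,
-- so a rep cannot write an order into another rep's account.
CREATE SECURITY POLICY Security.OrderPolicy
    ADD FILTER PREDICATE Security.fn_orderAccessPredicate(SalesRep) ON dbo.Orders,
    ADD BLOCK  PREDICATE Security.fn_orderAccessPredicate(SalesRep) ON dbo.Orders AFTER INSERT,
    ADD BLOCK  PREDICATE Security.fn_orderAccessPredicate(SalesRep) ON dbo.Orders AFTER UPDATE
    WITH (STATE = ON);
GO

-- Dynamic Data Masking: the column keeps its real value on disk; unprivileged
-- SELECTs return e.g. XXXX-XXXX-XXXX-1234. Masking is presentation only, not
-- encryption: a principal holding UNMASK reads plaintext, and masking does not
-- prevent inference by users with ad-hoc query access, so pair it with RLS.
ALTER TABLE dbo.Orders
    ALTER COLUMN CardNumber ADD MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)');
ALTER TABLE dbo.Orders
    ALTER COLUMN CustomerEmail ADD MASKED WITH (FUNCTION = 'email()');
GO

GRANT SELECT ON dbo.Orders TO SalesApp;     -- assumed app user: sees masked data
GRANT UNMASK TO FraudAnalyst;               -- assumed role: sees plaintext
```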
A secure platform
As part of our cloud-first principle, these features are available in the cloud with Azure SQL Database and will be delivered as part of SQL Server 2016. Across all layers of protection, both Azure SQL Database and SQL Server provide a platform for easily implementing state-of-the-art defenses for data and applications. Azure SQL Database, with its high availability (99.99% SLA), predictable performance and enterprise-grade security, is the only comprehensive Platform as a Service (PaaS) database in the cloud. SQL Database is part of our end-to-end data platform, designed to make it easier for you to maximize the value of all accessible data. With today’s announcements, we’re building on our existing investments and continuing to make it easier for customers to capture, transform, and analyze any data, of any size, at any scale, using the tools, languages and frameworks they know and want, in a trusted environment on-premises and in the cloud.
Getting started with Azure SQL Database Security
- Watch our Channel 9 Data Exposed videos to get an overview of the security features we are making available in Azure SQL Database.
- Stay up-to-date with more technical information from the SQL Server Security Blog.
- Get started with Securing your Azure SQL Database.
- Read our Security and Azure SQL Database whitepaper for details on the security management features found in Microsoft Azure SQL Database.
Please do take some time to stop by the Microsoft area at PASS Summit 2015 to learn more and talk to our team about these comprehensive security features.