What is database security?

• Firewalls serve as the first line of defense in DiD database security. Logically, a firewall is a separator or restrictor of network traffic, which can be configured to enforce your organization's data security policy. If you use a firewall, you will increase security at the operating system level by providing a chokepoint where your security measures can be focused.

• Authentication is the process of proving the user is who he or she claims to be by entering the correct user ID and password. Some security solutions allow administrators to centrally manage the identities and permissions of database users in one central location. This includes the minimization of password storage and enables centralized password rotation policies.
• Authorization allows each user to access certain data objects and perform certain database operations like read but not modify data, modify but not delete data, or delete data.
• Access control is managed by the system administrator who assigns permissions to a user within a database. Permissions are ideally managed by adding user accounts to database roles and assigning database-level permissions to those roles. For example, row-level security (RLS) allows database administrators to restrict read and write access to rows of data based on a user's identity, role memberships, or query execution context. RLS centralizes the access logic within the database itself, which simplifies the application code and reduces the risk of accidental data disclosure.

• Auditing tracks database activities and helps maintain compliance with security standards by recording database events to an audit log. This allows you to monitor ongoing database activities, as well as analyze and investigate historical activity to identify potential threats or suspected abuse and security violations.
• Threat detection uncovers anomalous database activities that indicate a potential security threat to the database and can surface information about suspicious events directly to the administrator.

• Data encryption secures sensitive data by converting it into an alternative format so only the intended parties can decipher it back to its original form and access it. Although encryption doesn't solve access control problems, it enhances security by limiting data loss when access controls are bypassed. For example, if the database host computer is misconfigured and a malicious user obtains sensitive data, such as credit card numbers, that stolen information might be useless if it’s encrypted.
• Database backup data and recovery is critical to protecting information. This process involves making backup copies of the database and log files on a regular basis and storing the copies in a secure location. The backup copy and file are available to restore the database in the event of a security breach or failure.
• Physical security strictly limits access to the physical server and hardware components. Many organizations with on-premises databases use locked rooms with restricted access for the database server hardware and networking devices. It's also important to limit access to backup media by storing it at a secure offsite location.

Securing or "hardening" a database server combines physical, network, and operating system security to address vulnerabilities and make it more difficult for hackers to access the system. Database hardening best practices vary according to the type of database platform. Common steps include strengthening password protection and access controls, securing network traffic, and encrypting sensitive fields in the database.

By strengthening data encryption, these capabilities make easier for organizations to secure their data and comply with regulations:

• Always encrypted data offers built-in protection of data against theft in transit, in memory, on disk, and even during query processing.
• Transparent data encryption protects against the threat of malicious offline activity by encrypting stored data (data at rest). Transparent data encryption performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

When combined with support for the strongest version of Transport Layer Security (TLS) network protocol, always encrypted data and transparent data encryption provide a comprehensive encryption solution for finance, banking, and healthcare organizations that need to comply with Payment Card Industry Data Security Standard (PCI DSS), which mandates strong, end-to-end protection of payment data.

Advanced threat protection analyzes logs to detect unusual behavior and potentially harmful attempts to access or exploit databases. Alerts are created for suspicious activities such as SQL injection, potential data infiltration, and brute force attacks, or for anomalies in access patterns to catch privilege escalations and breached credentials use.

As a best practice, users and applications should use separate accounts to authenticate. This limits the permissions granted to users and applications and reduces the risks of malicious activity. It's especially critical if application code is vulnerable to a SQL injection attack.

The information security principle of least privilege asserts that users and applications should be granted access only to the data and operations they require to perform their jobs. This best practice helps reduce the application's attack surface and the impact of a security breach (the blast radius) should one occur.

Database security best practices should be part of a comprehensive approach to security that works together across platforms and clouds to safeguard your entire organization. A Zero Trust security model validates identities and device compliance for every access request to protect people, devices, apps, and data wherever they're located. Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to "never trust, always verify."

Enable Zero Trust with Microsoft security solutions. Take an end-to-end approach to security to safeguard your people, data, and infrastructure.

Strengthen your security posture with Azure. Use multilayered, built-in security controls and unique threat intelligence from Azure to help identify and protect against threats. More than 3,500 global cybersecurity experts work together to help safeguard your data in Azure.

Take advantage of built-in Azure Database security tools and services including Always Encrypted technology; intelligent threat protection; security controls, database access and authorization controls such as row-level security and dynamic data masking, auditing, threat detection, and data monitoring with Microsoft Defender for Cloud.

Protect your NoSQL databases with Azure Cosmos DB, which includes comprehensive advanced database security tools to help you prevent, detect, and respond to database breaches.