Advanced Data Security Using Azure Defender for SQL

The world of data professionals and DBAs is swirling with threats and risks, and those dangers are on the rise. You’re probably accustomed to using longstanding database features to secure your databases, including roles and permissions, and you’re likely familiar with working with your identity management admins to control and create your user authentication scheme.

In the next two columns, I’ll provide an overview of additional security features provided by Azure Defender plans.

Let’s discuss the Advanced Data Security set of features designed to assess, detect, categorize, and analyze your SQL Server data and threat environment. An important consideration if you’re an Azure user is that Advanced Data Security features are a separate and paid service from Azure SQL. Advanced Data Security contains three distinct features: Advanced Threat Detection, Data Discovery and Classification, and Vulnerability Assessment.

Advanced Threat Detection

This feature detects and alerts Azure administrators and DBAs about suspicious activity and anomalies in user patterns. The alerts provide details and potential solutions for the detected issue via integration with Azure Security Center. Advanced Threat Detection monitors your Azure SQL resources around the clock for unusual activity and for the patterns associated with attackers attempting to penetrate your systems. It is also helpful in detecting when internal personnel are attempting to access data they don’t usually require.

The specific threats it monitors include:

  • Brute-force SQL credential attacks: These alerts fire when an Azure SQL resource experiences an abnormally high number of failed log-in attempts with varying credentials.
  • Access from a potentially harmful application: These alerts fire when a connection is made from a potentially harmful application, such as one of the common attack tools.
  • Access from an unfamiliar principal: These alerts fire when a user logs into an Azure SQL resource using an unfamiliar or unusual SQL log-in.
  • Access from an unusual location: These alerts fire when a user logs into an Azure SQL resource from a location different than the user’s usual location.
  • Access from an unusual Azure data center: These alerts fire when a user logs into an Azure SQL resource from a data center other than the one normally used to log in.
  • SQL injection attacks: SQL injection is the oldest trick in the book, yet it is still wildly successful because poor programming practices remain widespread. These alerts fire when a SQL injection attack occurs, or when vulnerable code is present that would let such an attack succeed.
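As an added example that is not from this column, the query below reproduces the brute-force credential signal described in the first bullet: it runs over a constructed table of login events whose columns follow the fields Azure SQL auditing records for logins, and flags a source address only when many failures and many distinct principals occur in the same window. The table name, sample rows, addresses and thresholds are my assumptions.

```sql
-- Added example, not from the column: a detection query mirroring the
-- brute-force credential signal. Assumes #login_events mirrors the audit-log
-- fields for login events; rows, addresses and thresholds are constructed.
CREATE TABLE #login_events (
    event_time            DATETIME2(0) NOT NULL,
    client_ip             VARCHAR(45)  NOT NULL,
    server_principal_name SYSNAME      NOT NULL,
    succeeded             BIT          NOT NULL
);

INSERT INTO #login_events (event_time, client_ip, server_principal_name, succeeded) VALUES
    ('2024-03-01 10:00:01', '203.0.113.7',  'sa',       0),
    ('2024-03-01 10:00:02', '203.0.113.7',  'admin',    0),
    ('2024-03-01 10:00:03', '203.0.113.7',  'sqladmin', 0),
    ('2024-03-01 10:00:04', '203.0.113.7',  'root',     0),
    ('2024-03-01 10:00:05', '203.0.113.7',  'dbo',      0),
    ('2024-03-01 10:00:06', '203.0.113.7',  'test',     0),
    ('2024-03-01 10:01:10', '198.51.100.4', 'appuser',  0),  -- one mistyped password
    ('2024-03-01 10:01:15', '198.51.100.4', 'appuser',  1);  -- then a normal login

-- Flag an address only when it has BOTH many failures AND many distinct
-- principals inside one window: one principal failing repeatedly is usually a
-- broken app or a forgotten password, many principals from one address is
-- credential guessing. Thresholds are illustrative; tune them to your baseline.
DECLARE @window_minutes INT = 10,
        @min_failures   INT = 5,
        @min_principals INT = 3;

WITH failed AS (
    SELECT client_ip,
           server_principal_name,
           DATEDIFF(MINUTE, '2000-01-01', event_time) / @window_minutes AS bucket
    FROM #login_events
    WHERE succeeded = 0
)
SELECT client_ip,
       DATEADD(MINUTE, bucket * @window_minutes, '2000-01-01') AS window_start,
       COUNT(*)                                AS failed_logins,
       COUNT(DISTINCT server_principal_name)   AS distinct_principals,
       STRING_AGG(server_principal_name, ', ') AS principals_tried
FROM failed
GROUP BY client_ip, bucket
HAVING COUNT(*) >= @min_failures
   AND COUNT(DISTINCT server_principal_name) >= @min_principals
ORDER BY failed_logins DESC;

DROP TABLE #login_events;
```

The second address is deliberately not flagged: a single principal with one failure followed by a success is the normal "typo then retry" pattern, and treating it as an attack would only generate noise.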

In my opinion, these threat protections are worth the added cost, particularly for migration projects where code vulnerable to SQL injection may be lurking.

Data Discovery and Classification

At first glance, you might think the Data Discovery and Classification (DDC) features are more relevant to data governance than data security. However, this feature enables users to discover, classify, label, and protect sensitive data within Azure SQL. This is especially useful for data privacy and regulatory compliance scenarios, such as databases containing credit card numbers or financial data that must remain confidential. DDC also monitors your classified data and alerts you when it’s accessed in an unusual way.

There are two main components to DDC:

  • Discovery and Recommendations: The classification engine scans the Azure SQL database schemas and discovers columns containing potentially sensitive data. It also recommends ways to protect and secure that data.
  • Labeling: The labeling component tags columns containing sensitive data using classification metadata attributes found within the SQL engine. One of two attributes may be applied to your data. One is a label, which defines the level of sensitivity of the data. The other is the information type, which further details the type of data stored in the column. This capability is meant to aid with auditing sensitive data.

Vulnerability Assessment

As the name implies, the Vulnerability Assessment feature scans Azure SQL databases for a wide variety of security issues: system misconfigurations, superfluous permissions, unsecured data, firewall and endpoint rules, and server-level permissions. It is valuable for detecting data security, data privacy, or data compliance issues in a database you’re migrating to Azure SQL. The tool draws on a repository of best practices defined and updated by Microsoft, so new security checks may be added to it over time.

Learn More

The Microsoft documentation for Azure Defender for SQL is found at defender-for-sql-introduction. From this site, you can find information on pricing, how alerts work, and other technical details, as well as how-to tutorials. You can also find several excellent videos on this and related topics on YouTube. I suggest you start at Enjoy!