Windows azure sql_database_security_isug012013


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Windows azure sql_database_security_isug012013

  2. 2. Agenda• Windows Azure SQL Database security capabilities and resources• Best practices securing Windows Azure SQL Database• What actually happens within my database?• Advanced Windows Azure SQL Database security with GreenSQL2
  3. 3. Before We Start…• Windows Azure = Microsoft’s Cloud Platform• Windows Azure SQL Database (was known as “SQL Azure”, renamed by Microsoft on June 2012) is part of Windows Azure data management features• You can also run SQL Server on a virtual machine on Windows Azure (!= SQL Database)3
  4. 4. What is Windows Azure SQL Database?• SQL Server engine, based on SQL Server 2012 with restrictions – New server-level roles, hashing algorithms, permissions – Contained databases – Security management enhancements• Main restrictions – Server auditing is not supported in SQL Database – SQL Server authentication only – USE command – See more at us/library/ff394115.aspx and
  5. 5. Security Best Practices• SQL Database clients – TCP port 1433 open for outbound connections (for TDS protocol) – Block inbound connections on TCP port 1433• SQL Database is always up-to-date, make sure you use the most current version of clients (specifically SSMS 2012)• Configure Windows Azure SQL Database Firewall• General Best Practices – Prevent SQL Injection vulnerabilities during coding – Perform regular penetration testing5
  6. 6. Security Best Practices – Encryption and Certificates• ALL communications between Windows Azure SQL Database and your applications require encryption (SSL) at all times (to avoid "man in the middle" attacks)• Apps need to explicitly request an encrypted connection• Don’t trust server certificates – If your application code does not request an encrypted connection, it will still receive one. However, it may not validate the server certificates and will be subject to "man in the middle" attacks6
  7. 7. Security Best Practices - Authentication• Only SQL Server authentication is supported• Windows Authentication is NOT supported• Users must provide credentials (login and password) every time they connect to Windows Azure SQL Database• USE command is not allowed (connect to specific DB)• Password reset – Connections will not be immediately re-authenticated, ALWAYS (unlike on-premise SQL Server) – Re-authentication happens after more than 60 minutes from last re-authentication – If the password has been changed, the request will fail and the session will disconnect (end)7
  8. 8. Security Best Practices – Logins & Users• Many restrictions apply. Main restrictions: – The database user in the master database corresponding to the server-level principal login cannot be altered or dropped – To access the master database, every login must be mapped to a user account in the master database – If you do not specify a database in the connection string, you will be connected to the master database by default – You must be connected to the master database when executing the CREATE/ALTER/DROP LOGIN and CREATE/ALTER/DROP DATABASE statements – CREATE USER statement with the FOR/FROM LOGIN option or the ALTER USER statement with the WITH LOGIN option, it must be the only statement in a batch – Azure User Management Console – AUMC - open source project on CodePlex
  9. 9. Security Best Practices - Contained Databases• Windows Azure SQL Database is a fully contained database as it employs a multi-tenant environment• SQL Databases have to be scoped to only allow users the ability to consume database level assets• This is the reason many SQL Server capabilities are not yet currently available in Windows Azure SQL Database• Assuming that Microsoft will add these capabilities to Windows Azure SQL Database with a contained implementation9
  10. 10. Security Best Practices – Hybrid Applications• To access on-premise SQL Server, use Windows Azure Connect (still CTP)• You can join Windows Azure role instances to your domain, so that you can use your existing methods for domain authentication• Windows Azure Connect uses industry-standard end-to-end IPSEC protocol to establish secure connections between on-premise machines and roles in the cloud. This allows you to connect to your cloud app as if it were inside the firewall.10
  11. 11. Windows Azure SQL Database Firewall• Access grant based on originating IP address only• Default - SQL Database firewall prevents all access to your SQL Databases• Server-level firewall rules – Restrict access to the whole SQL Database server (all databases). Rules stored in master database. – Configured via Windows Azure Platform management portal, SQL Database Management REST API or System SPs&views (sys.firewall_rules, sp_set_firewall_rule and sp_delete_firewall_rule)11
  12. 12. Windows Azure SQL Database Firewall• Database-level firewall rules – Restrict access to individual databases within a SQL Database server. Rules stored in each databases (including master). Rule extends server-level rules. – Configured via System SPs&views sys.database_firewall_rules, sp_set_database_firewall_rule and sp_delete_database_firewall_rule12
  13. 13. Windows Azure SQL Database Firewall SQL Database Firewall architecture13
  14. 14. Windows Azure SQL Database Firewall14
  15. 15. Microsoft Resources• Start with Windows Azure Trust Center• You can carry out authorized penetration testing on Windows Azure CE2F-4659-B1C9- CB14917136B3/Penetration%20Test%20Questionnaire.docx• Microsoft constantly adding compliance to more regulations on Windows Azure – SQL Database compliance is still behind but in the works according to Microsoft center/compliance/15
  16. 16. GreenSQL for Windows Azure SQL Database• Complete database security and regulatory compliance for Windows Azure SQL Database• Complements Windows Azure security capabilities• Software-based reversed database proxy, easy to install, maintain and use• Easy on your budget• Available for a FREE trial• Also supports SQL Server 2000 to 2012 (“Denali”), MySQL and PostgreSQL using same installation16
  17. 17. GreenSQL for Windows Azure SQL Database• Supports hybrid and fully hosted architectures17
  18. 18. GreenSQL for Windows Azure SQL Database18
  19. 19. GreenSQL Offering Activity Monitoring Security • DAM (Database Activity • Prevents SQL Injection Monitoring) attacks • PCI-DSS,SOX,HIPAA reports • Separation of duties • Email Alerts • Database firewall • Before & after images Performance Data Masking • Offloading database • Hide sensitive data workload with caching • Dynamic, real-time, instant • Significant performance 19 improvement
  20. 20. SQL Database Security - Comparison Security Concern Windows Azure SQL DatabaseCompliance & Regulations Limited, no server audit, Full administrative & SQL(Auditing) required by 3rd party according rd granular auditing, before & to regulations after imageSQL Injection Protection None FullSeparation of Duties Limited with database firewall Full, based on variety of criteria and database rolesComplete Database Firewall Limited with database firewall Full, based on variety of criteria, customized actionsDatabase patching Patching Frequent by Microsoft Virtual patchingData masking Masking None Dynamic, no code or schema changes requiredUnified security for hybrid and Limited with database firewall One management system withfully hosted apps flexible policiesDirect database access SQL database is segregated Proxy, examines SQLs before they hit the database, performance acceleration20
  21. 21. GreenSQL for Windows Azure SQL Database• Recommended compute instance size is medium (2 CPU cores, 3.5 GB RAM)• It can be installed on a Windows or Linux server• Recommended Windows 2008R2 64-bits• Web-based management, all major browsers supported• Flexible installation architecture – Windows Azure/On-premises21
  22. 22. Best of Breed Database Protection + = Complete database security and regulatory compliance for Windows Azure cloud22
  23. 23. Microsoft SQL Azure Thank you Q&A David Habusha, VP Product