Azure SQL Database: are backups stored on immutable storage?

Bastiaan Molsbeck (Infoland) 6 Reputation points
2020-11-16T11:09:13.36+00:00

There is a lot of documentation on learn.microsoft.com about automated backups and long-term backup retention for Azure SQL Databases.
But I can't seem to find any article which confirms that these backups are stored on immutable storage.
I would like to know whether these backups are tamper proof and are not susceptible to ransomware attacks.
Or do I need to take additional measures to achieve that?

Azure SQL Database

5 answers

  1. sakman999 70 Reputation points
    2023-02-16T14:14:16.7066667+00:00

    Customers do, however, have the ability to delete backup copies using the portal (and I imagine the Azure CLI and Azure PowerShell). In my book, this does not qualify as "immutable" because it is possible to remove the backup. Contrast this situation with the newly released immutable VM backup capability in Azure Backup, or the immutable blob options on storage accounts.

    So, is there any way to make that "delete backup" capability go away? Is anything like that planned?

    2 people found this answer helpful.
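    Since the answer above notes that LTR backups can be deleted (and, equally, PITR and LTR retention can be shortened) by any principal holding the matching permission, the compensating control a practitioner would want is detection of those operations in the Azure Activity Log. The following is an added example, not code from this thread or from Microsoft: the Microsoft.Sql operation names are assumed from the resource provider's operation list and should be verified against your own tenant, the retention baseline is an assumed organisational policy, and the log records are constructed for the example.

```python
"""Detect Activity Log events that weaken Azure SQL backup protection.

Added example (not code from the thread or from Microsoft).  Operation names
are assumed from the Microsoft.Sql resource provider; events are constructed.
"""
import json
import re
from dataclasses import dataclass

# Assumed Microsoft.Sql operation names; verify against your tenant's Activity Log.
OP_LTR_BACKUP_DELETE = ("Microsoft.Sql/locations/longTermRetentionServers/"
                        "longTermRetentionDatabases/longTermRetentionBackups/delete")
OP_LTR_POLICY_WRITE = "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/write"
OP_STR_POLICY_WRITE = "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies/write"

# Assumed organisational baseline: any policy written below these values is a finding.
BASELINE = {"weeklyRetention": "P8W", "monthlyRetention": "P12M",
            "yearlyRetention": "P1Y", "retentionDays": 14}

_ISO = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?(?:T0S)?$")


def iso_duration_days(value):
    """Approximate an ISO 8601 retention (P4W, P12M, P1Y, PT0S) in days."""
    m = _ISO.match(value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    years, months, weeks, days = (int(g) if g else 0 for g in m.groups())
    return years * 365 + months * 30 + weeks * 7 + days


@dataclass
class Finding:
    severity: str
    operation: str
    caller: str
    resource: str
    detail: str


def _request_properties(event):
    """Parsed 'properties' of the logged request body, or {} when absent."""
    body = event.get("properties", {}).get("requestbody")
    return json.loads(body).get("properties", {}) if body else {}


def analyse_event(event, baseline=BASELINE):
    """Return a Finding when the event deletes a backup or shortens retention."""
    op = event.get("operationName", {}).get("value", "")
    status = event.get("status", {}).get("value", "")
    caller, resource = event.get("caller", "?"), event.get("resourceId", "?")
    severity = "high" if status == "Succeeded" else "medium"  # failed attempts still matter

    if op == OP_LTR_BACKUP_DELETE:
        return Finding(severity, op, caller, resource, f"LTR backup deleted ({status})")
    props = _request_properties(event)
    if op == OP_LTR_POLICY_WRITE:
        reduced = [f"{k}={props[k]} < {baseline[k]}"
                   for k in ("weeklyRetention", "monthlyRetention", "yearlyRetention")
                   if k in props and iso_duration_days(props[k]) < iso_duration_days(baseline[k])]
        if reduced:
            return Finding(severity, op, caller, resource, "LTR retention reduced: " + "; ".join(reduced))
    if op == OP_STR_POLICY_WRITE:
        days = props.get("retentionDays")
        if days is not None and days < baseline["retentionDays"]:
            return Finding(severity, op, caller, resource,
                           f"PITR retention reduced to {days} days (baseline {baseline['retentionDays']})")
    return None


def analyse(events, baseline=BASELINE):
    return [f for f in (analyse_event(e, baseline) for e in events) if f is not None]


_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/"
_SRV = _SUB + "resourceGroups/rg-data/providers/Microsoft.Sql/servers/sql-prod/databases/orders"
SAMPLE_EVENTS = [  # constructed Activity Log records, trimmed to the fields used above
    {"operationName": {"value": OP_LTR_BACKUP_DELETE}, "status": {"value": "Succeeded"},
     "caller": "dba@contoso.example",
     "resourceId": _SUB + "providers/Microsoft.Sql/locations/westeurope/longTermRetentionServers/"
                   "sql-prod/longTermRetentionDatabases/orders/longTermRetentionBackups/orders,132,2023-01-01"},
    {"operationName": {"value": OP_LTR_POLICY_WRITE}, "status": {"value": "Succeeded"},
     "caller": "app-sp@contoso.example", "resourceId": _SRV + "/backupLongTermRetentionPolicies/default",
     "properties": {"requestbody": json.dumps({"properties": {
         "weeklyRetention": "P1W", "monthlyRetention": "P12M", "yearlyRetention": "P1Y", "weekOfYear": 1}})}},
    {"operationName": {"value": OP_STR_POLICY_WRITE}, "status": {"value": "Succeeded"},
     "caller": "dba@contoso.example", "resourceId": _SRV + "/backupShortTermRetentionPolicies/default",
     "properties": {"requestbody": json.dumps({"properties": {"retentionDays": 35}})}},
    {"operationName": {"value": "Microsoft.Sql/servers/databases/write"}, "status": {"value": "Succeeded"},
     "caller": "dba@contoso.example", "resourceId": _SRV},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.caller}: {f.detail}\n    {f.resource}")
```

    Run against the constructed records, only the backup deletion and the LTR policy write that drops weekly retention to P1W are reported; raising PITR retention to 35 days is compliant and silent. In practice the same logic would be fed from an Activity Log export or a Log Analytics alert rule, and a failed attempt (status other than Succeeded) is kept at medium severity because a principal probing for delete rights is itself worth knowing about.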

  2. Navtej Singh Saini 4,221 Reputation points Microsoft Employee
    2020-11-17T02:36:25.267+00:00

    @Bastiaan Molsbeck (Infoland)

    Azure SQL backups are redundant and are replicated across regions for protection. Here are more details on this.

    Also, Azure Cloud is a Trusted Cloud with built-in security, privacy and compliance capabilities. Please go through these documents for more information on this.

    Hope this helps.

    Thanks
    Navtej S


  3. David Browne - msft 3,771 Reputation points
    2020-11-18T00:11:28.237+00:00

    I would like to know whether these backups are tamper proof and are not susceptible to ransomware attacks.

    Customers have no direct access to the storage for these backups, protecting against both tampering and ransomware from compromised customer accounts.


  4. Rahul Randive 8,756 Reputation points Microsoft Employee
    2023-03-09T22:41:32.0666667+00:00

    Hi,

    The points below regarding SQL backup should answer your questions about backup immutability.

    Encrypted backups

    If your database is encrypted with TDE, backups are automatically encrypted at rest, including LTR backups. All new databases in Azure SQL are configured with TDE enabled by default. For more information on TDE, see Transparent data encryption with SQL Database.

    Backup integrity

    On an ongoing basis, the Azure SQL engineering team automatically tests the restore of automated database backups. Upon point-in-time restore, databases also receive DBCC CHECKDB integrity checks.

    Any issues found during an integrity check will result in an alert to the engineering team. For more information, see Data integrity in SQL Database.

    All database backups are taken with the CHECKSUM option to provide additional backup integrity.

    Compliance

    When you migrate your database from a DTU-based service tier to a vCore-based service tier, the PITR retention is preserved to ensure that your application's data recovery policy isn't compromised. If the default retention doesn't meet your compliance requirements, you can change the PITR retention period. For more information, see Change the PITR backup retention period.

    Reference document- https://learn.microsoft.com/en-us/azure/azure-sql/database/automated-backups-overview?view=azuresql#encrypted-backups


  5. Rahul Randive 8,756 Reputation points Microsoft Employee
    2023-03-09T23:40:51.26+00:00

    To answer your question,

    Well, if that's the case, then Azure SQL transparent data encryption with a customer-managed key may help.

    Azure SQL transparent data encryption (TDE) with a customer-managed key enables the Bring Your Own Key (BYOK) scenario for data protection at rest, and allows organizations to implement separation of duties in the management of keys and data. With customer-managed TDE, the customer is responsible for and in full control of key lifecycle management (key creation, upload, rotation, deletion), key usage permissions, and auditing of operations on keys.

    Once a database is encrypted with TDE using a key from Key Vault, any newly generated backups are also encrypted with the same TDE protector. When the TDE protector is changed, old backups of the database are not updated to use the latest TDE protector.

    To restore a backup encrypted with a TDE protector from Key Vault, make sure that the key material is available to the target server.

    Key Vault is highly available and scalable secure storage for RSA cryptographic keys, optionally backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). It doesn't allow direct access to a stored key, but provides services of encryption/decryption using the key to the authorized entities.

    One of the benefits of customer-managed TDE is greater trust from your end customers, since AKV is designed such that Microsoft can't see or extract encryption keys.

    All points are from the reference document Customer-managed transparent data encryption (TDE) - Azure SQL Database & Azure SQL Managed Instance & Azure Synapse Analytics | Microsoft Learn.

    Please have a look
    Thank you!
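    The answer above makes a point that is easy to get wrong operationally: a backup stays encrypted with the TDE protector that was current when it was taken, so rotating the protector does not re-encrypt older backups, and every key version still referenced by an unexpired PITR or LTR backup has to remain in Key Vault and reachable by the restoring server. The following is an added example, not code from this thread or from Microsoft, that models that dependency: the Key Vault name, key versions, server access sets and backup records are constructed, and the helper functions are illustrative rather than any Azure SDK call.

```python
"""Which TDE protector versions must stay available for backups to restore?

Added example (not code from the thread or from Microsoft).  Key identifiers,
versions, server access sets and backups are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Backup:
    database: str
    taken: date
    expires: date       # end of the PITR or LTR retention window
    protector: str      # Key Vault key identifier with version, recorded at backup time


@dataclass(frozen=True)
class KeyVersion:
    enabled: bool
    deleted: bool       # soft-deleted: recoverable until purged, but not usable


def key_name(key_id):
    """'https://kv/keys/tde-kek/v2' -> 'tde-kek' (access is granted per key, not per version)."""
    return key_id.split("/keys/", 1)[1].split("/", 1)[0]


def restorable(backup, vault, server_keys):
    """True when the target server can unwrap this backup's DEK today."""
    version = vault.get(backup.protector)
    return (version is not None and version.enabled and not version.deleted
            and key_name(backup.protector) in server_keys)


def required_protectors(backups, today):
    """Key versions that must remain available: used by any backup not yet expired."""
    return sorted({b.protector for b in backups if b.expires >= today})


def at_risk(backups, vault, server_keys, today):
    """Unexpired backups that would fail to restore on the given server."""
    return [b for b in backups if b.expires >= today and not restorable(b, vault, server_keys)]


KV = "https://kv-sql-prod.vault.azure.net/keys/tde-kek/"   # constructed vault and key
VAULT = {   # constructed key versions: v0 and v1 were soft-deleted after rotation
    KV + "v0": KeyVersion(enabled=False, deleted=True),
    KV + "v1": KeyVersion(enabled=True, deleted=True),
    KV + "v2": KeyVersion(enabled=True, deleted=False),
    KV + "v3": KeyVersion(enabled=True, deleted=False),
}
BACKUPS = [   # constructed: one backup per protector generation, mixed PITR and LTR windows
    Backup("orders", date(2022, 1, 7), date(2023, 1, 7), KV + "v0"),    # yearly LTR, expired
    Backup("orders", date(2022, 6, 3), date(2023, 6, 3), KV + "v1"),    # yearly LTR, still retained
    Backup("orders", date(2023, 2, 24), date(2023, 5, 24), KV + "v2"),  # monthly LTR
    Backup("orders", date(2023, 3, 9), date(2023, 3, 16), KV + "v3"),   # PITR, 7-day window
]
TODAY = date(2023, 3, 10)
PRIMARY_KEYS = {"tde-kek"}   # source server identity holds get/wrapKey/unwrapKey on tde-kek
GEO_TARGET_KEYS = set()      # a freshly created target server with no Key Vault access yet

if __name__ == "__main__":
    print("key versions that must stay available:", required_protectors(BACKUPS, TODAY))
    for label, keys in (("primary", PRIMARY_KEYS), ("geo-target", GEO_TARGET_KEYS)):
        for b in at_risk(BACKUPS, VAULT, keys, TODAY):
            print(f"{label}: {b.database} backup of {b.taken} cannot be restored ({b.protector})")
```

    With the constructed data the v0 backup has aged out and no longer matters, but the June 2022 LTR backup still inside its one-year window was taken under v1, which was soft-deleted after rotation, so it is unrestorable on the primary server until that version is recovered; on a target server whose identity has not yet been granted access to the key, every retained backup is unrestorable. The practical checks this suggests are to keep soft-delete and purge protection on the vault, to never delete a key version while a backup that used it is within retention, and to grant the target server's identity access to the key before attempting a restore or geo-restore.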