Has OData Become FIPS Compliant Accessing Azure SQL?
When accessing Azure databases externally from a Xamarin app, is OData now FIPS compliant? Can it be? If so, what is necessary to be done? If not, what are the alternatives?
Xamarin
Azure SQL Database
-
Saurabh Sharma 23,816 Reputation points • Microsoft Employee
2021-07-12T21:07:13.123+00:00 Thanks @Marc George for using Microsoft Q&A!
Sorry, but if I understand your question correctly, you can find information about SQL being FIPS over here. As per the document, Microsoft attests to Azure SQL Database and SQL Managed Instance as being FIPS 140-2 Level 1 compliant. Thanks
Saurabh
-
Marc George 21 Reputation points
2021-07-12T21:36:15.97+00:00 @Saurabh Sharma Per NIST, the "Federal Information Processing Standard (140-2) specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks."
What I am trying to do is determine if using OData from my Xamarin app meets the security requirements for use of "ports and interfaces; roles, services, and authentication" of the Azure SQL databases and managed instances. Several years ago it wasn't but was supposed to be under development.
-
Saurabh Sharma 23,816 Reputation points • Microsoft Employee
2021-07-13T23:30:05.487+00:00 @Marc George Thanks for sharing details.
@Leon Lu (Shanghai Wicresoft Co,.Ltd.) Do you have any insights on this? Thanks
Saurabh
-
JarvanZhang 23,961 Reputation points
2021-07-19T01:38:42.03+00:00 Hi, MarcGeorge-9076. Please don't make the application connect to the remote database directly.
A mobile app should not connect directly to a database of any sort. There are many reasons for this, but the most important is security. A mobile app is a client based app, not a server based app. As such a mobile app can try to connect from almost any IP address, so that would require allowing the database to accept connections from any IP address, and also it would potentially expose the database connection strings and username/password info to the internet at large, which is not a good idea. Also databases generally depend on low latency connections that one cannot guarantee in a mobile app as it may be on poor wifi networks or cellular networks.
As such it is definitely best practice to create a web service that the mobile client app connects to, and that web service would then connect to the database to fetch the database results and forward those results to the client app. In this way, the database only has to allow connections from the known IP address(es) of the web service server, and the connection from the web service to the database will be on a steady, fast, wired connection. Also this allows the web service to perform additional security checks when a request for data is received.
To create a web service API, you could check this doc: ASP.NET app with Azure SQL Database - Azure App Service | Microsoft Learn
-
Saurabh Sharma 23,816 Reputation points • Microsoft Employee
2021-07-27T18:14:29.593+00:00 Thanks @JarvanZhang
@Marc George Please let me know if you have any other questions.
-
Marc George 171 Reputation points
2021-07-28T09:12:14.387+00:00 @JarvanZhang @Saurabh Sharma Thanks for the reply, but my question hasn't been answered. I wasn't asking for architectural suggestions. OData is part of the .NET APIs like WCF, not a direct connection to SQL.
-
JarvanZhang 23,961 Reputation points
2021-07-30T03:21:51.417+00:00 Hi, are you looking for the Microsoft security compliance service? Please check the following doc:
https://www.microsoft.com/en-us/msservices/security?activetab=pivot1%3aprimaryr4