Hi,
You should check these resources - Security and Ransomware protection Overview. By Azure SQL backups I suspect that you mean backing up SQL Server inside an Azure VM rather than backing up Azure SQL Database, as the latter is not a function of Azure Backup. Check also the Soft delete feature. You should also check Multi-user authorization using Resource Guard, which will protect your recovery vault from critical operations. Azure SQL backups are stored in the recovery vault. There is no additional cost associated with these features.
As mentioned, you are actually referring to Azure SQL Backup. This backup does not use a recovery services vault. The backup is provided by the Azure SQL Database service. With that, as stated in the document: "If you delete a database, the system keeps backups in the same way it would for an online database with its specific retention period. You cannot change backup retention period for a deleted database." and "If you delete a server or a managed instance, all databases on that server or managed instance are also deleted and cannot be recovered. You cannot restore a deleted server or managed instance. But if you had configured long-term retention (LTR) for a database or managed instance, long-term retention backups are not deleted, and can be used to restore databases on a different server or managed instance in the same subscription, to a point in time when a long-term retention backup was taken."
With that in mind I would suggest the following things:
- Configure long-term retention backup. This has an additional cost.
- Set permissions correctly and restrictively to only the personnel who need to manage the databases/servers, or use Azure AD PIM to grant permissions only when needed. Azure AD PIM requires Azure AD licenses.
- Use Azure Policy to configure/audit short- and long-term backup settings on Azure SQL Database. Azure Policy is free to use for native Azure resources.
Update:
Hi MSTechie-7364, I am not sure if I am not explaining something correctly or you are not reading the provided replies completely.
Initially, in my first reply, I provided information based on backups for SQL Server on an Azure VM. Later I understood that you are talking about Azure SQL Database Backup. In order not to delete the initial reply or remove the previous text, I updated that reply with additional information specifically for Azure SQL Database Backup so it matches your request. As explained there, Azure Backup and Azure SQL Backup are different services and not related to each other in any way. Azure SQL Backup is provided by the Azure SQL Database service and it is available once you have SQL logical servers and SQL databases created. Later you asked me some other questions around Azure Backup which really should have been a separate thread, but I have answered those in order to help you. Because Azure Backup is different from Azure SQL Backup, none of the features for Azure Backup apply to Azure SQL Backup and vice versa. So, on your questions:
- Soft-delete is an Azure Backup feature, so it does not apply to Azure SQL Backup. See my initial reply with the document for long-term backup. There it says "If you delete a server or a managed instance, all databases on that server or managed instance are also deleted and cannot be recovered. You cannot restore a deleted server or managed instance. But if you had configured long-term retention (LTR) for a database or managed instance, long-term retention backups are not deleted, and can be used to restore databases on a different server or managed instance in the same subscription, to a point in time when a long-term retention backup was taken."
- The alerts mentioned are for Azure Backup, as the question was specific to Azure Backup, and do not apply to Azure SQL Backup. Azure SQL Backups cannot be deleted. Old backups for Azure SQL Backup are deleted automatically according to the retention period. If you want, again via the activity log you can monitor if a database or SQL logical server gets deleted. You can create instances of those resources and delete them to see what activity logs are generated, to create alerts based on those logs. Alternatively you can use Azure Monitor to create an alert. When you choose the subscription as scope and a specific resource type when adding a condition, you will see examples like 'Delete Azure SQL Server (Microsoft.Sql/servers)' that you can select to create such an alert.
- What permissions and who has permissions solely depends on your requirements and how you manage Azure resources. Here you can see the available built-in roles for Azure SQL Databases. You can also create your own custom roles if those do not suit you. Let's take the simplest scenario where you have a single team that manages your SQL logical servers and databases in Subscription A. You create two AAD groups - Group A and Group B. On subscription level you give Group A Reader access and for Group B you give SQL Server Contributor. All the users of the team are members of Group A and, using AAD PIM, users are granted access to Group B temporarily, only when needed and of course once someone approves. That way they will get access to do any actions on those resources only when it is needed, for a short period of time. As mentioned, this setup very much depends on your requirements and how you want to do it.
- Azure AD pricing is available here. There you have a link to see the feature comparison between licenses. In particular you need an Azure AD Premium P2 license.
I will once again ask you to accept the reply as the answer, as I have answered way more than what was initially asked, and it is usually best to open new threads for new questions that you have.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
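An added example, not code from the reply above, showing the retention and alert steps it recommends as Azure CLI commands: short-term (PITR) and long-term (LTR) retention on an Azure SQL Database, and an activity log alert when a SQL logical server is deleted. The resource group, server, database, subscription id and action group names are assumed placeholders; the script only prints the commands unless APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not part of the original reply. Resource group, server,
# database, subscription id and action group names below are assumptions.
set -eu

RG="${RG:-rg-sql-prod}"
SERVER="${SERVER:-sql-prod-01}"
DB="${DB:-appdb}"
SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # placeholder subscription id
ACTION_GROUP="${ACTION_GROUP:-ag-sql-ops}"

# Dry run by default: print the command. Set APPLY=1 to actually call az.
run_az() {
  if [ "${APPLY:-0}" = "1" ]; then
    az "$@"
  else
    echo "az $*"
  fi
}

# Point-in-time (short-term) retention: keep automated backups for 35 days,
# the maximum (Basic tier allows at most 7), so a deleted database can still
# be restored within that window.
set_short_term_retention() {
  run_az sql db str-policy set -g "$RG" -s "$SERVER" -n "$DB" --retention-days 35
}

# Long-term retention (LTR): weekly backups kept 12 weeks, monthly 12 months,
# yearly 5 years (the yearly copy taken in ISO week 1). LTR backups survive
# deletion of the logical server, which PITR backups do not.
set_long_term_retention() {
  run_az sql db ltr-policy set -g "$RG" -s "$SERVER" -n "$DB" \
    --weekly-retention P12W --monthly-retention P12M \
    --yearly-retention P5Y --week-of-year 1
}

# Activity log alert that fires when any SQL logical server in the
# subscription is deleted (Administrative category, delete operation).
create_delete_alert() {
  run_az monitor activity-log alert create -n alert-sql-server-delete -g "$RG" \
    --scope "/subscriptions/$SUB" \
    --condition "category=Administrative and operationName=Microsoft.Sql/servers/delete" \
    --action-group "$ACTION_GROUP"
}

set_short_term_retention
set_long_term_retention
create_delete_alert
```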