Azure database security checklist

To help improve security, Azure Database includes many built-in security controls that you can use to limit and control access.

Security controls include:

• A firewall that enables you to create firewall rules limiting connectivity by IP address,
• Server-level firewall accessible from the Azure portal
• Database-level firewall rules accessible from SSMS
• Secure connectivity to your database using secure connection strings
• Use access management
• Data encryption
• SQL Database auditing
• SQL Database threat detection

Introduction

Cloud computing requires new security paradigms that are unfamiliar to many application users, database administrators, and programmers. As a result, some organizations are hesitant to implement a cloud infrastructure for data management due to perceived security risks. However, much of this concern can be alleviated through a better understanding of the security features built into Microsoft Azure and Microsoft Azure SQL Database.

Checklist

We recommend that you read the Azure Database Security Best Practices article prior to reviewing this checklist. You'll be able to get the most out of this checklist after you understand the best practices. You can then use this checklist to make sure that you've addressed the important issues in Azure database security.

Checklist Category	Description
Protect Data
Encryption in Motion/Transit	Transport Layer Security, for data encryption when data is moving to the networks. Database requires secure communication from clients based on the TDS(Tabular Data Stream) protocol over TLS (Transport Layer Security).
Encryption at rest	Transparent Data Encryption, when inactive data is stored physically in any digital form.
Control Access
Database Access	Authentication (Microsoft Entra authentication) AD authentication uses identities managed by Microsoft Entra ID. Authorization grant users the least privileges necessary.
Application Access	Row level Security (Using Security Policy, at the same time restricting row-level access based on a user's identity,role, or execution context). Dynamic Data Masking (Using Permission & Policy, limits sensitive data exposure by masking it to non-privileged users)
Proactive Monitoring
Tracking & Detecting	Auditing tracks database events and writes them to an Audit log/ Activity log in your Azure Storage account. Track Azure Database health using Azure Monitor Activity Logs. Threat Detection detects anomalous database activities indicating potential security threats to the database.
Microsoft Defender for Cloud	Data Monitoring Use Microsoft Defender for Cloud as a centralized security monitoring solution for SQL and other Azure services.

Conclusion

Azure Database is a robust database platform, with a full range of security features that meet many organizational and regulatory compliance requirements. You can easily protect data by controlling the physical access to your data, and using various options for data security at the file-, column-, or row-level with Transparent Data Encryption, Cell-Level Encryption, or Row-Level Security. Always Encrypted also enables operations against encrypted data, simplifying the process of application updates. In turn, access to auditing logs of SQL Database activity provides you with the information you need, allowing you to know how and when data is accessed.

Next steps

You can improve the protection of your database against malicious users or unauthorized access with just a few simple steps. In this tutorial you learn to:

• Set up firewall rules for your server and or database.
• Protect your data with encryption.
• Enable SQL Database auditing.